create users
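-- Create the account only if it is missing and cap its hourly query/update volume.
-- Fixes to the original line: the typographic quotes (‘ ’) are replaced with ASCII quotes,
-- which MySQL requires for string literals, and the plugin name is corrected from
-- mysql_native_passwd to mysql_native_password.
-- The literal password is replaced by a labelled placeholder: notes and scripts end up in
-- shell history, repositories and published pages, so real secrets do not belong in them.
-- NOTE(review): mysql_native_password is a SHA-1 based legacy plugin; prefer
-- caching_sha2_password unless an old client library forces this choice.
CREATE USER IF NOT EXISTS 'anan'@'localhost'
    IDENTIFIED WITH mysql_native_password BY '<PASSWORD_PLACEHOLDER>'
    WITH MAX_QUERIES_PER_HOUR 500
         MAX_UPDATES_PER_HOUR 100;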
Granting and revoking access to users
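-- Read-only access to every table in the company schema.
-- The grantee must already exist: the role statements elsewhere on this page need MySQL 8.0,
-- where GRANT no longer creates accounts implicitly.
GRANT SELECT ON company.* TO 'company_read_only'@'localhost';

-- Write account for the company schema.
-- Fix: GRANT ... IDENTIFIED WITH was removed in MySQL 8.0, so the account is created first
-- and the privileges are granted in a separate statement. AS takes the stored password hash.
-- Unlike the old form, CREATE USER IF NOT EXISTS leaves an existing account's credentials alone.
CREATE USER IF NOT EXISTS 'company_write'@'%'
    IDENTIFIED WITH mysql_native_password AS '*EBD9E3BFD1489CA1EB0D2B4F29F6665F321E8C18';
GRANT INSERT, DELETE, UPDATE ON company.* TO 'company_write'@'%';

-- Column-level grant: the account can read only first_name and last_name.
-- NOTE(review): this account carries the same hash as 'company_write', i.e. the same password;
-- give each account its own secret so one leak does not expose both.
CREATE USER IF NOT EXISTS 'employees_ro'@'%'
    IDENTIFIED WITH mysql_native_password AS '*EBD9E3BFD1489CA1EB0D2B4F29F6665F321E8C18';
GRANT SELECT (first_name, last_name) ON employees.employees TO 'employees_ro'@'%';

-- Full administrative rights on every schema, plus the right to pass them on.
-- NOTE(review): host '%' makes this account reachable from any address that can connect to
-- the server. Restrict the host part to the admin network, and consider REQUIRE SSL on the
-- account, before using this outside a lab.
GRANT ALL ON *.* TO 'dbadmin'@'%';
GRANT GRANT OPTION ON *.* TO 'dbadmin'@'%';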
-- Demonstrates that MySQL accepts circular role grants. Accounts and roles share one
-- namespace, so an account can be granted to another account exactly like a role.
-- The loops below are accepted but give the grantee nothing it did not already have.
-- NOTE(review): CREATE USER without an IDENTIFIED clause creates accounts with no password,
-- and the omitted host part defaults to '%' — keep this example on a throwaway instance.
CREATE USER 'u1', 'u2';
-- Roles made with CREATE ROLE start out locked, so they cannot be used to log in.
CREATE ROLE 'r1', 'r2';
GRANT 'u1' TO 'u1'; -- simple loop: u1 => u1
GRANT 'r1' TO 'r1'; -- simple loop: r1 => r1
-- The next two statements together close the mixed loop.
GRANT 'r2' TO 'u2';
GRANT 'u2' TO 'r2'; -- mixed user/role loop: u2 => r2 => u2
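-- Take the SELECT privilege away from 'anan'@'localhost'.
-- Fixes: typographic quotes replaced with ASCII quotes; the privilege level had been reduced
-- to a bare "." (most likely "*.*" with the asterisks consumed by Markdown rendering); the
-- statement appeared twice and once is enough.
-- NOTE(review): REVOKE must name the same level as the original GRANT — check with
-- SHOW GRANTS FOR 'anan'@'localhost' and adjust *.* if the grant was made on a schema.
REVOKE SELECT ON *.* FROM 'anan'@'localhost';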
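All user information, along with privileges, is
stored in the mysql.user table. If you have the privilege
to access the mysql.user table, you can modify it directly
to create users and grant privileges.
Direct edits skip the checks that the account-management statements perform and take
effect only after FLUSH PRIVILEGES, so prefer CREATE USER, ALTER USER, GRANT and REVOKE,
and treat write access to the mysql schema as equivalent to full administrative access.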
刷新权限:
-- Reload the in-memory privilege cache from the grant tables. This is needed only after the
-- grant tables were edited directly; CREATE USER, GRANT, REVOKE and ALTER USER apply at once.
FLUSH PRIVILEGES;
设置某用户只能本地访问:
-- Rewrites the host part of every mysql.user row whose user name is 'anan' to 'localhost',
-- then reloads the privilege cache so the edit takes effect.
-- NOTE(review): editing mysql.user by hand leaves the other grant tables (schema-, table- and
-- role-level grants keyed on the old host) untouched, and the UPDATE fails with a duplicate
-- key if 'anan'@'localhost' already exists. RENAME USER is the supported way to change an
-- account's host; it keeps all grant tables consistent and needs no FLUSH PRIVILEGES.
update mysql.user set host='localhost' where user='anan';
flush privileges;
创建用户并设置用户登录后立即修改密码:
-- Create 'developer' from a pre-computed mysql_native_password hash (AS takes the stored
-- hash, not the clear text) and mark the password as expired, so the account can do nothing
-- useful after login until the password has been changed.
-- NOTE(review): host '%' accepts connections from any address; narrow it where possible.
CREATE USER 'developer'@'%'
    IDENTIFIED WITH mysql_native_password
        AS '*98F1E207D17ED074CF0C4B7F79DC7F6F6035E291'
    PASSWORD EXPIRE;
用户修改密码:
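-- Set a new password for 'developer'@'%', which also clears the expired state.
-- Fix: the original used AS, which expects the already-hashed value; a clear-text password
-- has to be passed with BY so that the server hashes it with the named plugin.
-- 'new_company_pass' is the page's sample value, not a password to reuse.
ALTER USER 'developer'@'%'
    IDENTIFIED WITH mysql_native_password BY 'new_company_pass';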
Manually expire the existing user's password:
-- Expire the current password immediately; the account must set a new one at next login
-- before it can run ordinary statements.
ALTER USER 'developer'@'%'
    PASSWORD EXPIRE;
Require the password to be changed every 90 days (the statement below uses INTERVAL 90 DAY):要求每90天修改一次密码
-- Per-account password lifetime: the password expires 90 days after it was last changed.
-- This account-level setting takes precedence over the server-wide default lifetime.
ALTER USER 'developer'@'%'
    PASSWORD EXPIRE INTERVAL 90 DAY;
Locking users
-- Lock the account: new connection attempts are refused, while sessions that are already
-- open keep running and have to be ended separately if the account is suspected compromised.
-- Refused attempts are counted in the Locked_connects status variable, which is worth monitoring.
ALTER USER 'developer'@'%'
    ACCOUNT LOCK;
You can unlock the account after confirming:
-- Re-enable logins for the account once the reason for the lock has been cleared.
ALTER USER 'developer'@'%'
    ACCOUNT UNLOCK;
Creating roles for users
A MySQL role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. A user account can be granted roles, which gives the account the privileges of those roles. Earlier, you created separate users for reads, writes, and administration. For the write privilege, you granted INSERT, DELETE, and UPDATE directly to the user. Instead, you can grant those privileges to a role and then grant that role to the user. This way, you avoid granting privileges individually to possibly many user accounts.
create roles:
-- Three roles for the employees schema, from least to most privileged.
CREATE ROLE
    'app_read_only',
    'app_writes',
    'app_developer';

-- Read-only: SELECT on every table of the schema.
GRANT SELECT
    ON employees.*
    TO 'app_read_only';

-- Data modification without read access.
GRANT INSERT, UPDATE, DELETE
    ON employees.*
    TO 'app_writes';

-- Every schema-level privilege on employees (GRANT OPTION is not part of ALL).
GRANT ALL
    ON employees.*
    TO 'app_developer';
such as
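-- One account per access profile; the host part is written out ('%' is what the original
-- got by omitting it) so that it visibly matches the GRANT statements below.
-- NOTE(review): the three original accounts share one sample password. Give every account
-- its own secret and keep real values out of notes and scripts.
CREATE USER 'emp_read_only'@'%' IDENTIFIED BY 'Abce#asfd_3re';
CREATE USER 'emp_writes'@'%' IDENTIFIED BY 'Abce#asfd_3re';
CREATE USER 'emp_developer'@'%' IDENTIFIED BY 'Abce#asfd_3re';
-- Fix: the combined read/write account was granted roles below but never created.
CREATE USER 'emp_read_write'@'%' IDENTIFIED BY '<PASSWORD_PLACEHOLDER>';

-- Attach the roles to the accounts.
-- Fixes: 'app_wirtes' -> 'app_writes', 'emp_wirtes' -> 'emp_writes' and
-- 'emp_read_wirte' -> 'emp_read_write'; the misspelled names do not exist, so the original
-- statements fail.
GRANT 'app_read_only' TO 'emp_read_only'@'%';
GRANT 'app_writes' TO 'emp_writes'@'%';
GRANT 'app_developer' TO 'emp_developer'@'%';
GRANT 'app_read_only', 'app_writes' TO 'emp_read_write'@'%';
-- A granted role is not active in a session by default: the account needs SET DEFAULT ROLE
-- (or the session SET ROLE) before the role's privileges apply.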
发布 因为使用的有道云笔记会员markdown格式,故图片显示不出,这里附上笔记链接:
http://note.youdao.com/noteshare?id=c109e307813fff8baa48bfc9c4904d39&sub=0D00DFD88C0E4AF2A9DF30C30F8401EE