[MySQL from introduction to proficiency] [advanced chapter] (IV) MySQL permission management and control
2022-07-04 14:28:00 【Man Nong Feige】
1. Introduction
The previous article covered creating, modifying and deleting MySQL users. This article continues with MySQL permission management and control.
2. Environment
Environment | Version |
---|---|
Red Hat | 4.8.5-39 |
MySQL | 5.7 |
3. Permission management
Put simply, MySQL permission management means MySQL lets you do what is within your granted permissions and nothing beyond them. For example, if you are only allowed to perform SELECT, you cannot perform UPDATE; if you are only allowed to connect to MySQL from one machine, you cannot connect from any other machine. After a new account is created, by default it only has permissions on the information_schema database. If you want the user to work with other databases, you must grant that user specific permissions.
3.1. Permission list
What permissions does MySQL have?
mysql> show privileges;
The permissions that can be used in GRANT and REVOKE statements include the following:
Permission | Corresponding column in the user table | Scope |
---|---|---|
CREATE | Create_priv | Database, table or index |
DROP | Drop_priv | Database, table or view |
GRANT OPTION | Grant_priv | Database, table or stored procedure |
REFERENCES | References_priv | Database or table |
EVENT | Event_priv | Database |
ALTER | Alter_priv | Database |
DELETE | Delete_priv | Table |
- CREATE and DROP permissions: you can create new databases and tables, or delete (remove) existing databases and tables. If you grant the DROP permission on the mysql database to a user, that user can delete the database in which MySQL stores its access permissions.
- SELECT, INSERT, UPDATE and DELETE permissions: allow operations on existing tables in a database.
- SELECT permission: only used when rows are actually retrieved from a table.
- INDEX permission: allows indexes to be created or deleted. INDEX applies to existing tables; if you have the CREATE permission on a table, you can include index definitions in the CREATE TABLE statement.
- ALTER permission: allows ALTER TABLE to be used to change the table structure and rename the table.
- CREATE ROUTINE permission: used to create stored routines (functions and procedures). The ALTER ROUTINE permission is used to change and delete stored routines, and the EXECUTE permission is used to execute them.
- GRANT permission: allows granting permissions to other users; it can be used on databases, tables and stored routines.
- FILE permission: lets users use the LOAD DATA INFILE and SELECT … INTO OUTFILE statements to read or write files on the server. Any user who is granted the FILE permission can read or write any file on the MySQL server.
How MySQL permissions are distributed
Permission level | Permissions that can be set |
---|---|
Table permissions | SELECT、INSERT、UPDATE、DELETE、CREATE、DROP、GRANT、REFERENCES、INDEX、ALTER |
Column permissions | SELECT、INSERT、UPDATE、REFERENCES |
Routine permissions | EXECUTE、ALTER ROUTINE、GRANT |
2.2. Principles for granting permissions
Permission control is mainly a matter of security, so a few rules of thumb should be followed:
- Grant only the minimum permissions that meet the need, so that users cannot do damage. For example, if a user only needs to query, the SELECT permission is enough; there is no need to give the user UPDATE, INSERT or DELETE permissions.
- When creating a user, restrict the user's login host, generally to a designated IP or an intranet IP range.
- Set a password that meets the password complexity requirements for each user.
- Clean up unneeded users regularly: revoke their permissions or delete the users.
2.3. Granting permissions
There are two ways to authorize a user: granting a role to the user, and granting permissions to the user directly. A user here is a database user. By granting a user access to resources in the database, we control that user's access to the database and eliminate security risks.
Authorization command:
GRANT privilege1, privilege2, ... privilegeN ON database_name.table_name TO username@host [IDENTIFIED BY 'password'];
If the user is not found during authorization, a new user is created directly.
For example:
- Grant the user zhang3, who connects from the local command line, the permissions to query, insert, delete and update all tables in the test database.
GRANT SELECT,INSERT,DELETE,UPDATE ON test.* TO zhang3 IDENTIFIED BY '[email protected]';
- Grant the user zhangsan, who logs in over the network, full permissions on all databases and all tables, with the password set to [email protected]. Only the GRANT permission is not included here.
GRANT ALL PRIVILEGES ON *.* TO zhangsan@'%' IDENTIFIED BY '[email protected]';
GRANT can be used repeatedly to add permissions to a user, and the permissions stack. For example, if you first grant the SELECT permission and then grant the user the INSERT permission as well, the user has both SELECT and INSERT permissions.
2.4. Viewing permissions
- View the current user's permissions
SHOW GRANTS;
- View the global permissions of a given user
SHOW GRANTS FOR 'user'@'host_address';
It is recommended that you use the database's own role and user mechanisms to control access rights wherever possible, and not use the root account lightly. The root account and password are not safe inside application code, and if they leak, the database is left completely unprotected.
2.5. Revoking permissions
Revoking permissions means cancelling some of the permissions that have been granted to a user. Revoking permissions a user does not need helps to secure the system to a certain extent. MySQL uses the REVOKE statement to cancel some of a user's permissions. After REVOKE is used, the user's records are deleted from the db, host, tables_priv and columns_priv tables, but the user's account record is still kept in the user table (to delete the user's record from the user table, use the DROP USER statement).
Note: before a user account is deleted from the user table, all permissions of that user should be revoked.
Revoke command:
REVOKE privilege1, privilege2, ..., privilegeN ON database_name.table_name FROM username@host;
For example:
# Revoke all permissions on all databases and tables
REVOKE ALL PRIVILEGES ON *.* FROM zhang3@'%';
In short, MySQL's permission control is quite complete and should be used as much as possible; it improves efficiency and is safe and reliable.
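The principles in 2.2 and the GRANT, SHOW GRANTS and REVOKE statements from 2.3 to 2.5, put together as one least-privilege account lifecycle on MySQL 5.7. This is an added example, not code from the original article; the account app_ro, the range 10.0.5.%, the shop database, its orders table and the password are constructed placeholders.

```sql
-- Added example; every name and value below is a constructed placeholder.

-- Two things to notice in the article's own GRANT statements:
--   GRANT ... TO zhang3          with no host part targets 'zhang3'@'%',
--                                so the account is not limited to local logins.
--   GRANT ALL ON *.* TO ...@'%'  gives every privilege from every host.
-- The statements below are the restricted counterpart.

CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.orders (
  id     INT PRIMARY KEY,
  status VARCHAR(16),
  amount DECIMAL(10,2)
);

-- 1. Create the account explicitly and bind it to an intranet range,
--    instead of letting GRANT ... IDENTIFIED BY create it implicitly
--    (that form is deprecated in 5.7).
CREATE USER 'app_ro'@'10.0.5.%' IDENTIFIED BY 'Constructed-Placeholder-1!';

-- 2. Minimum privilege: read-only on one database.
GRANT SELECT ON shop.* TO 'app_ro'@'10.0.5.%';

-- 3. Privileges stack: add a column-level UPDATE on a single column.
GRANT UPDATE (status) ON shop.orders TO 'app_ro'@'10.0.5.%';

-- 4. Verify what the account really holds before handing it out.
SHOW GRANTS FOR 'app_ro'@'10.0.5.%';

-- 5. Take back the part that is no longer needed.
REVOKE UPDATE (status) ON shop.orders FROM 'app_ro'@'10.0.5.%';

-- 6. Retire the account: revoke everything first, then drop it.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app_ro'@'10.0.5.%';
DROP USER 'app_ro'@'10.0.5.%';
```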
3. Permission tables
The MySQL server controls users' access to the database through permission tables, which are stored in the mysql database. The MySQL database system gives each user the corresponding permissions according to the contents of these permission tables. The most important of these tables are the user table and the db table. In addition, there are the tables_priv, columns_priv and procs_priv tables. When MySQL starts, the server reads the permission information in these tables into memory.
Table name | Description |
---|---|
user | User account and permission information |
global_grants | Dynamic global grants |
db | Database-level permissions |
tables_priv | Table-level permissions |
columns_priv | Column-level permissions |
procs_priv | Stored procedure and function permissions |
proxies_priv | Proxy user permissions |
Take the db table as an example.
Here, the zhang3 account has the permissions to query, delete, update and insert in the test database.
Summary
This article has described in detail how to grant permissions to users and how to revoke them.
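Because the permission tables are ordinary tables in the mysql database, they can be queried to check accounts against the principles in 2.2. The queries below are an added example, not from the original article; they assume MySQL 5.7 column names, and the list of excluded built-in accounts is an assumption to adjust for your server.

```sql
-- Added audit example; run as an administrator with SELECT on the mysql schema.

-- 1. Accounts that may connect from any host (no login-host restriction).
SELECT User, Host
FROM mysql.user
WHERE Host IN ('%', '');

-- 2. Accounts holding global FILE, GRANT or DROP outside the built-in ones.
SELECT User, Host, File_priv, Grant_priv, Drop_priv
FROM mysql.user
WHERE 'Y' IN (File_priv, Grant_priv, Drop_priv)
  AND User NOT IN ('root', 'mysql.sys', 'mysql.session');

-- 3. Password-authenticated accounts whose password is empty.
SELECT User, Host, plugin
FROM mysql.user
WHERE plugin IN ('mysql_native_password', 'sha256_password')
  AND COALESCE(authentication_string, '') = '';

-- 4. Database-level grants whose Db pattern covers the mysql schema itself,
--    that is, accounts able to change or drop the permission tables.
SELECT User, Host, Db, Insert_priv, Update_priv, Delete_priv, Drop_priv
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND 'Y' IN (Insert_priv, Update_priv, Delete_priv, Drop_priv);

-- 5. Table- and column-level grants, for review against what each
--    application actually needs.
SELECT User, Host, Db, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv
ORDER BY User, Host, Db, Table_name;
```

Rows returned by queries 1 to 4 are candidates for a narrower host, a REVOKE, or removal with DROP USER.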