MySQL provides password-expiration capability, which enables database administrators to require that users reset their password. Passwords can be expired manually, and on the basis of a policy for automatic expiration (see Section 6.2.15, “Password Management”).
The ALTER USER statement enables account password expiration. For example:
ALTER USER 'myuser'@'localhost' PASSWORD EXPIRE;
For each connection that uses an account with an expired password, the server either disconnects the client or restricts the client to “sandbox mode,” in which the server permits the client to perform only those operations necessary to reset the expired password. Which action is taken by the server depends on both client and server settings, as discussed later.
If the server disconnects the client, it returns an ER_MUST_CHANGE_PASSWORD_LOGIN error:
shell> mysql -u myuser -p
Password: ******
ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords.
If the server restricts the client to sandbox mode, these operations are permitted within the client session:
The client can reset the account password with ALTER USER or SET PASSWORD. After that has been done, the server restores normal access for the session, as well as for subsequent connections that use the account.
Although it is possible to “reset” an expired password by setting it to its current value, it is preferable, as a matter of good policy, to choose a different password. DBAs can enforce non-reuse by establishing an appropriate password-reuse policy. See Password Reuse Policy.
Prior to MySQL 8.0.27, the client can use the SET statement. As of MySQL 8.0.27, this is no longer permitted.
For any operation not permitted within the session, the server returns an ER_MUST_CHANGE_PASSWORD error:
mysql> USE performance_schema;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
mysql> SELECT 1;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
That is what normally happens for interactive invocations of the mysql client because by default such invocations are put in sandbox mode. To resume normal functioning, select a new password.
For noninteractive invocations of the mysql client (for example, in batch mode), the server normally disconnects the client if the password is expired. To permit noninteractive mysql invocations to stay connected so that the password can be changed (using the statements permitted in sandbox mode), add the --connect-expired-password option to the mysql command.
As mentioned previously, whether the server disconnects an expired-password client or restricts it to sandbox mode depends on a combination of client and server settings. The following discussion describes the relevant settings and how they interact.
This discussion applies only for accounts with expired passwords. If a client connects using a nonexpired password, the server handles the client normally.
On the client side, a given client indicates whether it can handle sandbox mode for expired passwords. For clients that use the C client library, there are two ways to do this:
Pass the MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS flag to mysql_options() prior to connecting:
bool arg = 1;
mysql_options(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, &arg);
This is the technique used within the mysql client, which enables MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS if invoked interactively or with the --connect-expired-password option.
Pass the CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS flag to mysql_real_connect() at connect time:
MYSQL mysql;
mysql_init(&mysql);
if (!mysql_real_connect(&mysql, host, user, password, db, port, unix_socket,
                        CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS))
{
  ... handle error ...
}
Other MySQL Connectors have their own conventions for indicating readiness to handle sandbox mode. See the documentation for the Connector in which you are interested.
On the server side, if a client indicates that it can handle expired passwords, the server puts it in sandbox mode.
If a client does not indicate that it can handle expired passwords (or uses an older version of the client library that cannot so indicate), the server action depends on the value of the disconnect_on_expired_password system variable:
If disconnect_on_expired_password is enabled (the default), the server disconnects the client with an ER_MUST_CHANGE_PASSWORD_LOGIN error.
If disconnect_on_expired_password is disabled, the server puts the client in sandbox mode.