The MySQL server authenticates client connections using authentication plugins. The plugin that authenticates a given connection may request that the connecting (external) user be treated as a different user for privilege-checking purposes. This enables the external user to be a proxy for the second user; that is, to assume the privileges of the second user:
The external user is a “proxy user” (a user who can impersonate or become known as another user).
The second user is a “proxied user” (a user whose identity and privileges can be assumed by a proxy user).
This section describes how the proxy user capability works. For general information about authentication plugins, see Section 6.2.17, “Pluggable Authentication”. For information about specific plugins, see Section 6.4.1, “Authentication Plugins”. For information about writing authentication plugins that support proxy users, see Implementing Proxy User Support in Authentication Plugins.
One administrative benefit to be gained by proxying is that the DBA can set up a single account with a set of privileges and then enable multiple proxy users to have those privileges without having to assign the privileges individually to each of those users. As an alternative to proxy users, DBAs may find that roles provide a suitable way to map users onto specific sets of named privileges. Each user can be granted a given single role to, in effect, be granted the appropriate set of privileges. See Section 6.2.10, “Using Roles”.
For proxying to occur for a given authentication plugin, these conditions must be satisfied:
Proxying must be supported, either by the plugin itself, or by the MySQL server on behalf of the plugin. In the latter case, server support may need to be enabled explicitly; see Server Support for Proxy User Mapping.
The account for the external proxy user must be set up to be authenticated by the plugin. Use the CREATE USER statement to associate an account with an authentication plugin, or ALTER USER to change its plugin.
The account for the proxied user must exist and be granted the privileges to be assumed by the proxy user. Use the CREATE USER and GRANT statements for this.
Normally, the proxied user is configured so that it can be used only in proxying scenarios and not for direct logins.
The proxy user account must have the PROXY privilege for the proxied account. Use the GRANT statement for this.
For a client connecting to the proxy account to be treated as a proxy user, the authentication plugin must return a user name different from the client user name, to indicate the user name of the proxied account that defines the privileges to be assumed by the proxy user.
Alternatively, for plugins that are provided proxy mapping by the server, the proxied user is determined from the PROXY privilege held by the proxy user.
The proxy mechanism permits mapping only the external client user name to the proxied user name. There is no provision for mapping host names:
When a client connects to the server, the server determines the proper account based on the user name passed by the client program and the host from which the client connects.
If that account is a proxy account, the server attempts to determine the appropriate proxied account by finding a match for a proxied account using the user name returned by the authentication plugin and the host name of the proxy account. The host name in the proxied account is ignored.
Consider the following account definitions:
-- create proxy account
CREATE USER 'employee_ext'@'localhost'
IDENTIFIED WITH my_auth_plugin
AS 'my_auth_string';
-- create proxied account and grant its privileges;
-- use mysql_no_login plugin to prevent direct login
CREATE USER 'employee'@'localhost'
IDENTIFIED WITH mysql_no_login;
GRANT ALL
ON employees.*
TO 'employee'@'localhost';
-- grant to proxy account the
-- PROXY privilege for proxied account
GRANT PROXY
ON 'employee'@'localhost'
TO 'employee_ext'@'localhost';
When a client connects as employee_ext from the local host, MySQL uses the plugin named my_auth_plugin to perform authentication. Suppose that my_auth_plugin returns a user name of employee to the server, based on the content of 'my_auth_string' and perhaps by consulting some external authentication system. The name employee differs from employee_ext, so returning employee serves as a request to the server to treat the employee_ext external user, for purposes of privilege checking, as the employee local user.
In this case, employee_ext is the proxy user and employee is the proxied user.
The server verifies that proxy authentication for employee is possible for the employee_ext user by checking whether employee_ext (the proxy user) has the PROXY privilege for employee (the proxied user). If this privilege has not been granted, an error occurs. Otherwise, employee_ext assumes the privileges of employee. The server checks statements executed during the client session by employee_ext against the privileges granted to employee. In this case, employee_ext can access tables in the employees database.
The proxied account, employee, uses the mysql_no_login authentication plugin to prevent clients from using the account to log in directly. (This assumes that the plugin is installed. For instructions, see Section 6.4.1.8, “No-Login Pluggable Authentication”.) For alternative methods of protecting proxied accounts against direct use, see Preventing Direct Login to Proxied Accounts.
When proxying occurs, the USER() and CURRENT_USER() functions can be used to see the difference between the connecting user (the proxy user) and the account whose privileges apply during the current session (the proxied user). For the example just described, those functions return these values:
mysql> SELECT USER(), CURRENT_USER();
+------------------------+--------------------+
| USER()                 | CURRENT_USER()     |
+------------------------+--------------------+
| employee_ext@localhost | employee@localhost |
+------------------------+--------------------+
In the CREATE USER statement that creates the proxy user account, the IDENTIFIED WITH clause that names the proxy-supporting authentication plugin is optionally followed by an AS 'auth_string' clause specifying a string that the server passes to the plugin when the user connects. If present, the string provides information that helps the plugin determine how to map the proxy (external) client user name to a proxied user name. It is up to each plugin whether it requires the AS clause. If so, the format of the authentication string depends on how the plugin intends to use it. Consult the documentation for a given plugin for information about the authentication string values it accepts.
Proxied accounts generally are intended to be used only by means of proxy accounts. That is, clients connect using a proxy account, then are mapped onto and assume the privileges of the appropriate proxied user.
There are multiple ways to ensure that a proxied account cannot be used directly:
Associate the account with the mysql_no_login authentication plugin. In this case, the account cannot be used for direct logins under any circumstances. This assumes that the plugin is installed. For instructions, see Section 6.4.1.8, “No-Login Pluggable Authentication”.
Include the ACCOUNT LOCK option when you create the account. See Section 13.7.1.3, “CREATE USER Statement”. With this method, also include a password so that if the account is unlocked later, it cannot be accessed with no password. (If the validate_password component is enabled, creating an account without a password is not permitted, even if the account is locked. See Section 6.4.3, “The Password Validation Component”.)
Create the account with a password but do not tell anyone else the password. If you do not let anyone know the password for the account, clients cannot use it to connect directly to the MySQL server.
Of these three methods, the first is the most robust, because it does not depend on the account staying locked or on a password staying secret.
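The following query is an added worked check, not part of the MySQL manual. It reads the mysql.proxies_priv and mysql.user grant tables (MySQL 8.0 column names are assumed: Proxied_user, Proxied_host, plugin, authentication_string, account_locked) and reports, for every account that is the target of a PROXY grant, which of the three protections above it actually has. It must be run by an account with SELECT on the mysql schema.

```sql
-- Added check, not from the manual. Assumes MySQL 8.0 grant-table columns:
--   mysql.proxies_priv (Host, User, Proxied_host, Proxied_user, With_grant)
--   mysql.user (Host, User, plugin, authentication_string, account_locked)
SELECT p.Proxied_user,
       p.Proxied_host,
       u.plugin,
       u.account_locked,
       CASE
         WHEN u.plugin = 'mysql_no_login'
           THEN 'protected: no-login plugin'
         WHEN u.account_locked = 'Y' AND u.authentication_string = ''
           THEN 'locked, but no password: set one before it is ever unlocked'
         WHEN u.account_locked = 'Y'
           THEN 'protected: ACCOUNT LOCK'
         WHEN u.authentication_string = ''
           THEN 'RISK: no password, direct login possible'
         ELSE 'weak: relies only on password secrecy'
       END AS direct_login_status
FROM mysql.proxies_priv AS p
JOIN mysql.user AS u
  ON u.User = p.Proxied_user
 AND u.Host = p.Proxied_host
-- skip the ''@'' catch-all target held by root and by delegated administrators
WHERE NOT (p.Proxied_user = '' AND p.Proxied_host = '')
ORDER BY direct_login_status, p.Proxied_host, p.Proxied_user;
```

Any row whose status starts with RISK or weak is a proxied account that a client could log in to directly with the proxied account's own credentials, bypassing the external authentication that the proxy account enforces.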
The PROXY privilege is needed to enable an external user to connect as and have the privileges of another user. To grant this privilege, use the GRANT statement. For example:
GRANT PROXY ON 'proxied_user' TO 'proxy_user';
The statement creates a row in the mysql.proxies_priv grant table.
At connect time, proxy_user must represent a valid externally authenticated MySQL user, and proxied_user must represent a valid locally authenticated user. Otherwise, the connection attempt fails.
The corresponding REVOKE syntax is:
REVOKE PROXY ON 'proxied_user' FROM 'proxy_user';
MySQL GRANT and REVOKE syntax extensions work as usual. Examples:
-- grant PROXY to multiple accounts
GRANT PROXY ON 'a' TO 'b', 'c', 'd';
-- revoke PROXY from multiple accounts
REVOKE PROXY ON 'a' FROM 'b', 'c', 'd';
-- grant PROXY to an account and enable the account to grant
-- PROXY to the proxied account
GRANT PROXY ON 'a' TO 'd' WITH GRANT OPTION;
-- grant PROXY to default proxy account
GRANT PROXY ON 'a' TO ''@'';
The PROXY privilege can be granted in these cases:
By a user that has GRANT PROXY ... WITH GRANT OPTION for proxied_user.
By proxied_user for itself: The value of USER() must exactly match CURRENT_USER() and proxied_user, for both the user name and host name parts of the account name.
The initial root account created during MySQL installation has the PROXY ... WITH GRANT OPTION privilege for ''@'', that is, for all users and all hosts. This enables root to set up proxy users, as well as to delegate to other accounts the authority to set up proxy users. For example, root can do this:
CREATE USER 'admin'@'localhost'
IDENTIFIED BY 'admin_password';
GRANT PROXY
ON ''@''
TO 'admin'@'localhost'
WITH GRANT OPTION;
Those statements create an admin user that can manage all GRANT PROXY mappings. For example, admin can do this:
GRANT PROXY ON sally TO joe;
To specify that some or all users should connect using a given authentication plugin, create a “blank” MySQL account with an empty user name and host name (''@''), associate it with that plugin, and let the plugin return the real authenticated user name (if different from the blank user). Suppose that there exists a plugin named ldap_auth that implements LDAP authentication and maps connecting users onto either a developer or manager account. To set up proxying of users onto these accounts, use the following statements:
-- create default proxy account
CREATE USER ''@'' IDENTIFIED WITH ldap_auth AS 'O=Oracle, OU=MySQL';
-- create proxied accounts; use
-- mysql_no_login plugin to prevent direct login
CREATE USER 'developer'@'localhost' IDENTIFIED WITH mysql_no_login;
CREATE USER 'manager'@'localhost' IDENTIFIED WITH mysql_no_login;
-- grant to default proxy account the
-- PROXY privilege for proxied accounts
GRANT PROXY ON 'manager'@'localhost' TO ''@'';
GRANT PROXY ON 'developer'@'localhost' TO ''@'';
Now assume that a client connects as follows:
shell> mysql --user=myuser --password ...
Enter password: myuser_password
The server does not find myuser defined as a MySQL user, but because there is a blank user account (''@'') that matches the client user name and host name, the server authenticates the client against that account. The server invokes the ldap_auth authentication plugin and passes myuser and myuser_password to it as the user name and password.
If the ldap_auth plugin finds in the LDAP directory that myuser_password is not the correct password for myuser, authentication fails and the server rejects the connection.
If the password is correct and ldap_auth finds that myuser is a developer, it returns the user name developer to the MySQL server, rather than myuser. Returning a user name different from the client user name of myuser signals to the server that it should treat myuser as a proxy. The server verifies that ''@'' can authenticate as developer (because ''@'' has the PROXY privilege to do so) and accepts the connection. The session proceeds with myuser having the privileges of the developer proxied user. (These privileges should be set up by the DBA using GRANT statements, not shown.) The USER() and CURRENT_USER() functions return these values:
mysql> SELECT USER(), CURRENT_USER();
+------------------+---------------------+
| USER()           | CURRENT_USER()      |
+------------------+---------------------+
| myuser@localhost | developer@localhost |
+------------------+---------------------+
If the plugin instead finds in the LDAP directory that myuser is a manager, it returns manager as the user name and the session proceeds with myuser having the privileges of the manager proxied user.
mysql> SELECT USER(), CURRENT_USER();
+------------------+-------------------+
| USER()           | CURRENT_USER()    |
+------------------+-------------------+
| myuser@localhost | manager@localhost |
+------------------+-------------------+
For simplicity, external authentication cannot be multilevel: Neither the credentials for developer nor those for manager are taken into account in the preceding example. However, they are still used if a client tries to connect and authenticate directly as the developer or manager account, which is why those proxied accounts should be protected against direct login (see Preventing Direct Login to Proxied Accounts).
If you intend to create a default proxy user, check for other existing “match any user” accounts that take precedence over the default proxy user because they can prevent that user from working as intended.
In the preceding discussion, the default proxy user account has '' in the host part, which matches any host. If you set up a default proxy user, take care to also check whether nonproxy accounts exist with the same user part and '%' in the host part, because '%' also matches any host, but has precedence over '' by the rules that the server uses to sort account rows internally (see Section 6.2.6, “Access Control, Stage 1: Connection Verification”).
Suppose that a MySQL installation includes these two accounts:
-- create default proxy account
CREATE USER ''@'' IDENTIFIED WITH some_plugin AS 'some_auth_string';
-- create anonymous account
CREATE USER ''@'%' IDENTIFIED BY 'anon_user_password';
The first account (''@'') is intended as the default proxy user, used to authenticate connections for users who do not otherwise match a more-specific account. The second account (''@'%') is an anonymous-user account, which might have been created, for example, to enable users without their own account to connect anonymously.
Both accounts have the same user part (''), which matches any user. And each account has a host part that matches any host. Nevertheless, there is a priority in account matching for connection attempts because the matching rules sort a host of '%' ahead of ''. For connections that do not match any more-specific account, the server attempts to authenticate them against ''@'%' (the anonymous user) rather than ''@'' (the default proxy user). As a result, the default proxy account is never used.
To avoid this problem, use one of the following strategies:
Remove the anonymous account so that it does not conflict with the default proxy user.
Use a more-specific default proxy user that matches ahead of the anonymous user. For example, to permit only localhost proxy connections, use ''@'localhost':
CREATE USER ''@'localhost'
IDENTIFIED WITH some_plugin
AS 'some_auth_string';
In addition, modify any GRANT PROXY statements to name ''@'localhost' rather than ''@'' as the proxy user.
Be aware that this strategy prevents anonymous-user connections from localhost.
Use a named default account rather than an anonymous default account. For an example of this technique, consult the instructions for using the authentication_windows plugin. See Section 6.4.1.6, “Windows Pluggable Authentication”.
Create multiple proxy users, one for local connections and one for “everything else” (remote connections). This can be useful particularly when local users should have different privileges from remote users.
Create the proxy users:
-- create proxy user for local connections
CREATE USER ''@'localhost' IDENTIFIED WITH some_plugin AS 'some_auth_string';
-- create proxy user for remote connections
CREATE USER ''@'%' IDENTIFIED WITH some_plugin AS 'some_auth_string';
Create the proxied users:
-- create proxied user for local connections
CREATE USER 'developer'@'localhost' IDENTIFIED WITH mysql_no_login;
-- create proxied user for remote connections
CREATE USER 'developer'@'%' IDENTIFIED WITH mysql_no_login;
Grant to each proxy account the PROXY privilege for the corresponding proxied account:
GRANT PROXY ON 'developer'@'localhost' TO ''@'localhost';
GRANT PROXY ON 'developer'@'%' TO ''@'%';
Finally, grant appropriate privileges to the local and remote proxied users (not shown).
Assume that the some_plugin/'some_auth_string' combination causes some_plugin to map the client user name to developer. Local connections match the ''@'localhost' proxy user, which maps to the 'developer'@'localhost' proxied user. Remote connections match the ''@'%' proxy user, which maps to the 'developer'@'%' proxied user.
Some authentication plugins implement proxy user mapping for themselves (for example, the PAM and Windows authentication plugins). Other authentication plugins do not support proxy users by default. Of these, some can request that the MySQL server itself map proxy users according to granted proxy privileges: mysql_native_password, sha256_password. If the check_proxy_users system variable is enabled, the server performs proxy user mapping for any authentication plugins that make such a request:
By default, check_proxy_users is disabled, so the server performs no proxy user mapping even for authentication plugins that request server support for proxy users.
If check_proxy_users is enabled, it may also be necessary to enable a plugin-specific system variable to take advantage of server proxy user mapping support:
For the mysql_native_password plugin, enable mysql_native_password_proxy_users.
For the sha256_password plugin, enable sha256_password_proxy_users.
For example, to enable all the preceding capabilities, start the server with these lines in the my.cnf file:
[mysqld]
check_proxy_users=ON
mysql_native_password_proxy_users=ON
sha256_password_proxy_users=ON
Assuming that the relevant system variables have been enabled, create the proxy user as usual using CREATE USER, then grant it the PROXY privilege for a single other account to be treated as the proxied user. When the server receives a successful connection request for the proxy user, it finds that the user has the PROXY privilege and uses it to determine the proper proxied user.
-- create proxy account
CREATE USER 'proxy_user'@'localhost'
IDENTIFIED WITH mysql_native_password
BY 'password';
-- create proxied account and grant its privileges;
-- use mysql_no_login plugin to prevent direct login
CREATE USER 'proxied_user'@'localhost'
IDENTIFIED WITH mysql_no_login;
-- grant privileges to proxied account
GRANT ...
ON ...
TO 'proxied_user'@'localhost';
-- grant to proxy account the
-- PROXY privilege for proxied account
GRANT PROXY
ON 'proxied_user'@'localhost'
TO 'proxy_user'@'localhost';
To use the proxy account, connect to the server using its name and password:
shell> mysql -u proxy_user -p
Enter password: (enter proxy_user password here)
Authentication succeeds, the server finds that proxy_user has the PROXY privilege for proxied_user, and the session proceeds with proxy_user having the privileges of proxied_user.
Proxy user mapping performed by the server is subject to these restrictions:
The server does not proxy to or from an anonymous user, even if the associated PROXY privilege is granted.
When a single account has been granted proxy privileges for more than one proxied account, server proxy user mapping is nondeterministic. Therefore, granting to a single account proxy privileges for multiple proxied accounts is discouraged.
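The following query is an added check, not part of the MySQL manual, that finds PROXY grants which violate the two restrictions above. It assumes MySQL 8.0 grant tables and considers only proxy accounts that use mysql_native_password or sha256_password, since those are the plugins that depend on server-side mapping. It reports any such account that holds PROXY on more than one proxied account (nondeterministic mapping) or whose grant involves an anonymous user on either side (never honoured by the server).

```sql
-- Added check, not from the manual. Assumes MySQL 8.0 grant tables and
-- check_proxy_users=ON for the listed plugins.
SELECT p.User   AS proxy_user,
       p.Host   AS proxy_host,
       u.plugin,
       COUNT(*) AS proxied_targets,
       GROUP_CONCAT(CONCAT(p.Proxied_user, '@', p.Proxied_host)
                    ORDER BY p.Proxied_user, p.Proxied_host
                    SEPARATOR ', ') AS targets,
       SUM(p.User = '' OR p.Proxied_user = '') AS anonymous_endpoints
FROM mysql.proxies_priv AS p
JOIN mysql.user AS u
  ON u.User = p.User
 AND u.Host = p.Host
WHERE u.plugin IN ('mysql_native_password', 'sha256_password')
  -- the ''@'' catch-all is an administrative grant (root, delegated admins),
  -- not a proxy mapping, so leave it out of the count
  AND NOT (p.Proxied_user = '' AND p.Proxied_host = '')
GROUP BY p.User, p.Host, u.plugin
HAVING proxied_targets > 1        -- mapping is nondeterministic
    OR anonymous_endpoints > 0;   -- server never proxies to or from an anonymous user
```

For each row with proxied_targets greater than 1, revoke all but one of the listed grants (REVOKE PROXY ON ... FROM ...) so the session's effective privileges no longer depend on which row the server happens to pick. Rows with anonymous_endpoints greater than 0 are grants the server will never apply and should be revoked or replaced with a named account.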
Two system variables help trace the proxy login process:
proxy_user: This value is NULL if proxying is not used. Otherwise, it indicates the proxy user account. For example, if a client authenticates through the ''@'' proxy account, this variable is set as follows:
mysql> SELECT @@proxy_user;
+--------------+
| @@proxy_user |
+--------------+
| ''@''        |
+--------------+
external_user: Sometimes the authentication plugin may use an external user to authenticate to the MySQL server. For example, when using Windows native authentication, a plugin that authenticates using the Windows API does not need the login ID passed to it. However, it still uses a Windows user ID to authenticate. The plugin may return this external user ID (or the first 512 UTF-8 bytes of it) to the server using the external_user read-only session variable. If the plugin does not set this variable, its value is NULL.