The mysql system database includes several grant tables that contain information about user accounts and the privileges held by them. mysql系统数据库包括几个授权表,其中包含有关用户帐户及其所拥有的权限的信息。This section describes those tables. 本节介绍这些表。For information about other tables in the system database, see Section 5.3, “The mysql System Schema”.有关系统数据库中其他表的信息,请参阅第5.3节“mysql系统模式”。
The discussion here describes the underlying structure of the grant tables and how the server uses their contents when interacting with clients. 这里的讨论描述了授权表的底层结构,以及服务器在与客户机交互时如何使用它们的内容。However, normally you do not modify the grant tables directly. 但是,通常不直接修改授权表。Modifications occur indirectly when you use account-management statements such as 当您使用诸如CREATE USER, GRANT, and REVOKE to set up accounts and control the privileges available to each one. CREATE USER、GRANT和REVOKE之类的帐户管理语句来设置帐户并控制每个帐户可用的权限时,会间接进行修改。See Section 13.7.1, “Account Management Statements”. 请参阅第13.7.1节“账户管理报表”。When you use such statements to perform account manipulations, the server modifies the grant tables on your behalf.当您使用此类语句执行帐户操作时,服务器将代表您修改grant表。
Direct modification of grant tables using statements such as 不鼓励使用INSERT, UPDATE, or DELETE is discouraged and done at your own risk. INSERT、UPDATE或DELETE等语句直接修改授权表,并自行承担风险。The server is free to ignore rows that become malformed as a result of such modifications.服务器可以随意忽略由于这些修改而导致格式错误的行。
For any operation that modifies a grant table, the server checks whether the table has the expected structure and produces an error if not. 对于任何修改授权表的操作,服务器都会检查该表是否具有预期的结构,如果没有,则会产生错误。To update the tables to the expected structure, perform the MySQL upgrade procedure. 要将表更新为预期的结构,请执行MySQL升级过程。See Section 2.11, “Upgrading MySQL”.请参阅第2.11节“升级MySQL”。
These 这些mysql database tables contain grant information:mysql数据库表包含授权信息:
user: User accounts, static global privileges, and other nonprivilege columns.:用户帐户、静态全局权限和其他非权限列。
global_grants: Dynamic global privileges.:动态全局权限。
db: Database-level privileges.:数据库级权限。
tables_priv: Table-level privileges.:表级权限。
columns_priv: Column-level privileges.:列级权限。
procs_priv: Stored procedure and function privileges.:存储过程和函数特权。
proxies_priv: Proxy-user privileges.:代理用户权限。
default_roles: Default user roles.:默认用户角色。
role_edges: Edges for role subgraphs.:角色子图的边。
password_history: Password change history.:密码更改历史记录。
For information about the differences between static and dynamic global privileges, see Static Versus Dynamic Privileges.)有关静态和动态全局权限之间差异的信息,请参阅静态权限和动态权限的对比。)
In MySQL 8.0, grant tables use the 在MySQL 8.0中,授权表使用InnoDB storage engine and are transactional. Before MySQL 8.0, grant tables used the MyISAM storage engine and were nontransactional. InnoDB存储引擎,并且是事务性的。在MySQL 8.0之前,授权表使用MyISAM存储引擎,并且是非事务性的。This change of grant table storage engine enables an accompanying change to the behavior of account-management statements such as 授权表存储引擎的这种更改允许对帐户管理语句(如CREATE USER or GRANT. CREATE USER或GRANT)的行为进行相应的更改。Previously, an account-management statement that named multiple users could succeed for some users and fail for others. Now, each statement is transactional and either succeeds for all named users or rolls back and has no effect if any error occurs.以前,命名多个用户的帐户管理语句可能会对某些用户成功,而对其他用户失败。现在,每条语句都是事务性的,要么对所有命名用户成功,要么回滚,如果发生任何错误,则无效。
Each grant table contains scope columns and privilege columns:每个授权表都包含作用域列和权限列:
Scope columns determine the scope of each row in the tables; that is, the context in which the row applies. 使用域列确定表中每一行的作用域;即行应用的上下文。For example, a 例如,具有user table row with Host and User values of 'h1.example.net' and 'bob' applies to authenticating connections made to the server from the host h1.example.net by a client that specifies a user name of bob. Host和user值'h1.example.net'和'bob'的user表行适用于对指定用户名bob的客户端从主机h1.example.net到服务器的连接进行身份验证。Similarly, a 同样,当db table row with Host, User, and Db column values of 'h1.example.net', 'bob' and 'reports' applies when bob connects from the host h1.example.net to access the reports database. bob从主机h1.example.net连接以访问reports数据库时,将应用具有Host、User和db列值“h1.example.net”、“bob”和“reports”的db表行。The tables_priv and columns_priv tables contain scope columns indicating tables or table/column combinations to which each row applies. tables_priv和columns_priv表包含作用域列,指示每行应用的表或表/列组合。The procs_priv scope columns indicate the stored routine to which each row applies.procs_priv作用域列指示每行应用的存储例程。
Privilege columns indicate which privileges a table row grants; that is, which operations it permits to be performed. 特权列指示表行授予哪些特权;也就是说,它允许执行哪些操作。The server combines the information in the various grant tables to form a complete description of a user's privileges. 服务器将各种授权表中的信息结合起来,形成用户权限的完整描述。Section 6.2.7, “Access Control, Stage 2: Request Verification”, describes the rules for this.第6.2.7节“访问控制,第2阶段:请求验证”描述了这方面的规则。
In addition, a grant table may contain columns used for purposes other than scope or privilege assessment.此外,授权表可能包含用于作用域或权限评估以外目的的列。
The server uses the grant tables in the following manner:服务器按以下方式使用授权表:
The user table scope columns determine whether to reject or permit incoming connections. user表作用域列决定是拒绝还是允许传入连接。For permitted connections, any privileges granted in the 对于允许的连接,user table indicate the user's static global privileges. user表中授予的任何权限都表示用户的静态全局权限。Any privileges granted in this table apply to all databases on the server.此表中授予的任何特权都适用于服务器上的所有数据库。
Because any static global privilege is considered a privilege for all databases, any static global privilege enables a user to see all database names with 因为任何静态全局特权都被认为是所有数据库的特权,所以任何静态全局权限都允许用户使用SHOW DATABASES or by examining the SCHEMATA table of INFORMATION_SCHEMA, except databases that have been restricted at the database level by partial revokes.SHOW DATABASES或通过检查INFORMATION_SCHEMA的SCHEMATA表来查看所有数据库名称,但在数据库级别被部分撤销限制的数据库除外。
The global_grants table lists current assignments of dynamic global privileges to user accounts. global_grants表列出了对用户帐户的动态全局权限的当前分配。For each row, the scope columns determine which user has the privilege named in the privilege column.对于每一行,作用域列确定哪个用户具有特权列中指定的特权。
The db table scope columns determine which users can access which databases from which hosts. db表作用域列确定哪些用户可以从哪些主机访问哪些数据库。The privilege columns determine the permitted operations. A privilege granted at the database level applies to the database and to all objects in the database, such as tables and stored programs.权限列决定了允许的操作。在数据库级别授予的特权适用于数据库和数据库中的所有对象,如表和存储的程序。
The tables_priv and columns_priv tables are similar to the db table, but are more fine-grained: They apply at the table and column levels rather than at the database level. tables_priv和columns_priv表类似于db表,但更细粒度:它们适用于表和列级别,而不是数据库级别。A privilege granted at the table level applies to the table and to all its columns. 在表级别授予的特权应用于表及其所有列。A privilege granted at the column level applies only to a specific column.在列级别授予的特权仅适用于特定列。
The procs_priv table applies to stored routines (stored procedures and functions). procs_priv表适用于存储例程(存储过程和函数)。A privilege granted at the routine level applies only to a single procedure or function.在例程级别授予的特权仅适用于单个过程或函数。
The proxies_priv table indicates which users can act as proxies for other users and whether a user can grant the PROXY privilege to other users.proxies_priv表指示哪些用户可以充当其他用户的代理,以及用户是否可以向其他用户授予PROXY权限。
The default_roles and role_edges tables contain information about role relationships.default_roles和role_edges表包含有关角色关系的信息。
The password_history table retains previously chosen passwords to enable restrictions on password reuse. See Section 6.2.15, “Password Management”.password_history表保留以前选择的密码,以限制密码的重复使用。请参阅第6.2.15节,“密码管理”。
The server reads the contents of the grant tables into memory when it starts. 服务器在启动时将授权表的内容读入内存。You can tell it to reload the tables by issuing a 您可以通过发出FLUSH PRIVILEGES statement or executing a mysqladmin flush-privileges or mysqladmin reload command. FLUSH PRIVILEGES语句或执行mysqladmin flush-privileges或mysqladmin reload命令来告诉它重新加载表。Changes to the grant tables take effect as indicated in Section 6.2.13, “When Privilege Changes Take Effect”.对授权表的更改将按照第6.2.13节,“特权更改生效时”的指示生效。
When you modify an account, it is a good idea to verify that your changes have the intended effect. 修改帐户时,最好验证您的更改是否具有预期效果。To check the privileges for a given account, use the 要检查给定帐户的权限,请使用SHOW GRANTS statement. SHOW GRANTS语句。For example, to determine the privileges that are granted to an account with user name and host name values of 例如,要确定授予用户名和主机名值为bob and pc84.example.com, use this statement:bob和pc84.example.com的帐户的权限,请使用以下语句:
SHOW GRANTS FOR 'bob'@'pc84.example.com';
To display nonprivilege properties of an account, use 要显示帐户的非特权属性,请使用SHOW CREATE USER:SHOW CREATE USER:
SHOW CREATE USER 'bob'@'pc84.example.com';
The server uses the 服务器在访问控制的第一和第二阶段都使用mysql数据库中的user and db tables in the mysql database at both the first and second stages of access control (see Section 6.2, “Access Control and Account Management”). The columns in the user and db tables are shown here.user和db表(参阅第6.2节,“访问控制和帐户管理”)。user表和db表中的列显示在这里。
Table 6.4 user and db Table Columnsuser和db表列
user | db | |
|---|---|---|
Host | Host |
|
User | Db |
|
User |
||
Select_priv | Select_priv |
|
Insert_priv | Insert_priv |
|
Update_priv | Update_priv |
|
Delete_priv | Delete_priv |
|
Index_priv | Index_priv |
|
Alter_priv | Alter_priv |
|
Create_priv | Create_priv |
|
Drop_priv | Drop_priv |
|
Grant_priv | Grant_priv |
|
Create_view_priv | Create_view_priv |
|
Show_view_priv | Show_view_priv |
|
Create_routine_priv | Create_routine_priv |
|
Alter_routine_priv | Alter_routine_priv |
|
Execute_priv | Execute_priv |
|
Trigger_priv | Trigger_priv |
|
Event_priv | Event_priv |
|
Create_tmp_table_priv | Create_tmp_table_priv |
|
Lock_tables_priv | Lock_tables_priv |
|
References_priv | References_priv |
|
Reload_priv | ||
Shutdown_priv | ||
Process_priv | ||
File_priv | ||
Show_db_priv | ||
Super_priv | ||
Repl_slave_priv | ||
Repl_client_priv | ||
Create_user_priv | ||
Create_tablespace_priv | ||
Create_role_priv | ||
Drop_role_priv | ||
ssl_type | ||
ssl_cipher | ||
x509_issuer | ||
x509_subject | ||
plugin | ||
authentication_string | ||
password_expired | ||
password_last_changed | ||
password_lifetime | ||
account_locked | ||
Password_reuse_history | ||
Password_reuse_time | ||
Password_require_current | ||
User_attributes | ||
max_questions | ||
max_updates | ||
max_connections | ||
max_user_connections |
The user table plugin and authentication_string columns store authentication plugin and credential information.user表插件和authentication_string列存储身份验证插件和凭据信息。
The server uses the plugin named in the 服务器使用帐户行的plugin column of an account row to authenticate connection attempts for the account.plugin列中命名的插件来验证帐户的连接尝试。
The plugin column must be nonempty. plugin列必须非空。At startup, and at runtime when 在启动时和运行时执行FLUSH PRIVILEGES is executed, the server checks user table rows. For any row with an empty plugin column, the server writes a warning to the error log of this form:FLUSH PRIVILES时,服务器会检查user表行。对于任何plugin列为空的行,服务器都会向此表单的错误日志中写入警告:
[Warning] User entry 'user_name'@'host_name' has an empty plugin value. The user will be ignored and no one can login with this user anymore.
To assign a plugin to an account that is missing one, use the 要将插件分配给缺少插件的帐户,请使用ALTER USER statement.ALTER USER语句。
The password_expired column permits DBAs to expire account passwords and require users to reset their password. password_expired列允许DBA使帐户密码过期,并要求用户重置密码。The default 默认的password_expired value is 'N', but can be set to 'Y' with the ALTER USER statement. password_expired值为'N',但可以使用ALTER USER语句将其设置为'Y'。After an account's password has been expired, all operations performed by the account in subsequent connections to the server result in an error until the user issues an 帐户密码过期后,帐户在后续连接到服务器时执行的所有操作都会导致错误,直到用户发出ALTER USER statement to establish a new account password.ALTER USER语句以建立新的帐户密码。
Although it is possible to “reset” an expired password by setting it to its current value, it is preferable, as a matter of good policy, to choose a different password. 虽然可以通过将过期的密码设置为当前值来“重置”它,但作为一项良好的政策,最好选择其他密码。DBAs can enforce non-reuse by establishing an appropriate password-reuse policy. DBA可以通过建立适当的密码重用策略来强制不重用。See Password Reuse Policy.请参阅密码重用策略。
password_last_changed is a TIMESTAMP column indicating when the password was last changed. password_last_changed是一个TIMESTAMP列,指示密码上次更改的时间。The value is non-仅对于使用MySQL内置身份验证插件(NULL only for accounts that use a MySQL built-in authentication plugin (mysql_native_password, sha256_password, or caching_sha2_password). mysql_native_password、sha256_password或caching_sha2_password)的帐户,该值才为非NULL。The value is 对于其他帐户,该值为NULL for other accounts, such as those authenticated using an external authentication system.NULL,例如使用外部身份验证系统进行身份验证的帐户。
password_last_changed is updated by the CREATE USER, ALTER USER, and SET PASSWORD statements, and by GRANT statements that create an account or change an account password.password_last_changed由CREATE USER、ALTER USER和SET password语句以及创建帐户或更改帐户密码的GRANT语句更新。
password_lifetime indicates the account password lifetime, in days. password_lifetime表示帐户密码的有效期,以天为单位。If the password is past its lifetime (assessed using the 如果密码已过其生命周期(使用password_last_changed column), the server considers the password expired when clients connect using the account. password_last_changed列评估),则服务器在客户端使用该帐户连接时认为密码已过期。A value of 大于零的N greater than zero means that the password must be changed every N days. N值表示密码必须每N天更改一次。A value of 0 disables automatic password expiration. 值为0时禁用自动密码过期。If the value is 如果该值为NULL (the default), the global expiration policy applies, as defined by the default_password_lifetime system variable.NULL(默认值),则应用全局过期策略,如default_password_lifetime系统变量所定义。
account_locked indicates whether the account is locked (see Section 6.2.19, “Account Locking”).account_locked表示帐户是否被锁定(参阅第6.2.19节,“帐户锁定”)。
Password_reuse_history is the value of the PASSWORD HISTORY option for the account, or NULL for the default history.Password_reuse_history是帐户的PASSWORD HISTORY选项的值,默认历史为NULL。
Password_reuse_time is the value of the PASSWORD REUSE INTERVAL option for the account, or NULL for the default interval.Password_reuse_time是帐户的PASSWORD REUSE INTERVAL选项的值,默认间隔为NULL。
Password_require_current (added in MySQL 8.0.13) corresponds to the value of the PASSWORD REQUIRE option for the account, as shown by the following table.Password_require_current(在MySQL 8.0.13中添加)对应于帐户的PASSWORD REQUIRE选项的值,如下表所示。
Table 6.5 Permitted Password_require_current Values允许的密码_要求_当前值
| Password_require_current Value | Corresponding PASSWORD REQUIRE Option |
|---|---|
'Y' | PASSWORD REQUIRE CURRENT |
'N' | PASSWORD REQUIRE CURRENT OPTIONAL |
NULL | PASSWORD REQUIRE CURRENT DEFAULT |
User_attributes (added in MySQL 8.0.14) is a JSON-format column that stores account attributes not stored in other columns:User_attributes(在MySQL 8.0.14中添加)是一个JSON格式的列,用于存储未存储在其他列中的帐户属性:
additional_password: The secondary password, if any. See Dual Password Support.:辅助密码(如果有的话)。请参阅双密码支持。
Restrictions: Restriction lists, if any. Restrictions are added by partial-revoke operations. :限制列表(如有)。通过部分撤销操作添加限制。The attribute value is an array of elements that each have 属性值是一个元素数组,每个元素都有Database and Restrictions keys indicating the name of a restricted database and the applicable restrictions on it (see Section 6.2.12, “Privilege Restriction Using Partial Revokes”).Database键和Restrictions键,指示受限制数据库的名称及其适用的限制(参阅第6.2.12节,“使用部分撤销的特权限制”)。
Password_locking: The conditions for failed-login tracking and temporary account locking, if any (see Failed-Login Tracking and Temporary Account Locking). :登录跟踪和临时帐户锁定失败的条件(如果有的话)(请参阅登录跟踪和暂时帐户锁定失败)。The Password_locking attribute is updated according to the FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME options of the CREATE USER and ALTER USER statements. Password_locking属性根据CREATE USER和ALTER USER语句的FAILED_LOGIN_ATTEMPTS和PASSWORD_LOCK_TIME选项进行更新。The attribute value is a hash with 属性值是一个哈希值,其中包含failed_login_attempts and password_lock_time_days keys indicating the value of such options as have been specified for the account. failed_login_attempts和password_lock_time_days键,表示为帐户指定的此类选项的值。If a key is missing, its value is implicitly 0. If a key value is implicitly or explicitly 0, the corresponding capability is disabled. This attribute was added in MySQL 8.0.19.如果缺少键,则其值隐式为0。如果键值隐式或显式为0,则相应的功能将被禁用。此属性是在MySQL 8.0.19中添加的。
If no attributes apply, 如果没有适用的属性,则User_attributes is NULL.User_attributes为NULL。
Example: An account that has a secondary password and partially revoked database privileges has 示例:具有辅助密码和部分撤销的数据库权限的帐户在列值中具有additional_password and Restrictions attributes in the column value:additional_password和Restrictions属性:
mysql>SELECT User_attributes FROM mysql.User WHERE User = 'u'\G*************************** 1. row *************************** User_attributes: {"Restrictions": [{"Database": "mysql", "Privileges": ["SELECT"]}], "additional_password": "hashed_credentials"}
To determine which attributes are present, use the 要确定存在哪些属性,请使用JSON_KEYS() function:JSON_KEYS()函数:
SELECT User, Host, JSON_KEYS(User_attributes) FROM mysql.user WHERE User_attributes IS NOT NULL;
To extract a particular attribute, such as 要提取特定属性(如Restrictions, do this:Restrictions),请执行以下操作:
SELECT User, Host, User_attributes->>'$.Restrictions' FROM mysql.user WHERE User_attributes->>'$.Restrictions' <> '';
During the second stage of access control, the server performs request verification to ensure that each client has sufficient privileges for each request that it issues. 在访问控制的第二阶段,服务器执行请求验证,以确保每个客户端对它发出的每个请求都有足够的权限。In addition to the 除了user and db grant tables, the server may also consult the tables_priv and columns_priv tables for requests that involve tables. user和db授权表外,服务器还可以查询tables_priv和columns_priv表,以获取涉及表的请求。The latter tables provide finer privilege control at the table and column levels. They have the columns shown in the following table.后一种表在表和列级别提供了更精细的权限控制。它们的列如下表所示。
Table 6.6 tables_priv and columns_priv Table ColumnsTable_priv和columns_priv表列
tables_priv | columns_priv | |
|---|---|---|
Host | Host |
|
Db | Db |
|
User | User |
|
Table_name | Table_name |
|
Column_name |
||
Table_priv | Column_priv |
|
Column_priv | ||
Timestamp | Timestamp |
|
Grantor |
The Timestamp and Grantor columns are set to the current timestamp and the CURRENT_USER value, respectively, but are otherwise unused.Timestamp和Grantor列分别设置为当前时间戳和CURRENT_USER值,但在其他方面未使用。
For verification of requests that involve stored routines, the server may consult the 对于涉及存储例程的请求的验证,服务器可以查阅procs_priv table, which has the columns shown in the following table.procs_priv表,该表具有下表所示的列。
Table 6.7 procs_priv Table Columnsprocs_priv表列
procs_priv | |
|---|---|
| Scope columns | Host |
Db |
|
User |
|
Routine_name |
|
Routine_type |
|
Proc_priv |
|
Timestamp |
|
Grantor |
The Routine_type column is an ENUM column with values of 'FUNCTION' or 'PROCEDURE' to indicate the type of routine the row refers to. Routine_type列是一个ENUM列,其值为'FUNCTION'或'PROCEDURE',用于指示该行引用的例程类型。This column enables privileges to be granted separately for a function and a procedure with the same name.此列允许为同名函数和过程分别授予权限。
The Timestamp and Grantor columns are unused.Timestamp和Grantor(委托人)列未使用。
The proxies_priv table records information about proxy accounts. It has these columns:proxies_priv表记录有关代理帐户的信息。它有以下列:
Host, User: The proxy account; that is, the account that has the PROXY privilege for the proxied account.Host、User:代理帐户;即具有被代理帐户的PROXY权限的帐户。
Proxied_host, Proxied_user: The proxied account.Proxied_host、Proxied_user:被代理的帐户。
Grantor, Timestamp: Unused.Grantor,Timestamp:未使用。
With_grant: Whether the proxy account can grant the PROXY privilege to other accounts.With_grant:代理帐户是否可以将PROXY权限授予其他帐户。
For an account to be able to grant the 为了使一个帐户能够将代理权限授予其他帐户,它必须在PROXY privilege to other accounts, it must have a row in the proxies_priv table with With_grant set to 1 and Proxied_host and Proxied_user set to indicate the account or accounts for which the privilege can be granted. proxies_priv表中有一行,将with_grant设置为1,并将Proxied_host和Proxied_user设置为指示可以授予权限的帐户。For example, the 例如,在MySQL安装过程中创建的'root'@'localhost' account created during MySQL installation has a row in the proxies_priv table that enables granting the PROXY privilege for ''@'', that is, for all users and all hosts. 'root'@'localhost'帐户在proxies_priv表中有一行,可以为''@''授予PROXY权限,即为所有用户和所有主机授予代理权限。This enables 这使root to set up proxy users, as well as to delegate to other accounts the authority to set up proxy users. See Section 6.2.18, “Proxy Users”.root用户能够设置代理用户,并将设置代理用户的权限委托给其他帐户。请参阅第6.2.18节,“代理用户”。
The global_grants table lists current assignments of dynamic global privileges to user accounts. The table has these columns:global_grants表列出了用户帐户的动态全局权限的当前分配。该表有以下列:
USER, HOST: The user name and host name of the account to which the privilege is granted.USER、HOST:被授予特权的帐户的用户名和主机名。
PRIV: The privilege name.PRIV:特权名称。
WITH_GRANT_OPTION: Whether the account can grant the privilege to other accounts.WITH_GRANT_OPTION:该帐户是否可以将权限授予其他帐户。
The default_roles table lists default user roles. It has these columns:default_roles表列出了默认用户角色。它有以下列:
HOST, USER: The account or role to which the default role applies.HOST、USER:默认角色所应用的帐户或角色。
DEFAULT_ROLE_HOST, DEFAULT_ROLE_USER: The default role.DEFAULT_ROLE_HOST、DEFAULT_ROLE_USER:默认角色。
The role_edges table lists edges for role subgraphs. It has these columns:role_edges表列出了角色子图的边。它有以下列:
FROM_HOST, FROM_USER: The account that is granted a role.FROM_HOST、FROM_USER:被授予角色的帐户。
TO_HOST, TO_USER: The role that is granted to the account.TO_HOST、TO_USER:授予帐户的角色。
WITH_ADMIN_OPTION: Whether the account can grant the role to and revoke it from other accounts by using WITH ADMIN OPTION.WITH_ADMIN_OPTION:帐户是否可以使用WITH ADMIN OPTION将角色授予其他帐户或从其他帐户撤销角色。
The password_history table contains information about password changes. It has these columns:password_history表包含有关密码更改的信息。它有以下列:
Host, User: The account for which the password change occurred.:发生密码更改的帐户。
Password_timestamp: The time when the password change occurred.:密码更改发生的时间。
Password: The new password hash value.:新密码哈希值。
The password_history table accumulates a sufficient number of nonempty passwords per account to enable MySQL to perform checks against both the account password history length and reuse interval. Automatic pruning of entries that are outside both limits occurs when password-change attempts occur.password_history表为每个帐户累积了足够数量的非空密码,使MySQL能够根据帐户密码历史长度和重用间隔进行检查。当密码更改尝试发生时,会自动修剪超出这两个限制的条目。
The empty password does not count in the password history and is subject to reuse at any time.空密码不计入密码历史记录,可随时重复使用。
If an account is renamed, its entries are renamed to match. If an account is dropped or its authentication plugin is changed, its entries are removed.如果帐户被重命名,则其条目将被重命名以匹配。如果帐户被删除或其身份验证插件被更改,则其条目将被删除。
Scope columns in the grant tables contain strings. The default value for each is the empty string. The following table shows the number of characters permitted in each column.授权表中的作用域列包含字符串。每个列的默认值是空字符串。下表显示了每列中允许的字符数。
Table 6.8 Grant Table Scope Column Lengths授权表作用域列长度
Host, Proxied_host | 255 (60 prior to MySQL 8.0.17) |
User, Proxied_user | 32 |
Db | 64 |
Table_name | 64 |
Column_name | 64 |
Routine_name | 64 |
Host and Proxied_host values are converted to lowercase before being stored in the grant tables.Host和Proxied_host值在存储到授权表中之前会转换为小写。
For access-checking purposes, comparisons of 出于访问检查的目的,User, Proxied_user, authentication_string, Db, and Table_name values are case-sensitive. User、Proxied_User、authentication_string、Db和Table_name值的比较区分大小写。Comparisons of Host, Proxied_host, Column_name, and Routine_name values are not case-sensitive.Host、Proxied_Host、Column_name和Routing_name值的比较不区分大小写。
The user and db tables list each privilege in a separate column that is declared as ENUM('N','Y') DEFAULT 'N'. user表和db表在单独的列中列出了每个特权,该列声明为ENUM('N','Y') DEFAULT 'N'。In other words, each privilege can be disabled or enabled, with the default being disabled.换句话说,每个特权都可以被禁用或启用,默认设置为禁用。
The tables_priv, columns_priv, and procs_priv tables declare the privilege columns as SET columns. tables_priv、columns_priv和procs_priv表将特权列声明为SET列。Values in these columns can contain any combination of the privileges controlled by the table. Only those privileges listed in the column value are enabled.这些列中的值可以包含表控制的权限的任何组合。仅启用列值中列出的特权。
Table 6.9 Set-Type Privilege Column Values设置类型特权列值
tables_priv | Table_priv | 'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop',
'Grant', 'References', 'Index', 'Alter', 'Create View',
'Show view', 'Trigger' |
|---|---|---|
tables_priv | Column_priv | 'Select', 'Insert', 'Update', 'References' |
columns_priv | Column_priv | 'Select', 'Insert', 'Update', 'References' |
procs_priv | Proc_priv | 'Execute', 'Alter Routine', 'Grant' |
Only the 只有user and global_grants tables specify administrative privileges, such as RELOAD, SHUTDOWN, and SYSTEM_VARIABLES_ADMIN. user和global_grants表指定了管理权限,如RELOAD、SHUTDOWN和SYSTEM_VARIABLES_ADMIN。Administrative operations are operations on the server itself and are not database-specific, so there is no reason to list these privileges in the other grant tables. 管理操作是服务器本身的操作,不是特定于数据库的,因此没有理由在其他授权表中列出这些权限。Consequently, the server need consult only the 因此,服务器只需要查询user and global_grants tables to determine whether a user can perform an administrative operation.user表和global_grants表来确定用户是否可以执行管理操作。
The FILE privilege also is specified only in the user table. FILE权限也仅在user表中指定。It is not an administrative privilege as such, but a user's ability to read or write files on the server host is independent of the database being accessed.这本身不是一种管理权限,但用户在服务器主机上读取或写入文件的能力与所访问的数据库无关。
As of MySQL 8.0.22, to permit concurrent DML and DDL operations on MySQL grant tables, read operations that previously acquired row locks on MySQL grant tables are executed as non-locking reads. Operations that are performed as non-locking reads on MySQL grant tables include:从MySQL 8.0.22开始,为了允许对MySQL授权表进行并发DML和DDL操作,以前在MySQL授权表上获取行锁的读取操作将作为非锁定读取执行。在MySQL授权表上作为非锁定读取执行的操作包括:
SELECT statements and other read-only statements that read data from grant tables through join lists and subqueries, including SELECT ... FOR SHARE statements, using any transaction isolation level.SELECT语句和其他只读语句,通过联接列表和子查询(包括SELECT ... FOR SHARE语句)从授权表读取数据,使用任何事务隔离级别。
DML operations that read data from grant tables (through join lists or subqueries) but do not modify them, using any transaction isolation level.DML操作,使用任何事务隔离级别从授权表读取数据(通过联接列表或子查询),但不修改它们。
Statements that no longer acquire row locks when reading data from grant tables report a warning if executed while using statement-based replication.从授权表读取数据时不再获取行锁的语句在使用基于语句的复制时执行时会报告警告。
When using -当使用binlog_format=mixed, DML operations that read data from grant tables are written to the binary log as row events to make the operations safe for mixed-mode replication.binlog_format=mixed时,从授权表读取数据的DML操作将作为行事件写入二进制日志,以确保混合模式复制的操作安全。
SELECT ... FOR SHARE statements that read data from grant tables report a warning. With the FOR SHARE clause, read locks are not supported on grant tables.SELECT ... FOR SHARE语句报告警告。使用FOR SHARE子句,授权表不支持读取锁。
DML operations that read data from grant tables and are executed using the 从授权表读取数据并使用SERIALIZABLE隔离级别执行的DML操作会报告警告。授权表不支持使用SERIALIZABLE isolation level report a warning. Read locks that would normally be acquired when using the SERIALIZABLE isolation level are not supported on grant tables.SERIALIZABLE隔离级别时通常会获取的读取锁。