To manage MySQL accounts, use the SQL statements intended for that purpose:要管理MySQL帐户,请使用用于此目的的SQL语句:
CREATE USER and DROP USER create and remove accounts.CREATE USER和DROP USER创建和删除帐户。
GRANT and REVOKE assign privileges to and revoke privileges from accounts.GRANT和REVOKE为帐户分配权限和撤销权限。
SHOW GRANTS displays account privilege assignments.SHOW GRANTS显示帐户权限分配。
Account-management statements cause the server to make appropriate modifications to the underlying grant tables, which are discussed in Section 6.2.3, “Grant Tables”.帐户管理语句使服务器对底层授权表进行适当的修改,这在第6.2.3节,“授权表”中进行了讨论。
Direct modification of grant tables using statements such as 不建议使用INSERT, UPDATE, or DELETE is discouraged and done at your own risk. INSERT、UPDATE或DELETE等语句直接修改授权表,风险由您自行承担。The server is free to ignore rows that become malformed as a result of such modifications.服务器可以自由忽略因此类修改而格式错误的行。
For any operation that modifies a grant table, the server checks whether the table has the expected structure and produces an error if not. To update the tables to the expected structure, perform the MySQL upgrade procedure. See Section 2.11, “Upgrading MySQL”.对于修改授权表的任何操作,服务器都会检查该表是否具有预期的结构,如果没有,则会产生错误。要将表更新为预期的结构,请执行MySQL升级过程。请参阅第2.11节,“升级MySQL”。
Another option for creating accounts is to use the GUI tool MySQL Workbench. Also, several third-party programs offer capabilities for MySQL account administration. 创建帐户的另一种选择是使用GUI工具MySQL Workbench。此外,一些第三方程序提供MySQL帐户管理功能。phpMyAdmin is one such program.phpMyAdmin就是这样一个程序。
This section discusses the following topics:本节讨论以下主题:
For additional information about the statements discussed here, see Section 13.7.1, “Account Management Statements”.有关此处讨论的报表的更多信息,请参阅第13.7.1节,“账户管理报表”。
The following examples show how to use the mysql client program to set up new accounts. 以下示例显示了如何使用mysql客户端程序设置新帐户。These examples assume that the MySQL 这些示例假设MySQLroot account has the CREATE USER privilege and all privileges that it grants to other accounts.root帐户具有CREATE USER权限以及它授予其他帐户的所有权限。
At the command line, connect to the server as the MySQL 在命令行中,以MySQL root user, supplying the appropriate password at the password prompt:root用户身份连接到服务器,在密码提示下提供相应的密码:
shell>mysql -u root -pEnter password:(enter root password here)
After connecting to the server, you can add new accounts. 连接到服务器后,您可以添加新帐户。The following example uses 以下示例使用CREATE USER and GRANT statements to set up four accounts (where you see ', substitute an appropriate password):password'CREATE USER和GRANT语句设置四个帐户(在您看到'password'的地方,请替换为适当的密码):
CREATE USER 'finley'@'localhost' IDENTIFIED BY 'password'; GRANT ALL ON *.* TO 'finley'@'localhost' WITH GRANT OPTION; CREATE USER 'finley'@'%.example.com' IDENTIFIED BY 'password'; GRANT ALL ON *.* TO 'finley'@'%.example.com' WITH GRANT OPTION; CREATE USER 'admin'@'localhost' IDENTIFIED BY 'password'; GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost'; CREATE USER 'dummy'@'localhost';
The accounts created by those statements have the following properties:这些报表创建的帐户具有以下属性:
Two accounts have a user name of 两个帐户的用户名为finley. Both are superuser accounts with full global privileges to do anything. finley。两者都是超级用户帐户,具有完全的全局权限来做任何事情。The 'finley'@'localhost' account can be used only when connecting from the local host. The 'finley'@'%.example.com' account uses the '%' wildcard in the host part, so it can be used to connect from any host in the example.com domain.'finley'@'localhost'帐户只能在从本地主机连接时使用。'finley'@'%.example.com'帐户在主机部分使用了'%'通配符,因此它可以用于从example.com域中的任何主机进行连接。
The 如果本地主机有匿名用户帐户,则'finley'@'localhost' account is necessary if there is an anonymous-user account for localhost. 'finley'@'localhost'帐户是必需的。Without the 如果没有'finley'@'localhost' account, that anonymous-user account takes precedence when finley connects from the local host and finley is treated as an anonymous user. 'finley'@'localhost'帐户,当finley从本地主机连接并且finley被视为匿名用户时,该匿名用户帐户优先。The reason for this is that the anonymous-user account has a more specific 原因是匿名用户帐户的Host column value than the 'finley'@'%' account and thus comes earlier in the user table sort order. Host列值比'finley'@'%'帐户更具体,因此在user表排序顺序中排在前面。(For information about (有关user table sorting, see Section 6.2.6, “Access Control, Stage 1: Connection Verification”.)user表排序的信息,请参阅第6.2.6节,“访问控制,第1阶段:连接验证”。)
The 'admin'@'localhost' account can be used only by admin to connect from the local host. 'admin'@'localhost'帐户只能由管理员用于从本地主机连接。It is granted the global 它被授予全局RELOAD and PROCESS administrative privileges. RELOAD和PROCESS管理权限。These privileges enable the 这些权限使admin user to execute the mysqladmin reload, mysqladmin refresh, and mysqladmin flush-xxx commands, as well as mysqladmin processlist . admin用户能够执行mysqladmin reload、mysqladmin refresh和mysqladmin flush-xxx命令,以及mysqladmin processlist。No privileges are granted for accessing any databases. You could add such privileges using 没有权限访问任何数据库。您可以使用GRANT statements.GRANT语句添加此类特权。
The 'dummy'@'localhost' account has no password (which is insecure and not recommended). This account can be used only to connect from the local host. 'dummy'@'localhost'帐户没有密码(这是不安全的,不建议使用)。此帐户只能用于从本地主机连接。No privileges are granted. It is assumed that you grant specific privileges to the account using 不授予任何特权。假设您使用GRANT statements.GRANT语句向帐户授予特定权限。
The previous example grants privileges at the global level. The next example creates three accounts and grants them access at lower levels; that is, to specific databases or objects within databases. 前面的示例在全局级别授予特权。下一个示例创建了三个帐户,并授予它们较低级别的访问权限;即特定数据库或数据库内的对象。Each account has a user name of 每个帐户都有一个自定义用户名,但主机名部分不同:custom, but the host name parts differ:
CREATE USER 'custom'@'localhost' IDENTIFIED BY 'password'; GRANT ALL ON bankaccount.* TO 'custom'@'localhost'; CREATE USER 'custom'@'host47.example.com' IDENTIFIED BY 'password'; GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON expenses.* TO 'custom'@'host47.example.com'; CREATE USER 'custom'@'%.example.com' IDENTIFIED BY 'password'; GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON customer.addresses TO 'custom'@'%.example.com';
The three accounts can be used as follows:这三个账户可以按如下方式使用:
The 'custom'@'localhost' account has all database-level privileges to access the bankaccount database. 'custom'@'localhost'帐户具有访问bankaccount数据库的所有数据库级权限。The account can be used to connect to the server only from the local host.该帐户只能用于从本地主机连接到服务器。
The 'custom'@'host47.example.com' account has specific database-level privileges to access the expenses database. 'custom'@'host47.example.com'帐户具有访问expenses数据库的特定数据库级别权限。The account can be used to connect to the server only from the host 该帐户只能用于从主机host47.example.com.host47.example.com连接到服务器。
The 'custom'@'%.example.com' account has specific table-level privileges to access the addresses table in the customer database, from any host in the example.com domain. 'custom'@'%.example.com'帐户具有特定的表级权限,可以从example.com域中的任何主机访问customer数据库中的addresses表。The account can be used to connect to the server from all machines in the domain due to use of the 由于在帐户名的主机部分使用了% wildcard character in the host part of the account name.%通配符,该帐户可用于从域中的所有计算机连接到服务器。
To see the privileges for an account, use 要查看帐户的权限,请使用SHOW GRANTS:SHOW GRANTS:
mysql> SHOW GRANTS FOR 'admin'@'localhost';
+-----------------------------------------------------+
| Grants for admin@localhost |
+-----------------------------------------------------+
| GRANT RELOAD, PROCESS ON *.* TO 'admin'@'localhost' |
+-----------------------------------------------------+
To see nonprivilege properties for an account, use 要查看帐户的非特权属性,请使用SHOW CREATE USER:SHOW CREATE USER:
mysql>SET print_identified_with_as_hex = ON;mysql>SHOW CREATE USER 'admin'@'localhost'\G*************************** 1. row *************************** CREATE USER for admin@localhost: CREATE USER 'admin'@'localhost' IDENTIFIED WITH 'caching_sha2_password' AS 0x24412430303524301D0E17054E2241362B1419313C3E44326F294133734B30792F436E77764270373039612E32445250786D43594F45354532324B6169794F47457852796E32 REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT
Enabling the 启用print_identified_with_as_hex system variable (available as of MySQL 8.0.17) causes SHOW CREATE USER to display hash values that contain unprintable characters as hexadecimal strings rather than as regular string literals.print_identified_with_as_hex系统变量(自MySQL 8.0.17起可用)会导致SHOW CREATE USER将包含不可打印字符的哈希值显示为十六进制字符串,而不是常规字符串文字。
To revoke account privileges, use the 要撤销帐户权限,请使用REVOKE statement. Privileges can be revoked at different levels, just as they can be granted at different levels.REVOKE语句。特权可以在不同的级别撤销,就像它们可以在不同级别授予一样。
Revoke global privileges:撤销全局权限:
REVOKE ALL ON *.* FROM 'finley'@'%.example.com'; REVOKE RELOAD ON *.* FROM 'admin'@'localhost';
Revoke database-level privileges:撤销数据库级别权限:
REVOKE CREATE,DROP ON expenses.* FROM 'custom'@'host47.example.com';
Revoke table-level privileges:撤销表级权限:
REVOKE INSERT,UPDATE,DELETE ON customer.addresses FROM 'custom'@'%.example.com';
To check the effect of privilege revocation, use 要检查特权撤销的效果,请使用SHOW GRANTS:SHOW GRANTS:
mysql> SHOW GRANTS FOR 'admin'@'localhost';
+---------------------------------------------+
| Grants for admin@localhost |
+---------------------------------------------+
| GRANT PROCESS ON *.* TO 'admin'@'localhost' |
+---------------------------------------------+To remove an account, use the 要删除帐户,请使用DROP USER statement. For example, to drop some of the accounts created previously:DROP USER语句。例如,要删除以前创建的一些帐户:
DROP USER 'finley'@'localhost'; DROP USER 'finley'@'%.example.com'; DROP USER 'admin'@'localhost'; DROP USER 'dummy'@'localhost';