MySQL enables the creation of accounts that permit client users to connect to the server and access data managed by the server. The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database, such as SELECT, INSERT, UPDATE, and DELETE. Additional functionality includes the ability to grant privileges for administrative operations.
To control which users can connect, each account can be assigned authentication credentials such as a password. The user interface to MySQL accounts consists of SQL statements such as CREATE USER, GRANT, and REVOKE. See Section 13.7.1, “Account Management Statements”.
The MySQL privilege system ensures that all users may perform only the operations permitted to them. As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the user name you specify. When you issue requests after connecting, the system grants privileges according to your identity and what you want to do.
MySQL considers both your host name and user name in identifying you because there is no reason to assume that a given user name belongs to the same person on all hosts. For example, the user joe who connects from office.example.com need not be the same person as the user joe who connects from home.example.com. MySQL handles this by enabling you to distinguish users on different hosts that happen to have the same name: you can grant one set of privileges for connections by joe from office.example.com, and a different set of privileges for connections by joe from home.example.com. To see what privileges a given account has, use the SHOW GRANTS statement. For example:
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';
Internally, the server stores privilege information in the grant tables of the mysql system database. The MySQL server reads the contents of these tables into memory when it starts and bases access-control decisions on the in-memory copies of the grant tables.
MySQL access control involves two stages when you run a client program that connects to the server:
Stage 1: The server accepts or rejects the connection based on your identity and whether you can verify your identity by supplying the correct password.
Stage 2: Assuming that you can connect, the server checks each statement you issue to determine whether you have sufficient privileges to perform it. For example, if you try to select rows from a table in a database or drop a table from the database, the server verifies that you have the SELECT privilege for the table or the DROP privilege for the database.
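The following is an added worked example, not part of the MySQL manual, that puts the account-management statements, the per-host identity distinction, and the two-stage check together. It assumes a database named sales with a table orders, the two host names used above, and placeholder passwords; all of these are illustrative choices, not anything the manual prescribes.

```sql
-- Added example: two accounts share the user name joe but are distinct
-- identities because they connect from different hosts. Database name,
-- table name, host names and passwords are assumptions for illustration.

CREATE DATABASE IF NOT EXISTS sales;
CREATE TABLE IF NOT EXISTS sales.orders (
    id     INT PRIMARY KEY,
    amount DECIMAL(10,2) NOT NULL
);

-- Stage 1 (connection verification) relies on the credential stored for
-- the matching 'user'@'host' row. Each account gets its own password.
CREATE USER 'joe'@'office.example.com' IDENTIFIED BY 'office-placeholder';
CREATE USER 'joe'@'home.example.com'   IDENTIFIED BY 'home-placeholder';

-- Stage 2 (request verification) is decided by the privileges attached to
-- that same identity. Office joe may read and change orders; home joe may
-- only read them. Nothing here grants CREATE or DROP at any level.
GRANT SELECT, INSERT, UPDATE, DELETE ON sales.orders TO 'joe'@'office.example.com';
GRANT SELECT                         ON sales.orders TO 'joe'@'home.example.com';

-- Inspect each identity separately: same user name, different grant sets.
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';

-- Statements a client that passed stage 1 as joe from home.example.com
-- would then submit; the server checks each one against that identity:
--   SELECT id, amount FROM sales.orders;    -- permitted: SELECT on the table
--   DELETE FROM sales.orders WHERE id = 1;  -- refused: no DELETE on the table
--   DROP TABLE sales.orders;                -- refused: no DROP on the database

-- Tightening later with REVOKE narrows only the named identity; the
-- home.example.com account is unaffected.
REVOKE UPDATE, DELETE ON sales.orders FROM 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'office.example.com';

-- Where the server keeps this: the account rows live in mysql.user and the
-- table-level grants in mysql.tables_priv, the grant tables the server
-- loads into memory at startup and consults for every access-control check.
SELECT User, Host FROM mysql.user WHERE User = 'joe';
SELECT User, Host, Db, Table_name, Table_priv FROM mysql.tables_priv WHERE User = 'joe';

-- Cleanup for a throwaway test server.
DROP USER 'joe'@'office.example.com', 'joe'@'home.example.com';
DROP DATABASE sales;
```

Run the block as an administrative account that holds CREATE USER and GRANT OPTION. The two refused statements in the comment fail at stage 2 with error 1142 (ER_TABLEACCESS_DENIED_ERROR), which names the command, the 'user'@'host' identity and the table, so the message itself tells you which identity the server matched. GRANT and REVOKE update the in-memory grant tables themselves; only direct INSERT or UPDATE against mysql.* rows needs a FLUSH PRIVILEGES before the server sees the change.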
For a more detailed description of what happens during each stage, see Section 6.2.6, “Access Control, Stage 1: Connection Verification”, and Section 6.2.7, “Access Control, Stage 2: Request Verification”. For help in diagnosing privilege-related problems, see Section 6.2.21, “Troubleshooting Problems Connecting to MySQL”.
If your privileges are changed (either by yourself or someone else) while you are connected, those changes do not necessarily take effect immediately for the next statement that you issue. For details about the conditions under which the server reloads the grant tables, see Section 6.2.13, “When Privilege Changes Take Effect”.
There are some things that you cannot do with the MySQL privilege system:
You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection; access is only ever granted, never subtracted by a deny rule.
You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself. The CREATE and DROP privileges granted at the database level cover both the tables and the database.
A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.