The mysql_no_login server-side authentication plugin prevents all client connections to any account that uses it. Use cases for this plugin include:
Accounts that must be able to execute stored programs and views with elevated privileges without exposing those privileges to ordinary users.
Proxied accounts that should never permit direct login but are intended to be accessed only through proxy accounts.
The following table shows the plugin and library file names. The file name suffix might differ on your system. The file must be located in the directory named by the plugin_dir system variable.
Table 6.20 Plugin and Library Names for No-Login Authentication
| Plugin or File | Plugin or File Name |
| --- | --- |
| Server-side plugin | mysql_no_login |
| Client-side plugin | None |
| Library file | mysql_no_login.so |
The following sections provide installation and usage information specific to no-login pluggable authentication:
For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”. For proxy user information, see Section 6.2.18, “Proxy Users”.
This section describes how to install the no-login authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.
To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.
The plugin library file base name is mysql_no_login. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).
To load the plugin at server startup, use the --plugin-load-add option to name the library file that contains it. With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the server my.cnf file, adjusting the .so suffix for your platform as necessary:
[mysqld]
plugin-load-add=mysql_no_login.so
After modifying my.cnf, restart the server to cause the new settings to take effect.
Alternatively, to load the plugin at runtime, use this statement, adjusting the .so suffix for your platform as necessary:
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup without the need for --plugin-load-add.
To verify plugin installation, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
       FROM INFORMATION_SCHEMA.PLUGINS
       WHERE PLUGIN_NAME LIKE '%login%';
+----------------+---------------+
| PLUGIN_NAME    | PLUGIN_STATUS |
+----------------+---------------+
| mysql_no_login | ACTIVE        |
+----------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.
To associate MySQL accounts with the no-login plugin, see Using No-Login Pluggable Authentication.
The method used to uninstall the no-login authentication plugin depends on how you installed it:
If you installed the plugin at server startup using a --plugin-load-add option, restart the server without the option.
If you installed the plugin at runtime using an INSTALL PLUGIN statement, it remains installed across server restarts. To uninstall it, use UNINSTALL PLUGIN:
UNINSTALL PLUGIN mysql_no_login;
This section describes how to use the no-login authentication plugin to prevent accounts from being used for connecting from MySQL client programs to the server. It is assumed that the server is running with the no-login plugin enabled, as described in Installing No-Login Pluggable Authentication.
To refer to the no-login authentication plugin in the IDENTIFIED WITH clause of a CREATE USER statement, use the name mysql_no_login.
An account that authenticates using mysql_no_login may be used as the DEFINER for stored program and view objects. If such an object definition also includes SQL SECURITY DEFINER, it executes with that account's privileges. DBAs can use this behavior to provide access to confidential or sensitive data that is exposed only through well-controlled interfaces.
The following example illustrates these principles. It defines an account that does not permit client connections, and associates with it a view that exposes only certain columns of the mysql.user system table:
CREATE DATABASE nologindb;
CREATE USER 'nologin'@'localhost' IDENTIFIED WITH mysql_no_login;
GRANT ALL ON nologindb.* TO 'nologin'@'localhost';
GRANT SELECT ON mysql.user TO 'nologin'@'localhost';
CREATE DEFINER = 'nologin'@'localhost' SQL SECURITY DEFINER
  VIEW nologindb.myview AS SELECT User, Host FROM mysql.user;
To provide protected access to the view to an ordinary user, do this:
GRANT SELECT ON nologindb.myview TO 'ordinaryuser'@'localhost';
Now the ordinary user can use the view to access the limited information it presents:
SELECT * FROM nologindb.myview;
Attempts by the user to access columns other than those exposed by the view result in an error, as do attempts to select from the view by users not granted access to it.
Because the nologin account cannot be used directly, the operations required to set up objects that it uses must be performed by root or a similar account that has the privileges required to create the objects and set DEFINER values.
The mysql_no_login plugin is also useful in proxying scenarios. (For a discussion of concepts involved in proxying, see Section 6.2.18, “Proxy Users”.) An account that authenticates using mysql_no_login may be used as a proxied user for proxy accounts:
-- create proxied account
CREATE USER 'proxied_user'@'localhost' IDENTIFIED WITH mysql_no_login;
-- grant privileges to proxied account
GRANT ... ON ... TO 'proxied_user'@'localhost';
-- permit proxy_user to be a proxy account for proxied account
GRANT PROXY ON 'proxied_user'@'localhost' TO 'proxy_user'@'localhost';
This enables clients to access MySQL through the proxy account (proxy_user) but not to bypass the proxy mechanism by connecting directly as the proxied user (proxied_user). A client who connects using the proxy_user account has the privileges of the proxied_user account, but proxied_user itself cannot be used to connect.
For alternative methods of protecting proxied accounts against direct use, see Preventing Direct Login to Proxied Accounts.
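The audit queries below are an added example, not part of the MySQL manual; they assume MySQL 5.7 or later and the nologin and proxied_user accounts from the two examples above. They let a DBA list every account that authenticates with mysql_no_login, together with the SQL SECURITY DEFINER views and stored programs and the proxy grants through which each such account's privileges are actually exposed, which is the set of interfaces that needs review.

```sql
-- Added audit queries (not from the MySQL manual). Run as root or a similar
-- account with SELECT on the mysql system schema.

-- 1. Accounts that can never be used for a direct client connection.
SELECT User, Host
FROM mysql.user
WHERE plugin = 'mysql_no_login';

-- 2. Views and stored programs that execute with a no-login account's
--    privileges (SQL SECURITY DEFINER). INFORMATION_SCHEMA stores DEFINER
--    as 'user@host', so the account list is built in that form.
SELECT 'VIEW' AS object_type,
       TABLE_SCHEMA AS object_schema,
       TABLE_NAME   AS object_name,
       DEFINER
FROM INFORMATION_SCHEMA.VIEWS
WHERE SECURITY_TYPE = 'DEFINER'
  AND DEFINER IN (SELECT CONCAT(User, '@', Host)
                  FROM mysql.user WHERE plugin = 'mysql_no_login')
UNION ALL
SELECT ROUTINE_TYPE, ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER
FROM INFORMATION_SCHEMA.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER'
  AND DEFINER IN (SELECT CONCAT(User, '@', Host)
                  FROM mysql.user WHERE plugin = 'mysql_no_login');

-- 3. Proxy accounts permitted to act as a no-login proxied user, i.e. the
--    only way the proxied account's privileges can reach a client.
SELECT Proxied_user, Proxied_host,
       User AS proxy_user, Host AS proxy_host,
       With_grant
FROM mysql.proxies_priv
WHERE (Proxied_user, Proxied_host) IN
      (SELECT User, Host FROM mysql.user WHERE plugin = 'mysql_no_login');
```

A no-login account that appears in query 1 but in neither query 2 nor query 3 exposes its privileges through nothing at all, so it is either unfinished setup or a candidate for removal.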