ALTER USER [IF EXISTS]user[auth_option] [,user[auth_option]] ... [REQUIRE {NONE |tls_option[[AND]tls_option] ...}] [WITHresource_option[resource_option] ...] [password_option|lock_option] ... [COMMENT 'comment_string' | ATTRIBUTE 'json_object'] ALTER USER [IF EXISTS] USER()user_func_auth_optionALTER USER [IF EXISTS]userDEFAULT ROLE {NONE | ALL |role[,role] ...}user: (see Section 6.2.4, “Specifying Account Names”)auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED BY RANDOM PASSWORD [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITHauth_plugin| IDENTIFIED WITHauth_pluginBY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITHauth_pluginBY RANDOM PASSWORD [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | IDENTIFIED WITHauth_pluginAS 'auth_string' | DISCARD OLD PASSWORD }user_func_auth_option: { IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD] | DISCARD OLD PASSWORD }tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' }resource_option: { MAX_QUERIES_PER_HOURcount| MAX_UPDATES_PER_HOURcount| MAX_CONNECTIONS_PER_HOURcount| MAX_USER_CONNECTIONScount}password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVALNDAY] | PASSWORD HISTORY {DEFAULT |N} | PASSWORD REUSE INTERVAL {DEFAULT |NDAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL] | FAILED_LOGIN_ATTEMPTSN| PASSWORD_LOCK_TIME {N| UNBOUNDED} }lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK }
The ALTER USER statement modifies MySQL accounts. ALTER USER语句修改MySQL帐户。It enables authentication, role, SSL/TLS, resource-limit, and password-management properties to be modified for existing accounts. 它允许修改现有帐户的身份验证、角色、SSL/TLS、资源限制和密码管理属性。It can also be used to lock and unlock accounts.它还可用于锁定和解锁帐户。
In most cases, 在大多数情况下,ALTER USER requires the global CREATE USER privilege, or the UPDATE privilege for the mysql system schema. ALTER USER需要全局CREATE USER权限,或者mysql系统模式的UPDATE权限。The exceptions are:
Any client who connects to the server using a nonanonymous account can change the password for that account. 任何使用非匿名帐户连接到服务器的客户端都可以更改该帐户的密码。(In particular, you can change your own password.) (尤其是,您可以更改自己的密码。)To see which account the server authenticated you as, invoke the 要查看服务器将您验证为哪个帐户,请调用CURRENT_USER() functionCURRENT_USER()函数:
SELECT CURRENT_USER();
For 对于默认角色语法,DEFAULT ROLE syntax, ALTER USER requires these privileges:ALTER USER需要以下权限:
Setting the default roles for another user requires the global 为其他用户设置默认角色需要全局CREATE USER privilege, or the UPDATE privilege for the mysql.default_roles system table.CREATE USER权限,或mysql.default_roles系统表的UPDATE权限。
Setting the default roles for yourself requires no special privileges, as long as the roles you want as the default have been granted to you.为自己设置默认角色不需要特殊权限,只要您想要作为默认角色的角色已被授予。
Statements that modify secondary passwords require these privileges:修改辅助密码的语句需要以下权限:
The 对于适用于您自己帐户的APPLICATION_PASSWORD_ADMIN privilege is required to use the RETAIN CURRENT PASSWORD or DISCARD OLD PASSWORD clause for ALTER USER statements that apply to your own account. ALTER USER语句,使用RETAIN CURRENT PASSWORD或DISCARD OLD PASSWORD子句时,需要具有APPLICATION_PASSWORD_ADMIN权限。The privilege is required to manipulate your own secondary password because most users require only one password.由于大多数用户只需要一个密码,因此需要该权限来操作自己的辅助密码。
If an account is to be permitted to manipulate secondary passwords for all accounts, it requires the 如果允许一个帐户操作所有帐户的辅助密码,它需要CREATE USER privilege rather than APPLICATION_PASSWORD_ADMIN.CREATE USER权限,而不是APPLICATION_PASSWORD_ADMIN权限。
When the 启用read_only system variable is enabled, ALTER USER additionally requires the CONNECTION_ADMIN privilege (or the deprecated SUPER privilege).read_only系统变量时,ALTER USER还需要CONNECTION_ADMIN权限(或不推荐使用的SUPER权限)。
By default, an error occurs if you try to modify a user that does not exist. 默认情况下,如果试图修改不存在的用户,则会发生错误。If the 如果给出了IF EXISTS clause is given, the statement produces a warning for each named user that does not exist, rather than an error.IF EXISTS子句,该语句将为每个不存在的命名用户生成警告,而不是错误。
Under some circumstances, 在某些情况下,ALTER USER may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. ALTER USER可能会记录在服务器日志中,或者在客户端记录在历史文件中,例如~/.mysql_history,这意味着任何有权读取该信息的人都可以读取明文密码。For information about the conditions under which this occurs for the server logs and how to control it, see Section 6.1.2.3, “Passwords and Logging”. 有关服务器日志发生这种情况的条件以及如何控制它的信息,请参阅第6.1.2.3节,“密码和日志”。For similar information about client-side logging, see Section 4.5.1.3, “mysql Client Logging”.有关客户端日志记录的类似信息,请参阅第4.5.1.3节,“mysql客户端日志记录”。
There are several aspects to the ALTER USER statement, described under the following topics:ALTER USER语句包括以下几个方面:
For each affected account, 对于每个受影响的帐户,ALTER USER modifies the corresponding row in the mysql.user system table to reflect the properties specified in the statement. ALTER USER会修改mysql.user系统表中相应的行,以反映语句中指定的属性。Unspecified properties retain their current values.未指定的属性将保留其当前值。
Each account name uses the format described in Section 6.2.4, “Specifying Account Names”. 每个账户名称使用第6.2.4节,“指定账户名称”中描述的格式。The host name part of the account name, if omitted, defaults to 帐户名的主机名部分(如果省略)默认为'%'. '%'。It is also possible to specify 还可以指定CURRENT_USER or CURRENT_USER() to refer to the account associated with the current session.CURRENT_USER或CURRENT_USER()来引用与当前会话关联的帐户。
For one syntax only, the account may be specified with the 仅对于一种语法,可以使用USER() function:USER()函数指定帐户:
ALTER USER USER() IDENTIFIED BY 'auth_string';
This syntax enables changing your own password without naming your account literally. 此语法允许更改您自己的密码,而无需按字面命名您的帐户。(The syntax also supports the (该语法还支持ALTER USER身份验证选项中描述的REPLACE, RETAIN CURRENT PASSWORD, and DISCARD OLD PASSWORD clauses described at ALTER USER Authentication Options.)REPLACE、RETAIN CURRENT PASSWORD和DISCARD OLD PASSWORD子句。)
MySQL 8.0.21 and later supports user comments and user attributes, as described in Section 13.7.1.3, “CREATE USER Statement”. MySQL 8.0.21及更高版本支持用户评论和用户属性,如第13.7.1.3节,“创建用户语句”所述。These can be modified employing 可以使用ALTER USER by means of the COMMENT and ATTRIBUTE options, respectively. ALTER USER分别通过COMMENT和ATTRIBUTE选项修改这些选项。You cannot specify both options in the same 不能在同一ALTER USER statement; attempting to do so results in a syntax error.ALTER USER语句中同时指定这两个选项;尝试这样做会导致语法错误。
The user comment and user attribute are stored in the 用户注释和用户属性作为JSON对象存储在INFORMATION_SCHEMA.USER_ATTRIBUTES table as a JSON object; the user comment is stored as the value for a comment key in the ATTRIBUTE column of this table, as shown later in this discussion. INFORMATION_SCHEMAUSER_ATTRIBUTES表中;用户注释作为comment键的值存储在此表的属性列中,如本讨论后面所示。The COMMENT text can be any arbtitrary quoted text, and replaces any existing user comment. COMMIT文本可以是任意引用的文本,并替换任何现有的用户评论。The ATTRIBUTE value must be the valid string represntation of a JSON object. ATTRIBUTE值必须是JSON对象的有效字符串表示形式。This is merged with any existing user attribute as if the 这会与任何现有用户属性合并,就好像JSON_MERGE_PATCH() function had been used on the existing user attribute and the new one; for any keys that are re-used, the new value overwrites the old one, as shown here:JSON_MERGE_PATCH()函数已用于现有用户属性和新用户属性一样;对于重复使用的任何键,新值将覆盖旧值,如下所示:
mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+----------------+ | USER | HOST | ATTRIBUTE | +------+-----------+----------------+ | bill | localhost | {"foo": "bar"} | +------+-----------+----------------+ 1 row in set (0.11 sec) mysql>ALTER USER 'bill'@'localhost' ATTRIBUTE '{"baz": "faz", "foo": "moo"}';Query OK, 0 rows affected (0.22 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+------------------------------+ | USER | HOST | ATTRIBUTE | +------+-----------+------------------------------+ | bill | localhost | {"baz": "faz", "foo": "moo"} | +------+-----------+------------------------------+ 1 row in set (0.00 sec)
To remove a key and its value from the user attribute, set the key to JSON 要从用户属性中删除密钥及其值,请将密钥设置为JSON null (must be lowercase and unquoted), like this:null(必须是小写且无引号),如下所示:
mysql>ALTER USER 'bill'@'localhost' ATTRIBUTE '{"foo": null}';Query OK, 0 rows affected (0.08 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+----------------+ | USER | HOST | ATTRIBUTE | +------+-----------+----------------+ | bill | localhost | {"baz": "faz"} | +------+-----------+----------------+ 1 row in set (0.00 sec)
To set an existing user comment to an empty string, use ALTER USER ... COMMENT ''. This leaves an empty comment value in the USER_ATTRIBUTES table; to remove the user comment completely, use ALTER USER ... ATTRIBUTE ... with the value for the column key set to JSON null (unquoted, in lower case). This is illustrated by the following sequence of SQL statements:下面的SQL语句序列说明了这一点:
mysql>ALTER USER 'bill'@'localhost' COMMENT 'Something about Bill';Query OK, 0 rows affected (0.06 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+---------------------------------------------------+ | USER | HOST | ATTRIBUTE | +------+-----------+---------------------------------------------------+ | bill | localhost | {"baz": "faz", "comment": "Something about Bill"} | +------+-----------+---------------------------------------------------+ 1 row in set (0.00 sec) mysql>ALTER USER 'bill'@'localhost' COMMENT '';Query OK, 0 rows affected (0.09 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+-------------------------------+ | USER | HOST | ATTRIBUTE | +------+-----------+-------------------------------+ | bill | localhost | {"baz": "faz", "comment": ""} | +------+-----------+-------------------------------+ 1 row in set (0.00 sec) mysql>ALTER USER 'bill'@'localhost' ATTRIBUTE '{"comment": null}';Query OK, 0 rows affected (0.07 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+----------------+ | USER | HOST | ATTRIBUTE | +------+-----------+----------------+ | bill | localhost | {"baz": "faz"} | +------+-----------+----------------+ 1 row in set (0.00 sec)
For ALTER USER syntax that permits an auth_option value to follow a user value, auth_option indicates how the account authenticates by specifying an account authentication plugin, credentials (for example, a password), or both. Each auth_option value applies only to the account named immediately preceding it.
Following the 根据user specifications, the statement may include options for SSL/TLS, resource-limit, password-management, and locking properties. user规范,该语句可能包括SSL/TLS、资源限制、密码管理和锁定属性的选项。All such options are global to the statement and apply to all accounts named in the statement.所有这些选项都是对账单的全局选项,并适用于对账单中指定的所有账户。
Example: Change an account's password and expire it. 示例:更改帐户密码并使其过期。As a result, the user must connect with the named password and choose a new one at the next connection:因此,用户必须使用指定密码连接,并在下一次连接时选择新密码:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED BY 'new_password' PASSWORD EXPIRE;
Example: Modify an account to use the 示例:修改帐户以使用caching_sha2_password authentication plugin and the given password. caching_sha2_password验证插件和给定密码。Require that a new password be chosen every 180 days, and enable failed-login tracking, such that three consecutive incorrect passwords cause temporary account locking for two days:要求每180天选择一个新密码,并启用失败的登录跟踪,这样连续三个不正确的密码会导致临时帐户锁定两天:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED WITH caching_sha2_password BY 'new_password'
PASSWORD EXPIRE INTERVAL 180 DAY
FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2;
Example: Lock or unlock an account:示例:锁定或解锁帐户:
ALTER USER 'jeffrey'@'localhost' ACCOUNT LOCK; ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK;
Example: Require an account to connect using SSL and establish a limit of 20 connections per hour:示例:要求帐户使用SSL连接,并设定每小时20次连接的限制:
ALTER USER 'jeffrey'@'localhost' REQUIRE SSL WITH MAX_CONNECTIONS_PER_HOUR 20;
Example: Alter multiple accounts, specifying some per-account properties and some global properties:示例:更改多个帐户,指定一些每个帐户属性和一些全局属性:
ALTER USER
'jeffrey'@'localhost'
IDENTIFIED BY 'jeffrey_new_password',
'jeanne'@'localhost',
'josh'@'localhost'
IDENTIFIED BY 'josh_new_password'
REPLACE 'josh_current_password'
RETAIN CURRENT PASSWORD
REQUIRE SSL WITH MAX_USER_CONNECTIONS 2
PASSWORD HISTORY 5;
The IDENTIFIED BY value following jeffrey applies only to its immediately preceding account, so it changes the password to ' only for jeffrey_new_password'jeffrey. For jeanne, there is no per-account value (thus leaving the password unchanged). For josh, IDENTIFIED BY establishes a new password ('), josh_new_password'REPLACE is specified to verify that the user issuing the ALTER USER statement knows the current password ('), and that current password is also retained as the account secondary password. (As a result, josh_current_password'josh can connect with either the primary or secondary password.)
The remaining properties apply globally to all accounts named in the statement, so for both accounts:其余属性全局应用于对账单中指定的所有帐户,因此对于这两个帐户:
Connections are required to use SSL.使用SSL需要连接。
The account can be used for a maximum of two simultaneous connections.该帐户最多可同时用于两个连接。
Password changes cannot reuse any of the five most recent passwords.密码更改不能重复使用最近的五个密码中的任何一个。
Example: Discard the secondary password for 示例:放弃josh, leaving the account with only its primary password:josh的辅助密码,只保留其主密码:
ALTER USER 'josh'@'localhost' DISCARD OLD PASSWORD;
In the absence of a particular type of option, the account remains unchanged in that respect. 在没有特定类型的期权的情况下,账户在这方面保持不变。For example, with no locking option, the locking state of the account is not changed.例如,如果没有锁定选项,则不会更改帐户的锁定状态。
An account name may be followed by an 帐户名后面可以跟一个auth_option authentication option that specifies the account authentication plugin, credentials, or both. auth_option身份验证选项,该选项指定帐户身份验证插件、凭据或两者。It may also include a password-verification clause that specifies the account current password to be replaced, and clauses that manage whether an account has a secondary password.它还可能包括密码验证子句,指定要替换的帐户当前密码,以及管理帐户是否具有辅助密码的子句。
Clauses for random password generation, password verification, and secondary passwords apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. 用于随机密码生成、密码验证和辅助密码的条款仅适用于使用在MySQL内部存储凭据的身份验证插件的帐户。For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. 对于使用插件对MySQL外部的凭据系统执行身份验证的帐户,密码管理也必须针对该系统进行外部处理。For more information about internal credentials storage, see Section 6.2.15, “Password Management”.有关内部凭证存储的更多信息,请参阅第6.2.15节,“密码管理”。
auth_plugin names an authentication plugin. 命名一个身份验证插件。The plugin name can be a quoted string literal or an unquoted name. 插件名称可以是带引号的字符串文字或不带引号的名称。Plugin names are stored in the 插件名称存储在plugin column of the mysql.user system table.mysql.user系统表的plugin列中。
For auth_option syntax that does not specify an authentication plugin, the default plugin is indicated by the value of the default_authentication_plugin system variable. For descriptions of each plugin, see Section 6.4.1, “Authentication Plugins”.
Credentials that are stored internally are stored in the mysql.user system table. An ' value or auth_string'RANDOM PASSWORD specifies account credentials, either as a cleartext (unencrypted) string or hashed in the format expected by the authentication plugin associated with the account, respectively:
For syntax that uses 对于BY ', the string is cleartext and is passed to the authentication plugin for possible hashing. auth_string'BY 'auth_string'使用的语法,字符串是明文,并传递给身份验证插件进行可能的哈希处理。The result returned by the plugin is stored in the 插件返回的结果存储在mysql.user table. mysql.user表中。A plugin may use the value as specified, in which case no hashing occurs.插件可以使用指定的值,在这种情况下不会发生哈希。
For syntax that uses 对于使用BY RANDOM PASSWORD, MySQL generates a random password and as cleartext and passes it to the authentication plugin for possible hashing. BY RANDOM PASSWORD的语法,MySQL生成一个随机密码和一个明文,并将其传递给身份验证插件进行可能的哈希处理。The result returned by the plugin is stored in the 插件返回的结果存储在mysql.user table. mysql.user表中。A plugin may use the value as specified, in which case no hashing occurs.插件可以使用指定的值,在这种情况下不会发生哈希。
Randomly generated passwords are available as of MySQL 8.0.18 and have the characteristics described in Random Password Generation.从MySQL 8.0.18开始,可以使用随机生成的密码,并且具有随机密码生成中描述的特征。
For syntax that uses 对于使用AS ', the string is assumed to be already in the format the authentication plugin requires, and is stored as is in the auth_string'mysql.user table. AS 'auth_string'的语法,假定该字符串已采用身份验证插件所需的格式,并按原样存储在mysql.user表中。If a plugin requires a hashed value, the value must be already hashed in a format appropriate for the plugin; otherwise, the value cannot be used by the plugin and correct authentication of client connections does not occur.如果插件需要散列值,则该值必须已经以适合该插件的格式进行散列;否则,插件将无法使用该值,并且不会对客户端连接进行正确的身份验证。
As of MySQL 8.0.17, a hashed string can be either a string literal or a hexadecimal value. 从MySQL 8.0.17开始,哈希字符串可以是字符串文字或十六进制值。The latter corresponds to the type of value displayed by 后者对应于启用SHOW CREATE USER for password hashes containing unprintable characters when the print_identified_with_as_hex system variable is enabled.print_identified_with_as_hex系统变量时,SHOW CREATE USER为包含不可打印字符的密码哈希显示的值类型。
If an authentication plugin performs no hashing of the authentication string, the BY ' and auth_string'AS ' clauses have the same effect: The authentication string is stored as is in the auth_string'mysql.user system table.
The REPLACE ' clause performs password verification and is available as of MySQL 8.0.13. current_auth_string'REPLACE 'current_auth_string'子句执行密码验证,从MySQL 8.0.13开始提供。If given:如果给出:
REPLACE specifies the account current password to be replaced, as a cleartext (unencrypted) string.以明文(未加密)字符串形式指定要替换的帐户当前密码。
The clause must be given if password changes for the are required to specify the current password, as verification that the user attempting to make the change actually knows the current password.如果需要更改的密码来指定当前密码,则必须给出该子句,以验证试图进行更改的用户是否确实知道当前密码。
The clause is optional if password changes for the account may but need not specify the current password.如果帐户的密码更改可能但不需要指定当前密码,则该子句是可选的。
The statement fails if the clause is given but does not match the current password, even if the clause is optional.如果给定的子句与当前密码不匹配,则语句失败,即使该子句是可选的。
REPLACE can be specified only when changing the account password for the current user.REPLACE。
For more information about password verification by specifying the current password, see Section 6.2.15, “Password Management”.有关通过指定当前密码进行密码验证的更多信息,请参阅第6.2.15节,“密码管理”。
The RETAIN CURRENT PASSWORD and DISCARD OLD PASSWORD clauses implement dual-password capability and are available as of MySQL 8.0.14. RETAIN CURRENT PASSWORD和DISCARD OLD PASSWORD子句实现了双密码功能,从MySQL 8.0.14开始提供。Both are optional, but if given, have the following effects:两者都是可选的,但如果给定,则具有以下效果:
RETAIN CURRENT PASSWORD retains an account current password as its secondary password, replacing any existing secondary password. 保留帐户当前密码作为其辅助密码,替换任何现有辅助密码。The new password becomes the primary password, but clients can use the account to connect to the server using either the primary or secondary password. 新密码将成为主密码,但客户端可以使用该帐户使用主密码或辅助密码连接到服务器。(Exception: If the new password specified by the (例外:如果ALTER USER statement is empty, the secondary password becomes empty as well, even if RETAIN CURRENT PASSWORD is given.)ALTER USER语句指定的新密码为空,则第二个密码也将变为空,即使给定了RETAIN CURRENT PASSWORD。)
If you specify 如果为主密码为空的帐户指定RETAIN CURRENT PASSWORD for an account that has an empty primary password, the statement fails.RETAIN CURRENT PASSWORD,则该语句将失败。
If an account has a secondary password and you change its primary password without specifying 如果一个帐户有一个辅助密码,而您在不指定RETAIN CURRENT PASSWORD, the secondary password remains unchanged.RETAIN CURRENT PASSWORD的情况下更改了其主密码,则辅助密码将保持不变。
If you change the authentication plugin assigned to the account, the secondary password is discarded. If you change the authentication plugin and also specify 如果更改分配给该帐户的身份验证插件,则会丢弃辅助密码。如果更改身份验证插件并指定RETAIN CURRENT PASSWORD, the statement fails.RETAIN CURRENT PASSWORD,则该语句将失败。
DISCARD OLD PASSWORD discards the secondary password, if one exists. DISCARD OLD PASSWORD丢弃辅助密码(如果存在)。The account retains only its primary password, and clients can use the account to connect to the server only with the primary password.该帐户只保留其主密码,客户端只能使用该帐户以主密码连接到服务器。
For more information about use of dual passwords, see Section 6.2.15, “Password Management”.有关使用双重密码的更多信息,请参阅第6.2.15节,“密码管理”。
ALTER USER permits these 允许以下auth_option syntaxes:auth_option语法:
IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]
Sets the account authentication plugin to the default plugin, passes the cleartext 将帐户身份验证插件设置为默认插件,将明文' value to the plugin for possible hashing, and stores the result in the account row in the auth_string'mysql.user system table.'auth_string'值传递给插件进行可能的哈希运算,并将结果存储在mysql.user系统表的帐户行中。
The REPLACE clause, if given, specifies the account current password, as described previously in this section.REPLACE子句(如果给定)指定帐户当前密码,如本节前面所述。
The 如果给定RETAIN CURRENT PASSWORD clause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.RETAIN CURRENT PASSWORD子句,则会将帐户当前密码保留为其辅助密码,如本节前面所述。
IDENTIFIED BY RANDOM PASSWORD [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]
Sets the account authentication plugin to the default plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in the 将帐户身份验证插件设置为默认插件,生成随机密码,将明文密码值传递给插件进行可能的哈希运算,并将结果存储在mysql.user system table. mysql.user系统表的帐户行中。The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. 该语句还将在结果集中返回明文密码,以使执行该语句的用户或应用程序可以使用该密码。For details about the result set and characteristics of randomly generated passwords, see Random Password Generation.有关随机生成密码的结果集和特征的详细信息,请参阅随机密码生成。
The REPLACE clause, if given, specifies the account current password, as described previously in this section.REPLACE子句(如果给定)指定帐户当前密码,如本节前面所述。
The 如果给定RETAIN CURRENT PASSWORD clause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.RETAIN CURRENT PASSWORD子句,则会将帐户当前密码保留为其辅助密码,如本节前面所述。
IDENTIFIED WITH auth_plugin
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin, clears the credentials to the empty string (the credentials are associated with the old authentication plugin, not the new one), and stores the result in the account row in the mysql.user system table.auth_plugin,将凭据清除为空字符串(凭据与旧的身份验证插件关联,而不是新的),并将结果存储在mysql.user系统表的帐户行中。
In addition, the password is marked expired. 此外,密码被标记为过期。The user must choose a new one when next connecting.用户下次连接时必须选择一个新的。
IDENTIFIED WITH auth_plugin BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]
Sets the account authentication plugin to auth_plugin, passes the cleartext ' value to the plugin for possible hashing, and stores the result in the account row in the auth_string'mysql.user system table.
The REPLACE clause, if given, specifies the account current password, as described previously in this section.REPLACE子句(如果给定)指定帐户当前密码,如本节前面所述。
The 如果给定RETAIN CURRENT PASSWORD clause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.RETAIN CURRENT PASSWORD子句,则会将帐户当前密码保留为其辅助密码,如本节前面所述。
IDENTIFIED WITH auth_plugin BY RANDOM PASSWORD [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in the mysql.user system table. auth_plugin,生成随机密码,将明文密码值传递给插件进行可能的哈希运算,并将结果存储在mysql.user系统表的帐户行中。The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. 该语句还将在结果集中返回明文密码,以使执行该语句的用户或应用程序可以使用该密码。For details about the result set and characteristics of randomly generated passwords, see Random Password Generation.有关随机生成密码的结果集和特征的详细信息,请参阅随机密码生成。
The REPLACE clause, if given, specifies the account current password, as described previously in this section.REPLACE子句(如果给定)指定帐户当前密码,如本节前面所述。
The 如果给定RETAIN CURRENT PASSWORD clause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.RETAIN CURRENT PASSWORD子句,则会将帐户当前密码保留为其辅助密码,如本节前面所述。
IDENTIFIED WITH auth_plugin AS 'auth_string'
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin and stores the ' value as is in the auth_string'mysql.user account row. auth_plugin,并将'auth_string'值存储在mysql.user帐户行中。If the plugin requires a hashed string, the string is assumed to be already hashed in the format the plugin requires.如果插件需要散列字符串,则假定该字符串已经按照插件所需的格式进行了散列。
DISCARD OLD PASSWORD
Discards the account secondary password, if there is one, as described previously in this section.如本节前面所述,放弃帐户辅助密码(如果有)。
Example: Specify the password as cleartext; the default plugin is used:示例:将密码指定为明文;使用默认插件:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED BY 'password';
Example: Specify the authentication plugin, along with a cleartext password value:示例:指定身份验证插件以及明文密码值:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED WITH mysql_native_password
BY 'password';
Example: Like the preceding example, but in addition, specify the current password as a cleartext value to satisfy any account requirement that the user making the change knows that password:示例:与前面的示例类似,但除此之外,请将当前密码指定为明文值,以满足进行更改的用户知道该密码的任何帐户要求:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED WITH mysql_native_password
BY 'password'
REPLACE 'current_password';
The preceding statement fails unless the current user is 除非当前用户是jeffrey because REPLACE is permitted only for changes to the current user's password.jeffrey,否则前面的语句将失败,因为只有在更改当前用户的密码时才允许REPLACE。
Example: Establish a new primary password and retain the existing password as the secondary password:示例:建立新的主密码并保留现有密码作为辅助密码:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED BY 'new_password'
RETAIN CURRENT PASSWORD;
Example: Discard the secondary password, leaving the account with only its primary password:示例:放弃辅助密码,只保留帐户的主密码:
ALTER USER 'jeffery'@'localhost' DISCARD OLD PASSWORD;
Example: Specify the authentication plugin, along with a hashed password value:示例:指定身份验证插件以及哈希密码值:
ALTER USER 'jeffrey'@'localhost'
IDENTIFIED WITH mysql_native_password
AS '*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4';
For additional information about setting passwords and authentication plugins, see Section 6.2.14, “Assigning Account Passwords”, and Section 6.2.17, “Pluggable Authentication”.有关设置密码和身份验证插件的更多信息,请参阅第6.2.14节,“分配帐户密码”和第6.2.17节,“可插入身份验证”。
ALTER USER ... DEFAULT ROLE defines which roles become active when the user connects to the server and authenticates, or when the user executes the 定义当用户连接到服务器并进行身份验证时,或当用户在会话期间执行SET ROLE DEFAULT statement during a session.SET ROLE DEFAULT语句时,哪些角色处于活动状态。
ALTER USER ... DEFAULT ROLE is alternative syntax for 是SET DEFAULT ROLE (see Section 13.7.1.9, “SET DEFAULT ROLE Statement”). SET DEFAULT ROLE的替代语法(请参阅第13.7.1.9节,“SET DEFAULT ROLE语句”)。However, 但是,ALTER USER can set the default for only a single user, whereas SET DEFAULT ROLE can set the default for multiple users. ALTER USER只能为单个用户设置默认值,而SET DEFAULT ROLE可以为多个用户设置默认值。On the other hand, you can specify 另一方面,您可以为CURRENT_USER as the user name for the ALTER USER statement, whereas you cannot for SET DEFAULT ROLE.ALTER USER语句指定CURRENT_USER作为用户名,而不能为SET DEFAULT ROLE指定用户名。
Each user account name uses the format described previously.每个用户帐户名都使用前面描述的格式。
Each role name uses the format described in Section 6.2.5, “Specifying Role Names”. For example:每个角色名称使用第6.2.5节,“指定角色名称”中描述的格式。例如:
ALTER USER 'joe'@'10.0.0.1' DEFAULT ROLE administrator, developer;
The host name part of the role name, if omitted, defaults to 角色名的主机名部分(如果省略)默认为'%'.'%'。
The clause following the DEFAULT ROLE keywords permits these values:DEFAULT ROLE关键字后面的子句允许以下值:
NONE: Set the default to :将默认设置为NONE (no roles).NONE(无角色)。
ALL: Set the default to all roles granted to the account.:将默认设置为授予帐户的所有角色。
role [, role ] ...: Set the default to the named roles, which must exist and be granted to the account at the time :将默认设置为命名角色,并且在执行ALTER USER ... DEFAULT ROLE is executed.ALTER USER ... DEFAULT ROLE时这些角色必须存在并授给账户。
MySQL can check X.509 certificate attributes in addition to the usual authentication that is based on the user name and credentials. 除了基于用户名和凭据的常规身份验证之外,MySQL还可以检查X.509证书属性。For background information on the use of SSL/TLS with MySQL, see Section 6.3, “Using Encrypted Connections”.有关在MySQL中使用SSL/TLS的背景信息,请参阅第6.3节,“使用加密连接”。
To specify SSL/TLS-related options for a MySQL account, use a 要为MySQL帐户指定SSL/TLS相关选项,请使用REQUIRE clause that specifies one or more tls_option values.REQUIRE子句指定一个或多个tls_option值。
Order of REQUIRE options does not matter, but no option can be specified twice. REQUIRE选项的顺序无关紧要,但任何选项都不能指定两次。The AND keyword is optional between REQUIRE options.AND关键字在REQUIRE选项之间是可选的。
ALTER USER permits these 允许以下tls_option values:tls_option值:
NONE
Indicates that all accounts named by the statement have no SSL or X.509 requirements. 指示由该对账单命名的所有帐户没有SSL或X.509要求。Unencrypted connections are permitted if the user name and password are valid. Encrypted connections can be used, at the client's option, if the client has the proper certificate and key files.如果用户名和密码有效,则允许未加密的连接。如果客户机拥有正确的证书和密钥文件,则可以根据客户机的选择使用加密连接。
ALTER USER 'jeffrey'@'localhost' REQUIRE NONE;
Clients attempt to establish a secure connection by default. 默认情况下,客户端尝试建立安全连接。For clients that have 对于REQUIRE NONE, the connection attempt falls back to an unencrypted connection if a secure connection cannot be established. REQUIRE NONE的客户端,如果无法建立安全连接,则连接尝试会退回到未加密的连接。To require an encrypted connection, a client need specify only the 要要求加密连接,客户端只需指定--ssl-mode=REQUIRED option; the connection attempt fails if a secure connection cannot be established.--ssl mode=REQUIRED选项;如果无法建立安全连接,连接尝试将失败。
SSL
Tells the server to permit only encrypted connections for all accounts named by the statement.告诉服务器只允许对该语句指定的所有帐户进行加密连接。
ALTER USER 'jeffrey'@'localhost' REQUIRE SSL;
Clients attempt to establish a secure connection by default. 默认情况下,客户端尝试建立安全连接。For accounts that have 对于需要REQUIRE SSL, the connection attempt fails if a secure connection cannot be established.SSL的帐户,如果无法建立安全连接,连接尝试将失败。
X509
For all accounts named by the statement, requires that clients present a valid certificate, but the exact certificate, issuer, and subject do not matter. 对于声明中指定的所有帐户,要求客户提供有效的证书,但确切的证书、颁发者和主题无关紧要。The only requirement is that it should be possible to verify its signature with one of the CA certificates. 唯一的要求是,应该可以使用其中一个CA证书验证其签名。Use of X.509 certificates always implies encryption, so the 使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
ALTER USER 'jeffrey'@'localhost' REQUIRE X509;
For accounts with REQUIRE X509, clients must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.) This is true for ISSUER and SUBJECT as well because those REQUIRE options imply the requirements of X509.
ISSUER 'issuer'
For all accounts named by the statement, requires that clients present a valid X.509 certificate issued by CA 对于声明中指定的所有账户,要求客户提供由CA“发卡机构”颁发的有效X.509证书。'. issuer'If a client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X.509 certificates always implies encryption, so the 如果客户端提供的证书有效,但具有不同的颁发者,则服务器会拒绝连接。使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
ALTER USER 'jeffrey'@'localhost'
REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL/CN=CA/emailAddress=ca@example.com';
Because ISSUER implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)
SUBJECT 'subject'
For all accounts named by the statement, requires that clients present a valid X.509 certificate containing the subject 对于由对账单命名的所有帐户,要求客户提供包含主题的有效X.509证书。subject. If a client presents a certificate that is valid but has a different subject, the server rejects the connection. 如果客户机提供的证书有效但主题不同,则服务器会拒绝连接。Use of X.509 certificates always implies encryption, so the 使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
ALTER USER 'jeffrey'@'localhost'
REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL demo client certificate/
CN=client/emailAddress=client@example.com';
MySQL does a simple string comparison of the MySQL将' value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.subject''subject'值与证书中的值进行简单的字符串比较,因此必须给出与证书中的值完全相同的字母大小写和组件顺序。
Because SUBJECT implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)
CIPHER 'cipher'
For all accounts named by the statement, requires a specific cipher method for encrypting connections. 对于由语句命名的所有帐户,需要使用特定的密码方法来加密连接。This option is needed to ensure that ciphers and key lengths of sufficient strength are used. 需要使用此选项以确保使用足够强度的密码和密钥长度。Encryption can be weak if old algorithms using short encryption keys are used.如果使用使用短加密密钥的旧算法,加密可能会很弱。
ALTER USER 'jeffrey'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause:SUBJECT、ISSURE和CIPHER选项可以组合在REQUIRE子句中:
ALTER USER 'jeffrey'@'localhost'
REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL demo client certificate/
CN=client/emailAddress=client@example.com'
AND ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL/CN=CA/emailAddress=ca@example.com'
AND CIPHER 'EDH-RSA-DES-CBC3-SHA';It is possible to place limits on use of server resources by an account, as discussed in Section 6.2.20, “Setting Account Resource Limits”. 如第6.2.20节,“设置帐户资源限制”所述,可以限制帐户使用服务器资源。To do so, use a 为此,请使用WITH clause that specifies one or more resource_option values.WITH子句指定一个或多个resource_option值。
Order of WITH options does not matter, except that if a given resource limit is specified multiple times, the last instance takes precedence.WITH选项的顺序无关紧要,除非多次指定给定的资源限制,最后一个实例优先。
ALTER USER permits these 允许以下resource_option values:resource_option值:
MAX_QUERIES_PER_HOUR , countMAX_UPDATES_PER_HOUR , countMAX_CONNECTIONS_PER_HOUR count
For all accounts named by the statement, these options restrict how many queries, updates, and connections to the server are permitted to each account during any given one-hour period. 对于由语句命名的所有帐户,这些选项限制在任何给定的一小时内每个帐户允许的查询、更新和到服务器的连接数。If 如果count is 0 (the default), this means that there is no limitation for the account.count为0(默认值),这意味着该帐户没有限制。
MAX_USER_CONNECTIONS count
For all accounts named by the statement, restricts the maximum number of simultaneous connections to the server by each account. 对于由语句命名的所有帐户,限制每个帐户同时连接到服务器的最大数量。A nonzero 非零count specifies the limit for the account explicitly. count明确指定帐户的限制。If 如果count is 0 (the default), the server determines the number of simultaneous connections for the account from the global value of the max_user_connections system variable. count为0(默认值),服务器将根据max_user_connections系统变量的全局值确定帐户的同时连接数。If 如果max_user_connections is also zero, there is no limit for the account.max_user_connections也为零,则该帐户没有限制。
Example:例子:
ALTER USER 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;
ALTER USER supports several 支持用于密码管理的多个password_option values for password management:password_option值:
Password expiration options: You can expire an account password manually and establish its password expiration policy. Policy options do not expire the password. 密码过期选项:您可以手动使帐户密码过期,并建立其密码过期策略。策略选项不会使密码过期。Instead, they determine how the server applies automatic expiration to the account based on password age, which is assessed from the date and time of the most recent account password change.相反,它们决定服务器如何根据密码期限对帐户应用自动过期,密码期限从最近一次帐户密码更改的日期和时间开始评估。
Password reuse options: You can restrict password reuse based on number of password changes, time elapsed, or both.密码重用选项:您可以根据密码更改的次数、经过的时间或两者来限制密码重用。
Password verification-required options: You can indicate whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password.密码验证必需选项:您可以指示更改帐户密码的尝试是否必须指定当前密码,以验证尝试进行更改的用户是否确实知道当前密码。
Incorrect-password failed-login tracking options: You can cause the server to track failed login attempts and temporarily lock accounts for which too many consecutive incorrect passwords are given. 密码错误登录失败跟踪选项:您可能会导致服务器跟踪失败的登录尝试,并暂时锁定连续提供过多错误密码的帐户。The required number of failures and the lock time are configurable.所需的故障次数和锁定时间是可配置的。
This section describes the syntax for password-management options. 本节介绍密码管理选项的语法。For information about establishing policy for password management, see Section 6.2.15, “Password Management”.有关建立密码管理策略的信息,请参阅第6.2.15节,“密码管理”。
If multiple password-management options of a given type are specified, the last one takes precedence. 如果指定了给定类型的多个密码管理选项,则以最后一个为准。For example, 例如,PASSWORD EXPIRE DEFAULT PASSWORD EXPIRE NEVER is the same as PASSWORD EXPIRE NEVER.PASSWORD EXPIRE DEFAULT PASSWORD EXPIRE NEVER与PASSWORD EXPIRE NEVER相同。
Except for the options that pertain to failed-login tracking, password-management options apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. 除了与登录跟踪失败相关的选项外,密码管理选项仅适用于使用身份验证插件的帐户,该插件在MySQL内部存储凭据。For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. 对于使用插件对MySQL外部的凭据系统执行身份验证的帐户,密码管理也必须针对该系统进行外部处理。For more information about internal credentials storage, see Section 6.2.15, “Password Management”.有关内部凭证存储的更多信息,请参阅第6.2.15节,“密码管理”。
A client has an expired password if the account password was expired manually or the password age is considered greater than its permitted lifetime per the automatic expiration policy. 如果帐户密码手动过期,或者根据自动过期策略,密码期限被视为大于其允许的使用期限,则客户端的密码已过期。In this case, the server either disconnects the client or restricts the operations permitted to it (see Section 6.2.16, “Server Handling of Expired Passwords”). 在这种情况下,服务器会断开客户机的连接或限制其允许的操作(请参阅第6.2.16节,“过期密码的服务器处理”)。Operations performed by a restricted client result in an error until the user establishes a new account password.在用户建立新帐户密码之前,受限客户端执行的操作会导致错误。
Although it is possible to “reset” an expired password by setting it to its current value, it is preferable, as a matter of good policy, to choose a different password. 虽然可以通过将过期密码设置为其当前值来“重置”过期密码,但作为一项良好的策略,最好选择不同的密码。DBAs can enforce non-reuse by establishing an appropriate password-reuse policy. DBA可以通过建立适当的密码重用策略来强制不重用。See Password Reuse Policy.请参阅密码重用策略。
ALTER USER permits these 允许使用以下password_option values for controlling password expiration:password_option值来控制密码过期:
PASSWORD EXPIRE
Immediately marks the password expired for all accounts named by the statement.立即将声明中指定的所有帐户的密码标记为过期。
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
PASSWORD EXPIRE DEFAULT
Sets all accounts named by the statement so that the global expiration policy applies, as specified by the 设置由语句命名的所有帐户,以便应用全局过期策略,如default_password_lifetime system variable.default_password_lifetime系统变量所指定。
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;
PASSWORD EXPIRE NEVER
This expiration option overrides the global policy for all accounts named by the statement. 此过期选项将覆盖对账单指定的所有帐户的全局策略。For each, it disables password expiration so that the password never expires.对于每个密码,它都会禁用密码过期,以便密码永远不会过期。
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;
PASSWORD EXPIRE INTERVAL N DAY
This expiration option overrides the global policy for all accounts named by the statement. 此过期选项将覆盖对账单指定的所有帐户的全局策略。For each, it sets the password lifetime to 对于每个密码,它将密码生存期设置为N days. N天。The following statement requires the password to be changed every 180 days:以下语句要求每180天更改一次密码:
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;
ALTER USER permits these 根据所需的最少密码更改次数,允许使用这些password_option values for controlling reuse of previous passwords based on required minimum number of password changes:password_option值来控制以前密码的重复使用:
PASSWORD HISTORY DEFAULT
Sets all accounts named by the statement so that the global policy about password history length applies, to prohibit reuse of passwords before the number of changes specified by the 设置由该语句命名的所有帐户,以便应用有关密码历史记录长度的全局策略,以禁止在password_history system variable.password_history系统变量指定的更改次数之前重用密码。
ALTER USER 'jeffrey'@'localhost' PASSWORD HISTORY DEFAULT;
PASSWORD HISTORY N
This history-length option overrides the global policy for all accounts named by the statement. 此历史长度选项将覆盖由该语句命名的所有帐户的全局策略。For each, it sets the password history length to 对于每个密码,它将密码历史长度设置为N passwords, to prohibit reusing any of the N most recently chosen passwords. N个密码,以禁止重用最近选择的N个密码中的任何一个。The following statement prohibits reuse of any of the previous 6 passwords:以下声明禁止重复使用前6个密码中的任何一个:
ALTER USER 'jeffrey'@'localhost' PASSWORD HISTORY 6;
ALTER USER permits these 允许这些password_option values for controlling reuse of previous passwords based on time elapsed:password_option值根据经过的时间控制以前密码的重复使用:
PASSWORD REUSE INTERVAL DEFAULT
Sets all statements named by the account so that the global policy about time elapsed applies, to prohibit reuse of passwords newer than the number of days specified by the 设置由帐户命名的所有语句,以便应用有关已用时间的全局策略,以禁止重新使用比password_reuse_interval system variable.password_reuse_interval系统变量指定的天数新的密码。
ALTER USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL DEFAULT;
PASSWORD REUSE INTERVAL N DAY
This time-elapsed option overrides the global policy for all accounts named by the statement. 此“已用时间”选项将覆盖由该语句命名的所有帐户的全局策略。For each, it sets the password reuse interval to 对于每种情况,它都将密码重复使用间隔设置为N days, to prohibit reuse of passwords newer than that many days. N天,以禁止重复使用比这几天更新的密码。The following statement prohibits password reuse for 360 days:以下声明禁止在360天内重复使用密码:
ALTER USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL 360 DAY;
ALTER USER permits these password_option values for controlling whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password:ALTER USER允许这些password_option值用于控制更改帐户密码的尝试是否必须指定当前密码,以验证尝试进行更改的用户是否确实知道当前密码:
PASSWORD REQUIRE CURRENT
This verification option overrides the global policy for all accounts named by the statement. 此验证选项将覆盖对账单指定的所有帐户的全局策略。For each, it requires that password changes specify the current password.对于每个密码,它要求密码更改指定当前密码。
ALTER USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT;
PASSWORD REQUIRE CURRENT OPTIONAL
This verification option overrides the global policy for all accounts named by the statement. 此验证选项将覆盖对账单指定的所有帐户的全局策略。For each, it does not require that password changes specify the current password. 对于每个密码,它不要求密码更改指定当前密码。(The current password may but need not be given.)(可以提供但不需要提供当前密码。)
ALTER USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT OPTIONAL;
PASSWORD REQUIRE CURRENT DEFAULT
Sets all statements named by the account so that the global policy about password verification applies, as specified by the 设置由帐户命名的所有语句,以便按照password_require_current system variable.password_require_current系统变量的指定,应用有关密码验证的全局策略。
ALTER USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT DEFAULT;
As of MySQL 8.0.19, ALTER USER permits these 允许使用以下password_option values for controlling failed-login tracking:password_option值来控制失败的登录跟踪:
FAILED_LOGIN_ATTEMPTS N
Whether to track account login attempts that specify an incorrect password. 是否跟踪指定错误密码的帐户登录尝试。N must be a number from 0 to 32767. 必须是0到32767之间的数字。A value of 0 disables failed-login tracking. 值为0将禁用失败的登录跟踪。Values greater than 0 indicate how many consecutive password failures cause temporary account locking (if 大于0的值表示有多少连续密码失败导致临时帐户锁定(如果PASSWORD_LOCK_TIME is also nonzero).PASSWORD_LOCK_TIME也非零)。
PASSWORD_LOCK_TIME {N | UNBOUNDED}
How long to lock the account after too many consecutive login attempts provide an incorrect password. 连续多次登录尝试提供错误密码后锁定帐户的时间。N must be a number from 0 to 32767, or UNBOUNDED. N必须是0到32767之间的数字,或者是UNBOUNDED的。A value of 0 disables temporary account locking. 值为0将禁用临时帐户锁定。Values greater than 0 indicate how long to lock the account in days. 大于0的值表示以天为单位锁定帐户的时间。A value of 值为UNBOUNDED causes the account locking duration to be unbounded; once locked, the account remains in a locked state until unlocked. UNBOUNDED会导致帐户锁定持续时间为无限;一旦锁定,帐户将保持锁定状态,直到解锁。For information about the conditions under which unlocking occurs, see Failed-Login Tracking and Temporary Account Locking.有关解锁条件的信息,请参阅失败的登录跟踪和临时帐户锁定。
For failed-login tracking and temporary locking to occur, an account's 要进行失败的登录跟踪和临时锁定,帐户的FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME options both must be nonzero. FAILED_LOGIN_ATTEMPTS和PASSWORD_LOCK_TIME选项都必须为非零。The following statement modifies an account such that it remains locked for two days after four consecutive password failures:以下语句修改帐户,使其在连续四次密码失败后保持锁定两天:
ALTER USER 'jeffrey'@'localhost' FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 2;
MySQL supports account locking and unlocking using the MySQL使用ACCOUNT LOCK and ACCOUNT UNLOCK options, which specify the locking state for an account. ACCOUNT LOCK和ACCOUNT UNLOCK选项支持帐户锁定和解锁,这两个选项指定帐户的锁定状态。For additional discussion, see Section 6.2.19, “Account Locking”.有关更多讨论,请参阅第6.2.19节,“账户锁定”。
If multiple account-locking options are specified, the last one takes precedence.如果指定了多个帐户锁定选项,则最后一个选项优先。
As of MySQL 8.0.19, 从MySQL 8.0.19开始,ALTER USER ... UNLOCK unlocks any account named by the statement that is temporarily locked due to too many failed logins. ALTER USER ... UNLOCK解除对由于登录失败次数过多而被临时锁定的语句所指定的任何帐户的锁定。See Section 6.2.15, “Password Management”.请参阅第6.2.15节,“密码管理”。
ALTER USER is written to the binary log if it succeeds, but not if it fails; in that case, rollback occurs and no changes are made. 如果成功,则写入二进制日志,但如果失败则不写入;在这种情况下,会发生回滚,并且不会进行任何更改。A statement written to the binary log includes all named users. 写入二进制日志的语句包括所有命名用户。If the 如果给出了IF EXISTS clause is given, this includes even users that do not exist and were not altered.If EXISTS子句,这甚至包括不存在且未被更改的用户。
If the original statement changes the credentials for a user, the statement written to the binary log specifies the applicable authentication plugin for that user, determined as follows:如果原始语句更改了用户的凭据,则写入二进制日志的语句将指定该用户适用的身份验证插件,确定如下:
The plugin named in the original statement, if one was specified.原始语句中指定的插件(如果已指定)。
Otherwise, the plugin associated with the user account if the user exists, or the default authentication plugin if the user does not exist. 否则,如果用户存在,则为与用户帐户关联的插件;如果用户不存在,则为默认身份验证插件。(If the statement written to the binary log must specify a particular authentication plugin for a user, include it in the original statement.)(如果写入二进制日志的语句必须为用户指定特定的身份验证插件,请将其包含在原始语句中。)
If the server adds the default authentication plugin for any users in the statement written to the binary log, it writes a warning to the error log naming those users.如果服务器在写入二进制日志的语句中为任何用户添加默认的身份验证插件,它会向错误日志中写入一条警告,指明这些用户的名称。
If the original statement specifies the 如果原始语句指定FAILED_LOGIN_ATTEMPTS or PASSWORD_LOCK_TIME option, the statement written to the binary log includes the option.FAILED_LOGIN_ATTEMPTS或PASSWORD_LOCK_TIME选项,则写入二进制日志的语句将包含该选项。