CREATE USER [IF NOT EXISTS]user[auth_option] [,user[auth_option]] ... DEFAULT ROLErole[,role] ... [REQUIRE {NONE |tls_option[[AND]tls_option] ...}] [WITHresource_option[resource_option] ...] [password_option|lock_option] ... [COMMENT 'comment_string' | ATTRIBUTE 'json_object']user: (see Section 6.2.4, “Specifying Account Names”)auth_option: { IDENTIFIED BY 'auth_string' | IDENTIFIED BY RANDOM PASSWORD | IDENTIFIED WITHauth_plugin| IDENTIFIED WITHauth_pluginBY 'auth_string' | IDENTIFIED WITHauth_pluginBY RANDOM PASSWORD | IDENTIFIED WITHauth_pluginAS 'auth_string' }tls_option: { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject' }resource_option: { MAX_QUERIES_PER_HOURcount| MAX_UPDATES_PER_HOURcount| MAX_CONNECTIONS_PER_HOURcount| MAX_USER_CONNECTIONScount}password_option: { PASSWORD EXPIRE [DEFAULT | NEVER | INTERVALNDAY] | PASSWORD HISTORY {DEFAULT |N} | PASSWORD REUSE INTERVAL {DEFAULT |NDAY} | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL] | FAILED_LOGIN_ATTEMPTSN| PASSWORD_LOCK_TIME {N| UNBOUNDED} }lock_option: { ACCOUNT LOCK | ACCOUNT UNLOCK }
The CREATE USER statement creates new MySQL accounts. CREATE USER语句创建新的MySQL帐户。It enables authentication, role, SSL/TLS, resource-limit, and password-management properties to be established for new accounts. 它允许为新帐户建立身份验证、角色、SSL/TLS、资源限制和密码管理属性。It also controls whether accounts are initially locked or unlocked.它还控制帐户最初是锁定还是解锁。
To use 要使用CREATE USER, you must have the global CREATE USER privilege, or the INSERT privilege for the mysql system schema. CREATE USER,您必须拥有全局CREATE USER权限,或mysql系统架构的INSERT权限。When the 启用read_only system variable is enabled, CREATE USER additionally requires the CONNECTION_ADMIN privilege (or the deprecated SUPER privilege).read_only系统变量时,CREATE USER还需要CONNECTION_ADMIN权限(或不推荐使用的SUPER权限)。
As of MySQL 8.0.22, 从MySQL 8.0.22开始,如果任何要创建的帐户被命名为任何存储对象的CREATE USER fails with an error if any account to be created is named as the DEFINER attribute for any stored object. DEFINER属性,则CREATE USER将失败并出现错误。(That is, the statement fails if creating an account would cause the account to adopt a currently orphaned stored object.) (也就是说,如果创建帐户会导致帐户采用当前孤立的存储对象,则该语句将失败。)To perform the operation anyway, you must have the 要执行该操作,您必须具有SET_USER_ID privilege; in this case, the statement succeeds with a warning rather than failing with an error. SET_USER_ID权限;在这种情况下,语句成功时会发出警告,而不是失败时出错。Without 在没有SET_USER_ID, to perform the user-creation operation, drop the orphan objects, create the account and grant its privileges, and then re-create the dropped objects. SET_USER_ID的情况下,要执行用户创建操作,请删除孤立对象,创建帐户并授予其权限,然后重新创建删除的对象。For additional information, including how to identify which objects name a given account as the 有关其他信息,包括如何识别哪些对象将给定帐户命名为DEFINER attribute, see Orphan Stored Objects.DEFINER属性,请参阅孤立存储对象。
CREATE USER either succeeds for all named users or rolls back and has no effect if any error occurs. CREATE USER要么对所有命名用户成功,要么回滚,如果发生任何错误,则不起作用。By default, an error occurs if you try to create a user that already exists. 默认情况下,如果尝试创建已存在的用户,则会发生错误。If the 如果给出了IF NOT EXISTS clause is given, the statement produces a warning for each named user that already exists, rather than an error.IF NOT EXISTS子句,则该语句将为已经存在的每个命名用户生成警告,而不是错误。
Under some circumstances, 在某些情况下,CREATE USER may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. CREATE USER可能会记录在服务器日志中,或者记录在客户端的历史文件中,例如~/.mysql_history,这意味着任何有权读取该信息的人都可以读取明文密码。For information about the conditions under which this occurs for the server logs and how to control it, see Section 6.1.2.3, “Passwords and Logging”. 有关服务器日志发生这种情况的条件以及如何控制它的信息,请参阅第6.1.2.3节,“密码和日志”。For similar information about client-side logging, see Section 4.5.1.3, “mysql Client Logging”.有关客户端日志记录的类似信息,请参阅第4.5.1.3节,“mysql客户端日志记录”。
There are several aspects to the CREATE USER statement, described under the following topics:CREATE USER语句有几个方面,如下主题所述:
For each account, 对于每个帐户,CREATE USER creates a new row in the mysql.user system table. CREATE USER在mysql.user系统表中创建一个新行。The account row reflects the properties specified in the statement. 账户行反映了对账单中指定的属性。Unspecified properties are set to their default values:未指定的属性设置为其默认值:
Authentication: The authentication plugin defined by the 身份验证:由default_authentication_plugin system variable, and empty credentialsdefault_authentication_plugin系统变量定义的身份验证插件,以及空凭据
Default role: 默认角色:NONE
SSL/TLS: SSL/TLS:NONE
Resource limits: 资源限制:Unlimited
Password management: 密码管理:PASSWORD EXPIRE DEFAULT PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT; failed-login tracking and temporary account locking are disabled; 失败的登录跟踪和临时帐户锁定被禁用
Account locking: 帐户锁定:ACCOUNT UNLOCK
An account when first created has no privileges and a default role of 首次创建的帐户没有特权,默认角色为NONE. NONE。To assign privileges or roles, use the 要分配特权或角色,请使用GRANT statement.GRANT语句。
Each account name uses the format described in Section 6.2.4, “Specifying Account Names”. 每个账户名称使用第6.2.4节,“指定账户名称”中描述的格式。For example:例如:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';
The host name part of the account name, if omitted, defaults to 帐户名的主机名部分(如果省略)默认为'%'.'%'。
Each 每个命名帐户的user value naming an account may be followed by an optional auth_option value that indicates how the account authenticates. user值后面都可能跟一个可选的auth_option值,该选项值指示帐户的身份验证方式。These values enable account authentication plugins and credentials (for example, a password) to be specified. 这些值允许指定帐户身份验证插件和凭据(例如,密码)。Each 每个auth_option value applies only to the account named immediately preceding it.auth_option值仅适用于紧靠其前面命名的帐户。
Following the 根据user specifications, the statement may include options for SSL/TLS, resource-limit, password-management, and locking properties. user规范,该语句可能包括SSL/TLS、资源限制、密码管理和锁定属性的选项。All such options are global to the statement and apply to all accounts named in the statement.所有这些选项都是对账单的global选项,并适用于对账单中指定的所有账户。
Example: Create an account that uses the default authentication plugin and the given password. 示例:创建一个使用默认身份验证插件和给定密码的帐户。Mark the password expired so that the user must choose a new one at the first connection to the server:将密码标记为过期,以便用户在第一次连接到服务器时必须选择新密码:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY 'new_password' PASSWORD EXPIRE;
Example: Create an account that uses the 示例:创建一个使用caching_sha2_password authentication plugin and the given password. caching_sha2_password验证插件和给定密码的帐户。Require that a new password be chosen every 180 days, and enable failed-login tracking, such that three consecutive incorrect passwords cause temporary account locking for two days:要求每180天选择一个新密码,并启用失败的登录跟踪,这样连续三个不正确的密码会导致临时帐户锁定两天:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED WITH caching_sha2_password BY 'new_password'
PASSWORD EXPIRE INTERVAL 180 DAY
FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2;
Example: Create multiple accounts, specifying some per-account properties and some global properties:示例:创建多个帐户,指定一些每个帐户属性和一些全局属性:
CREATE USER
'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password
BY 'new_password1',
'jeanne'@'localhost' IDENTIFIED WITH caching_sha2_password
BY 'new_password2'
REQUIRE X509 WITH MAX_QUERIES_PER_HOUR 60
PASSWORD HISTORY 5
ACCOUNT LOCK;
Each 每个auth_option value (IDENTIFIED WITH ... BY in this case) applies only to the account named immediately preceding it, so each account uses the immediately following authentication plugin and password.auth_option值(在本例中为IDENTIFIED WITH ... BY)仅适用于紧跟在它前面的名为的帐户,因此每个帐户使用紧跟其后的身份验证插件和密码。
The remaining properties apply globally to all accounts named in the statement, so for both accounts:其余属性全局应用于对账单中指定的所有帐户,因此对于这两个帐户:
Connections must be made using a valid X.509 certificate.必须使用有效的X.509证书进行连接。
Up to 60 queries per hour are permitted.每小时最多允许60次查询。
Password changes cannot reuse any of the five most recent passwords.密码更改不能重复使用最近的五个密码中的任何一个。
The account is locked initially, so effectively it is a placeholder and cannot be used until an administrator unlocks it.该帐户最初被锁定,因此实际上它是一个占位符,在管理员解锁之前无法使用。
Beginning with MySQL 8.0.21, you can optionally create a user with a user comment or a user attribute, as described here:从MySQL 8.0.21开始,您可以选择创建带有用户注释或用户属性的用户,如下所述:
User comment
To set a user comment, add 要设置用户注释,请将COMMENT ' to the user_comment'CREATE USER statement, where user_comment is the text of the user comment.COMMENT 'user_comment'添加到CREATE USER语句中,其中user_comment是用户注释的文本。
Example (omitting any other options):示例(省略任何其他选项):
CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon';
User attributeUSER属性
A user attribute is a JSON object made up of one or more key-value pairs, and is set by including 用户属性是由一个或多个键值对组成的JSON对象,通过将ATTRIBUTE ' as part of of json_object'CREATE USER. ATTRIBUTE 'json_object'包含在CREATE USER中来设置。json_object must be a valid JSON object.json_object必须是有效的json对象。
Example (omitting any other options):示例(省略任何其他选项):
CREATE USER 'jim'@'localhost'
ATTRIBUTE '{"fname": "James", "lname": "Scott", "phone": "123-456-7890"}';User comments and user attributes are stored together in the 用户注释和用户属性一起存储在ATTRIBUTE column of the INFORMATION_SCHEMA.USER_ATTRIBUTES table. INFORMATION_SCHEMA.USER_ATTRIBUTES表的ATTRIBUTE列中。This query displays the row in this table inserted by the statement just shown for creating the user 此查询将显示该表中的行,该行由刚才为创建用户而显示的语句插入jin@localhost:jin@localhost:
mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER = 'jim' AND HOST = 'localhost'\G*************************** 1. row *************************** USER: jim HOST: localhost ATTRIBUTE: {"fname": "James", "lname": "Scott", "phone": "123-456-7890"} 1 row in set (0.00 sec)
The 实际上,COMMENT option in actuality provides a shortcut for setting a user attribute whose only element has comment as its key and whose value is the argument supplied for the option. COMMENT选项提供了一个快捷方式,用于设置用户属性,该属性的唯一元素的键是comment,其值是为该选项提供的参数。You can see this by executing the statement 通过执行语句CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon', and observing the row which it inserts into the USER_ATTRIBUTES table:CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon',并观察它插入到USER_ATTRIBUTES表中的行,可以看到这一点:
mysql>CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon';Query OK, 0 rows affected (0.06 sec) mysql>SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER = 'jon' AND HOST = 'localhost';+------+-----------+-------------------------------------------+ | USER | HOST | ATTRIBUTE | +------+-----------+-------------------------------------------+ | jon | localhost | {"comment": "Some information about Jon"} | +------+-----------+-------------------------------------------+ 1 row in set (0.00 sec)
You cannot use 不能在同一个COMMENT and ATTRIBUTE together in the same CREATE USER statement; attempting to do so causes a syntax error. CREATE USER语句中同时使用COMMENT和ATTRIBUTE;尝试这样做会导致语法错误。To set a user comment concurrently with setting a user attribute, use 要在设置用户属性的同时设置用户注释,请使用ATTRIBUTE and include in its argument a value with a comment key, like this:ATTRIBUTE并在其参数中包含一个带有comment键的值,如下所示:
mysql> CREATE USER 'bill'@'localhost'
-> ATTRIBUTE '{"fname":"William", "lname":"Schmidt",
-> "comment":"Website developer"}';
Query OK, 0 rows affected (0.16 sec)
Since the content of the 由于ATTRIBUTE row is a JSON object, you can employ any appropriate MySQL JSON functions or operators to manipulate it, as shown here:ATTRIBUTE行的内容是一个JSON对象,因此可以使用任何适当的MySQL JSON函数或运算符来操作它,如下所示:
mysql>SELECT->USER AS User,->HOST AS Host,->CONCAT(ATTRIBUTE->>"$.fname"," ",ATTRIBUTE->>"$.lname") AS 'Full Name',->ATTRIBUTE->>"$.comment" AS Comment->FROM INFORMATION_SCHEMA.USER_ATTRIBUTES->WHERE USER='bill' AND HOST='localhost';+------+-----------+-----------------+-------------------+ | User | Host | Full Name | Comment | +------+-----------+-----------------+-------------------+ | bill | localhost | William Schmidt | Website developer | +------+-----------+-----------------+-------------------+ 1 row in set (0.00 sec)
To set or to make changes in the user comment or user attribute for an existing user, you can use a 要设置或更改现有用户的用户注释或用户属性,可以将COMMENT or ATTRIBUTE option with an ALTER USER statement.COMMENT或ATTRIBUTE选项与ALTER USER语句一起使用。
Because the user comment and user attribute are stored together internally in a single 由于用户注释和用户属性在内部存储在一个JSON column, this sets an upper limit on their maximum combined size; see JSON Storage Requirements, for more information.JSON列中,这就为它们的最大组合大小设置了上限;有关更多信息,请参阅JSON存储要求。
See also the description of the Information Schema 有关更多信息和示例,请参阅信息模式USER_ATTRIBUTES table for more information and examples.USER_ATTRIBUTES表的说明。
An account name may be followed by an 帐户名后面可以跟一个auth_option authentication option that specifies the account authentication plugin, credentials, or both.auth_option身份验证选项,该选项指定帐户身份验证插件、凭据或两者。
Clauses for random password generation apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. 随机密码生成条款仅适用于使用身份验证插件的帐户,该插件在MySQL内部存储凭据。For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. 对于使用插件对MySQL外部的凭据系统执行身份验证的帐户,密码管理也必须针对该系统进行外部处理。For more information about internal credentials storage, see Section 6.2.15, “Password Management”.有关内部凭证存储的更多信息,请参阅第6.2.15节,“密码管理”。
auth_plugin names an authentication plugin. 命名一个身份验证插件。The plugin name can be a quoted string literal or an unquoted name. 插件名称可以是带引号的字符串文字或不带引号的名称。Plugin names are stored in the 插件名称存储在plugin column of the mysql.user system table.mysql.user系统表的plugin列中。
For 对于未指定身份验证插件的auth_option syntax that does not specify an authentication plugin, the default plugin is indicated by the value of the default_authentication_plugin system variable. auth_option语法,默认插件由default_authentication_plugin系统变量的值指示。For descriptions of each plugin, see Section 6.4.1, “Authentication Plugins”.有关每个插件的描述,请参阅第6.4.1节,“身份验证插件”。
Credentials that are stored internally are stored in the 存储在内部的凭据存储在mysql.user system table. mysql.user系统表中。An ' value or auth_string'RANDOM PASSWORD specifies account credentials, either as a cleartext (unencrypted) string or hashed in the format expected by the authentication plugin associated with the account, respectively:'auth_string'值或RANDOM PASSWORD分别将帐户凭据指定为明文(未加密)字符串或以与帐户关联的身份验证插件预期的格式散列:
For syntax that uses 对于使用BY ', the string is cleartext and is passed to the authentication plugin for possible hashing. auth_string'BY 'auth_string'的语法,字符串是明文,并传递给身份验证插件进行可能的哈希处理。The result returned by the plugin is stored in the 插件返回的结果存储在mysql.user table. mysql.user表中。A plugin may use the value as specified, in which case no hashing occurs.插件可以使用指定的值,在这种情况下不会发生哈希。
For syntax that uses 对于使用BY RANDOM PASSWORD, MySQL generates a random password and as cleartext and passes it to the authentication plugin for possible hashing. BY RANDOM PASSWORD的语法,MySQL生成一个随机密码和一个明文,并将其传递给身份验证插件进行可能的哈希处理。The result returned by the plugin is stored in the 插件返回的结果存储在mysql.user table. mysql.user表中。A plugin may use the value as specified, in which case no hashing occurs.插件可以使用指定的值,在这种情况下不会发生哈希。
Randomly generated passwords are available as of MySQL 8.0.18 and have the characteristics described in Random Password Generation.从MySQL 8.0.18开始,可以使用随机生成的密码,并且具有随机密码生成中描述的特征。
For syntax that uses 对于使用AS ', the string is assumed to be already in the format the authentication plugin requires, and is stored as is in the auth_string'mysql.user table. AS 'auth_string'的语法,假定该字符串已采用身份验证插件所需的格式,并按原样存储在mysql.user表中。If a plugin requires a hashed value, the value must be already hashed in a format appropriate for the plugin; otherwise, the value cannot be used by the plugin and correct authentication of client connections does not occur.如果插件需要散列值,则该值必须已经以适合该插件的格式进行散列;否则,插件将无法使用该值,并且不会对客户端连接进行正确的身份验证。
As of MySQL 8.0.17, a hashed string can be either a string literal or a hexadecimal value. 从MySQL 8.0.17开始,哈希字符串可以是字符串文字或十六进制值。The latter corresponds to the type of value displayed by 后者对应于启用SHOW CREATE USER for password hashes containing unprintable characters when the print_identified_with_as_hex system variable is enabled.print_identified_with_as_hex系统变量时,SHOW CREATE USER为包含不可打印字符的密码哈希显示的值类型。
If an authentication plugin performs no hashing of the authentication string, the 如果身份验证插件不对身份验证字符串执行哈希,则BY ' and auth_string'AS ' clauses have the same effect: The authentication string is stored as is in the auth_string'mysql.user system table.BY '子句和auth_string'AS '子句具有相同的效果:身份验证字符串按原样存储在auth_string'mysql.user系统表中。
CREATE USER permits these 允许以下auth_option syntaxes:auth_option语法:
IDENTIFIED BY 'auth_string'
Sets the account authentication plugin to the default plugin, passes the cleartext 将帐户身份验证插件设置为默认插件,将明文' value to the plugin for possible hashing, and stores the result in the account row in the auth_string'mysql.user system table.'值传递给插件进行可能的哈希运算,并将结果存储在auth_string'mysql.user系统表的帐户行中。
IDENTIFIED BY RANDOM PASSWORD
Sets the account authentication plugin to the default plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in the 将帐户身份验证插件设置为默认插件,生成随机密码,将明文密码值传递给插件进行可能的哈希运算,并将结果存储在mysql.user system table. mysql.user系统表的帐户行中。The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. 该语句还将在结果集中返回明文密码,以使执行该语句的用户或应用程序可以使用该密码。For details about the result set and characteristics of randomly generated passwords, see Random Password Generation.有关随机生成密码的结果集和特征的详细信息,请参阅随机密码生成。
IDENTIFIED WITH auth_plugin
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin, clears the credentials to the empty string, and stores the result in the account row in the mysql.user system table.auth_plugin,将凭据清除为空字符串,并将结果存储在mysql.user系统表的帐户行中。
IDENTIFIED WITH auth_plugin BY 'auth_string'
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin, passes the cleartext ' value to the plugin for possible hashing, and stores the result in the account row in the auth_string'mysql.user system table.auth_plugin,将明文'auth_string'值传递给插件进行可能的哈希运算,并将结果存储在mysql.user系统表的帐户行中。
IDENTIFIED WITH auth_plugin BY RANDOM PASSWORD
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in the mysql.user system table. auth_plugin,生成一个随机密码,将明文密码值传递给插件进行可能的哈希运算,并将结果存储在mysql.user系统表的帐户行中。The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. 该语句还将在结果集中返回明文密码,以使执行该语句的用户或应用程序可以使用该密码。For details about the result set and characteristics of randomly generated passwords, see Random Password Generation.有关随机生成密码的结果集和特征的详细信息,请参阅随机密码生成。
IDENTIFIED WITH auth_plugin AS 'auth_string'
Sets the account authentication plugin to 将帐户身份验证插件设置为auth_plugin and stores the ' value as is in the auth_string'mysql.user account row. auth_plugin,并将'值存储在auth_string'mysql.user帐户行中。If the plugin requires a hashed string, the string is assumed to be already hashed in the format the plugin requires.如果插件需要散列字符串,则假定该字符串已经按照插件所需的格式进行了散列。
Example: Specify the password as cleartext; the default plugin is used:示例:将密码指定为明文;使用默认插件:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY 'password';
Example: Specify the authentication plugin, along with a cleartext password value:示例:指定身份验证插件以及明文密码值:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED WITH mysql_native_password BY 'password';
In each case, the password value stored in the account row is the cleartext value 在每种情况下,存储在帐户行中的密码值都是明文值' after it has been hashed by the authentication plugin associated with the account.password'',它已被与帐户关联的身份验证插件散列。password'
For additional information about setting passwords and authentication plugins, see Section 6.2.14, “Assigning Account Passwords”, and Section 6.2.17, “Pluggable Authentication”.有关设置密码和身份验证插件的更多信息,请参阅第6.2.14节,“分配帐户密码”和第6.2.17节,“可插入身份验证”。
The DEFAULT ROLE clause defines which roles become active when the user connects to the server and authenticates, or when the user executes the SET ROLE DEFAULT statement during a session.DEFAULT ROLE子句定义了当用户连接到服务器并进行身份验证时,或当用户在会话期间执行SET ROLE DEFAULT语句时,哪些角色处于活动状态。
Each role name uses the format described in Section 6.2.5, “Specifying Role Names”. 每个角色名称使用第6.2.5节,“指定角色名称”中描述的格式。For example:例如:
CREATE USER 'joe'@'10.0.0.1' DEFAULT ROLE administrator, developer;
The host name part of the role name, if omitted, defaults to 角色名的主机名部分(如果省略)默认为'%'.'%'。
The DEFAULT ROLE clause permits a list of one or more comma-separated role names. DEFAULT ROLE子句允许列出一个或多个逗号分隔的角色名。These roles need not exist at the time 执行CREATE USER is executed.CREATE USER时,这些角色不必存在。
MySQL can check X.509 certificate attributes in addition to the usual authentication that is based on the user name and credentials. 除了基于用户名和凭据的常规身份验证之外,MySQL还可以检查X.509证书属性。For background information on the use of SSL/TLS with MySQL, see Section 6.3, “Using Encrypted Connections”.有关在MySQL中使用SSL/TLS的背景信息,请参阅第6.3节,“使用加密连接”。
To specify SSL/TLS-related options for a MySQL account, use a 要为MySQL帐户指定SSL/TLS相关选项,请使用REQUIRE clause that specifies one or more tls_option values.REQUIRE子句指定一个或多个tls_option值。
Order of REQUIRE options does not matter, but no option can be specified twice. REQUIRE选项的顺序无关紧要,但任何选项都不能指定两次。The AND keyword is optional between REQUIRE options.AND关键字在REQUIRE选项之间是可选的。
CREATE USER permits these tls_option values:CREATE USER允许以下tls_option:
NONE
Indicates that all accounts named by the statement have no SSL or X.509 requirements. 指示由该对账单命名的所有帐户没有SSL或X.509要求。Unencrypted connections are permitted if the user name and password are valid. 如果用户名和密码有效,则允许未加密的连接。Encrypted connections can be used, at the client's option, if the client has the proper certificate and key files.如果客户机拥有正确的证书和密钥文件,则可以根据客户机的选择使用加密连接。
CREATE USER 'jeffrey'@'localhost' REQUIRE NONE;
Clients attempt to establish a secure connection by default. 默认情况下,客户端尝试建立安全连接。For clients that have 对于REQUIRE NONE, the connection attempt falls back to an unencrypted connection if a secure connection cannot be established. REQUIRE NONE的客户端,如果无法建立安全连接,则连接尝试会退回到未加密的连接。To require an encrypted connection, a client need specify only the 要要求加密连接,客户端只需指定--ssl-mode=REQUIRED option; the connection attempt fails if a secure connection cannot be established.--ssl-mode=REQUIRED选项;如果无法建立安全连接,连接尝试将失败。
NONE is the default if no SSL-related REQUIRE options are specified.REQUIRE选项,则默认为NONE。
SSL
Tells the server to permit only encrypted connections for all accounts named by the statement.告诉服务器只允许对该语句指定的所有帐户进行加密连接。
CREATE USER 'jeffrey'@'localhost' REQUIRE SSL;
Clients attempt to establish a secure connection by default. 默认情况下,客户端尝试建立安全连接。For accounts that have 对于具有REQUIRE SSL, the connection attempt fails if a secure connection cannot be established.REQUIRE SSL的帐户,如果无法建立安全连接,连接尝试将失败。
X509
For all accounts named by the statement, requires that clients present a valid certificate, but the exact certificate, issuer, and subject do not matter. 对于声明中指定的所有帐户,要求客户提供有效的证书,但确切的证书、颁发者和主题无关紧要。The only requirement is that it should be possible to verify its signature with one of the CA certificates. 唯一的要求是,应该可以使用其中一个CA证书验证其签名。Use of X.509 certificates always implies encryption, so the 使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
For accounts with 对于具有REQUIRE X509, clients must specify the --ssl-key and --ssl-cert options to connect. REQUIRE SSL的帐户,客户端必须指定要连接的--ssl-key和--ssl-cert选项。(It is recommended but not required that (建议但不要求还指定--ssl-ca also be specified so that the public certificate provided by the server can be verified.) --ssl-ca,以便验证服务器提供的公共证书。)This is true for 对于ISSUER and SUBJECT as well because those REQUIRE options imply the requirements of X509.ISSUER和SUBJECT来说也是如此,因为这些REQUIRE选项意味着X509的要求。
ISSUER 'issuer'
For all accounts named by the statement, requires that clients present a valid X.509 certificate issued by CA 对于声明中指定的所有账户,要求客户提供由CA'. issuer''issuer'颁发的有效X.509证书。If a client presents a certificate that is valid but has a different issuer, the server rejects the connection. 如果客户端提供的证书有效,但具有不同的颁发者,则服务器会拒绝连接。Use of X.509 certificates always implies encryption, so the 使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
CREATE USER 'jeffrey'@'localhost'
REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL/CN=CA/emailAddress=ca@example.com';
Because 因为ISSUER implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. ISSUER暗示了X509的要求,所以客户端必须指定--ssl-key和--ssl-cert选项来连接。(It is recommended but not required that (建议但不要求还指定--ssl-ca also be specified so that the public certificate provided by the server can be verified.)--ssl-ca,以便验证服务器提供的公共证书。)
SUBJECT 'subject'
For all accounts named by the statement, requires that clients present a valid X.509 certificate containing the subject 对于由对账单命名的所有帐户,要求客户提供包含主题subject. subject的有效X.509证书。If a client presents a certificate that is valid but has a different subject, the server rejects the connection. 如果客户机提供的证书有效但主题不同,则服务器会拒绝连接。Use of X.509 certificates always implies encryption, so the 使用X.509证书总是意味着加密,因此在这种情况下不需要SSL option is unnecessary in this case.SSL选项。
CREATE USER 'jeffrey'@'localhost'
REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL demo client certificate/
CN=client/emailAddress=client@example.com';
MySQL does a simple string comparison of the MySQL将' value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.subject''subject'值与证书中的值进行简单的字符串比较,因此必须给出与证书中的值完全相同的字母大小写和组件顺序。
Because 因为SUBJECT implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. SUBJECT暗示了X509的要求,所以客户端必须指定要连接的--ssl-key和--ssl-cert选项。(It is recommended but not required that (建议但不要求还指定--ssl-ca also be specified so that the public certificate provided by the server can be verified.)--ssl-ca,以便验证服务器提供的公共证书。)
CIPHER 'cipher'
For all accounts named by the statement, requires a specific cipher method for encrypting connections. 对于由语句命名的所有帐户,需要使用特定的密码方法来加密连接。This option is needed to ensure that ciphers and key lengths of sufficient strength are used. 需要使用此选项以确保使用足够强度的密码和密钥长度。Encryption can be weak if old algorithms using short encryption keys are used.如果使用使用短加密密钥的旧算法,加密可能会很弱。
CREATE USER 'jeffrey'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause:SUBJECT、ISSUER和CIPHER选项可以组合在REQUIRE子句中:
CREATE USER 'jeffrey'@'localhost'
REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL demo client certificate/
CN=client/emailAddress=client@example.com'
AND ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
O=MySQL/CN=CA/emailAddress=ca@example.com'
AND CIPHER 'EDH-RSA-DES-CBC3-SHA';It is possible to place limits on use of server resources by an account, as discussed in Section 6.2.20, “Setting Account Resource Limits”. 如第6.2.20节,“设置帐户资源限制”所述,可以限制帐户使用服务器资源。To do so, use a 为此,请使用WITH clause that specifies one or more resource_option values.WITH子句指定一个或多个resource_option值。
Order of WITH options does not matter, except that if a given resource limit is specified multiple times, the last instance takes precedence.WITH选项的顺序无关紧要,除非多次指定给定的资源限制,最后一个实例优先。
CREATE USER permits these resource_option values:CREATE USER允许以下resource_option值:
MAX_QUERIES_PER_HOUR , countMAX_UPDATES_PER_HOUR , countMAX_CONNECTIONS_PER_HOUR count
For all accounts named by the statement, these options restrict how many queries, updates, and connections to the server are permitted to each account during any given one-hour period. 对于由语句命名的所有帐户,这些选项限制在任何给定的一小时内每个帐户允许的查询、更新和到服务器的连接数。If 如果count is 0 (the default), this means that there is no limitation for the account.count为0(默认值),这意味着该帐户没有限制。
MAX_USER_CONNECTIONS count
For all accounts named by the statement, restricts the maximum number of simultaneous connections to the server by each account. 对于由语句命名的所有帐户,限制每个帐户同时连接到服务器的最大数量。A nonzero 非零count specifies the limit for the account explicitly. count明确指定帐户的限制。If 如果count is 0 (the default), the server determines the number of simultaneous connections for the account from the global value of the max_user_connections system variable. count为0(默认值),服务器将根据max_user_connections系统变量的全局值确定帐户的同时连接数。If 如果max_user_connections is also zero, there is no limit for the account.max_user_connections也为零,则该帐户没有限制。
Example:
CREATE USER 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;
CREATE USER supports several password_option values for password management:CREATE USER支持用于密码管理的多个password_option值:
Password expiration options: You can expire an account password manually and establish its password expiration policy. Policy options do not expire the password. 密码过期选项:您可以手动使帐户密码过期,并建立其密码过期策略。策略选项不会使密码过期。Instead, they determine how the server applies automatic expiration to the account based on password age, which is assessed from the date and time of the most recent account password change.相反,它们决定服务器如何根据密码期限对帐户应用自动过期,密码期限从最近一次帐户密码更改的日期和时间开始评估。
Password reuse options: You can restrict password reuse based on number of password changes, time elapsed, or both.密码重用选项:您可以根据密码更改的次数、经过的时间或两者来限制密码重用。
Password verification-required options: You can indicate whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password.密码验证必需选项:您可以指示更改帐户密码的尝试是否必须指定当前密码,以验证尝试进行更改的用户是否确实知道当前密码。
Incorrect-password failed-login tracking options: You can cause the server to track failed login attempts and temporarily lock accounts for which too many consecutive incorrect passwords are given. 密码错误登录失败跟踪选项:您可能会导致服务器跟踪失败的登录尝试,并暂时锁定连续提供过多错误密码的帐户。The required number of failures and the lock time are configurable.所需的故障次数和锁定时间是可配置的。
This section describes the syntax for password-management options. 本节介绍密码管理选项的语法。For information about establishing policy for password management, see Section 6.2.15, “Password Management”.有关建立密码管理策略的信息,请参阅第6.2.15节,“密码管理”。
If multiple password-management options of a given type are specified, the last one takes precedence. 如果指定了给定类型的多个密码管理选项,则以最后一个为准。For example, 例如,PASSWORD EXPIRE DEFAULT PASSWORD EXPIRE NEVER is the same as PASSWORD EXPIRE NEVER.PASSWORD EXPIRE DEFAULT PASSWORD EXPIRE NEVER与PASSWORD EXPIRE NEVER相同。
Except for the options that pertain to failed-login tracking, password-management options apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. 除了与登录跟踪失败相关的选项外,密码管理选项仅适用于使用身份验证插件的帐户,该插件在MySQL内部存储凭据。For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. 对于使用插件对MySQL外部的凭据系统执行身份验证的帐户,密码管理也必须针对该系统进行外部处理。For more information about internal credentials storage, see Section 6.2.15, “Password Management”.有关内部凭证存储的更多信息,请参阅第6.2.15节,“密码管理”。
A client has an expired password if the account password was expired manually or the password age is considered greater than its permitted lifetime per the automatic expiration policy. 如果帐户密码手动过期,或者根据自动过期策略,密码期限被视为大于其允许的使用期限,则客户端的密码已过期。In this case, the server either disconnects the client or restricts the operations permitted to it (see Section 6.2.16, “Server Handling of Expired Passwords”). 在这种情况下,服务器会断开客户机的连接或限制其允许的操作(请参阅第6.2.16节,“过期密码的服务器处理”)。Operations performed by a restricted client result in an error until the user establishes a new account password.在用户建立新帐户密码之前,受限客户端执行的操作会导致错误。
CREATE USER permits these password_option values for controlling password expiration:CREATE USER允许以下password_option值用于控制密码过期:
PASSWORD EXPIRE
Immediately marks the password expired for all accounts named by the statement.立即将声明中指定的所有帐户的密码标记为过期。
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
PASSWORD EXPIRE DEFAULT
Sets all accounts named by the statement so that the global expiration policy applies, as specified by the 设置由语句命名的所有帐户,以便应用全局过期策略,如default_password_lifetime system variable.default_password_lifetime系统变量所指定。
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;
PASSWORD EXPIRE NEVER
This expiration option overrides the global policy for all accounts named by the statement. 此过期选项将覆盖对账单指定的所有帐户的全局策略。For each, it disables password expiration so that the password never expires.对于每个密码,它都会禁用密码过期,以便密码永远不会过期。
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;
PASSWORD EXPIRE INTERVAL N DAY
This expiration option overrides the global policy for all accounts named by the statement. 此过期选项将覆盖对账单指定的所有帐户的全局策略。For each, it sets the password lifetime to 对于每个密码,它将密码生存期设置为N days. N天。The following statement requires the password to be changed every 180 days:以下语句要求每180天更改一次密码:
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;
CREATE USER permits these password_option values for controlling reuse of previous passwords based on required minimum number of password changes:CREATE USER允许这些password_option值用于根据所需的最小密码更改次数控制以前密码的重复使用:
PASSWORD HISTORY DEFAULT
Sets all accounts named by the statement so that the global policy about password history length applies, to prohibit reuse of passwords before the number of changes specified by the 设置由该语句命名的所有帐户,以便应用有关密码历史记录长度的全局策略,以禁止在password_history system variable.password_history系统变量指定的更改次数之前重用密码。
CREATE USER 'jeffrey'@'localhost' PASSWORD HISTORY DEFAULT;
PASSWORD HISTORY N
This history-length option overrides the global policy for all accounts named by the statement. 此历史长度选项将覆盖由该语句命名的所有帐户的全局策略。For each, it sets the password history length to 对于每个密码,它将密码历史长度设置为N passwords, to prohibit reusing any of the N most recently chosen passwords. N个密码,以禁止重用最近选择的N个密码中的任何一个。The following statement prohibits reuse of any of the previous 6 passwords:以下声明禁止重复使用前6个密码中的任何一个:
CREATE USER 'jeffrey'@'localhost' PASSWORD HISTORY 6;
CREATE USER permits these password_option values for controlling reuse of previous passwords based on time elapsed:CREATE USER允许这些password_option值用于根据经过的时间控制以前密码的重复使用:
PASSWORD REUSE INTERVAL DEFAULT
Sets all statements named by the account so that the global policy about time elapsed applies, to prohibit reuse of passwords newer than the number of days specified by the 设置由帐户命名的所有语句,以便应用有关已用时间的全局策略,以禁止重新使用比password_reuse_interval system variable.password_reuse_interval系统变量指定的天数新的密码。
CREATE USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL DEFAULT;
PASSWORD REUSE INTERVAL N DAY
This time-elapsed option overrides the global policy for all accounts named by the statement. 此“已用时间”选项将覆盖由该语句命名的所有帐户的全局策略。For each, it sets the password reuse interval to 对于每种情况,它都将密码重复使用间隔设置为N days, to prohibit reuse of passwords newer than that many days. N天,以禁止重复使用比这几天更新的密码。The following statement prohibits password reuse for 360 days:以下声明禁止在360天内重复使用密码:
CREATE USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL 360 DAY;
CREATE USER permits these password_option values for controlling whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password:CREATE USER允许这些password_option值用于控制更改帐户密码的尝试是否必须指定当前密码,以验证尝试进行更改的用户是否确实知道当前密码:
PASSWORD REQUIRE CURRENT
This verification option overrides the global policy for all accounts named by the statement. 此验证选项将覆盖对账单指定的所有帐户的全局策略。For each, it requires that password changes specify the current password.对于每个密码,它要求密码更改指定当前密码。
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT;
PASSWORD REQUIRE CURRENT OPTIONAL
This verification option overrides the global policy for all accounts named by the statement. 此验证选项将覆盖对账单指定的所有帐户的全局策略。For each, it does not require that password changes specify the current password. (The current password may but need not be given.)对于每个密码,它不要求密码更改指定当前密码。(可以提供但不需要提供当前密码。)
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT OPTIONAL;
PASSWORD REQUIRE CURRENT DEFAULT
Sets all statements named by the account so that the global policy about password verification applies, as specified by the 设置由帐户命名的所有语句,以便按照password_require_current system variable.password_require_current系统变量的指定,应用有关密码验证的全局策略。
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT DEFAULT;
As of MySQL 8.0.19, 从MySQL 8.0.19开始,CREATE USER permits these password_option values for controlling failed-login tracking:CREATE USER允许使用以下password_option值来控制失败的登录跟踪:
FAILED_LOGIN_ATTEMPTS N
Whether to track account login attempts that specify an incorrect password. 是否跟踪指定错误密码的帐户登录尝试。N must be a number from 0 to 32767. N必须是0到32767之间的数字。A value of 0 disables failed-login tracking. 值为0将禁用失败的登录跟踪。Values greater than 0 indicate how many consecutive password failures cause temporary account locking (if 大于0的值表示有多少连续密码失败导致临时帐户锁定(如果PASSWORD_LOCK_TIME is also nonzero).PASSWORD_LOCK_TIME也非零)。
PASSWORD_LOCK_TIME {N | UNBOUNDED}
How long to lock the account after too many consecutive login attempts provide an incorrect password. 连续多次登录尝试提供错误密码后锁定帐户的时间。N must be a number from 0 to 32767, or UNBOUNDED. N必须是0到32767之间的数字,或者是UNBOUNDED(无界的)。A value of 0 disables temporary account locking. 值为0将禁用临时帐户锁定。Values greater than 0 indicate how long to lock the account in days. 大于0的值表示以天为单位锁定帐户的时间。A value of 值为UNBOUNDED causes the account locking duration to be unbounded; once locked, the account remains in a locked state until unlocked. UNBOUNDED会导致帐户锁定持续时间为无界;一旦锁定,帐户将保持锁定状态,直到解锁。For information about the conditions under which unlocking occurs, see Failed-Login Tracking and Temporary Account Locking.有关解锁条件的信息,请参阅失败的登录跟踪和临时帐户锁定。
For failed-login tracking and temporary locking to occur, an account's 要进行失败的登录跟踪和临时锁定,帐户的FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME options both must be nonzero. FAILED_LOGIN_ATTEMPTS选项和PASSWORD_LOCK_TIME选项都必须为非零。The following statement creates an account that remains locked for two days after four consecutive password failures:以下语句创建了一个在连续四次密码失败后保持锁定两天的帐户:
CREATE USER 'jeffrey'@'localhost' FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 2;
MySQL supports account locking and unlocking using the MySQL使用ACCOUNT LOCK and ACCOUNT UNLOCK options, which specify the locking state for an account. ACCOUNT LOCK选项和ACCOUNT UNLOCK选项支持帐户锁定和解锁,这两个选项指定帐户的锁定状态。For additional discussion, see Section 6.2.19, “Account Locking”.有关更多讨论,请参阅第6.2.19节,“账户锁定”。
If multiple account-locking options are specified, the last one takes precedence.如果指定了多个帐户锁定选项,则最后一个选项优先。
CREATE USER is written to the binary log if it succeeds, but not if it fails; in that case, rollback occurs and no changes are made. CREATE USER成功,则将其写入二进制日志,但如果失败,则不会写入;在这种情况下,会发生回滚,并且不会进行任何更改。A statement written to the binary log includes all named users. 写入二进制日志的语句包括所有命名用户。If the 如果给出了IF NOT EXISTS clause is given, this includes even users that already exist and were not created.IF NOT EXISTS子句,这甚至包括已经存在且未创建的用户。
The statement written to the binary log specifies an authentication plugin for each user, determined as follows:写入二进制日志的语句为每个用户指定一个身份验证插件,确定如下:
The plugin named in the original statement, if one was specified.原始语句中指定的插件(如果已指定)。
Otherwise, the default authentication plugin. 否则,默认的身份验证插件。In particular, if a user 特别是,如果用户u1 already exists and uses a nondefault authentication plugin, the statement written to the binary log for CREATE USER IF NOT EXISTS u1 names the default authentication plugin. u1已经存在并使用了非默认身份验证插件,则写入二进制日志中的CREATE USER IF NOT EXISTS u1语句将命名为默认身份验证插件。(If the statement written to the binary log must specify a nondefault authentication plugin for a user, include it in the original statement.)(如果写入二进制日志的语句必须为用户指定非默认身份验证插件,请将其包含在原始语句中。)
If the server adds the default authentication plugin for any nonexisting users in the statement written to the binary log, it writes a warning to the error log naming those users.如果服务器在写入二进制日志的语句中为任何不存在的用户添加默认身份验证插件,它会向错误日志中写入一条警告,指明这些用户。
If the original statement specifies the 如果原始语句指定FAILED_LOGIN_ATTEMPTS or PASSWORD_LOCK_TIME option, the statement written to the binary log includes the option.FAILED_LOGIN_ATTEMPTS选项或PASSWORD_LOCK_TIME选项,则写入二进制日志的语句将包含该选项。