本文目录一览:
- 问哈各位大神,mysql怎么给一个用户赋予grant权限
- 如何设置mysql用户的权限
- 如何给mysql用户分配权限
- MySQL的权限有哪些?
- mysql grant 权限是什么权限
- MySQL:grant 语法详解(MySQL5.X)
问哈各位大神,mysql怎么给一个用户赋予grant权限
当权限1,权限2 mysql grant 权限1,权限2,…权限n on 名称.表名称 to 用户名@用户地址 identified by ‘连接口令’; 权限1,权限2,…权限n代表select,insert,update,delete,create,drop,index,alter,grant,references,reload,shutdown,process,file等14个权限。 当权限1,权限2,…权限n被all privileges或者all代替,表示赋予用户全部权限。 当数据库名称.表名称被*.*代替,表示赋予用户操作服务器上所有数据库所有表的权限。 用户地址可以是localhost,也可以是ip地址、机器名字、域名。也可以用’%表示从任何地址连接。 ‘连接口令’不能为空,否则创建失败。
如何设置mysql用户的权限
1、创建新用户
通过root用户登录之后创建
grant all privileges on *.* to testuser@localhost identified by "123456";
创建新用户,用户名为testuser,密码为123456;
grant all privileges on *.* to testuser@localhost identified by "123456";
设置用户testuser,可以在本地访问mysql
grant all privileges on *.* to testuser@"%" identified by "123456";
设置用户testuser,可以在远程访问mysql
flush privileges;
mysql 新设置用户或更改密码后需用flush privileges刷新MySQL的系统权限相关表,否则会出现拒绝访问,还有一种方法,就是重新启动mysql服务器,来使新设置生效
2、设置用户访问数据库权限
grant all privileges on test_db.* to testuser@localhost identified by "123456";
设置用户testuser,只能访问数据库test_db,其他数据库均不能访问;
grant all privileges on *.* to testuser@localhost identified by "123456";
设置用户testuser,可以访问mysql上的所有数据库;
grant all privileges on test_db.user_infor to testuser@localhost identified by "123456";
设置用户testuser,只能访问数据库test_db的表user_infor,数据库中的其他表均不能访问;
3、设置用户操作权限
grant all privileges on *.* to testuser@localhost identified by "123456" WITH GRANT OPTION;
设置用户testuser,拥有所有的操作权限,也就是管理员;
grant select on *.* to testuser@localhost identified by "123456" WITH GRANT OPTION;
设置用户testuser,只拥有【查询】操作权限;
grant select,insert on *.* to testuser@localhost identified by "123456";
设置用户testuser,只拥有【查询\插入】操作权限;
grant select,insert,update,delete on *.* to testuser@localhost identified by "123456";
设置用户testuser,只拥有【查询\插入】操作权限;
REVOKE select,insert ON what FROM testuser
取消用户testuser的【查询\插入】操作权限;
如何给mysql用户分配权限
查看用户权限
mysql show grants for zx_root;
赋予权限
mysql grant select on dmc_db.* to zx_root;
回收权限
mysql revoke select on dmc_db.* from zx_root;
如果权限不存在会报错 设置权限时必须给出一下信息:
- 要授予的权限
- 被授予访问权限的数据库或表
- 用户名 grant和revoke可以在几个层次上控制访问权限:
- 整个服务器,使用 grant ALL 和revoke ALL
- 整个数据库,使用on database.*
- 特定表,使用on database.table
- 特定的列
- 特定的存储过程
MySQL的权限有哪些?
MySQL各种权限(共27个) (以下操作都是以root身份登陆进行grant授权,以p1@localhost身份登陆执行各种命令。)
- usage
连接(登陆)权限,建立一个用户,就会自动授予其usage权限(默认授予)。
该权限只能用于数据库登陆,不能执行任何操作;且usage权限不能被回收,也即REVOKE用户并不能删除用户。mysql grant usage on *.* to ‘p1′@’localhost’ identified by ‘123′; - select
必须有select的权限,才可以使用select tablemysql grant select on pyt.* to ‘p1′@’localhost’; mysql select * from shop; - create
必须有create的权限,才可以使用create tablemysql grant create on pyt.* to ‘p1′@’localhost’; - create routine
必须具有create routine的权限,才可以使用{create |alter|drop} {procedure|function}
当授予create routine时,自动授予EXECUTE, ALTER ROUTINE权限给它的创建者:mysql grant create routine on pyt.* to ‘p1′@’localhost’;mysql show grants for ‘p1′@’localhost’;+-----------------------------------------------------------+ Grants for p1@localhost +-----------------------------------------------------------+ | GRANT USAGE ON *.* TO ‘p1′@’localhost’ IDENTIFIED BY PASSWORD ‘*23AE809DDACAF96AF0FD78ED04B6A265E05AA257′ | | GRANT SELECT, CREATE, CREATE ROUTINE ON `pyt`.* TO ‘p1′@’localhost’| | GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `pyt`.`pro_shop1` TO ‘p1′@’localhost’ | +-----------------------------------------------------------+ - create temporary tables
必须有create temporary tables的权限,才可以使用create temporary tables.mysql grant create temporary tables on pyt.* to ‘p1′@’localhost’;[mysql@mydev ~]$ mysql -h localhost -u p1 -p pyt mysql create temporary table tt1(id int); - create view
必须有create view的权限,才可以使用create viewmysql grant create view on pyt.* to ‘p1′@’localhost’; mysql create view v_shop as select price from shop; - create user
要使用CREATE USER,必须拥有mysql数据库的全局CREATE USER权限,或拥有INSERT权限。
或:mysql grant create user on *.* to ‘p1′@’localhost’;mysql grant insert on *.* to p1@localhost; - insert
必须有insert的权限,才可以使用insert into ….. values…. - alter
必须有alter的权限,才可以使用alter tablealter table shop modify dealer char(15); - alter routine
必须具有alter routine的权限,才可以使用{alter |drop} {procedure|function}
Query OK, 0 rows affected (0.00 sec)mysql grant alter routine on pyt.* to ‘p1′@’ localhost ‘; mysql drop procedure pro_shop;mysql revoke alter routine on pyt.* from ‘p1′@’localhost’;
ERROR 1370 (42000): alter routine command denied to user ‘p1′@’localhost’ for routine ‘pyt.pro_shop’[mysql@mydev ~]$ mysql -h localhost -u p1 -p pyt mysql drop procedure pro_shop; - update
必须有update的权限,才可以使用update tablemysql update shop set price=3.5 where article=0001 and dealer=’A'; - delete
必须有delete的权限,才可以使用delete from ….where….(删除表中的记录) - drop
必须有drop的权限,才可以使用drop database db_name; drop table tab_name; drop view vi_name; drop index in_name; - show database
通过show database只能看到你拥有的某些权限的数据库,除非你拥有全局SHOW DATABASES权限。 对于p1@localhost用户来说,没有对mysql数据库的权限,所以以此身份登陆查询时,无法看到mysql数据库:mysql show databases;+------------------+ | Database | +------------------+ | information_schema| | pyt | | test | +------------------+ - show view
必须拥有show view权限,才能执行show create view。mysql grant show view on pyt.* to p1@localhost; mysql show create view v_shop; - index
必须拥有index权限,才能执行[create |drop] indexmysql grant index on pyt.* to p1@localhost; mysql create index ix_shop on shop(article); mysql drop index ix_shop on shop; - execute
执行存在的Functions,Proceduresmysql call pro_shop1(0001,@a);+---------+ | article | +---------+ | 0001 | | 0001 | +---------+mysql select @a;+------+ | @a | +------+ | 2 | +------+ - lock tables
必须拥有lock tables权限,才可以使用lock tablesmysql grant lock tables on pyt.* to p1@localhost; mysql lock tables a1 read; mysql unlock tables; - references
有了REFERENCES权限,用户就可以将其它表的一个字段作为某一个表的外键约束。 - reload
必须拥有reload权限,才可以执行flush [tables | logs | privileges]
ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGESmysql grant reload on pyt.* to p1@localhost;mysql grant reload on *.* to ‘p1′@’localhost’; Query OK, 0 rows affected (0.00 sec) mysql flush tables; - replication client
拥有此权限可以查询master server、slave server状态。
ERROR 1227 (42000): Access denied; you need the SUPER,REPLICATION CLIENT privilege for this operationmysql show master status;
或:mysql grant Replication client on *.* to p1@localhost;mysql grant super on *.* to p1@localhost;mysql show master status;+------------------+----------+--------------+------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | +------------------+----------+--------------+------------------+ | mysql-bin.000006 | 2111 | | | +------------------+----------+--------------+------------------+mysql show slave status; - replication slave
拥有此权限可以查看从服务器,从主服务器读取二进制日志。
ERROR 1227 (42000): Access denied; you need the REPLICATION SLAVE privilege for this operationmysql show slave hosts;
ERROR 1227 (42000): Access denied; you need the REPLICATION SLAVE privilege for this operationmysql show binlog events;
Empty set (0.00 sec)mysql grant replication slave on *.* to p1@localhost; mysql show slave hosts;mysql show binlog events;+-------------+-----+----------------+-----------+-------------+----------------+ | Log_name | Pos | Event_type | Server_id | End_log_pos | Info | +-------------+-----+----------------+-----------+-------------+----------------+ | mysql-bin.000005 | 4 | Format_desc | 1 | 98 | Server ver: 5.0.77-log, Binlog ver: 4 | | mysql-bin.000005 | 98 | Query | 1 | 197 | use `mysql`; create table a1(i int)engine=myisam | +-------------+-----+----------------+-----------+-------------+----------------+ - Shutdown
关闭MySQL:
重新连接:[mysql@mydev ~]$ mysqladmin shutdown
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)[mysql@mydev ~]$ mysql[mysql@mydev ~]$ cd /u01/mysql/bin [mysql@mydev bin]$ ./mysqld_safe [mysql@mydev bin]$ mysql - grant option
拥有grant option,就可以将自己拥有的权限授予其他用户(仅限于自己已经拥有的权限)mysql grant Grant option on pyt.* to p1@localhost; mysql grant select on pyt.* to p2@localhost; - file
拥有file权限才可以执行 select ..into outfile和load data infile…操作,但是不要把file, process, super权限授予管理员以外的账号,这样存在严重的安全隐患。mysql grant file on *.* to p1@localhost; mysql load data infile ‘/home/mysql/pet.txt’ into table pet; - super
这个权限允许用户终止任何查询;修改全局变量的SET语句;使用CHANGE MASTER,PURGE MASTER LOGS。mysql grant super on *.* to p1@localhost; mysql purge master logs before ‘mysql-bin.000006′; - process
通过这个权限,用户可以执行SHOW PROCESSLIST和KILL命令。默认情况下,每个用户都可以执行SHOW PROCESSLIST命令,但是只能查询本用户的进程。mysql show processlist;+----+------+-----------+------+---------+------+-------+------------------+ | Id | User | Host | db | Command | Time | State | Info | +----+------+-----------+------+---------+------+-------+------------------+ | 12 | p1 | localhost | pyt | Query | 0 | NULL | show processlist | +----+------+-----------+------+---------+------+-------+------------------+
另外: 管理权限(如 super, process, file等)不能够指定某个数据库,on后面必须跟*.*
mysql grant super on pyt.* to p1@localhost;
ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGES
mysql grant super on *.* to p1@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql grant 权限是什么权限
本文转自:DBAplus社群 Mysql 有多个个权限?经常记不住,今天总结一下,看后都能牢牢的记在心里啦!! 很明显总共28个权限:下面是具体的权限介绍:转载的,记录一下:
一.权限表
mysql数据库中的3个权限表:user、db、host 权限表的存取过程是:
- 先从user表中的host、user、password这3个字段中判断连接的IP、用户名、密码是否存在表中,存在则通过身份验证;
- 通过权限验证,进行权限分配时,按照user→db→tables_priv→columns_priv的顺序进行分配。即先检查全局权限表user,如果user中对应的权限为Y,则此用户对所有数据库的权限都为Y,将不再检查db, tables_priv,columns_priv;如果为N,则到db表中检查此用户对应的具体数据库,并得到db中为Y的权限;如果db中为N,则检查tables_priv中此数据库对应的具体表,取得表中的权限Y,以此类推。
二.MySQL各种权限(共27个)
(以下操作都是以root身份登陆进行grant授权,以p1@localhost身份登陆执行各种命令。)
- usage
连接(登陆)权限,建立一个用户,就会自动授予其usage权限(默认授予)。
该权限只能用于数据库登陆,不能执行任何操作;且usage权限不能被回收,也即REVOKE用户并不能删除用户。mysql grant usage on *.* to ‘p1′@’localhost’ identified by ‘123′; - select
必须有select的权限,才可以使用select tablemysql grant select on pyt.* to ‘p1′@’localhost’; mysql select * from shop; - create
必须有create的权限,才可以使用create tablemysql grant create on pyt.* to ‘p1′@’localhost’; - create routine
必须具有create routine的权限,才可以使用{create |alter|drop} {procedure|function}
当授予create routine时,自动授予EXECUTE, ALTER ROUTINE权限给它的创建者:mysql grant create routine on pyt.* to ‘p1′@’localhost’;mysql show grants for ‘p1′@’localhost’;+-----------------------------------------------------------+ Grants for p1@localhost +-----------------------------------------------------------+ | GRANT USAGE ON *.* TO ‘p1′@’localhost’ IDENTIFIED BY PASSWORD ‘*23AE809DDACAF96AF0FD78ED04B6A265E05AA257′ | | GRANT SELECT, CREATE, CREATE ROUTINE ON `pyt`.* TO ‘p1′@’localhost’| | GRANT EXECUTE, ALTER ROUTINE ON PROCEDURE `pyt`.`pro_shop1` TO ‘p1′@’localhost’ | +-----------------------------------------------------------+ - create temporary tables
必须有create temporary tables的权限,才可以使用create temporary tables.mysql grant create temporary tables on pyt.* to ‘p1′@’localhost’;[mysql@mydev ~]$ mysql -h localhost -u p1 -p pyt mysql create temporary table tt1(id int); - create view
必须有create view的权限,才可以使用create viewmysql grant create view on pyt.* to ‘p1′@’localhost’; mysql create view v_shop as select price from shop; - create user
要使用CREATE USER,必须拥有mysql数据库的全局CREATE USER权限,或拥有INSERT权限。
或:mysql grant create user on *.* to ‘p1′@’localhost’;mysql grant insert on *.* to p1@localhost; - insert
必须有insert的权限,才可以使用insert into ….. values…. - alter
必须有alter的权限,才可以使用alter tablealter table shop modify dealer char(15); - alter routine
必须具有alter routine的权限,才可以使用{alter |drop} {procedure|function}
Query OK, 0 rows affected (0.00 sec)mysql grant alter routine on pyt.* to ‘p1′@’ localhost ‘; mysql drop procedure pro_shop;mysql revoke alter routine on pyt.* from ‘p1′@’localhost’;
ERROR 1370 (42000): alter routine command denied to user ‘p1′@’localhost’ for routine ‘pyt.pro_shop’[mysql@mydev ~]$ mysql -h localhost -u p1 -p pyt mysql drop procedure pro_shop; - update
必须有update的权限,才可以使用update tablemysql update shop set price=3.5 where article=0001 and dealer=’A'; - delete
必须有delete的权限,才可以使用delete from ….where….(删除表中的记录) - drop
必须有drop的权限,才可以使用drop database db_name; drop table tab_name; drop view vi_name; drop index in_name; - show database
通过show database只能看到你拥有的某些权限的数据库,除非你拥有全局SHOW DATABASES权限。 对于p1@localhost用户来说,没有对mysql数据库的权限,所以以此身份登陆查询时,无法看到mysql数据库:mysql show databases;+------------------+ | Database | +------------------+ | information_schema| | pyt | | test | +------------------+ - show view
必须拥有show view权限,才能执行show create view。mysql grant show view on pyt.* to p1@localhost; mysql show create view v_shop; - index
必须拥有index权限,才能执行[create |drop] indexmysql grant index on pyt.* to p1@localhost; mysql create index ix_shop on shop(article); mysql drop index ix_shop on shop; - execute
执行存在的Functions,Proceduresmysql call pro_shop1(0001,@a);+---------+ | article | +---------+ | 0001 | | 0001 | +---------+mysql select @a;+------+ | @a | +------+ | 2 | +------+ - lock tables
必须拥有lock tables权限,才可以使用lock tablesmysql grant lock tables on pyt.* to p1@localhost; mysql lock tables a1 read; mysql unlock tables; - references
有了REFERENCES权限,用户就可以将其它表的一个字段作为某一个表的外键约束。 - reload
必须拥有reload权限,才可以执行flush [tables | logs | privileges]
ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGESmysql grant reload on pyt.* to p1@localhost;
Query OK, 0 rows affected (0.00 sec)mysql grant reload on *.* to ‘p1′@’localhost’;mysql flush tables; - replication client
拥有此权限可以查询master server、slave server状态。
ERROR 1227 (42000): Access denied; you need the SUPER,REPLICATION CLIENT privilege for this operationmysql show master status;
或:mysql grant Replication client on *.* to p1@localhost;mysql grant super on *.* to p1@localhost;mysql show master status;+------------------+----------+--------------+------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | +------------------+----------+--------------+------------------+ | mysql-bin.000006 | 2111 | | | +------------------+----------+--------------+------------------+mysql show slave status; - replication slave
拥有此权限可以查看从服务器,从主服务器读取二进制日志。
ERROR 1227 (42000): Access denied; you need the REPLICATION SLAVE privilege for this operationmysql show slave hosts;
ERROR 1227 (42000): Access denied; you need the REPLICATION SLAVE privilege for this operationmysql show binlog events;
Empty set (0.00 sec)mysql grant replication slave on *.* to p1@localhost; mysql show slave hosts;mysql show binlog events;+-------------+-----+----------------+-----------+-------------+----------------+ | Log_name | Pos | Event_type | Server_id | End_log_pos | Info | +-------------+-----+----------------+-----------+-------------+----------------+ | mysql-bin.000005 | 4 | Format_desc | 1 | 98 | Server ver: 5.0.77-log, Binlog ver: 4 | | mysql-bin.000005 | 98 | Query | 1 | 197 | use `mysql`; create table a1(i int)engine=myisam | +-------------+-----+----------------+-----------+-------------+----------------+ - Shutdown
关闭MySQL:
重新连接:[mysql@mydev ~]$ mysqladmin shutdown
ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)[mysql@mydev ~]$ mysql[mysql@mydev ~]$ cd /u01/mysql/bin [mysql@mydev bin]$ ./mysqld_safe [mysql@mydev bin]$ mysql - grant option
拥有grant option,就可以将自己拥有的权限授予其他用户(仅限于自己已经拥有的权限)mysql grant Grant option on pyt.* to p1@localhost; mysql grant select on pyt.* to p2@localhost; - file
拥有file权限才可以执行 select ..into outfile和load data infile…操作,但是不要把file, process, super权限授予管理员以外的账号,这样存在严重的安全隐患。mysql grant file on *.* to p1@localhost; mysql load data infile ‘/home/mysql/pet.txt’ into table pet; - super
这个权限允许用户终止任何查询;修改全局变量的SET语句;使用CHANGE MASTER,PURGE MASTER LOGS。mysql grant super on *.* to p1@localhost; mysql purge master logs before ‘mysql-bin.000006′; - process
通过这个权限,用户可以执行SHOW PROCESSLIST和KILL命令。默认情况下,每个用户都可以执行SHOW PROCESSLIST命令,但是只能查询本用户的进程。mysql show processlist;+----+------+-----------+------+---------+------+-------+------------------+ | Id | User | Host | db | Command | Time | State | Info | +----+------+-----------+------+---------+------+-------+------------------+ | 12 | p1 | localhost | pyt | Query | 0 | NULL | show processlist | +----+------+-----------+------+---------+------+-------+------------------+
另外: 管理权限(如 super, process, file等)不能够指定某个数据库,on后面必须跟*.*
mysql grant super on pyt.* to p1@localhost;
ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGES
mysql grant super on *.* to p1@localhost;
Query OK, 0 rows affected (0.01 sec)
MySQL:grant 语法详解(MySQL5.X)
本文实例,运行于MySQL5.0及以上版本。 MySQL赋予用户权限命令的简单格式可概括为:
grant
权限
on
数据库对象
to
用户
一、grant
普通数据用户,查询、插入、更新、删除数据库中所有表数据的权利。
grant select on testdb.* to common_user@'%'
grant insert on testdb.* to common_user@'%'
grant update on testdb.* to common_user@'%'
grant delete on testdb.* to common_user@'%'
或者,用一条MySQL命令来替代:
grant select, insert, update, delete on testdb.* to common_user@'%'
二、grant
数据库开发人员,创建表、索引、视图、存储过程、函数。。。等权限。 grant 创建、修改、删除MySQL数据表结构权限。
grant create on testdb.* to developer@'192.168.0.%';
grant alter on testdb.* to developer@'192.168.0.%';
grant drop on testdb.* to developer@'192.168.0.%';
grant 操作MySQL外键权限。
grant references on testdb.* to developer@'192.168.0.%';
grant 操作MySQL临时表权限。
grant create temporary tables on testdb.* to developer@'192.168.0.%';
grant 操作MySQL索引权限。
grant index on testdb.* to developer@'192.168.0.%';
grant 操作MySQL视图、查看视图源代码权限。
grant create view on testdb.* to developer@'192.168.0.%';
grant show view on testdb.* to developer@'192.168.0.%';
grant 操作MySQL存储过程、函数权限。
grant create routine on testdb.* to developer@'192.168.0.%';
-- now, can show procedure status
grant alter routine on testdb.* to developer@'192.168.0.%';
-- now, you can drop a procedure
grant execute on testdb.* to developer@'192.168.0.%';
三、grant
普通DBA管理某个MySQL数据库的权限。
grant all privileges on testdb to dba@'localhost'
其中,关键字“privileges”可以省略。
四、grant
高级DBA管理MySQL中所有数据库的权限。
grant all on *.* to dba@'localhost'
五、MySQLgrant权限,分别可以作用在多个层次上。
- grant作用在整个MySQL服务器上:
grant select on *.* to dba@localhost; -- dba可以查询MySQL中所有数据库中的表。 grant all on *.* to dba@localhost; -- dba可以管理MySQL中的所有数据库 - grant作用在单个数据库上:
grant select on testdb.* to dba@localhost; -- dba可以查询testdb中的表。 - grant作用在单个数据表上:
grant select, insert, update, delete on testdb.orders to dba@localhost; - grant作用在表中的列上:
grant select(id, se, rank) on testdb.apache_log to dba@localhost; - grant作用在存储过程、函数上:
grant execute on procedure testdb.pr_add to 'dba'@'localhost' grant execute on function testdb.fn_add to 'dba'@'localhost'
六、查看MySQL用户权限
查看当前用户(自己)权限:
show grants;
查看其他MySQL用户权限:
show grants for dba@localhost;
七、撤销已经赋予给MySQL用户权限的权限。
revoke跟grant的语法差不多,只需要把关键字“to”换成“from”即可:
grant all on *.* to dba@localhost;
revoke all on *.* from dba@localhost;
八、MySQLgrant、revoke用户权限注意事项
- grant, revoke用户权限后,该用户只有重新连接MySQL数据库,权限才能生效。
- 如果想让授权的用户,也可以将这些权限grant给其他用户,需要选项“grant option”
这个特性一般用不到。实际中,数据库权限最好由DBA来统一管理。grant select on testdb.* to dba@localhost with grant option;
