我感觉,了解一个数据库,会了一些基本的皮毛之后,就要去了解权限系统。
mysql中权限是存储在名为mysql的数据库中的。在数据库启动之后,权限表被加载到内存。
mysql使用hostname和username来辨识一个用户。看下面这段解释:
MySQL considers both your host name and user name in identifying you because there is no reason to assume that a given user name belongs to the same person on all hosts. For example, the user joe who connects from office.example.com need not be the same person as the user joe who connects from home.example.com.
通过这种方法,在不同host上的同名用户名可以被辨识为不同的数据库用户。
mysql权限控制分为两步,
第一步、根据用户名和密码确认用户是否能够连接。
第二步、如果用户连接上了数据库,那么还要判断用户是否有权限执行请求的操作。比如说,如果只有select权限,就不能执行drop操作。
那么设置的权限什么时候生效呢?
When mysqld starts, it reads all grant table contents into memory. The in-memory tables become effective for access control at that point.
If you modify the grant tables indirectly using account-management statements such as GRANT, REVOKE, SET PASSWORD, or RENAME USER, the server notices these changes and loads the grant tables into memory again immediately.
If you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE, your changes have no effect on privilege checking until you either restart the server or tell it to reload the tables. If you change the grant tables directly but forget to reload them, your changes have no effect until you restart the server. This may leave you wondering why your changes seem to make no difference!
To tell the server to reload the grant tables, perform a flush-privileges operation. This can be done by issuing aFLUSH PRIVILEGES statement or by executing a mysqladmin flush-privileges or mysqladmin reloadcommand.
A grant table reload affects privileges for eachexisting client connectionas follows:
-
Table and column privilege changes take effect with the client's next request.【对于表或者列的权限变化,下一个请求生效】
-
Database privilege changes take effect the next time the client executes a
USEstatement.【对于数据库层次上的权限,下次use db_name的时候才会生效】db_nameNoteClient applications may cache the database name; thus, this effect may not be visible to them without actually changing to a different database or flushing the privileges.【客户端有可能会一直cache数据库名,所以有可能】
-
Global privileges and passwords are unaffected for a connected client. These changes take effect only for subsequent connections.
If the server is started with the --skip-grant-tables option, it does not read the grant tables or implement any access control. Anyone can connect and do anything, which is insecure. To cause a server thus started to read the tables and enable access checking, flush the privileges.
总结来说,就是,使用了grant、revoke等功能来设置权限的话,立即会生效。如果是直接insert或者delete等操作了权限表,那么直到数据库重启或者是reload权限之前,都不回有任何效果。可以通过flush privileges命令来重新加载权限。
使用skip-grant-tables可以跳过权限控制,直接进入mysql。这点可以用在忘记密码的情况下。修改好了密码之后再次启动mysql即可【此次不用skip-grant-tables选项】。
看下关于这个选项:
This option causes the server to start without using the privilege system at all, which gives anyone with access to the server unrestricted access to all databases. You can cause a running server to start using the grant tables again by executing mysqladmin flush-privileges or mysqladmin reload command from a system shell, or by issuing a MySQL FLUSH PRIVILEGES statement after connecting to the server.
如果开启了这个选项,可以在数据库运行期间再flush privileges重新装载权限,这样就会有权限判断了。
--------------------------------------------------------------------------------------------
当我们修改了权限之后,可以用show grants命令来验证一下。
--修改MySQL 帐号的一些rules:
(1)Syntax for account names is 'user_name'@'host_name'.
--帐号格式
(2) An account name consisting only of a user name is equivalent to 'user_name'@'%'. For example, 'me' is equivalentto 'me'@'%'.
--帐号可以仅由一个用户名组成,host 使用%来代替,表示所有的host都可以。
(3) The user name and host name need not be quoted if they are legal as unquoted identifiers. Quotes are necessary to specify a user_name string containing special characters (such as “-”), or ahost_name string containing special characters or wildcard characters (such as“%”); for example, 'test-user'@'%.com'.
--帐号的user 和host 如果是规则的,可以不使用单引号,如果不规则,如使用特殊符号,或者有通配符,就需要用单引号括起来。
(4) Quote user names and host names as identifiers or as strings, using either backticks (“`”), single quotation marks(“'”), or double quotation marks (“"”).
(5) The user name and host name parts,if quoted, must be quoted separately. That is, write 'me'@'localhost', not 'me@localhost';the latter is interpreted as 'me@localhost'@'%'.
(6) A reference to the CURRENT_USER() (orCURRENT_USER) function is equivalent to specifying the current user's name and host name literally.
-------------------------------------------
具体权限介绍
权限信息用user、db、host、tables_priv和columns_priv表被存储在mysql数据库中(即在名为mysql的数据库中)。在MySQL启动时和在权限修改何时生效所说的情况时,服务器读入这些数据库表内容。
| 权限 | 列 | 上下文 |
| select | Select_priv | 表 |
| insert | Insert_priv | 表 |
| update | Update_priv | 表 |
| delete | Delete_priv | 表 |
| index | Index_priv | 表 |
| alter | Alter_priv | 表 |
| create | Create_priv | 数据库、表或索引 |
| drop | Drop_priv | 数据库或表 |
| grant | Grant_priv | 数据库或表 |
| references | References_priv | 数据库或表 |
| reload | Reload_priv | 服务器管理 |
| shutdown | Shutdown_priv | 服务器管理 |
| process | Process_priv | 服务器管理 |
| file | File_priv | 在服务器上的文件存取 |
grant权限允许你把你自己拥有的那些权限授给其他的用户。
file权限给予你用LOAD DATA INFILE和SELECT ... INTO OUTFILE语句读和写服务器上的文件,任何被授予这个权限的用户都能读或写MySQL服务器能读或写的任何文件。
1107
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
