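MySQL can set an expiration time on a user's password; once it has passed, the user must change the password before they can work with MySQL again.
When an application developer needs access to the database, you can create an account with a default password and then set a password expiration rule. You can give this password to the developer, but after logging in they must change it before they can continue to use MySQL.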
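The password lifetime that applies to all created accounts is stored in the default_password_lifetime variable, which is disabled by default.

Create a user with an expired password. When the developer logs in to the database for the first time, no SQL statement can be executed; any attempt fails with ERROR 1820 (HY000), which means the password must be reset with an ALTER USER statement before anything else:

mysql> CREATE USER 'developer'@'%' IDENTIFIED WITH mysql_native_password AS '*EBD9E3BFD1489CA1EB0D2B4F29F6665F321E8C18' PASSWORD EXPIRE;
Query OK, 0 rows affected (0.04 sec)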
shell> mysql -u developer -pcompany_pass
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 8.0.3-rc-log
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SHOW DATABASES;
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.

The developer has to change the password with the following statement:

mysql> ALTER USER 'developer'@'%' IDENTIFIED WITH mysql_native_password BY 'new_company_pass';
Query OK, 0 rows affected (0.03 sec)

Manually expire the password of an existing user:

mysql> ALTER USER 'developer'@'%' PASSWORD EXPIRE;
Query OK, 0 rows affected (0.06 sec)

Require the user's password to be changed every 180 days:

mysql> ALTER USER 'developer'@'%' PASSWORD EXPIRE INTERVAL 180 DAY;
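Query OK, 0 rows affected (0.04 sec)

To disable the password expiration policy for an account, use the following statements. PASSWORD EXPIRE NEVER turns expiration off for the account; PASSWORD EXPIRE DEFAULT makes the account follow the global default_password_lifetime value:

mysql> ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE NEVER;
mysql> ALTER USER 'testuser'@'localhost' PASSWORD EXPIRE DEFAULT;

The password expiration policy can also be set in the configuration file:

[mysqld]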
# This is the default value; it does not need to be set
default_password_lifetime=0
# Require a password change every 180 days
default_password_lifetime=180
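
To check which policy each account actually ends up with after the statements above, the query below reads the expiration columns of the mysql.user grant table and resolves the global default. It is an added example, not part of the original article; it assumes MySQL 8.0 (the version in the session above) and an account allowed to read mysql.user, and the output column names (policy, effective_days, days_left) are made up for this illustration.

```sql
-- Added example: report the effective password-expiration policy per account.
-- mysql.user.password_lifetime is NULL when the account follows the global
-- default_password_lifetime (PASSWORD EXPIRE DEFAULT), 0 for
-- PASSWORD EXPIRE NEVER, and N for PASSWORD EXPIRE INTERVAL N DAY.
SELECT *
FROM (
    SELECT
        user,
        host,
        password_expired,          -- 'Y' after a manual PASSWORD EXPIRE
        password_last_changed,
        CASE
            WHEN password_lifetime IS NULL THEN 'DEFAULT (global)'
            WHEN password_lifetime = 0     THEN 'NEVER'
            ELSE CONCAT('INTERVAL ', password_lifetime, ' DAY')
        END AS policy,
        -- Lifetime in days that really applies; 0 means "does not expire".
        COALESCE(password_lifetime,
                 @@GLOBAL.default_password_lifetime) AS effective_days,
        CASE
            -- Already expired by hand: the next login hits ERROR 1820.
            WHEN password_expired = 'Y' THEN 0
            -- No lifetime in force: nothing to count down.
            WHEN COALESCE(password_lifetime,
                          @@GLOBAL.default_password_lifetime) = 0 THEN NULL
            -- Days remaining; zero or negative means the password is
            -- overdue and must be reset at the next login.
            ELSE COALESCE(password_lifetime,
                          @@GLOBAL.default_password_lifetime)
                 - DATEDIFF(NOW(), password_last_changed)
        END AS days_left
    FROM mysql.user
) AS account_policy
-- Accounts closest to (or past) expiry first, non-expiring accounts last.
ORDER BY days_left IS NULL, days_left, user, host;
```

Rows with policy NEVER or with effective_days of 0 are the accounts exempt from rotation, which is the set worth reviewing after changing default_password_lifetime.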