我们使用DDL的"CREATE USER"语句创建用户,新的SQL用户不允许访问属于其他SQL用户的表,也不能立即创建自己的表,它必须被授权。可以授予的权限包括以下几组:
1.列权限:和表中的一个具体列相关
2.表权限:和一个具体数据表中所有数据相关
3.数据库权限:和一个具体数据库中所有数据表相关
4.用户权限:和MySQL所有的数据库相关
可以使用SHOW GRANTS命令查看当前用户的权限。
SHOW GRANTS;/显示当前用户权限 SHOW GRANTS FOR ‘pinnsvin‘@‘localhost‘;/显示指定用户权限 SHOW GRANTS FOR CURRENT_USER();/显示当前用户权限
1.GRANT授权语句
语法:
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level TO user_specification [, user_specification] ... [REQUIRE {NONE | ssl_option [[AND] ssl_option] ...}] [WITH {GRANT OPTION | resource_option} ...] /代理 GRANT PROXY ON user_specification TO user_specification [, user_specification] ... [WITH GRANT OPTION]/联级授权,选了此项,该用户有权将自己的权限授予自己创建的子用户 /授权目标对象类型 object_type: { TABLE | FUNCTION | PROCEDURE } /授权目标 priv_level: { * | *.* | db_name.* | db_name.tbl_name | tbl_name | db_name.routine_name } /授权用户 user_specification: user [ auth_option ] auth_option: { IDENTIFIED BY ‘auth_string‘ | IDENTIFIED BY PASSWORD ‘hash_string‘ | IDENTIFIED WITH auth_plugin | IDENTIFIED WITH auth_plugin AS ‘hash_string‘ } /SSL设置 ssl_option: { SSL | X509 | CIPHER ‘cipher‘ | ISSUER ‘issuer‘ | SUBJECT ‘subject‘ } resource_option: { | MAX_QUERIES_PER_HOUR count /允许用户每小时执行的查询语句数量 | MAX_UPDATES_PER_HOUR count /允许用户每小时执行更新语句数量 | MAX_CONNECTIONS_PER_HOUR count /允许用户每小时连接的次数 | MAX_USER_CONNECTIONS count /允许用户同时连接服务器的数量 }
实例:
/先要创建一个用户,创建了一个名为jeffrey,登录主机为localhost,密码为mypass的用户 CREATE USER ‘jeffrey‘@‘localhost‘ IDENTIFIED BY ‘mypass‘; /授予了用户jeffrey@localhost对数据库db1下所有数据表所有操作权限 GRANT ALL ON db1.* TO ‘jeffrey‘@‘localhost‘; /授予了用户‘jeffrey‘@‘localhost‘对数据库db2下invoice数据表的查询权限 GRANT SELECT ON db2.invoice TO ‘jeffrey‘@‘localhost‘; /USAGE意指无权限,用户[email protected] 在一个小时内只有90次查询权限 GRANT USAGE ON *.* TO ‘jeffrey‘@‘localhost‘ WITH MAX_QUERIES_PER_HOUR 90;
2.REVOKE撤销授权语句
语法:
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... ON [object_type] priv_level FROM user [, user] ... REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ... /授权代理 REVOKE PROXY ON user FROM user [, user] ...
实例:
/撤回了用户jeffrey@localhost对数据库db1下所有数据表所有操作权限 REVOKE ALL ON db1.* FROM ‘jeffrey‘@‘localhost‘; /撤回了用户‘jeffrey‘@‘localhost‘对数据库db2下invoice数据表的查询权限 REVOKE SELECT ON db2.invoice FROM ‘jeffrey‘@‘localhost‘;
时间: 2024-10-20 07:23:44