使用 docker 安裝 MySQL 并快速啟動(dòng)畔规,現(xiàn)在我們進(jìn)入docker容器。
? ~ docker exec -it mysql8 /bin/bash
root@dedd71769326:/#
MySQL數(shù)據(jù)庫連接
MySQL命令語法
用戶名是你登錄的用戶惦银,主機(jī)名或者IP地址為可選項(xiàng),如果是本地連接則不需要設(shè)置祝高,遠(yuǎn)程連接服務(wù)端則需要填寫,密碼是對(duì)應(yīng)用戶的密碼。
mysql –u用戶名 [–h主機(jī)名或者IP地址,-P端口號(hào)] –p密碼
-
-u:登錄的用戶名。 -
-h:遠(yuǎn)程主機(jī)名或IP地址兽掰,不填寫則默認(rèn)本地地址。 -
-P:MySQL端口號(hào)徒役,默認(rèn)為3306孽尽。 -
-p:該登錄用戶對(duì)應(yīng)的登錄密碼。
root@dedd71769326:/# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.21 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL賬戶查看
由于 root 權(quán)限很高忧勿,所以一般項(xiàng)目上會(huì)分配不同的賬戶和權(quán)限供程序員操作杉女。
查看已有賬戶
mysql> select user from mysql.user;
+------------------+
| user |
+------------------+
| root |
| mysql.infoschema |
| mysql.session |
| mysql.sys |
| root |
+------------------+
5 rows in set (0.03 sec)
為什么有兩條 root 信息瞻讽?我們來詳細(xì)看一下。
mysql> select user, host from mysql.user;
+------------------+-----------+
| user | host |
+------------------+-----------+
| root | % |
| mysql.infoschema | localhost |
| mysql.session | localhost |
| mysql.sys | localhost |
| root | localhost |
+------------------+-----------+
5 rows in set (0.00 sec)
這里host字段代表允許任意ip地址登錄MySQL熏挎。目前root賬戶允許遠(yuǎn)程和本地登錄速勇。
查看當(dāng)前賬戶
mysql> select current_user;
+----------------+
| current_user |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
如果我們使用外部電腦連接
mysql> select current_user;
+----------------+
| current_user |
+----------------+
| root@% |
+----------------+
1 row in set (0.00 sec)
則表示當(dāng)前登陸root賬戶允許遠(yuǎn)程和本地登錄。
MySQL賬戶創(chuàng)建
MySQL命令語法
CREATE USER [IF NOT EXISTS]
user [auth_option] [, user [auth_option]] ...
DEFAULT ROLE role [, role ] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH resource_option [resource_option] ...]
[password_option | lock_option] ...
user:
(see Section 6.2.4, “Specifying Account Names”)
auth_option: {
IDENTIFIED BY 'auth_string'
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin BY 'auth_string'
| IDENTIFIED WITH auth_plugin AS 'hash_string'
}
tls_option: {
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: {
MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
password_option: {
PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
| PASSWORD HISTORY {DEFAULT | N}
| PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
| PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}
lock_option: {
ACCOUNT LOCK
| ACCOUNT UNLOCK
}
user:賬戶名稱坎拐,語法是'user_name'@'host_name'烦磁,其中主機(jī)地址可以寫為%表示接受任何地址的連接。auth_option:身份驗(yàn)證方式哼勇,可以指定密碼以及認(rèn)證插件(mysql_native_password个初、sha256_password、caching_sha2_password)猴蹂。tls_option: 加密連接選項(xiàng)。resource_option: 用戶資源限制楣嘁,比如每小時(shí)最大連接數(shù)磅轻。password_option: 密碼額外的控制,比如設(shè)定失效時(shí)間逐虚。lock_option: 賬戶鎖定選項(xiàng)聋溜,由管理員上鎖或者解鎖(ACCOUNT LOCK | ACCOUNT UNLOCK)。
最簡單的就是指定賬戶名+密碼
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'password';
加上認(rèn)證插件
CREATE USER 'tian'@'localhost' IDENTIFIED WITH sha256_password BY 'password';
指定密碼過期叭爱,以便用戶第一次使用的時(shí)候需要修改密碼
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE;
也可以指定每隔一段時(shí)間修改一次新密碼
CREATE USER 'tian'@'localhost' IDENTIFIED BY 'new_password' PASSWORD EXPIRE INTERVAL 180 DAY;
可以指定加密連接
-- 不使用加密連接
CREATE USER 'tian'@'localhost' REQUIRE NONE撮躁;
-- 使用加密連接
CREATE USER 'tian'@'localhost' REQUIRE SSL;
-- 使用加密連接,并要求客戶端提供有效證書
CREATE USER 'tian'@'localhost' REQUIRE X509;
CREATE USER 'tian'@'localhost' REQUIRE ISSUER 'CA頒發(fā)的有效X.509證書';
CREATE USER 'tian'@'localhost' REQUIRE SUBJECT '包含主題的有效X.509證書';
CREATE USER 'tian'@'localhost' REQUIRE CIPHER '指定的加密方法';
可以指定資源控制
-- 單位小時(shí)內(nèi)买雾,賬戶被允許查詢500次把曼,更新100次,單位小時(shí)內(nèi)最大連接數(shù)不限制漓穿。最大并發(fā)連接數(shù)不限制
CREATE USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100 MAX_CONNECTIONS_PER_HOUR 0 MAX_USER_CONNECTIONS 0嗤军;
可以鎖定賬戶
-- 鎖定
CREATE USER 'tian'@'localhost' ACCOUNT LOCK
-- 解鎖
ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK
最后完整的命令選項(xiàng)大概這個(gè)樣子
CREATE USER 'user_name'@'host_name' IDENTIFIED [WITH auth_plugin] BY 'auth_string' [REQUIRE NONE(SSL,X509)] [WITH MAX_QUERIES_PER_HOUR count | MAX_UPDATES_PER_HOUR count | MAX_CONNECTIONS_PER_HOUR count | MAX_USER_CONNECTIONS count] [PASSWORD EXPIRE] [ACCOUNT LOCK]
如果你要?jiǎng)h除賬戶
DROP USER 'tian'@'localhost';
如果你要修改名稱
RENAME USER 'tian'@'localhost' TO 'tina'@'127.0.0.1';
MySQL角色創(chuàng)建
MySQL8里新加入了對(duì)于角色的管理,下面就簡單的說一下如何使用:
角色可以理解為一組權(quán)限的集合晃危,然后將角色賦給某個(gè)帳戶叙赚,該帳戶就擁有了角色對(duì)應(yīng)的權(quán)限,每個(gè)帳戶可以擁有多個(gè)角色僚饭,就像游戲里震叮,你可以有很多稱號(hào)一樣。
-- 名字規(guī)范
'role_name'@'host_name'
-- 通常僅使用用戶名部分指定角色名稱鳍鸵,并隱式使用主機(jī)名部分 '%'苇瓣,主機(jī)名部分沒有任何意義
'admin'
創(chuàng)建角色
-- 省略主機(jī)名,默認(rèn)為 '%'
CREATE ROLE 'admin', 'dev';
-- 這種也可以权纤,但是沒意義
CREATE ROLE 'app'@'localhost';
移除角色
DROP ROLE 'admin', 'dev';
MySQL賬戶更新
MySQL命令語法
ALTER USER [IF EXISTS]
user [auth_option] [, user [auth_option]] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH resource_option [resource_option] ...]
[password_option | lock_option] ...
ALTER USER [IF EXISTS] USER() user_func_auth_option
ALTER USER [IF EXISTS]
user DEFAULT ROLE
{NONE | ALL | role [, role ] ...}
user:
(see Section 6.2.4, “Specifying Account Names”)
auth_option: {
IDENTIFIED BY 'auth_string'
[REPLACE 'current_auth_string']
[RETAIN CURRENT PASSWORD]
| IDENTIFIED WITH auth_plugin
| IDENTIFIED WITH auth_plugin BY 'auth_string'
[REPLACE 'current_auth_string']
[RETAIN CURRENT PASSWORD]
| IDENTIFIED WITH auth_plugin AS 'auth_string'
| DISCARD OLD PASSWORD
}
user_func_auth_option: {
IDENTIFIED BY 'auth_string'
[REPLACE 'current_auth_string']
[RETAIN CURRENT PASSWORD]
| DISCARD OLD PASSWORD
}
tls_option: {
SSL
| X509
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
}
resource_option: {
MAX_QUERIES_PER_HOUR count
| MAX_UPDATES_PER_HOUR count
| MAX_CONNECTIONS_PER_HOUR count
| MAX_USER_CONNECTIONS count
}
password_option: {
PASSWORD EXPIRE [DEFAULT | NEVER | INTERVAL N DAY]
| PASSWORD HISTORY {DEFAULT | N}
| PASSWORD REUSE INTERVAL {DEFAULT | N DAY}
| PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]
}
lock_option: {
ACCOUNT LOCK
| ACCOUNT UNLOCK
}
參數(shù)選項(xiàng)參考創(chuàng)建賬戶钓简。
修改自己當(dāng)前的密碼
ALTER USER USER() IDENTIFIED BY 'new_password';
修改賬戶密碼
ALTER USER 'tian'@'localhost' IDENTIFIED BY 'new_password';
修改認(rèn)證插件
ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password;
修改密碼和插件
ALTER USER 'tian'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';
修改角色
-- 授予自定義角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE your_role_name;
-- 無角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE NONE;
-- 所有角色
ALTER USER 'tian'@'localhost' DEFAULT ROLE ALL;
修改加密方式
-- 只有賬戶密碼正確乌妒,無須加密連接
ALTER USER 'tian'@'localhost' REQUIRE NONE;
-- 需要加密連接
ALTER USER 'tian'@'localhost' REQUIRE SSL;
...
修改資源訪問
-- 單位小時(shí)內(nèi),最大查詢數(shù)量和更新數(shù)量
ALTER USER 'tian'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;
指定密碼過期
ALTER USER 'tian'@'localhost' PASSWORD EXPIRE;
修改鎖定解鎖
ALTER USER 'tian'@'localhost' ACCOUNT LOCK;
ALTER USER 'tian'@'localhost' ACCOUNT UNLOCK;
MySQL賬戶授權(quán)
MySQL命令語法
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
TO user_or_role [, user_or_role] ...
[WITH GRANT OPTION]
[AS user
[WITH ROLE
DEFAULT
| NONE
| ALL
| ALL EXCEPT role [, role ] ...
| role [, role ] ...
]
]
}
GRANT PROXY ON user_or_role
TO user_or_role [, user_or_role] ...
[WITH GRANT OPTION]
GRANT role [, role] ...
TO user_or_role [, user_or_role] ...
[WITH ADMIN OPTION]
object_type: {
TABLE
| FUNCTION
| PROCEDURE
}
priv_level: {
*
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name
| db_name.routine_name
}
user_or_role: {
user
| role
}
user:
(see Section 6.2.4, “Specifying Account Names”)
role:
(see Section 6.2.5, “Specifying Role Names”)
GRANT語法使得管理員能夠授予賬戶權(quán)限或者角色外邓,但是GRANT不能再一個(gè)語句中同時(shí)授予權(quán)限和角色撤蚊。
- 有ON,是授予權(quán)限
- 無ON损话,是授予角色
-- 授予數(shù)據(jù)庫db1的所有權(quán)限給指定賬戶
GRANT ALL ON db1.* TO 'tian'@'localhost';
-- 授予角色給指定的賬戶
GRANT 'role1', 'role2' TO 'user1'@'localhost', 'user2'@'localhost';
-- 授予數(shù)據(jù)庫world的SELECT權(quán)限給指定的角色
GRANT SELECT ON world.* TO 'role3';
基本語法
GRANT [權(quán)限] ON [數(shù)據(jù)庫名].[表名] TO 'user_name'@'localhost' ...;
-- 授予所有數(shù)據(jù)庫的權(quán)限
GRANT [權(quán)限] ON *.* TO 'user_name'@'localhost' ...;
注:全局權(quán)限是管理或適用于給定服務(wù)器上的所有數(shù)據(jù)庫侦啸。要分配全局權(quán)限,請(qǐng)使用 ON *.*語法
下面是權(quán)限列表
mysql> show privileges;
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Privilege | Context | Comment |
+----------------------------+---------------------------------------+-------------------------------------------------------+
| Alter | Tables | To alter the table |
| Alter routine | Functions,Procedures | To alter or drop stored functions/procedures |
| Create | Databases,Tables,Indexes | To create new databases and tables |
| Create routine | Databases | To use CREATE FUNCTION/PROCEDURE |
| Create role | Server Admin | To create new roles |
| Create temporary tables | Databases | To use CREATE TEMPORARY TABLE |
| Create view | Tables | To create new views |
| Create user | Server Admin | To create new users |
| Delete | Tables | To delete existing rows |
| Drop | Databases,Tables | To drop databases, tables, and views |
| Drop role | Server Admin | To drop roles |
| Event | Server Admin | To create, alter, drop and execute events |
| Execute | Functions,Procedures | To execute stored routines |
| File | File access on server | To read and write files on the server |
| Grant option | Databases,Tables,Functions,Procedures | To give to other users those privileges you possess |
| Index | Tables | To create or drop indexes |
| Insert | Tables | To insert data into tables |
| Lock tables | Databases | To use LOCK TABLES (together with SELECT privilege) |
| Process | Server Admin | To view the plain text of currently executing queries |
| Proxy | Server Admin | To make proxy user possible |
| References | Databases,Tables | To have references on tables |
| Reload | Server Admin | To reload or refresh tables, logs and privileges |
| Replication client | Server Admin | To ask where the slave or master servers are |
| Replication slave | Server Admin | To read binary log events from the master |
| Select | Tables | To retrieve rows from table |
| Show databases | Server Admin | To see all databases with SHOW DATABASES |
| Show view | Tables | To see views with SHOW CREATE VIEW |
| Shutdown | Server Admin | To shut down the server |
| Super | Server Admin | To use KILL thread, SET GLOBAL, CHANGE MASTER, etc. |
| Trigger | Tables | To use triggers |
| Create tablespace | Server Admin | To create/alter/drop tablespaces |
| Update | Tables | To update existing rows |
| Usage | Server Admin | No privileges - allow connect only |
| XA_RECOVER_ADMIN | Server Admin | |
| SHOW_ROUTINE | Server Admin | |
| RESOURCE_GROUP_USER | Server Admin | |
| SET_USER_ID | Server Admin | |
| SESSION_VARIABLES_ADMIN | Server Admin | |
| CLONE_ADMIN | Server Admin | |
| PERSIST_RO_VARIABLES_ADMIN | Server Admin | |
| ROLE_ADMIN | Server Admin | |
| BACKUP_ADMIN | Server Admin | |
| CONNECTION_ADMIN | Server Admin | |
| RESOURCE_GROUP_ADMIN | Server Admin | |
| INNODB_REDO_LOG_ARCHIVE | Server Admin | |
| BINLOG_ENCRYPTION_ADMIN | Server Admin | |
| REPLICATION_SLAVE_ADMIN | Server Admin | |
| SYSTEM_VARIABLES_ADMIN | Server Admin | |
| GROUP_REPLICATION_ADMIN | Server Admin | |
| SYSTEM_USER | Server Admin | |
| APPLICATION_PASSWORD_ADMIN | Server Admin | |
| TABLE_ENCRYPTION_ADMIN | Server Admin | |
| SERVICE_CONNECTION_ADMIN | Server Admin | |
| AUDIT_ADMIN | Server Admin | |
| BINLOG_ADMIN | Server Admin | |
| ENCRYPTION_KEY_ADMIN | Server Admin | |
| INNODB_REDO_LOG_ENABLE | Server Admin | |
| REPLICATION_APPLIER | Server Admin | |
+----------------------------+---------------------------------------+-------------------------------------------------------+
58 rows in set (0.00 sec)
權(quán)限范圍示例
-- 數(shù)據(jù)庫權(quán)限
GRANT ALL ON mydb.* TO 'user_name'@'host_name';
-- 表權(quán)限
GRANT ALL ON mydb.mytable TO 'user_name'@'host_name';
-- 列權(quán)限
GRANT SELECT (col1), INSERT (col1, col2) ON mydb.mytable TO 'user_name'@'host_name';
-- 存儲(chǔ)過程權(quán)限
GRANT CREATE ROUTINE ON mydb.* TO 'user_name'@'host_name';
GRANT EXECUTE ON PROCEDURE mydb.myproc TO 'user_name'@'host_name';
授權(quán)之后可以使用flush命令使其立即生效
FLUSH PRIVILEGES
FLUSH語法
FLUSH [NO_WRITE_TO_BINLOG | LOCAL] {
flush_option [, flush_option] ...
| tables_option
}
flush_option: {
BINARY LOGS
| ENGINE LOGS
| ERROR LOGS
| GENERAL LOGS
| HOSTS
| LOGS
| PRIVILEGES
| OPTIMIZER_COSTS
| RELAY LOGS [FOR CHANNEL channel]
| SLOW LOGS
| STATUS
| USER_RESOURCES
}
tables_option: {
TABLES
| TABLES tbl_name [, tbl_name] ...
| TABLES WITH READ LOCK
| TABLES tbl_name [, tbl_name] ... WITH READ LOCK
| TABLES tbl_name [, tbl_name] ... FOR EXPORT
}
FLUSH PRIVILEGES 包含以下操作
重新加載
mysql系統(tǒng)數(shù)據(jù)庫中的grant表中的權(quán)限信息丧枪,并清除caching_sha2_password身份驗(yàn)證插件使用的內(nèi)存緩存光涂。服務(wù)器讀取包含動(dòng)態(tài)特權(quán)分配的
global_grants表,并注冊(cè)其中的任何未注冊(cè)特權(quán)拧烦。服務(wù)器通過
GRANT忘闻、CREATE USER、CREATE SERVER和INSTALL PLUGIN語句將信息緩存到內(nèi)存中恋博。對(duì)應(yīng)的REVOKE齐佳、DROP USER、DROP SERVER和UNINSTALL插件語句不會(huì)釋放這些內(nèi)存债沮,因此對(duì)于執(zhí)行許多導(dǎo)致緩存的語句實(shí)例的服務(wù)器炼吴,內(nèi)存使用量將會(huì)增加∫唏茫可以使用刷新特權(quán)釋放此緩存內(nèi)存硅蹦。
FLUSH TABLES 包含以下操作
關(guān)閉所有打開的表,強(qiáng)制關(guān)閉所有正在使用的表闷煤,并刷新準(zhǔn)備好的語句緩存童芹。
REVOKE語法
既然可以授權(quán),那么就可以撤銷
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user_or_role [, user_or_role] ...
REVOKE ALL [PRIVILEGES], GRANT OPTION
FROM user_or_role [, user_or_role] ...
REVOKE PROXY ON user_or_role
FROM user_or_role [, user_or_role] ...
REVOKE role [, role ] ...
FROM user_or_role [, user_or_role ] ...
user_or_role: {
user
| role
}
user:
(see Section 6.2.4, “Specifying Account Names”)
role:
(see Section 6.2.5, “Specifying Role Names”.
REVOKE可以實(shí)現(xiàn)權(quán)限或者角色的撤銷(前提:擁有GRANT權(quán)限和REVOKE權(quán)限)
-- 撤銷用戶的INSERT權(quán)限
REVOKE INSERT ON *.* FROM 'tian'@'localhost';
-- 撤銷用戶的指定角色
REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost';
-- 撤銷角色的INSERT權(quán)限
REVOKE SELECT ON world.* FROM 'role3';
撤銷所有權(quán)限(只能撤銷權(quán)限曹傀,不能撤銷角色)
-- 從賬戶或者角色上撤銷所有權(quán)限
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user_or_role [, user_or_role] ...
-- 撤銷賬戶
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'tian'@'localhost'
-- 撤銷角色
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'role3'
在全局上撤銷權(quán)限(.)
-- 全局上撤銷所有權(quán)限
REVOKE ALL ON *.* FROM 'tian'@'localhost';
