grant 授权

什么是用户授权：在数据库服务器上添加新的连接用户，并设置权限和密码。

为什么要用授权：如果没有授权用户，那么只能有root用户在本机登陆数据库，其它用户无法登陆。

没有授权时，其它主机也无法访问数据库。

指令格式:

mysql> grant  权限列表  on  库名  to  用户名@"客户端地址" identified by "密码" ;

权限列表:

all       所有权限

usage  只能连接上数据库，没有任何权限

select,update,inseret ...    个别权限，这个权限对所有字段有效

select,update(字段1,字段2...)   只能对指定的字段有相应的权

库名:

*.*              所有库所有表

库名.*         一个库

库名.表名   一张表

用户名:

授权时可以自定义,要有标识性,容易记,可以名中看出用途存储在mysql库的user表里

客户端地址:

% 表示互联网上的所有主机0

192.168.4.% 网段内的所有主机

192.168.4.1 1台主机

localhost 数据库服务器本机

授权举例1:

添加admin用户,允许从192.168.4.0/24网段连接,对db3库的user表有查询权限,密码为123456

mysql> grant select on db3.user to admin@"192.168.4.%" identified by "123456";

授权举例2:

添加admin2,允许从本机连接,允许以db3库的所有表有 查询,更新,插入删除记录权限,密码为123456

mysql> grant select ,insert,update,delete on db3.* toadmin2@"localhost" identifiedby "123456";

授权库

grant授权的信息是保存在授权库中的，mysql库记录了授权信息，主要的表如下：

user                 记录已有的授权用户及权限

db                    记录已有授权用户对数据库的访问权限

tables_priv      记录已有授权用户对表的访问权限

columns_priv  记录已有授权用户对字段的访问权限

一 查看当前columns_priv，tables_priv,db,user表中的授权用户

mysql> select user,host,db,table_name,column_name frommysql.columns_priv;

Emptyset (0.00sec) #columns_priv表当前为空，说明当前数据库没有真对某些字段的授权mysql> select user,host,db,table_name frommysql.tables_priv;+-----------+-----------+-----+------------+ #tables_priv表中只有系统默认的授权用户msyql.sys

| user | host | db | table_name |

+-----------+-----------+-----+------------+

| mysql.sys | localhost | sys | sys_config |

+-----------+-----------+-----+------------+mysql> select user,host,db frommysql.db;+-----------+-----------+-----+ #db表中也是系统默认授权用户mysql.sys

| user | host | db |

+-----------+-----------+-----+

| mysql.sys | localhost | sys |

+-----------+-----------+-----+mysql> select user,host from mysql.user;+-----------+-----------+ #user表中有系统默认用户mysql.sys和root

| user | host |

+-----------+-----------+

| mysql.sys | localhost |

| root | localhost |

+-----------+-----------+二 添加真对school.student表中“学号”，“姓名”，“性别”这三个字段的授权用户col_user

mysql> grant select,update(学号,姓名,性别),insert on school.student to col_user@'%' identified by "123456";mysql> select user,host,db,table_name,column_name frommysql.columns_priv;

#在columns_priv表中查看授权用户,每条记录是一个授权字段+----------+------+--------+------------+-------------+

| user | host | db | table_name | column_name |

+----------+------+--------+------------+-------------+

| col_user | % | school | student | 姓名 |

| col_user | % | school | student | 学号 |

| col_user | % | school | student | 性别 |

+----------+------+--------+------------+-------------+mysql> select user,host,db,table_name frommysql.tables_priv;+-----------+-----------+--------+------------+ #在tables_priv表中也可以看到该用户对school.student表有访问权限

| user | host | db | table_name | #具体权限需要用show grants查看

+-----------+-----------+--------+------------+

| col_user | % | school | student |

| mysql.sys | localhost | sys | sys_config |

+-----------+-----------+--------+------------+

mysql> show grants for col_user@'%';                 #通过show grants查看col_user对school.student的具体权限

+-----------------------------------------------------------------------------------------------+

| Grants for col_user@%                                                                         |

+-----------------------------------------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'col_user'@'%'                                                          |

| GRANT SELECT, INSERT, UPDATE (性别, 学号, 姓名) ON `school`.`student` TO 'col_user'@'%'         |

+-----------------------------------------------------------------------------------------------+

mysql> select user,host,db frommysql.db;+-----------+-----------+-----+ #db表中看不到该用户

| user | host | db |

+-----------+-----------+-----+

| mysql.sys | localhost | sys |

+-----------+-----------+-----+mysql> select user,host from mysql.user;+-----------+-----------+ #在user表中可以看到该用户

| user | host |

+-----------+-----------+

| col_user | % |

| mysql.sys | localhost |

| root | localhost |

+-----------+-----------+mysql>三 添加授权用户tab_user1,tab_user2对表school.teacher，school.student的访问权限

mysql> grant all on school.teacher to tab_user1@'%' identified by "123456";mysql> grant select on school.student to tab_user2@'%' identified by "123456";mysql> select user,host,db,table_name,column_name frommysql.columns_priv;

#colunm_priv表中授权记录的用户没有变化+----------+------+--------+------------+-------------+

| user | host | db | table_name | column_name |

+----------+------+--------+------------+-------------+

| col_user | % | school | student | 姓名 |

| col_user | % | school | student | 学号 |

| col_user | % | school | student | 性别 |

+----------+------+--------+------------+-------------+#tables_priv表中可以看到tab_user1,tab_user2用户

mysql> select user,host,db,table_name frommysql.tables_priv;+-----------+-----------+--------+------------+

| user | host | db | table_name |

+-----------+-----------+--------+------------+

| col_user | % | school | student |

| tab_user1 | % | school | teacher |

| tab_user2 | % | school | student |

| mysql.sys | localhost | sys | sys_config |

+-----------+-----------+--------+------------+mysql> show grants for tab_user1@'%'; #通过show grants可以看出tab_user1,tab_user2的具体授权权限+---------------------------------------------------------------+

| Grants for tab_user1@% |

+---------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'tab_user1'@'%' |

| GRANT ALL PRIVILEGES ON `school`.`teacher` TO 'tab_user1'@'%' |

+---------------------------------------------------------------+mysql> show grants for tab_user2@'%';+-------------------------------------------------------+

| Grants for tab_user2@% |

+-------------------------------------------------------+

| GRANT USAGE ON *.* TO 'tab_user2'@'%' |

| GRANT SELECT ON `school`.`student` TO 'tab_user2'@'%' |

+-------------------------------------------------------+mysql> select user,host,db frommysql.db; #db表中没有变化+-----------+-----------+-----+

| user | host | db |

+-----------+-----------+-----+

| mysql.sys | localhost | sys |

+-----------+-----------+-----+mysql> select user,host from mysql.user; #user表中可以看到tab_user1,tab_user2+-----------+-----------+

| user | host |

+-----------+-----------+

| col_user | % |

| tab_user1 | % |

| tab_user2 | % |

| mysql.sys | localhost |

| root | localhost |

+-----------+-----------+mysql>四 添加授权用户db_user1,db_user2用户对库school,school2的访问权限

mysql> grant all on school.* to db_user1@'%' identified by "123456";mysql> grant select on school2.* to db_user2@'%' identified by "123456";mysql> select user,host,db,table_name,column_name frommysql.columns_priv;

#只要没有对任意表中字段的授权，column_priv表不会有变化+----------+------+--------+------------+-------------+

| user | host | db | table_name | column_name |

+----------+------+--------+------------+-------------+

| col_user | % | school | student | 姓名 |

| col_user | % | school | student | 学号 |

| col_user | % | school | student | 性别 |

+----------+------+--------+------------+-------------+mysql> select user,host,db,table_name frommysql.tables_priv;

#添加了真对库的授权用户，没有对表的授权用户所以db表中也不会变化+-----------+-----------+--------+------------+

| user | host | db | table_name |

+-----------+-----------+--------+------------+

| col_user | % | school | student |

| tab_user1 | % | school | teacher |

| tab_user2 | % | school | student |

| mysql.sys | localhost | sys | sys_config |

+-----------+-----------+--------+------------+mysql> select user,host,db frommysql.db; #db表中可以看到添加的授权用户+-----------+-----------+---------+

| user | host | db |

+-----------+-----------+---------+

| db_user1 | % | school |

| db_user2 | % | school2 |

| mysql.sys | localhost | sys |

+-----------+-----------+---------+mysql> select user,host from mysql.user; #只要添加了授权用户user表中都会有记录+-----------+-----------+

| user | host |

+-----------+-----------+

| col_user | % |

| db_user1 | % |

| db_user2 | % |

| tab_user1 | % |

| tab_user2 | % |

| mysql.sys | localhost |

| root | localhost |

+-----------+-----------+mysql>五 添加授权用户user对所有库和表有访问权限

mysql> grant all on *.* to user@'%' identified by "123456";mysql> select user,host,db,table_name,column_name frommysql.columns_priv;+----------+------+--------+------------+-------------+

| user | host | db | table_name | column_name |

+----------+------+--------+------------+-------------+

| col_user | % | school | student | 姓名 |

| col_user | % | school | student | 学号 |

| col_user | % | school | student | 性别 |

+----------+------+--------+------------+-------------+

3 rows in set (0.00sec)

mysql> select user,host,db,table_name frommysql.tables_priv;+-----------+-----------+--------+------------+

| user | host | db | table_name |

+-----------+-----------+--------+------------+

| col_user | % | school | student |

| tab_user1 | % | school | teacher |

| tab_user2 | % | school | student |

| mysql.sys | localhost | sys | sys_config |

+-----------+-----------+--------+------------+

4 rows in set (0.01sec)

mysql> select user,host,db frommysql.db;+-----------+-----------+---------+

| user | host | db |

+-----------+-----------+---------+

| db_user1 | % | school |

| db_user2 | % | school2 |

| mysql.sys | localhost | sys |

+-----------+-----------+---------+

3 rows in set (0.00sec)

mysql> select user,host from mysql.user; #只有在user表中可以看到use_user+-----------+-----------+

| user | host |

+-----------+-----------+

| col_user | % |

| db_user1 | % |

| db_user2 | % |

| tab_user1 | % |

| tab_user2 | % |

| use_user | % |

| mysql.sys | localhost |

| root | localhost |

+-----------+-----------+mysql>