We create users with the DDL statement "CREATE USER". A newly created SQL user is not allowed to access tables belonging to other SQL users, nor can it create its own tables right away; it must first be granted privileges. The privileges that can be granted fall into the following groups:
1. Column privileges: apply to one specific column of a table
2. Table privileges: apply to all data in one specific table
3. Database privileges: apply to all tables in one specific database
4. User (global) privileges: apply to all databases on the MySQL server
The SHOW GRANTS command displays a user's privileges.
SHOW GRANTS;                                  -- show the current user's privileges
SHOW GRANTS FOR 'pinnsvin'@'localhost';       -- show a specific user's privileges
SHOW GRANTS FOR CURRENT_USER();               -- show the current user's privileges
Syntax:
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user_specification [, user_specification] ...
    [REQUIRE {NONE | ssl_option [[AND] ssl_option] ...}]
    [WITH {GRANT OPTION | resource_option} ...]

-- proxy grant
GRANT PROXY ON user_specification
    TO user_specification [, user_specification] ...
    [WITH GRANT OPTION]   -- cascading grant: with this option the user may pass its own privileges on to the sub-users it creates

-- type of the object being granted on
object_type: {
    TABLE
  | FUNCTION
  | PROCEDURE
}

-- grant target
priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name
}

-- user receiving the grant
user_specification:
    user [ auth_option ]

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

-- SSL settings
ssl_option: {
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count      -- number of queries the user may execute per hour
  | MAX_UPDATES_PER_HOUR count      -- number of update statements the user may execute per hour
  | MAX_CONNECTIONS_PER_HOUR count  -- number of connections the user may open per hour
  | MAX_USER_CONNECTIONS count      -- number of simultaneous connections the user may hold
}
Example:
-- First create the user: a user named jeffrey, login host localhost, password mypass
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
-- Grant user jeffrey@localhost all privileges on every table in database db1
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
-- Grant user 'jeffrey'@'localhost' SELECT privilege on table invoice in database db2
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
-- USAGE means "no privilege"; this only limits user jeffrey@localhost to 90 queries per hour
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
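The page's examples grant `ALL` on a whole database; the added example below (not code from the original page) puts the same GRANT forms to use for a least-privilege application account: a table-level SELECT, a column-level UPDATE, a host-restricted account, a TLS requirement and resource limits attached to the `USAGE` row, and a final SHOW GRANTS to verify the result. It uses the MySQL 5.7-style syntax shown on the page; the account name `app_reader`, the host pattern, the database `appdb`, the table `orders` and the column `status` are assumptions.

```sql
-- Added example, not from the original page. MySQL 5.7-style GRANT syntax as on the page.
-- The names app_reader, 10.0.1.%, appdb, orders and status are assumptions.

-- 1. Create the account first, restricted to one source subnet instead of '%' (any host).
CREATE USER 'app_reader'@'10.0.1.%' IDENTIFIED BY 'change-me-strong-password';

-- 2. Table privilege: read access only on the table the application actually needs.
GRANT SELECT ON appdb.orders TO 'app_reader'@'10.0.1.%';

-- 3. Column privilege: allow updating only the status column, not the whole row.
GRANT UPDATE (status) ON appdb.orders TO 'app_reader'@'10.0.1.%';

-- 4. Global entry (USAGE = no privilege) that only carries the connection requirement
--    and resource limits: TLS required, at most 200 queries per hour, 5 concurrent sessions.
--    No WITH GRANT OPTION, so the account cannot pass its privileges on to anyone.
GRANT USAGE ON *.* TO 'app_reader'@'10.0.1.%'
    REQUIRE SSL
    WITH MAX_QUERIES_PER_HOUR 200 MAX_USER_CONNECTIONS 5;

-- 5. Review what the account actually holds before handing the credentials over.
SHOW GRANTS FOR 'app_reader'@'10.0.1.%';
```

Keeping the object-level grants narrow (table and column) rather than `db.*` means a compromised application credential exposes only the rows and columns it was meant to touch, and the `SHOW GRANTS` output is short enough to review by eye during an audit.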
Syntax:
REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

-- revoke a proxy grant
REVOKE PROXY ON user
    FROM user [, user] ...
Example:
-- Revoke all privileges of user jeffrey@localhost on every table in database db1
REVOKE ALL ON db1.* FROM 'jeffrey'@'localhost';
-- Revoke the SELECT privilege of user 'jeffrey'@'localhost' on table invoice in database db2
REVOKE SELECT ON db2.invoice FROM 'jeffrey'@'localhost';
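As an added example of the REVOKE forms above (not code from the original page), the following tightens an account that was given blanket rights together with `GRANT OPTION`: the cascading-grant right is removed first, the database-level grant is replaced by a narrow table grant, the result is checked with SHOW GRANTS, and the account's open sessions are dealt with. The account `legacy_app`, the database `appdb` and the table `orders` are assumptions.

```sql
-- Added example, not from the original page. Account and object names are assumptions.

-- Starting point: an over-privileged account that can also re-grant its rights.
GRANT ALL PRIVILEGES ON appdb.* TO 'legacy_app'@'localhost' WITH GRANT OPTION;

-- 1. Take away the cascading-grant right first, so the account can no longer
--    hand privileges to other users while the cleanup is in progress.
REVOKE GRANT OPTION ON appdb.* FROM 'legacy_app'@'localhost';

-- 2. Remove the blanket database-level grant and re-grant only what is still needed.
REVOKE ALL PRIVILEGES ON appdb.* FROM 'legacy_app'@'localhost';
GRANT SELECT, INSERT ON appdb.orders TO 'legacy_app'@'localhost';

-- 3. Confirm the result: only the USAGE row and the narrow table grant should remain.
SHOW GRANTS FOR 'legacy_app'@'localhost';

-- 4. Table and column privilege changes apply to the account's next statement, but
--    database-level changes apply at its next USE and global changes only to new
--    connections. For an immediate lockout, find and terminate its open sessions:
SELECT id FROM information_schema.processlist WHERE user = 'legacy_app';
-- KILL <id>;   -- run once per session id returned above
```

Revoking `GRANT OPTION` before anything else matters because an account holding it can re-create the very grants you are removing for a second user; the order above closes that window first.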