MySQL Database Administrator FAQ Summary (1)

Who can connect from there?

You can allow a user to connect from a specific host or a series of hosts. There is one extreme. If you want to connect only from one host, you can limit the permissions to a single host:

GRANT ALL ON samp_db.* TO boris@localhost IDENTIFIED BY "ruby"GRANT ALL ON samp_db.* TO fred@res.mars.com IDENTIFIED BY "quartz"

(Samp_db. * indicates "all tables in the samp_db database.) Another extreme is that you may have a user max that is frequently traveling and needs to be connected from hosts around the world. In this case, you can allow him to connect from where:

GRANT ALL ON samp_db.* TO max@% IDENTIFIED BY "diamond"

The "%" character acts as a wildcard and matches the LIKE pattern. In the preceding statement, it means "any host ". So max and max @ % are equivalent. This is the easiest way to build a user, but it is also the least secure.

You can allow a user to access from a restricted host set. For example, to allow mary to be connected from any host in the snake.net domain, use the following identifier:

GRANT ALL ON samp_db.* TO mary@.snake.net IDENTIFIED BY "quartz";

If you like, the host part of the User Identifier can be specified by an IP address instead of a host name. You can specify an IP address or an address that contains a pattern character. In addition, from MySQL 3.23, you can also specify an IP number with a network mask that specifies the number of digits used for the network number:

GRANT ALL ON samp_db.* TO boris@192.168.128.3 IDENTIFIED BY "ruby"  GRANT ALL ON samp_db.* TO fred@192.168.128.% IDENTIFIED BY "quartz"  GRANT ALL ON samp_db.* TO rex@192.168.128.0/17 IDENTIFIED BY "ruby"

The first example indicates that the user can connect to a specific host, and the second specifies the IP Mode for the class C subnet 192.168.128. In the third statement, 192.168.128.0/17: specify a 17-bit network number and match the IP address with the header 192.168.128.

If MySQL complains about the user value you specified, you may need to use quotation marks (only separate the user name and host name with quotation marks ).

GRANT ALL ON samp_db.president TO "my friend"@"boa.snake.net"

What level of permissions should users have and what should they apply?

You can grant different levels of permissions. Global permissions are the most powerful because they apply to any database. To make Etel a Super User who can do anything, including authorizing other users, issue the following statement:

GRANT ALL ON *.* TO ethel@localhost IDENTIFIED BY "coffee" WITH GRANT OPTION

*. * In the ON Clause indicates "all databases and all tables ". For security considerations, we specify that Etel can only be connected locally. It is usually wise to restrict the host that a Super User can connect to because it limits the host that tries to crack the password.

Some permissions (FILE, PROCESS, RELOAD, and SHUTDOWN) are administrative permissions and can only be authorized with the "ON *. *" Global permissions. If you want to, you can grant these permissions without authorizing database permissions. For example, if the following statement sets a flush user, it can only issue flush statements. This may be useful when you need to execute management scripts such as clearing logs:

GRANT RELOAD ON *.* TO flushl@localhost IDENTIFIED BY "flushpass"

Generally, you want to authorize management permissions. The critical point is that users with these permissions can affect the operations on your servers.

Database-level permissions apply to all tables in a specific database. They can be granted by using the ON db_name. * clause:

GRANT ALL ON samp_db TO bill@racer.snake.net INDETIFIED BY "rock" GRANT SELECT ON samp_db TO ro_user@% INDETIFIED BY "rock"

The first statement grants permissions to all tables in the samp_db database to bill, and the second statement creates a user ro_user (read-only user) that strictly restricts access, which can only access all tables in the samp_db database, but only read, that is, you can only issue SELECT statements.

You can list a series of permissions granted at the same time. For example, if you want to allow users to read and modify the content of an existing database but cannot create or delete a new table, grant the following permissions:

GRANT SELECT,INSERT,DELETE,UPDATE ON samp_db TO bill@snake.net INDETIFIED BY "rock"

For more refined access control, you can grant permissions on each table or even on each column of the table. When you want to hide a part of a table from a user, or you want a user to modify only specific columns, column-specific permissions are very useful. For example:

GRANT SELECT ON samp_db.member TO bill@localhost INDETIFIED BY "rock"GRANT UPDATE (expiration) ON samp_db. member TO bill@localhost

The first statement grants the read permission to the entire member table and sets a password. The second statement adds the UPDATE permission when only the expiration column is applied. You do not need to specify a password because the first statement has already been specified.