1. Database Security Initialization
    # mysql_secure_installation    # security initialization command

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):    # enter the current password of the MySQL root account (empty by default)
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y    # whether to set a root password
    New password:                 # enter a new password for the root user
    Re-enter new password:        # enter the password again
    Password updated successfully!    # the password was updated
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y    # whether to remove anonymous users
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y    # whether to block remote logins for root
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n]    # whether to remove the test database
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n]    # whether to reload so the changes above take effect immediately
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!
- Once the steps above are complete, running mysql on the command line with no arguments can no longer log in to the database, and you cannot log in through the machine's own external address either.
    # mysql
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
    # mysql -uroot -h192.168.0.194 -p
    Enter password:
    ERROR 1130 (HY000): Host 'Node1' is not allowed to connect to this MariaDB server
    # mysql -uroot -h127.0.0.1 -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 14
    Server version: 5.5.60-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    # mysql -uroot -hlocalhost -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 15
    Server version: 5.5.60-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> show databases;
- View the currently authorized users and host addresses: root is authorized to log in only from localhost and 127.0.0.1.
    MariaDB [(none)]> use mysql
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    MariaDB [mysql]> select User,Host from user;
    +------+-----------+
    | User | Host      |
    +------+-----------+
    | root | 127.0.0.1 |
    | root | ::1
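A read-only check that the hardening steps above took effect, given here as an added example that is not part of the original page. It assumes the MariaDB 5.5 grant tables, where the password hash is stored in the Password column of mysql.user; on a hardened server all three queries return an empty set.

```sql
-- Added example: audit queries, not part of the original page.
-- Assumption: MariaDB 5.5 grant tables (mysql.user has Password and plugin columns).

-- 1. Accounts that mysql_secure_installation removes, plus any account
--    that still has no password and no authentication plugin.
SELECT User, Host,
       CASE
         WHEN User = '' THEN 'anonymous account'
         WHEN User = 'root'
              AND Host NOT IN ('localhost', '127.0.0.1', '::1')
           THEN 'root reachable from the network'
         ELSE 'no password set'
       END AS finding
  FROM mysql.user
 WHERE User = ''
    OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'))
    OR (Password = '' AND COALESCE(plugin, '') = '')
 ORDER BY User, Host;

-- 2. The test database itself.
SELECT SCHEMA_NAME
  FROM information_schema.SCHEMATA
 WHERE SCHEMA_NAME = 'test';

-- 3. The default grants on test and test_% that apply to every account,
--    including anonymous ones. The stored value is the literal test\_%.
SELECT Host, Db, User
  FROM mysql.db
 WHERE Db = 'test' OR Db = 'test\\_%';
```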
2. Recovering from a forgotten administrator password:
- Before starting MySQL, edit /etc/my.cnf and add skip-grant-tables and skip-networking. skip-grant-tables turns off all privilege checks, so skip-networking is added to keep the server unreachable over TCP while it runs in that state;
    [mysqld]
    skip-grant-tables
    skip-networking
    datadir=/var/lib/mysql
- Change the administrator password with the UPDATE command;
    # systemctl start mariadb
    # mysql
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 2
    Server version: 5.5.60-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> update mysql.user set authentication_string=password('centos') where user='root' and Host = 'localhost';
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1  Changed: 1  Warnings: 0

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> exit
    Bye
- Remove the lines added to /etc/my.cnf and start the mysqld process in the normal way;
    # mysql -uroot -hlocalhost -pcentos
    Welcome to the MariaDB monitor.
3. Adding, deleting, renaming and viewing users
- View users:
- MySQL stores its user accounts in the mysql.user table
- Example of viewing users:
    MariaDB [(none)]> SELECT User,Host FROM mysql.user;
    +-------+-------------+
    | User  | Host        |
    +-------+-------------+
    | root  | 127.0.0.1   |
    | root  | ::1         |
    | root  | localhost   |
    +-------+-------------+
    6 rows in set (0.01 sec)
- Add a user:
- Format (several users can be created in one statement):
    CREATE USER 'user'@'host' [IDENTIFIED BY [PASSWORD] 'password'] [, 'user'@'host' [IDENTIFIED BY [PASSWORD] 'password'] ...]
    # Create one user with a single command. IDENTIFIED BY takes the cleartext
    # password; the IDENTIFIED BY PASSWORD form expects an existing password hash instead:
    MariaDB [(none)]> CREATE USER 'lxk'@'localhost' IDENTIFIED BY 'linux.centos.com';
    Query OK, 0 rows affected (0.00 sec)

    # Create two users with a single command, separated by a comma:
    MariaDB [(none)]> CREATE USER 'test0'@'192.168.1.%' IDENTIFIED BY 'maria.centos.com','test1'@'192.168.1.%' IDENTIFIED BY 'maria.centos.com';
    Query OK, 0 rows affected (0.00 sec)
- To rename a user:
- Format:
- RENAME USER old_user TO new_user [, old_user TO new_user] ...
- Example (the user was created with a host address, so the host address must also be given when renaming):
    # View the current users:
    MariaDB [(none)]> SELECT User,Host FROM mysql.user;
    +-------+-------------+
    | User  | Host        |
    +-------+-------------+
    | root  | 127.0.0.1   |
    | test0 | 192.168.1.% |
    | test1 | 192.168.1.% |
    | root  | ::1         |
    | lxk   | localhost   |
    | root  | localhost   |
    +-------+-------------+
    6 rows in set (0.01 sec)

    MariaDB [(none)]> RENAME USER 'test1'@'192.168.1.%' TO 'test001'@'192.168.1.%';
    Query OK, 0 rows affected (0.01 sec)

    MariaDB [(none)]> SELECT User,Host FROM mysql.user;
    +---------+-------------+
    | User    | Host        |
    +---------+-------------+
    | root    | 127.0.0.1   |
    | test0   | 192.168.1.% |
    | test001 | 192.168.1.% |
- To delete a user:
- Format:
- DROP USER 'user'@'host' [, 'user'@'host'] ...
- Example:
    MariaDB [(none)]> DROP USER 'test001'@'192.168.1.%';
    Query OK, 0 rows affected (0.01 sec)

    MariaDB [(none)]> SELECT User,Host FROM mysql.user;
    +-------+-------------+
    | User  | Host        |
    +-------+-------------+
    | root  | 127.0.0.1   |
    | test0 | 192.168.1.% |
    | root  | ::1         |
    | lxk   | localhost   |
    | root  | localhost   |
    +-------+-------------+
    5 rows in set (0.00 sec)
- Reload the grant tables:
- Purpose: a change sometimes does not take effect right away; run this command to reload the privilege tables so that it is applied immediately.
- Example:
    MariaDB [(none)]> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)
4. User authorization:
- To view user authorizations:
- Format:
- SHOW GRANTS [FOR 'user'@'host']
    MariaDB [(none)]> show grants;    # with no user given, the grants of the root user are shown by default
    +----------------------------------------------------------------------------------------------------------------------------------------+
    | Grants for root@localhost                                                                                                              |
    +----------------------------------------------------------------------------------------------------------------------------------------+
    | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*128977e278358ff80a246b5046f51043a2b1fced' WITH GRANT OPTION |
    | GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                                                           |
    +----------------------------------------------------------------------------------------------------------------------------------------+
    2 rows in set (0.00 sec)

    MariaDB [(none)]> show grants for 'test0'@'192.168.1.%';    # view the grants of a specific user
    +----------------------------------------------------------------------------------------------------------------+
    | Grants for test0@192.168.1.%                                                                                   |
    +----------------------------------------------------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'test0'@'192.168.1.%' IDENTIFIED BY PASSWORD '*5FC1DC57211AE5F87FC504DEEE4B7C65DEB2CBFA' |
    +----------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)
- To grant privileges to a user:
    GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
        ON [object_type] priv_level
        TO user_specification [, user_specification] ...
        [REQUIRE {NONE | ssl_option [[AND] ssl_option] ...}]
        [WITH with_option ...]

    GRANT priv_type ON [object_type] priv_level TO user_specification [, user_specification]

    object_type:
        TABLE | FUNCTION | PROCEDURE

    priv_level:
        *
      | *.*                     # all tables in all databases
      | db_name.*               # all tables in one database
      | db_name.tbl_name        # one table in one database
      | tbl_name                # one table
      | db_name.routine_name    # one routine in one database

    MariaDB [(none)]> GRANT all ON *.* TO 'test0'@'192.168.1%';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> SHOW GRANTS FOR 'test0'@'192.168.1%';
    +------------------------------------------------------------------------------------------------------------------------+
    | Grants for test0@192.168.1%
- Revoke privileges: REVOKE
    REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ...
        ON [object_type] priv_level
        FROM 'user'@'host' [, 'user'@'host'] ...

    REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...

    MariaDB [(none)]> REVOKE all privileges from 'test0'@'192.168.1.%';
    ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'from 'test0'@'192.168.1.%'' at line 1
    MariaDB [(none)]> REVOKE all privileges on *.* from 'test0'@'192.168.1.%';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [(none)]> SHOW GRANTS for 'test0'@'192.168.1.%';
    +----------------------------------------------------------------------------------------------------------------+
    | Grants for test0@192.168.1.%                                                                                   |
    +----------------------------------------------------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO 'test0'@'192.168.1.%' IDENTIFIED BY PASSWORD '*5FC1DC57211AE5F87FC504DEEE4B7C65DEB2CBFA' |
    +----------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)
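A narrower alternative to GRANT ALL ON *.*, given as an added example that is not part of the original page. It assumes MariaDB 5.5, where a GRANT naming a 'user'@'host' pair that does not exist creates that account without a password unless NO_AUTO_CREATE_USER is set; the database name appdb is constructed, and the account is the test0 user created earlier.

```sql
-- Added example, not part of the original page.
-- Constructed name: database appdb. The account 'test0'@'192.168.1.%' is the
-- one created in section 3.

-- Refuse implicit account creation for this session: with this mode a GRANT
-- that names an unknown 'user'@'host' and has no IDENTIFIED BY clause fails
-- with ERROR 1133 instead of creating a passwordless account.
SET SESSION sql_mode =
    CONCAT_WS(',', NULLIF(@@sql_mode, ''), 'NO_AUTO_CREATE_USER');

-- Grant only what the application needs, on one database rather than *.*.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'test0'@'192.168.1.%';
SHOW GRANTS FOR 'test0'@'192.168.1.%';

-- Narrow it further later. REVOKE must name the same priv_level (appdb.*)
-- that the GRANT used; revoking ON *.* does not touch database-level grants.
REVOKE INSERT, UPDATE ON appdb.* FROM 'test0'@'192.168.1.%';

-- Review which accounts still hold server-wide power.
SELECT User, Host, Grant_priv, Super_priv, File_priv
  FROM mysql.user
 WHERE Grant_priv = 'Y' OR Super_priv = 'Y' OR File_priv = 'Y'
 ORDER BY User, Host;

-- Review database-level grants, one row per account and database.
SELECT User, Host, Db
  FROM mysql.db
 ORDER BY User, Host, Db;
```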
MySQL initialization, add and revise user, authorization