標籤:多少 簡單 修改 log res 預設值 上班 host sys
一、起源:
今天一上班就聽到說error-log裡記錄了大量的
ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
二、mysql 使用者密碼到期的處理:
1、從一條簡單的create user 看mysql密碼到期的內在邏輯
mysql> create user [email protected]‘%‘ identified by ‘[email protected]‘; Query OK, 0 rows affected (0.01 sec)mysql> show create user [email protected]‘%‘;+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+| CREATE USER for [email protected]% |+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+| CREATE USER ‘exuser‘@‘%‘ IDENTIFIED WITH ‘mysql_native_password‘ AS ‘*CD089516E876A47FEBF3BB6A9ADD45F02F4BF73B‘ REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+1 row in set (0.00 sec)
2、從上面的show create user 可以看出 mysql會悄悄的在create user 語句的後面加上一個 password expire defautl 子句;這個
password expire default 子句就是用來設定mysql 帳號的密碼到期時間的(單位天)。
3、看寫死mysql 帳號密碼的到期時間時mysql是怎麼處理的
mysql> create user [email protected]‘%‘ identified by ‘123456‘ password expire interval 30 day;Query OK, 0 rows affected (0.00 sec)mysql> show create user [email protected]‘%‘; +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| CREATE USER for [email protected]% |+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| CREATE USER ‘tt‘@‘%‘ IDENTIFIED WITH ‘mysql_native_password‘ AS ‘*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9‘ REQUIRE NONE PASSWORD EXPIRE INTERVAL 30 DAY ACCOUNT UNLOCK |+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
4、password expire default 這裡的default的值是參照default_password_lifetime這個variable的,也就是說可以通過
改變default_password_lifetime的值來靈活的控制帳號的到期時間。
三、default_password_lifetime 地預設值:
目前 default_password_lifetime 這個參數的預設值是0 ,也就是說預設情況下 create user [email protected] identified by ‘xxx‘ 這樣
建立出來的帳號密碼是永不到期的。
四、回答一下起源中的問題:
“起源”中提到的密碼到期是因為在mysql-5.7.4 ~ mysql-5.7.10 這些版本中default_password_lifetime的預設值是360,
這樣就尷尬了,這樣的設定使得預設情況下mysql運行個360天就要改一下密碼,這不科學!於是呢在mysql-5.7.11 以後
的mysql就把default_password_lifetime這個參數的預設值設定成了0.
五、給你一個環境怎麼才看出來使用者的密碼有沒有到期
對於這裡所提到的密碼到期的判定不能簡單的看user.password_expired 這個列來區分帳號的密碼有沒有到期,而是要根據mysql帳號到期的
內在邏輯來看
1、第一步:查看user.assword_last_changed 列來看對應帳號密碼的最近一次的修改時間
mysql> select user,host,password_expired,password_last_changed,password_lifetime from user; +---------------+-----------+------------------+-----------------------+-------------------+| user | host | password_expired | password_last_changed | password_lifetime |+---------------+-----------+------------------+-----------------------+-------------------+| root | localhost | N | 2017-10-15 10:07:32 | NULL || mysql.session | localhost | N | 2017-10-04 12:27:10 | NULL || mysql.sys | localhost | N | 2017-10-04 12:27:10 | NULL || jianglexing | localhost | N | 2017-10-07 09:48:14 | NULL || repl | % | N | 2017-10-07 19:16:44 | NULL || tstuser | localhost | N | 2017-10-12 10:04:17 | NULL |+---------------+-----------+------------------+-----------------------+-------------------+
2、第二步:查看default_password_lifetime這個變數的值是多少
mysql> show global variables like ‘default_password_lifetime‘; +---------------------------+-------+| Variable_name | Value |+---------------------------+-------+| default_password_lifetime | 1 |+---------------------------+-------+1 row in set (0.00 sec)
3、確定使用者是不是用的mysql全域的密碼到期策略
mysql> show create user [email protected]‘localhost‘; +-------------------------------------------------------------------------------------------------------------------------------+| CREATE USER for tstuser@localhost |+-------------------------------------------------------------------------------------------------------------------------------+| CREATE USER ‘tstuser‘@‘localhost‘ IDENTIFIED WITH ‘mysql_native_password‘ REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |+-------------------------------------------------------------------------------------------------------------------------------+1 row in set (0.00 sec)
4、確定當前的時間
mysql> select now();+---------------------+| now() |+---------------------+| 2017-10-15 11:02:36 |+---------------------+1 row in set (0.00 sec)
5、結論:
對於tstuser來說它用的是全域的密碼到期策略,也就是一天后密碼就到期,然而它最近一次更新密碼的時間是2017-10-12,而當前的時間已經是
2017-10-15 所以可以確定的說tstuser的密碼已經到期了。
mysql-5.7 密碼到期詳解
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
