MySQL用户管理 #

-- 查看当前所有用户
SELECT User, Host FROM mysql.user;

-- 创建用户的基本语法
CREATE USER 'username'@'hostname' IDENTIFIED BY 'password';

-- 示例：创建不同类型的用户
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'secure_password';
CREATE USER 'app_user'@'192.168.1.%' IDENTIFIED BY 'secure_password';
CREATE USER 'admin'@'%' IDENTIFIED BY 'strong_admin_password';

-- 本地连接用户
CREATE USER 'local_user'@'localhost' IDENTIFIED BY 'password';
CREATE USER 'local_user'@'127.0.0.1' IDENTIFIED BY 'password';
CREATE USER 'local_user'@'::1' IDENTIFIED BY 'password';  -- IPv6本地地址

-- 特定IP地址
CREATE USER 'specific_user'@'192.168.1.100' IDENTIFIED BY 'password';

-- IP段
CREATE USER 'subnet_user'@'192.168.1.%' IDENTIFIED BY 'password';

-- 任意主机
CREATE USER 'any_host_user'@'%' IDENTIFIED BY 'password';

-- 创建用户（MySQL 8.0+推荐方式）
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password123';

-- 创建多个用户
CREATE USER 
    'user1'@'localhost' IDENTIFIED BY 'password1',
    'user2'@'localhost' IDENTIFIED BY 'password2',
    'user3'@'%' IDENTIFIED BY 'password3';

-- 创建用户并指定认证插件
CREATE USER 'oauth_user'@'localhost' 
IDENTIFIED WITH mysql_native_password BY 'password';

-- 创建不需要密码的用户（不推荐）
CREATE USER 'test_user'@'localhost';

-- 删除单个用户
DROP USER 'username'@'hostname';

-- 删除多个用户
DROP USER 'user1'@'localhost', 'user2'@'localhost';

-- 安全删除（如果存在）
DROP USER IF EXISTS 'username'@'hostname';

-- 重命名用户
RENAME USER 'old_name'@'localhost' TO 'new_name'@'localhost';

-- 修改用户密码
ALTER USER 'username'@'localhost' IDENTIFIED BY 'new_password';

-- 设置密码过期
ALTER USER 'username'@'localhost' PASSWORD EXPIRE;

-- 设置密码永不过期
ALTER USER 'username'@'localhost' PASSWORD EXPIRE NEVER;

-- 设置密码下次登录时必须更改
ALTER USER 'username'@'localhost' PASSWORD EXPIRE DEFAULT;

-- 全局权限
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';

-- 数据库级别权限
GRANT ALL PRIVILEGES ON database_name.* TO 'db_admin'@'localhost';

-- 表级别权限
GRANT SELECT, INSERT, UPDATE ON database_name.table_name TO 'table_user'@'localhost';

-- 列级别权限
GRANT SELECT (column1, column2) ON database_name.table_name TO 'column_user'@'localhost';

-- 数据库操作权限
GRANT CREATE, DROP, ALTER ON database_name.* TO 'schema_user'@'localhost';

-- 数据操作权限
GRANT SELECT, INSERT, UPDATE, DELETE ON database_name.* TO 'data_user'@'localhost';

-- 特殊权限
GRANT FILE ON *.* TO 'file_user'@'localhost';  -- 文件操作权限
GRANT PROCESS ON *.* TO 'monitor_user'@'localhost';  -- 查看进程权限
GRANT RELOAD ON *.* TO 'reload_user'@'localhost';  -- 重新加载权限
GRANT SHUTDOWN ON *.* TO 'shutdown_user'@'localhost';  -- 关闭服务器权限
GRANT SUPER ON *.* TO 'super_user'@'localhost';  -- 超级权限

-- 授予所有权限
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;

-- 授予特定数据库的所有权限
GRANT ALL PRIVILEGES ON app_db.* TO 'app_admin'@'localhost';

-- 授予特定表的特定权限
GRANT SELECT, INSERT, UPDATE ON app_db.users TO 'app_user'@'localhost';

-- 授予权限并允许该用户授予相同权限给其他用户
GRANT SELECT ON reporting_db.* TO 'report_user'@'localhost' WITH GRANT OPTION;

-- 撤销特定权限
REVOKE INSERT, UPDATE ON app_db.users FROM 'app_user'@'localhost';

-- 撤销所有权限
REVOKE ALL PRIVILEGES ON *.* FROM 'username'@'localhost';

-- 撤销grant option权限
REVOKE GRANT OPTION ON *.* FROM 'username'@'localhost';

-- 查看当前用户的权限
SHOW GRANTS;

-- 查看特定用户的权限
SHOW GRANTS FOR 'username'@'hostname';

-- 查看所有用户的权限（需要足够权限）
SELECT User, Host, Select_priv, Insert_priv, Update_priv, Delete_priv 
FROM mysql.user;

-- 为Web应用程序创建专用用户
CREATE USER 'webapp_user'@'localhost' IDENTIFIED BY 'complex_password_123';
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp_db.* TO 'webapp_user'@'localhost';
FLUSH PRIVILEGES;

-- 设置资源限制
ALTER USER 'webapp_user'@'localhost' 
WITH MAX_QUERIES_PER_HOUR 1000
MAX_CONNECTIONS_PER_HOUR 100
MAX_UPDATES_PER_HOUR 100;

-- 创建报表用户，只允许查询
CREATE USER 'report_user'@'%' IDENTIFIED BY 'report_password_456';
GRANT SELECT ON business_db.* TO 'report_user'@'%';
GRANT SELECT ON analytics_db.* TO 'report_user'@'%';
FLUSH PRIVILEGES;

-- 创建数据库管理员
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'very_secure_password_789';
GRANT ALL PRIVILEGES ON *.* TO 'db_admin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- 创建备份专用用户
CREATE USER 'backup_user'@'localhost' IDENTIFIED BY 'backup_password_321';
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'backup_user'@'localhost';
FLUSH PRIVILEGES;

-- 设置密码验证强度（MySQL 8.0+）
INSTALL COMPONENT 'file://component_validate_password';
SET GLOBAL validate_password.policy = MEDIUM;
SET GLOBAL validate_password.length = 12;

-- 创建符合策略的用户
CREATE USER 'secure_user'@'localhost' IDENTIFIED BY 'StrongPass123!';

-- 使用哈希值设置密码
SET @hash = PASSWORD('new_password');  -- 适用于MySQL 5.7及以下
-- 在MySQL 8.0+中，使用ALTER USER直接设置
ALTER USER 'username'@'localhost' IDENTIFIED BY 'new_password';

-- 设置密码定期过期
ALTER USER 'regular_user'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;

-- 设置用户首次登录后必须更改密码
ALTER USER 'new_user'@'localhost' PASSWORD EXPIRE;

-- 设置密码历史记录，防止重复使用最近的密码
SET GLOBAL password_history = 6;
SET GLOBAL password_reuse_interval = 365;  -- 天数

-- 为不同应用创建具有最小必要权限的用户
CREATE USER 'api_user'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE ON app_api.* TO 'api_user'@'localhost';

CREATE USER 'readonly_user'@'localhost' IDENTIFIED BY 'readonly_password';
GRANT SELECT ON app_reports.* TO 'readonly_user'@'localhost';

CREATE USER 'log_user'@'localhost' IDENTIFIED BY 'log_password';
GRANT INSERT ON app_logs.* TO 'log_user'@'localhost';

-- 定期检查用户账户
SELECT 
    User, 
    Host, 
    authentication_string, 
    password_expired, 
    password_last_changed,
    account_locked
FROM mysql.user;

-- 检查权限分配
SELECT 
    User, 
    Host, 
    Select_priv, 
    Insert_priv, 
    Update_priv, 
    Delete_priv,
    Create_priv,
    Drop_priv
FROM mysql.user;

-- 锁定/解锁用户账户
ALTER USER 'inactive_user'@'localhost' ACCOUNT LOCK;
ALTER USER 'active_user'@'localhost' ACCOUNT UNLOCK;

-- 检查账户锁定状态
SELECT User, Host, account_locked FROM mysql.user;

-- 设置用户资源使用限制
ALTER USER 'limited_user'@'localhost'
WITH 
    MAX_QUERIES_PER_HOUR 1000
    MAX_UPDATES_PER_HOUR 100
    MAX_CONNECTIONS_PER_HOUR 10
    MAX_USER_CONNECTIONS 5;

-- 查看资源限制
SELECT 
    User, 
    Host, 
    max_questions, 
    max_updates, 
    max_connections, 
    max_user_connections
FROM mysql.user;

-- 查看当前连接
SHOW PROCESSLIST;

-- 查看连接统计
SHOW STATUS LIKE 'Connections';
SHOW STATUS LIKE 'Max_used_connections';

-- 设置全局连接限制
SET GLOBAL max_connections = 200;

-- 创建角色
CREATE ROLE 'app_developer', 'app_analyst', 'app_admin';

-- 为角色授予权限
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_developer';
GRANT SELECT ON app_db.* TO 'app_analyst';
GRANT ALL PRIVILEGES ON app_db.* TO 'app_admin';

-- 将角色分配给用户
GRANT 'app_developer' TO 'dev_user'@'localhost';
GRANT 'app_analyst' TO 'analyst_user'@'localhost';

-- 设置默认激活的角色
SET DEFAULT ROLE 'app_developer' TO 'dev_user'@'localhost';

-- 激活角色（当前会话）
SET ROLE 'app_developer';

-- 需要企业版或安装审计插件
-- 设置审计策略
SET GLOBAL audit_log_policy = 'ALL';
SET GLOBAL audit_log_exclude_accounts = 'user1@localhost,user2@localhost';

-- 查看当前活动连接
SELECT 
    ID, 
    USER, 
    HOST, 
    DB, 
    COMMAND, 
    TIME, 
    STATE, 
    INFO
FROM INFORMATION_SCHEMA.PROCESSLIST
WHERE COMMAND != 'Sleep';

-- 查看连接统计
SHOW ENGINE PERFORMANCE_SCHEMA STATUS;

-- 停止MySQL服务
-- 以安全模式启动MySQL（跳过权限表）
-- mysqld --skip-grant-tables &
-- 连接到MySQL并重置密码
-- UPDATE mysql.user SET authentication_string = PASSWORD('new_root_password') WHERE User = 'root';
-- FLUSH PRIVILEGES;
-- 重启MySQL服务

-- 刷新权限
FLUSH PRIVILEGES;

-- 检查权限表
SELECT User, Host FROM mysql.user;
SHOW GRANTS FOR 'username'@'hostname';

-- 检查用户是否存在且主机匹配
SELECT User, Host FROM mysql.user WHERE User = 'username';

-- 检查账户是否被锁定
SELECT User, Host, account_locked FROM mysql.user WHERE User = 'username';

-- 检查匿名用户
SELECT User, Host FROM mysql.user WHERE User = '';

-- 删除匿名用户
DROP USER ''@'localhost';
DROP USER ''@'%';

-- 删除测试数据库（如果不需要）
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 创建要求SSL连接的用户
CREATE USER 'secure_user'@'%' IDENTIFIED BY 'password' REQUIRE SSL;

-- 创建要求特定证书的用户
CREATE USER 'cert_user'@'%' IDENTIFIED BY 'password' 
REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/O=MySQL/CN=CA' 
AND SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/O=MySQL AB/OU=Support/CN=Client';