第13章 mysql系统库之访问权限控制系统 - xiaoboluo768/qianjinliangfang GitHub Wiki
13.1 访问权限控制系统概述
mysql> show grants for test_a@'localhost';
......
1 row in set (0.00 sec)
mysql> show grants for test_a@'%';
......
1 row in set (0.00 sec)
13.4.1 第一阶段(账号和密码认证)
mysql> select host,user,authentication_string, account_locked from mysql.user;
......
7 rows in set (0.00 sec)
# 账号锁定状态可以通过ALTER USER语句进行更改
ALTER USER [IF EXISTS]
user [auth_option] [, user [auth_option]] ...
[REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
[WITH resource_option [resource_option] ...]
[password_option | lock_option] ...
......
lock_option: {
ACCOUNT LOCK
| ACCOUNT UNLOCK
}
+--------------+-------------+-
| Host | User | ...
+--------------+-------------+-
| % | root | ...
| % | jeffrey | ...
| localhost | root | ...
| localhost | | ...
+--------------+-------------+-
# 当服务器将表中的内容读入内存时,会使用刚刚描述的规则在内存中对用户身份认证信息进行排序。排序后的结果如下
+--------------+-------------+-
| Host | User | ...
+--------------+-------------+-
| localhost | root | ...
| localhost | | ...
| % | jeffrey | ...
| % | root | ...
+--------------+-------------+-
# 当客户端尝试连接时,服务器会查看在内存中已排好序的用户身份认证信息,并使用第一个匹配行进行许可。如:对于用户jeffrey的localhost主机连接,首先精确匹配localhost主机名字段,有两行记录匹配,然后匹配用户名字段,也有两行记录匹配(空值和jeffrey),它们的交集最终确定匹配项:Host=localhost,User='',即''@'localhost'身份
+-------------------+----------+-
| Host | User | ...
+-------------------+----------+-
| % | jeffrey | ...
| h1.example.net | | ...
+-------------------+----------+-
# 在内存中排序之后的内容如下
+-------------------+----------+-
| Host | User | ...
+-------------------+----------+-
| h1.example.net | | ...
| % | jeffrey | ...
+-------------------+----------+-
# 来自h1.example.net主机的jeffrey用户的连接与第一行记录匹配成功,而来自任意主机的jeffrey用户的连接与第二行记录匹配成功
mysql> SELECT CURRENT_USER();
......
13.4.2 第二阶段(权限检查)
global privileges
OR (database privileges AND host privileges)
OR table privileges
OR column privileges
OR routine privileges
上一篇:第12章 mysql系统库之权限系统表 | 下一篇:第14章 mysql系统库之统计信息表