MySQL 用户和主机优先级
MySQL user and host precedence
我有两个用户,我们在两个不同的数据库上称他们为 foo:
Database_A:
mysql> select user,host from user where user = 'foo';
+-----------+-----------+
| user | host |
+-----------+-----------+
| foo | % |
| foo | 10.% |
| foo | localhost |
+-----------+-----------+
3 rows in set (0.01 sec)
Database_B:
mysql> select user,host from user where user = 'foo';
+-----------+-----------+
| user | host |
+-----------+-----------+
| foo | % |
| foo | 10.% |
| foo | localhost |
+-----------+-----------+
3 rows in set (0.00 sec)
现在我 运行 正在研究的问题是尝试 运行 带有 DROP 命令的 SQL 脚本。当我连接到 Database_A 上的数据库时,尝试连接时出现错误:
mysql -A -hdatabase_1.foo.bar.domain.com -ufoo -pbar Database_A <dbtables.sql
Warning: Using a password on the command line interface can be insecure.
ERROR 1142 (42000) at line 22: DROP command denied to user 'foo'@'ip-10-128-0-143.ec2.internal' for table 'bar_table'
我可以 运行 在 Database_B 上完成此操作,没有任何问题。到目前为止,我已经检查了两个用户的授权,并使用相同的用户和授权 (foo@'10.%') 登录了 MySQL shell,但我不能 运行 database_1 上的 SQL 脚本。以下是 Database_A 和 Database_B 的赠款情况:
mysql> show grants for foo;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for foo@% |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, RELOAD ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '<redacted>' REQUIRE SSL |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `reference`.* TO 'foo'@'%' |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show grants for foo@'10.%';
+------------------------------------------------------------------------------------------------------------+
| Grants for foo@10.% |
+------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO 'foo'@'10.%' IDENTIFIED BY PASSWORD '<redacted>' |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
现在我似乎无法弄清楚为什么一个数据库服务器会比另一个数据库服务器工作(两者的设置与用户和 my.cnf 中的设置完全相同)。有没有一种方法可以让我专门以 foo@'%' 身份登录?我正在尝试从远程 EC2 实例(相同的 VPC)运行:
mysql -A -hdatabase_1.foo.bar.domain.com -ufoo -pbar Database_A <dbtables.sql
不,您不能以特定用户配置文件的身份强制连接。 MySQL 根据排序顺序使用第一个匹配的配置文件。
阅读https://dev.mysql.com/doc/refman/8.0/en/connection-access.html:
When multiple matches are possible, the server must determine which of
them to use. It resolves this issue as follows:
Whenever the server reads the user table into memory, it sorts the rows.
When a client attempts to connect, the server looks through the rows in sorted order.
The server uses the first row that matches the client host name and user name.
The server uses sorting rules that order rows with the most-specific
Host values first. Literal host names and IP addresses are the most
specific. (The specificity of a literal IP address is not affected by
whether it has a netmask, so 198.51.100.13 and
198.51.100.0/255.255.255.0 are considered equally specific.) The pattern '%' means “any host” and is least specific. The empty string
'' also means “any host” but sorts after '%'. Rows with the same Host
value are ordered with the most-specific User values first (a blank
User value means “any user” and is least specific). For rows with
equally-specific Host and User values, the order is nondeterministic.
我会避免给同一个用户名不同的权限,只是主机名不同。
尽管 MySQL 允许您根据客户端主机定义不同的权限,但以这种方式管理您的授权会让人感到困惑。我从来没有看到这样做的充分理由。
如果您需要一组不同的权限,请定义一个不同的用户名。
我有两个用户,我们在两个不同的数据库上称他们为 foo:
Database_A:
mysql> select user,host from user where user = 'foo';
+-----------+-----------+
| user | host |
+-----------+-----------+
| foo | % |
| foo | 10.% |
| foo | localhost |
+-----------+-----------+
3 rows in set (0.01 sec)
Database_B:
mysql> select user,host from user where user = 'foo';
+-----------+-----------+
| user | host |
+-----------+-----------+
| foo | % |
| foo | 10.% |
| foo | localhost |
+-----------+-----------+
3 rows in set (0.00 sec)
现在我 运行 正在研究的问题是尝试 运行 带有 DROP 命令的 SQL 脚本。当我连接到 Database_A 上的数据库时,尝试连接时出现错误:
mysql -A -hdatabase_1.foo.bar.domain.com -ufoo -pbar Database_A <dbtables.sql
Warning: Using a password on the command line interface can be insecure.
ERROR 1142 (42000) at line 22: DROP command denied to user 'foo'@'ip-10-128-0-143.ec2.internal' for table 'bar_table'
我可以 运行 在 Database_B 上完成此操作,没有任何问题。到目前为止,我已经检查了两个用户的授权,并使用相同的用户和授权 (foo@'10.%') 登录了 MySQL shell,但我不能 运行 database_1 上的 SQL 脚本。以下是 Database_A 和 Database_B 的赠款情况:
mysql> show grants for foo;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for foo@% |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, RELOAD ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '<redacted>' REQUIRE SSL |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `reference`.* TO 'foo'@'%' |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> show grants for foo@'10.%';
+------------------------------------------------------------------------------------------------------------+
| Grants for foo@10.% |
+------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO 'foo'@'10.%' IDENTIFIED BY PASSWORD '<redacted>' |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
现在我似乎无法弄清楚为什么一个数据库服务器会比另一个数据库服务器工作(两者的设置与用户和 my.cnf 中的设置完全相同)。有没有一种方法可以让我专门以 foo@'%' 身份登录?我正在尝试从远程 EC2 实例(相同的 VPC)运行:
mysql -A -hdatabase_1.foo.bar.domain.com -ufoo -pbar Database_A <dbtables.sql
不,您不能以特定用户配置文件的身份强制连接。 MySQL 根据排序顺序使用第一个匹配的配置文件。
阅读https://dev.mysql.com/doc/refman/8.0/en/connection-access.html:
When multiple matches are possible, the server must determine which of them to use. It resolves this issue as follows:
Whenever the server reads the user table into memory, it sorts the rows.
When a client attempts to connect, the server looks through the rows in sorted order.
The server uses the first row that matches the client host name and user name.
The server uses sorting rules that order rows with the most-specific Host values first. Literal host names and IP addresses are the most specific. (The specificity of a literal IP address is not affected by whether it has a netmask, so 198.51.100.13 and 198.51.100.0/255.255.255.0 are considered equally specific.) The pattern '%' means “any host” and is least specific. The empty string '' also means “any host” but sorts after '%'. Rows with the same Host value are ordered with the most-specific User values first (a blank User value means “any user” and is least specific). For rows with equally-specific Host and User values, the order is nondeterministic.
我会避免给同一个用户名不同的权限,只是主机名不同。
尽管 MySQL 允许您根据客户端主机定义不同的权限,但以这种方式管理您的授权会让人感到困惑。我从来没有看到这样做的充分理由。
如果您需要一组不同的权限,请定义一个不同的用户名。