Rechercher dans le manuel MySQL
6.2 Access Control and Account Management
[+/-]
- 6.2.1 Account User Names and Passwords
- 6.2.2 Privileges Provided by MySQL
- 6.2.3 Grant Tables
- 6.2.4 Specifying Account Names
- 6.2.5 Specifying Role Names
- 6.2.6 Access Control, Stage 1: Connection Verification
- 6.2.7 Access Control, Stage 2: Request Verification
- 6.2.8 Adding Accounts, Assigning Privileges, and Dropping Accounts
- 6.2.9 Reserved Accounts
- 6.2.10 Using Roles
- 6.2.11 Account Categories
- 6.2.12 Privilege Restriction Using Partial Revokes
- 6.2.13 When Privilege Changes Take Effect
- 6.2.14 Assigning Account Passwords
- 6.2.15 Password Management
- 6.2.16 Server Handling of Expired Passwords
- 6.2.17 Pluggable Authentication
- 6.2.18 Proxy Users
- 6.2.19 Account Locking
- 6.2.20 Setting Account Resource Limits
- 6.2.21 Troubleshooting Problems Connecting to MySQL
- 6.2.22 SQL-Based Account Activity Auditing
MySQL enables the creation of accounts that permit client users to
connect to the server and access data managed by the server. The
primary function of the MySQL privilege system is to authenticate a
user who connects from a given host and to associate that user with
privileges on a database such as
SELECT
,
INSERT
,
UPDATE
, and
DELETE
. Additional functionality
includes the ability to grant privileges for administrative
operations.
To control which users can connect, each account can be assigned
authentication credentials such as a password. The user interface to
MySQL accounts consists of SQL statements such as
CREATE USER
,
GRANT
, and
REVOKE
. See
Section 13.7.1, “Account Management Statements”.
The MySQL privilege system ensures that all users may perform only the operations permitted to them. As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the user name you specify. When you issue requests after connecting, the system grants privileges according to your identity and what you want to do.
MySQL considers both your host name and user name in identifying you
because there is no reason to assume that a given user name belongs
to the same person on all hosts. For example, the user
joe
who connects from
office.example.com
need not be the same person as
the user joe
who connects from
home.example.com
. MySQL handles this by enabling
you to distinguish users on different hosts that happen to have the
same name: You can grant one set of privileges for connections by
joe
from office.example.com
,
and a different set of privileges for connections by
joe
from home.example.com
. To
see what privileges a given account has, use the
SHOW GRANTS
statement. For example:
Internally, the server stores privilege information in the grant
tables of the mysql
system database. The MySQL
server reads the contents of these tables into memory when it starts
and bases access-control decisions on the in-memory copies of the
grant tables.
MySQL access control involves two stages when you run a client program that connects to the server:
Stage 1: The server accepts or rejects the connection based on your identity and whether you can verify your identity by supplying the correct password.
Stage 2: Assuming that you can
connect, the server checks each statement you issue to determine
whether you have sufficient privileges to perform it. For example,
if you try to select rows from a table in a database or drop a table
from the database, the server verifies that you have the
SELECT
privilege for the table or the
DROP
privilege for the database.
For a more detailed description of what happens during each stage, see Section 6.2.6, “Access Control, Stage 1: Connection Verification”, and Section 6.2.7, “Access Control, Stage 2: Request Verification”. For help in diagnosing privilege-related problems, see Section 6.2.21, “Troubleshooting Problems Connecting to MySQL”.
If your privileges are changed (either by yourself or someone else) while you are connected, those changes do not necessarily take effect immediately for the next statement that you issue. For details about the conditions under which the server reloads the grant tables, see Section 6.2.13, “When Privilege Changes Take Effect”.
There are some things that you cannot do with the MySQL privilege system:
You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.
A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.
Deutsche Übersetzung
Sie haben gebeten, diese Seite auf Deutsch zu besuchen. Momentan ist nur die Oberfläche übersetzt, aber noch nicht der gesamte Inhalt.Wenn Sie mir bei Übersetzungen helfen wollen, ist Ihr Beitrag willkommen. Alles, was Sie tun müssen, ist, sich auf der Website zu registrieren und mir eine Nachricht zu schicken, in der Sie gebeten werden, Sie der Gruppe der Übersetzer hinzuzufügen, die Ihnen die Möglichkeit gibt, die gewünschten Seiten zu übersetzen. Ein Link am Ende jeder übersetzten Seite zeigt an, dass Sie der Übersetzer sind und einen Link zu Ihrem Profil haben.
Vielen Dank im Voraus.
Dokument erstellt 26/06/2006, zuletzt geändert 26/10/2018
Quelle des gedruckten Dokuments:https://www.gaudry.be/de/mysql-rf-access-control.html
Die Infobro ist eine persönliche Seite, deren Inhalt in meiner alleinigen Verantwortung liegt. Der Text ist unter der CreativeCommons-Lizenz (BY-NC-SA) verfügbar. Weitere Informationen auf die Nutzungsbedingungen und dem Autor.
Referenzen
Diese Verweise und Links verweisen auf Dokumente, die während des Schreibens dieser Seite konsultiert wurden, oder die zusätzliche Informationen liefern können, aber die Autoren dieser Quellen können nicht für den Inhalt dieser Seite verantwortlich gemacht werden.
Der Autor Diese Website ist allein dafür verantwortlich, wie die verschiedenen Konzepte und Freiheiten, die mit den Nachschlagewerken gemacht werden, hier dargestellt werden. Denken Sie daran, dass Sie mehrere Quellinformationen austauschen müssen, um das Risiko von Fehlern zu reduzieren.