Rechercher dans le manuel MySQL
13.7.1.1 ALTER USER Syntax
- [password_option | lock_option] ...
- user:
- (see Section 6.2.4, “Specifying Account Names”)
- auth_option: {
- IDENTIFIED BY 'auth_string'
- | IDENTIFIED WITH auth_plugin
- }
- user_func_auth_option: {
- IDENTIFIED BY 'auth_string'
- }
- tls_option: {
- | X509
- | CIPHER 'cipher'
- | ISSUER 'issuer'
- | SUBJECT 'subject'
- }
- resource_option: {
- MAX_QUERIES_PER_HOUR count
- | MAX_UPDATES_PER_HOUR count
- | MAX_CONNECTIONS_PER_HOUR count
- | MAX_USER_CONNECTIONS count
- }
- password_option: {
- }
- lock_option: {
- ACCOUNT LOCK
- | ACCOUNT UNLOCK
- }
The ALTER USER statement modifies
MySQL accounts. It enables authentication, role, SSL/TLS,
resource-limit, and password-management properties to be
modified for existing accounts. It can also be used to lock and
unlock accounts.
In most cases, ALTER USER
requires the global CREATE USER
privilege, or the UPDATE
privilege for the mysql system database. The
exceptions are:
Any client who connects to the server using a nonanonymous account can change the password for that account. (In particular, you can change your own password.) To see which account the server authenticated you as, invoke the
CURRENT_USER()function:For
DEFAULT ROLEsyntax,ALTER USERrequires these privileges:Setting the default roles for another user requires the global
CREATE USERprivilege, or theUPDATEprivilege for themysql.default_rolessystem table.Setting the default roles for yourself requires no special privileges, as long as the roles you want as the default have been granted to you.
Statements that modify secondary passwords require these privileges:
The
APPLICATION_PASSWORD_ADMINprivilege is required to use theRETAIN CURRENT PASSWORDorDISCARD OLD PASSWORDclause forALTER USERstatements that apply to your own account. The privilege is required to manipulate your own secondary password because most users require only one password.If an account is to be permitted to manipulate secondary passwords for all accounts, it should be granted the
CREATE USERprivilege rather thanAPPLICATION_PASSWORD_ADMIN.
When the read_only system
variable is enabled, ALTER USER
additionally requires the
CONNECTION_ADMIN or
SUPER privilege.
By default, an error occurs if you try to modify a user that
does not exist. If the IF EXISTS clause is
given, the statement produces a warning for each named user that
does not exist, rather than an error.
Under some circumstances, ALTER
USER may be recorded in server logs or on the client
side in a history file such as
~/.mysql_history, which means that
cleartext passwords may be read by anyone having read access
to that information. For information about the conditions
under which this occurs for the server logs and how to control
it, see Section 6.1.2.3, “Passwords and Logging”. For similar
information about client-side logging, see
Section 4.5.1.3, “mysql Client Logging”.
There are several aspects to the ALTER
USER statement, described under the following topics:
ALTER USER Overview
For each affected account, ALTER
USER modifies the corresponding row in the
mysql.user system table to reflect the
properties specified in the statement. Unspecified properties
retain their current values.
Each account name uses the format described in
Section 6.2.4, “Specifying Account Names”. The host name part of the
account name, if omitted, defaults to '%'.
It is also possible to specify
CURRENT_USER or
CURRENT_USER() to refer to the
account associated with the current session.
For one syntax only, the account may be specified with the
USER() function:
This syntax enables changing your own password without naming
your account literally. (The syntax also supports the
REPLACE, RETAIN CURRENT
PASSWORD, and DISCARD OLD
PASSWORD clauses described at
ALTER USER Authentication Options.)
For ALTER USER syntaxes that
permit an auth_option value to
follow a user value,
auth_option indicates how the
account authenticates by specifying an account authentication
plugin, credentials (for example, a password), or both. Each
auth_option value applies
only to the account named immediately
preceding it.
Following the user specifications,
the statement may include options for SSL/TLS, resource-limit,
password-management, and locking properties. All such options
are global to the statement and apply to
all accounts named in the statement.
Example: Change an account's password and expire it. As a result, the user must connect with the named password and choose a new one at the next connection:
Example: Modify an account to use the
sha256_password authentication plugin and
the given password. Require that a new password be chosen
every 180 days:
- IDENTIFIED WITH sha256_password BY 'new_password'
Example: Lock or unlock an account:
Example: Require an account to connect using SSL and establish a limit of 20 connections per hour:
Example: Alter multiple accounts, specifying some per-account properties and some global properties:
The IDENTIFIED BY value following
jeffrey applies only to its immediately
preceding account, so it changes the password to
'
only for jeffrey_new_password'jeffrey. For
jeanne, there is no per-account value (thus
leaving the password unchanged). For josh,
IDENTIFIED BY establishes a new password
('),
josh_new_password'REPLACE is specified to verify that the
user issuing the ALTER USER
statement knows the current password
('),
and that current password is also retained as the account
secondary password. (As a result, josh_current_password'josh can
connect with either the primary or secondary password.)
The remaining properties apply globally to all accounts named in the statement, so for both accounts:
Connections are required to use SSL.
The account can be used for a maximum of two simultaneous connections.
Password changes cannot reuse any of the five most recent passwords.
Example: Discard the secondary password for
josh, leaving the account with only its
primary password:
In the absence of a particular type of option, the account remains unchanged in that respect. For example, with no locking option, the locking state of the account is not changed.
An account name may be followed by an
auth_option authentication option
that specifies the account authentication plugin, credentials,
or both. It may also include a password-verification clause
that specifies the account current password to be replaced,
and clauses that manage whether an account has a secondary
password.
Clauses for password verification and secondary passwords
apply only to accounts that store credentials internally in
the mysql.user system table
(mysql_native_password,
sha256_password, or
caching_sha2_password). For accounts that
use plugins that perform authentication against an external
credential system, password management must be handled
externally against that system as well.
auth_pluginnames an authentication plugin. The plugin name can be a quoted string literal or an unquoted name. Plugin names are stored in theplugincolumn of themysql.usersystem table.For
auth_optionsyntaxes that do not specify an authentication plugin, the default plugin is indicated by the value of thedefault_authentication_pluginsystem variable. For descriptions of each plugin, see Section 6.4.1, “Authentication Plugins”.Credentials are stored in the
mysql.usersystem table. An'value specifies account credentials, either as a cleartext (unencrypted) string or hashed in the format expected by the authentication plugin associated with the account, respectively:auth_string'For syntaxes that use
BY ', the string is cleartext and is passed to the authentication plugin for possible hashing. The result returned by the plugin is stored in theauth_string'mysql.usertable. A plugin may use the value as specified, in which case no hashing occurs.For syntaxes that use
AS ', the string is assumed to be already in the format the authentication plugin requires, and is stored as is in theauth_string'mysql.usertable. If a plugin requires a hashed value, the value must be hashed in a format appropriate for the plugin. Otherwise, the value is not usable by the plugin and correct authentication of client connections will not occur.As of MySQL 8.0.17, a hashed string can be either a string literal or a hexadecimal value. The latter corresponds to the type of value displayed by
SHOW CREATE USERfor password hashes containing unprintable characters when theprint_identified_with_as_hexsystem variable is enabled.If an authentication plugin does not perform hashing of the authentication string, the
BY 'andauth_string'AS 'clauses have the same effect: Storage of the authentication string as is in theauth_string'mysql.usersystem table.
The
REPLACE 'clause is available as of MySQL 8.0.13. If given:current_auth_string'REPLACEspecifies the account current password to be replaced, as a cleartext (unencrypted) string.The clause must be given if password changes for the are required to specify the current password, as verification that the user attempting to make the change actually knows the current password.
The clause is optional if password changes for the account may but need not specify the current password.
The statement fails if the clause is given but does not match the current password, even if the clause is optional.
REPLACEcan be specified only when changing the account password for the current user.
For more information about password verification by specifying the current password, see Section 6.2.15, “Password Management”.
The
RETAIN CURRENT PASSWORDandDISCARD OLD PASSWORDclauses implement dual-password capability and are available as of MySQL 8.0.14. Both are optional, but if given, have the following effects:RETAIN CURRENT PASSWORDretains an account current password as its secondary password, replacing any existing secondary password. The new password becomes the primary password, but clients can use the account to connect to the server using either the primary or secondary password. (Exception: If the new password specified by theALTER USERstatement is empty, the secondary password becomes empty as well, even ifRETAIN CURRENT PASSWORDis given.)If you specify
RETAIN CURRENT PASSWORDfor an account that has an empty primary password, the statement fails.If an account has a secondary password and you change its primary password without specifying
RETAIN CURRENT PASSWORD, the secondary password remains unchanged.If you change the authentication plugin assigned to the account, the secondary password is discarded. If you change the authentication plugin and also specify
RETAIN CURRENT PASSWORD, the statement fails.DISCARD OLD PASSWORDdiscards the secondary password, if one exists. The account retains only its primary password, and clients can use the account to connect to the server only with the primary password.
For more information about use of dual passwords, see Section 6.2.15, “Password Management”.
ALTER USER permits these
auth_option syntaxes:
IDENTIFIED BY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]Sets the account authentication plugin to the default plugin, passes the cleartext
'value to the plugin for possible hashing, and stores the result in the account row in theauth_string'mysql.usersystem table.The
REPLACEclause, if given, specifies the account current password, as described previously in this section.The
RETAIN CURRENT PASSWORDclause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.IDENTIFIED WITHauth_pluginSets the account authentication plugin to
auth_plugin, clears the credentials to the empty string (the credentials are associated with the old authentication plugin, not the new one), and stores the result in the account row in themysql.usersystem table.In addition, the password is marked expired. The user must choose a new one when next connecting.
IDENTIFIED WITHauth_pluginBY 'auth_string' [REPLACE 'current_auth_string'] [RETAIN CURRENT PASSWORD]Sets the account authentication plugin to
auth_plugin, passes the cleartext'value to the plugin for possible hashing, and stores the result in the account row in theauth_string'mysql.usersystem table.The
REPLACEclause, if given, specifies the account current password, as described previously in this section.The
RETAIN CURRENT PASSWORDclause, if given, causes the account current password to be retained as its secondary password, as described previously in this section.IDENTIFIED WITHauth_pluginAS 'auth_string'Sets the account authentication plugin to
auth_pluginand stores the'value as is in theauth_string'mysql.useraccount row. If the plugin requires a hashed string, the string is assumed to be already hashed in the format the plugin requires.DISCARD OLD PASSWORDDiscards the account secondary password, if there is one, as described previously in this section.
Example: Specify the password as cleartext; the default plugin is used:
Example: Specify the authentication plugin, along with a cleartext password value:
Example: Like the preceding example, but in addition, specify the current password as a cleartext value to satisfy any account requirement that the user making the change knows that password:
- IDENTIFIED WITH mysql_native_password
- BY 'password'
The preceding statement fails unless the current user is
jeffrey because REPLACE
is permitted only for changes to the current user's password.
Example: Establish a new primary password and retain the existing password as the secondary password:
Example: Discard the secondary password, leaving the account with only its primary password:
Example: Specify the authentication plugin, along with a hashed password value:
- IDENTIFIED WITH mysql_native_password
For additional information about setting passwords and authentication plugins, see Section 6.2.14, “Assigning Account Passwords”, and Section 6.2.17, “Pluggable Authentication”.
ALTER USER ...
DEFAULT ROLE defines which roles become active when
the user connects to the server and authenticates, or when the
user executes the
SET ROLE
DEFAULT statement during a session.
ALTER USER ...
DEFAULT ROLE is alternative syntax for
SET DEFAULT ROLE (see
Section 13.7.1.9, “SET DEFAULT ROLE Syntax”). However,
ALTER USER can set the default
for only a single user, whereas SET
DEFAULT ROLE can set the default for multiple users.
On the other hand, you can specify
CURRENT_USER as the user name for the
ALTER USER statement, whereas
you cannot for SET DEFAULT
ROLE.
Each user account name uses the format described previously.
Each role name uses the format described in Section 6.2.5, “Specifying Role Names”. For example:
The host name part of the role name, if omitted, defaults to
'%'.
The clause following the DEFAULT ROLE
keywords permits these values:
NONE: Set the default toNONE(no roles).ALL: Set the default to all roles granted to the account.role[,role] ...ALTER USER ... DEFAULT ROLEis executed.
MySQL can check X.509 certificate attributes in addition to the usual authentication that is based on the user name and credentials. For background information on the use of SSL/TLS with MySQL, see Section 6.3, “Using Encrypted Connections”.
To specify SSL/TLS-related options for a MySQL account, use a
REQUIRE clause that specifies one or more
tls_option values.
Order of REQUIRE options does not matter,
but no option can be specified twice. The
AND keyword is optional between
REQUIRE options.
ALTER USER permits these
tls_option values:
NONEIndicates that all accounts named by the statement have no SSL or X.509 requirements. Unencrypted connections are permitted if the user name and password are valid. Encrypted connections can be used, at the client's option, if the client has the proper certificate and key files.
Clients attempt to establish a secure connection by default. For clients that have
REQUIRE NONE, the connection attempt falls back to an unencrypted connection if a secure connection cannot be established. To require an encrypted connection, a client need specify only the--ssl-mode=REQUIREDoption; the connection attempt fails if a secure connection cannot be established.SSLTells the server to permit only encrypted connections for all accounts named by the statement.
Clients attempt to establish a secure connection by default. For accounts that have
REQUIRE SSL, the connection attempt fails if a secure connection cannot be established.X509For all accounts named by the statement, requires that clients present a valid certificate, but the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates. Use of X.509 certificates always implies encryption, so the
SSLoption is unnecessary in this case.For accounts with
REQUIRE X509, clients must specify the--ssl-keyand--ssl-certoptions to connect. (It is recommended but not required that--ssl-caalso be specified so that the public certificate provided by the server can be verified.) This is true forISSUERandSUBJECTas well because thoseREQUIREoptions imply the requirements ofX509.ISSUER 'issuer'For all accounts named by the statement, requires that clients present a valid X.509 certificate issued by CA
'. If a client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X.509 certificates always implies encryption, so theissuer'SSLoption is unnecessary in this case.- REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
- O=MySQL/CN=CA/emailAddress=ca@example.com';
Because
ISSUERimplies the requirements ofX509, clients must specify the--ssl-keyand--ssl-certoptions to connect. (It is recommended but not required that--ssl-caalso be specified so that the public certificate provided by the server can be verified.)SUBJECT 'subject'For all accounts named by the statement, requires that clients present a valid X.509 certificate containing the subject
subject. If a client presents a certificate that is valid but has a different subject, the server rejects the connection. Use of X.509 certificates always implies encryption, so theSSLoption is unnecessary in this case.- REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
- O=MySQL demo client certificate/
- CN=client/emailAddress=client@example.com';
MySQL does a simple string comparison of the
'value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.subject'Because
SUBJECTimplies the requirements ofX509, clients must specify the--ssl-keyand--ssl-certoptions to connect. (It is recommended but not required that--ssl-caalso be specified so that the public certificate provided by the server can be verified.)CIPHER 'cipher'For all accounts named by the statement, requires a specific cipher method for encrypting connections. This option is needed to ensure that ciphers and key lengths of sufficient strength are used. Encryption can be weak if old algorithms using short encryption keys are used.
The SUBJECT, ISSUER, and
CIPHER options can be combined in the
REQUIRE clause:
It is possible to place limits on use of server resources by
an account, as discussed in Section 6.2.20, “Setting Account Resource Limits”.
To do so, use a WITH clause that specifies
one or more resource_option values.
Order of WITH options does not matter,
except that if a given resource limit is specified multiple
times, the last instance takes precedence.
ALTER USER permits these
resource_option values:
MAX_QUERIES_PER_HOUR,countMAX_UPDATES_PER_HOUR,countMAX_CONNECTIONS_PER_HOURcountFor all accounts named by the statement, these options restrict how many queries, updates, and connections to the server are permitted to each account during any given one-hour period. If
countis0(the default), this means that there is no limitation for the account.MAX_USER_CONNECTIONScountFor all accounts named by the statement, restricts the maximum number of simultaneous connections to the server by each account. A nonzero
countspecifies the limit for the account explicitly. Ifcountis0(the default), the server determines the number of simultaneous connections for the account from the global value of themax_user_connectionssystem variable. Ifmax_user_connectionsis also zero, there is no limit for the account.
Example:
ALTER USER supports several
password_option values for password
management:
Password expiration options: You can expire an account password manually and establish its password expiration policy. Policy options do not expire the password. Instead, they determine how the server applies automatic expiration to the account based on password age, which is assessed from the date and time of the most recent account password change.
Password reuse options: You can restrict password reuse based on number of password changes, time elapsed, or both.
Password verification-required options: You can indicate whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password.
This section describes the syntax for password-management options. For information about establishing policy for password management, see Section 6.2.15, “Password Management”.
If multiple password-management options of a given type
(PASSWORD EXPIRE, PASSWORD
HISTORY, PASSWORD REUSE INTERVAL,
PASSWORD REQUIRE) are specified, the last
one takes precedence.
Password-management options apply only to accounts that
store credentials internally in the
mysql.user system table
(mysql_native_password,
sha256_password, or
caching_sha2_password). For accounts that
use plugins that perform authentication against an external
credential system, password management must be handled
externally against that system as well.
A client has an expired password if the account password was expired manually or the password age is considered greater than its permitted lifetime per the automatic expiration policy. In this case, the server either disconnects the client or restricts the operations permitted to it (see Section 6.2.16, “Server Handling of Expired Passwords”). Operations performed by a restricted client result in an error until the user establishes a new account password.
Although it is possible to “reset” an expired password by setting it to its current value, it is preferable, as a matter of good policy, to choose a different password. DBAs can enforce non-reuse by establishing an appropriate password-reuse policy. See Password Reuse Policy.
ALTER USER permits these
password_option values for
controlling password expiration:
PASSWORD EXPIREImmediately marks the password expired for all accounts named by the statement.
PASSWORD EXPIRE DEFAULTSets all accounts named by the statement so that the global expiration policy applies, as specified by the
default_password_lifetimesystem variable.PASSWORD EXPIRE NEVERThis expiration option overrides the global policy for all accounts named by the statement. For each, it disables password expiration so that the password never expires.
PASSWORD EXPIRE INTERVALNDAYThis expiration option overrides the global policy for all accounts named by the statement. For each, it sets the password lifetime to
Ndays. The following statement requires the password to be changed every 180 days:
ALTER USER permits these
password_option values for
controlling reuse of previous passwords based on required
minimum number of password changes:
PASSWORD HISTORY DEFAULTSets all accounts named by the statement so that the global policy about password history length applies, to prohibit reuse of passwords before the number of changes specified by the
password_historysystem variable.PASSWORD HISTORYNThis history-length option overrides the global policy for all accounts named by the statement. For each, it sets the password history length to
Npasswords, to prohibit reusing any of theNmost recently chosen passwords. The following statement prohibits reuse of any of the previous 6 passwords:
ALTER USER permits these
password_option values for
controlling reuse of previous passwords based on time elapsed:
PASSWORD REUSE INTERVAL DEFAULTSets all statements named by the account so that the global policy about time elapsed applies, to prohibit reuse of passwords newer than the number of days specified by the
password_reuse_intervalsystem variable.PASSWORD REUSE INTERVALNDAYThis time-elapsed option overrides the global policy for all accounts named by the statement. For each, it sets the password reuse interval to
Ndays, to prohibit reuse of passwords newer than that many days. The following statement prohibits password reuse for 360 days:
ALTER USER permits these
password_option values for
controlling whether attempts to change an account password
must specify the current password, as verification that the
user attempting to make the change actually knows the current
password:
PASSWORD REQUIRE CURRENTThis verification option overrides the global policy for all accounts named by the statement. For each, it requires that password changes specify the current password.
PASSWORD REQUIRE CURRENT OPTIONALThis verification option overrides the global policy for all accounts named by the statement. For each, it does not require that password changes specify the current password. (The current password may but need not be given.)
PASSWORD REQUIRE CURRENT DEFAULTSets all statements named by the account so that the global policy about password verification applies, as specified by the
password_require_currentsystem variable.
MySQL supports account locking and unlocking using the
ACCOUNT LOCK and ACCOUNT
UNLOCK options, which specify the locking state for
an account. For additional discussion, see
Section 6.2.19, “Account Locking”.
If multiple account-locking options are specified, the last one takes precedence.
ALTER USER is written to the
binary log if it succeeds, but not if it fails; in that case,
rollback occurs and no changes are made. A statement written
to the binary log includes all named users. If the IF
EXISTS clause is given, this includes even users
that do not exist and were not altered.
If the original statement changes the credentials for a user, the statement written to the binary log specifies the applicable authentication plugin for that user, determined as follows:
The plugin named in the original statement, if one was specified.
Otherwise, the plugin associated with the user account if the user exists, or the default authentication plugin if the user does not exist. (If the statement written to the binary log must specify a particular authentication plugin for a user, include it in the original statement.)
If the server adds the default authentication plugin for any users in the statement written to the binary log, it writes a warning to the error log naming those users.
Deutsche Übersetzung
Sie haben gebeten, diese Seite auf Deutsch zu besuchen. Momentan ist nur die Oberfläche übersetzt, aber noch nicht der gesamte Inhalt.Wenn Sie mir bei Übersetzungen helfen wollen, ist Ihr Beitrag willkommen. Alles, was Sie tun müssen, ist, sich auf der Website zu registrieren und mir eine Nachricht zu schicken, in der Sie gebeten werden, Sie der Gruppe der Übersetzer hinzuzufügen, die Ihnen die Möglichkeit gibt, die gewünschten Seiten zu übersetzen. Ein Link am Ende jeder übersetzten Seite zeigt an, dass Sie der Übersetzer sind und einen Link zu Ihrem Profil haben.
Vielen Dank im Voraus.
Dokument erstellt 26/06/2006, zuletzt geändert 26/10/2018
Quelle des gedruckten Dokuments:https://www.gaudry.be/de/mysql-rf-alter-user.html
Die Infobro ist eine persönliche Seite, deren Inhalt in meiner alleinigen Verantwortung liegt. Der Text ist unter der CreativeCommons-Lizenz (BY-NC-SA) verfügbar. Weitere Informationen auf die Nutzungsbedingungen und dem Autor.
Referenzen
Diese Verweise und Links verweisen auf Dokumente, die während des Schreibens dieser Seite konsultiert wurden, oder die zusätzliche Informationen liefern können, aber die Autoren dieser Quellen können nicht für den Inhalt dieser Seite verantwortlich gemacht werden.
Der Autor Diese Website ist allein dafür verantwortlich, wie die verschiedenen Konzepte und Freiheiten, die mit den Nachschlagewerken gemacht werden, hier dargestellt werden. Denken Sie daran, dass Sie mehrere Quellinformationen austauschen müssen, um das Risiko von Fehlern zu reduzieren.
