Of Stack

MySQL's method for authenticating user permissions

  • 2020-11-25 07:38:59
  • OfStack

Knowledge of induction

Since MySQL USES the User and Host fields to identify users, this raises the question of which host a client belongs to.
If one client matches several Host at the same time, the user is determined according to the following priority

The more accurate the basic idea, the better the match On the Host column, the more certain Host is, the higher the priority [localhost, 192.168.1.1, wiki. yfang. cn] takes precedence over [192.168.%, %. yfang. cn], takes precedence over [192.168.%, %.cn], takes precedence over [%] On the User column, explicit username takes precedence over empty username. (Empty username matches all user names, that is, anonymous users matches all users) The Host column takes precedence over the User column

After you log in to the mysql server, you can use user() and current_user() to check who you logged in to.

user() returns the user and host specified when you connected to server current_user() returns the user and host matched in the mysql.user table, which determines your permissions in the database

When you log in to the server and execute the MySQL command, the system checks to see if your current user (current_user) has permission to perform the current operation.

First, the global permissions in the user table are checked and, if the conditions are met, the action is performed If the above fails, check that the permissions in the ES43en.db table meet the criteria, and if so, perform the action If the above failed, check mysql.table_priv and mysql.columns_priv (check mysql.procs_priv if it is a stored procedure operation), and if satisfied, perform the operation If all the above checks fail, the system rejects the operation.

The testing process
Create three USER users with the same name, HOST, and different permissions 


mysql> grant select on *.* to ''@'%' identified by '123';
Query OK, 0 rows affected (0.00 sec)
mysql> grant select,createon *.* to 'bruce'@'10.20.0.232' identified by '123';
Query OK, 0 rows affected (0.01 sec)
mysql> grant select,create,deleteon *.* to 'bruce'@'%' identified by'123';
Query OK, 0rows affected (0.00 sec)

Log in from another machine 


[root@brucetest7 ~]# mysql -ubruce -p -h10.20.0.231
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.20-log MySQL Community Server (GPL)
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome tomodify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type'\c'to clear the current inputstatement.
MySQL [(none)]> show grants;
+-------------------------------------------------------------------------------------------------------------------------+
| Grants for bruce@10.20.0.232                       |
+-------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, CREATEON *.* TO 'bruce'@'10.20.0.232' IDENTIFIED BY PASSWORD'*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+-------------------------------------------------------------------------------------------------------------------------+
1 row inset (0.00 sec)
MySQL [(none)]> select user(), current_user();
+-------------------+-------------------+
| user()   | current_user() |
+-------------------+-------------------+
| bruce@10.20.0.232 | bruce@10.20.0.232 |
+-------------------+-------------------+
1 row in set (0.03 sec)

Clear user,host, exact match, find user as 'bruce'@'10.20.0.232'
Delete the user before logging in 


mysql> delete from mysql.userwhereuser='bruce'andhost='10.20.0.232';
Query OK, 1row affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

[root@brucetest7 ~]# mysql -ubruce -p -h10.20.0.231
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.5.20-log MySQL Community Server (GPL)
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome tomodify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type'\c'to clear the current inputstatement.

MySQL [(none)]>show grants;
+-----------------------------------------------------------------------------------------------------------------------+
| Grants for bruce@%                         |
+-----------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT, DELETE, CREATEON*.* TO 'bruce'@'%' IDENTIFIED BYPASSWORD'*23AE809DDACAF96AF0FD78ED04B6A265E05AA257' |
+-----------------------------------------------------------------------------------------------------------------------+
1 row inset (0.00 sec)
MySQL [(none)]> select user(), current_user();
+-------------------+----------------+
| user()   | current_user() |
+-------------------+----------------+
| bruce@10.20.0.232 | bruce@%  |
+-------------------+----------------+
1 row in set (0.00 sec)

At this point, the matching user is ES74en@ %
Then delete this user and log in again 


[root@brucetest7 ~]# mysql -ubruce -p -h10.20.0.231
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.20-log MySQL Community Server (GPL)
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome tomodify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c'to clear the current inputstatement.
MySQL [(none)]> show grants;
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for @%                                              |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SELECT ON*.* TO''@'%' IDENTIFIED BY PASSWORD '*23AE809DDACAF96AF0FD78ED04B6A265E05AA257'                         |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATEROUTINE, EVENT, TRIGGER ON `test`.* TO''@'%' |
| GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATETEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATEROUTINE, EVENT, TRIGGER ON `test\_%`.* TO''@'%' |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
MySQL [(none)]> select user(), current_user();
+-------------------+----------------+
| user()   | current_user() |
+-------------------+----------------+
| bruce@10.20.0.232 | @%    |
+-------------------+----------------+
1 row in set (0.00 sec)

This matches the '@'%' user

For empty users, the default is to have permission to the database beginning with test or test.

Above is the MySQL authentication method, I hope to give you some inspiration to learn.

Related articles: