mysql grant命令是什么意思? [英] What does it mean on mysql grant command?
问题描述
我需要授予我的root用户所有权限,所以我使用:
GRANT ALL ON *。* TO'root'@'%';
为什么使用'root'@'%'?
我明白这些是用户和主机,但在这种情况下,我处于开发环境中,为什么我要放置一个主机?
在生产服务器的情况下,我明白是仅授予由指定主机托管的数据库,对吗?
谢谢。
'%'是通配符倒退。登录尝试尝试最具体的,然后向通配符移动(朝向更通用)移动,直到找到用户/主机组合帐户,如果您要进行身份验证。如果找不到这样的帐号,登录失败。
所以当你有'root'@'localhost'(调用它acct或用户1),当你坐在本地主机时,这是很好的和dandy。但是,当您从不同的客户端附加时,请说192.168.10.103,您不再是localhost。您现在需要明确的root'@'192.168.10.103(如果您愿意,请使用用户或帐户),或者为了使用'%'的通配符进行理解。为什么,因为没有办法想让你的mysql.user丢弃所有的排列。
你可以看到哪些用户可以使用
选择用户,从mysql.user主机;
根目录有3个用户不太常见
'root'@'localhost'
'root'@'127.0.0.1'
'root'@'%'
给予他们所有相同的权利。上述第三个是自然的安全风险。这是因为'%'意味着任何主机 。
这就是为什么'root'@'localhost'被推荐为系统中唯一的root用户。您可以通过坐在那个盒子或使用具有安全连接的ssh来实现root,如果你愿意,就成为 localhost 。
你需要了解这是关于安全性的方法,而且,无论好坏,MySQL选择实现用户是什么。用户是用户名,加上作为进入的主机名。主机名可能是一个IP地址,或一个DNS主机名,如 casper.comcastbusiness.net 。当MySQL收到连接请求时,它从最特定的方式向%起泡,直到可以或无法验证请求。
作为一个用例,我有一个服务器,我想以root用户身份验证,但由于安全原因,系统中的不具有'root'@'%'用户。所以我明确地创建了一个用户,如'root'@'casper.comcastbusiness.net'。另一层当然是防火墙,但这是一个单独的问题。但是要轻轻点一下,AWS ec2有一个安全组区域,使其只有一些IP地址能够连接到端口3306.所以防火墙是另一层,我所说的是整个事情是关于保护您的服务器。
管理它是一种痛苦。但是这是什么,我们必须和它一起生活。
I am creating my own PHP development environtment and I am setting mysql.
I need to grant to my root user all the privileges so I use:
GRANT ALL ON *.* TO 'root'@'%';
Why It use 'root'@'%'?
I understand that these are user and host, but in this case that I am in a development environment why I have to put a host?
In case of a production server I understand that it is to grant only the database hosted by an specified host, right?
Thanks.
'%' is a wildcard fall-back. The login attempt tries the most specific and then moves toward the wildcard (moving toward more general) until it finds a user/host combo account if you will to authenticate. If it can't find such an account, the login fails.
So when you have 'root'@'localhost' (call it acct or user 1), that is all fine and dandy when you are sitting at localhost. But when you attach from a different client, say '192.168.10.103', you are no longer 'localhost'. You now need either an explicit 'root'@'192.168.10.103' (user or acct if you will), or for sanity we swing for the wildcard with '%'. Why, because there is no way you want to litter your mysql.user with all the permutations.
What users you have can be seen with
select user,host from mysql.user;
It is not uncommon to have 3 users for root
'root'@'localhost'
'root'@'127.0.0.1'
'root'@'%'
Giving them all the same rights. The 3rd one above is a security risk, naturally. That is so because '%' means from any host anywhere.
And that is why 'root'@'localhost' is recommended to be the only root user in your system. You achieve root by either sitting at that box, or using ssh with a secure connection to become localhost if you will.
You need to understand that it is all about security, and the way, for better or worse, MySQL chose to implement what a user is. A user is the username, plus the hostname coming in as. The hostname could be an IP Address, or a DNS hostname like casper.comcastbusiness.net. When MySQL receives the connection request, it bubbles up from most-specific toward '%' until it can or cannot authenticate the request.
As one use case, I have a server that I want to authenticate as root but not have a 'root'@'%' user in the system for security reasons. So I explicitly created a user like 'root'@'casper.comcastbusiness.net'. Another layer of course is the firewall but that is a separate issue. But to touch on it lightly, AWS ec2 has a Security Groups area to have it such that only certain IP Addresses are able to connect to port 3306. So the firewall is another layer, of what I am saying is that the whole thing is about securing your server.
Administrating it is a pain. But it is what is and we have to live with it.
这篇关于mysql grant命令是什么意思?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
