在设置权限前,需先完成MySQL的安装及初始安全加固:
sudo apt update
sudo apt install mysql-server mysql-client
mysql_secure_installation,完成以下关键操作:
使用root用户登录MySQL命令行(需输入root密码):
sudo mysql -u root -p
为避免直接使用root账户,建议创建专用用户。语法如下:
CREATE USER 'username'@'host' IDENTIFIED BY 'password';
username:自定义用户名;host:允许连接的主机(localhost仅本地登录,%允许任意IP远程登录,具体IP如192.168.1.100限制特定主机);password:用户密码(需符合MySQL密码策略)。dev_user,密码DevPass123:CREATE USER 'dev_user'@'localhost' IDENTIFIED BY 'DevPass123';
使用GRANT语句为用户分配权限,常见场景如下:
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'host';
dev_user管理mydb数据库的所有操作:GRANT ALL PRIVILEGES ON mydb.* TO 'dev_user'@'localhost';
SELECT、插入INSERT、更新UPDATE、删除DELETE),降低安全风险。dev_user对mydb的users表进行增删改查:GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.users TO 'dev_user'@'localhost';
admin:GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
WITH GRANT OPTION允许该用户授予他人权限,需严格控制)授予权限后,需执行以下命令使变更立即生效:
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'username'@'host';
dev_user的权限:SHOW GRANTS FOR 'dev_user'@'localhost';
SHOW GRANTS;使用REVOKE语句撤销指定权限,语法与GRANT相反:
REVOKE privilege_type ON database_name.table_name FROM 'username'@'host';
示例:撤销dev_user对mydb.users表的DELETE权限:
REVOKE DELETE ON mydb.users FROM 'dev_user'@'localhost';
FLUSH PRIVILEGES;
若需允许用户从远程主机连接,需完成以下步骤:
/etc/mysql/mysql.conf.d/mysqld.cnf,注释bind-address行(允许所有IP连接):sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# 找到并注释:bind-address = 127.0.0.1
sudo systemctl restart mysql
sudo ufw allow 3306
host改为%(或指定IP),并授予权限:CREATE USER 'remote_user'@'%' IDENTIFIED BY 'RemotePass123';
GRANT ALL PRIVILEGES ON mydb.* TO 'remote_user'@'%';
FLUSH PRIVILEGES;
SELECT、INSERT,无需DROP);SHOW GRANTS检查用户权限,及时撤销不必要的权限;localhost或特定IP,避免%开放所有主机。完成以上步骤后,即可完成Ubuntu下MySQL的权限设置。根据实际需求调整用户权限,确保数据库安全。