bluet00 2020-02-21
在项目的新版本发布过程中,暴露出了一些数据库权限管理的问题
开发人员现在都有数据库的写入权限,导致人人都可以在数据库中进行执行权限,这样就有开发人员在环境修改数据库和表但是却没有进行登记 为了避免以后再出现这种情况,建议按照如下规定执行: 收回开发人员对数据库的写入权限,开发人员对数据库只有读取和更新权限,只有一台指定ip的数据库的用户拥有数据库的全部权限
#命令行方式 例子1:mysqladmin -uroot -p123456 password dataexa #update直接修改mysql库中的user表 #进入数据库修改 例子2: mysql5.6 版本 use mysql; update user set password=password('123456') where user='root'; flush privileges; 例子3: mysql5.7版本 use mysql; update mysql.user set authentication_string=password('123456') where user='root'; flush privileges;
##授权全部库用户全部权限 create user jack identified by '123456'; grant all privileges on *.* to '%' identified by '123456'; #授权全部权限 ,也可以是root权限 flush privileges; ##只允许本机操作 create user 'dalei'@'192.168.191.10' identified by '123456'; grant all privileges on *.* to '192.168.191.10' identified by '123456'; #只允许本机操作 flush privileges; ##允许整个网段ip连接 create user 'erlei'@'%' identified by '123456'; #任何ip都可以进行连接 grant select,update on *.* to 'erlei'@'192.168.191.11' identified by '123456'; flush privileges; 远程连接方式 mysql -uerlei -p -h 192.168.191.11 #测试单库查看权限 create user 'sanlei'@'%' identified by '123456'; create database sanlei; use sanlei; create table sanlei( name varchar(11), age int ); grant select on sanlei.* to 'sanlei'@'192.168.191.%' identified by '123456'; #其他ip查看权限 %整个网段 grant select,update on sanlei.* to 'sanlei'@'192.168.191.%' identified by '123456'; #查看查看和更新权限 flush privileges;
grant select,insert,update,delete on test.* to 'erlei'@'192.168.1.142' identified by '123456'; #增删改查所有权限 grant select,update on test2.* to 'sanlei'@'192.168.1.137' identified by '123456'; # grant select on test3.* to 'sanlei'@'192.168.203.%' identified by '123456'; #其他ip查看权限 %整个网段 flush privileges;
revoke all privileges on *.* from 'erlei'@'%'; grant select on *.* to 'erlei'@'%' identified by '123456';