我们拥有一个生产 MySQL 服务器,并具有以下授权:
mysql> show grants for the_db;
+------------------------------------------------------------------------------------------------------------+
| Grants for db_user@% |
+------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'db_user'@'%' IDENTIFIED BY PASSWORD '*A236932DB5549260BDC088C4BC2F0C6DB04424D7' |
| GRANT ALL PRIVILEGES ON `xydb`.* TO 'db_user'@'%' |
| GRANT SELECT ON `xyie-db`.* TO 'db_user'@'%' |
| GRANT SELECT ON `supportdb`.* TO 'db_user'@'%' |
| GRANT SELECT ON `xbs`.* TO 'db_user'@'%' |
+------------------------------------------------------------------------------------------------------------+
是否可以阻止特定主机访问这些数据库?我们有一台新服务器上线,它将使用同一服务器上的其他测试数据库。我不希望新服务器意外地对生产数据库执行任何操作。
我知道我可以使用 REVOKE 访问权限,但我不确定这是否需要更改现有的 GRANTS,使其更具体到它们允许的主机。我不想猜测,因为这里的生产数据库一直在使用,意外阻止实时主机的访问会很糟糕。
理想情况下,我只需要说:
BLOCK ACCESS ON 'xydb'.* TO 'db_user'@'192.168.1.4'
答案1
我不确定您是否可以使用来做到这一点REVOKE,但您绝对可以通过在模式中的相关表中插入一个条目来做到这一点mysql:
INSERT INTO mysql.db (Host,Db) VALUES ('192.0.2.42','xydb');
INSERT INTO mysql.db (Host,Db) VALUES ('host.example.com','xydb');
FLUSH PRIVILEGES;
前两行负责将数据插入到数据库中;为了清晰起见,最好将 IP 和主机名都放入其中,同时确保即使反向查找不起作用,IP 仍将被阻止。这是FLUSH PRIVILEGES必需的,因为 MySQL 不会在每次需要了解某些信息时都查看表格——它会将信息缓存在内存中。您需要告诉 MySQL 刷新其缓存。
答案2
如果xydb生产和测试数据库服务器上的 mysql 密码可能不同,那么你可以在实时服务器上给 mysql 用户一个“错误”的密码
mysql> SELECT VERSION();
+-------------------------+
| VERSION() |
+-------------------------+
| 5.1.73-0ubuntu0.10.04.1 |
+-------------------------+
重现你的情况:
mysql> SHOW GRANTS FOR db_user@`localhost`;
ERROR 1141 (42000): There is no such grant defined for user 'db_user' on host 'localhost'
mysql> SHOW GRANTS FOR db_user@`%`;
ERROR 1141 (42000): There is no such grant defined for user 'db_user' on host '%'
mysql> CREATE DATABASE xydb;
mysql> GRANT USAGE ON *.* TO 'db_user'@'%' IDENTIFIED BY '1234';
mysql> GRANT ALL PRIVILEGES ON `xydb`.* TO 'db_user'@'%';
mysql> SHOW GRANTS FOR db_user@`%`;
+--------------------------------------------------------------------------------------------------------+
| Grants for db_user@% |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'db_user'@'%' IDENTIFIED BY PASSWORD '*A4B6157319038724E3560894F7F932C8886EBFCF' |
| GRANT ALL PRIVILEGES ON `xydb`.* TO 'db_user'@'%' |
+--------------------------------------------------------------------------------------------------------+
mysql> FLUSH PRIVILEGES;
这导致用户可以从本地主机登录
$ mysql -u db_user -p1234 --host localhost xydb -e 'SHOW DATABASES'
+--------------------+
| Database |
+--------------------+
| information_schema |
| xydb |
+--------------------+
然后专门为将被列入黑名单的主机添加一个用户。
mysql> GRANT USAGE ON *.* TO 'db_user'@'localhost' IDENTIFIED BY 'AAAAAA';
mysql> SHOW GRANTS FOR db_user@`localhost`;
+----------------------------------------------------------------------------------------------------------------+
| Grants for db_user@localhost |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'db_user'@'localhost' IDENTIFIED BY PASSWORD '*4F1779C9918AA4ADD1DDB16A274A8D098DDCC0D0' |
+----------------------------------------------------------------------------------------------------------------+
然后用户就不能再登录了(当然,除非他输入正确的密码)
mysql -u db_user -p1234 --host localhost xydb -e 'SHOW DATABASES'
ERROR 1045 (28000): Access denied for user 'db_user'@'localhost' (using password: YES)