search
HomeDatabaseMysql TutorialMySQL access authorization policy

I think everyone knows that if authorization is the simplest, easiest and most convenient, and the maintenance workload is the least, it is naturally the easiest and most convenient way to grant all permissions to all users. However, we all certainly know that the greater the authority a user has, the greater the potential threat he brings to our system. Therefore, from a security perspective, the smaller the permissions granted, the better. An administrator with sufficient security awareness will only grant necessary permissions when granting authorization, and will not grant any unnecessary permissions. Since our chapter is dedicated to discussing security, we will now consider how to design a more secure and reasonable authorization strategy from a security perspective.

First, you need to know about the visiting host.

Since the MySQL database login verifies the user, in addition to the user name and password, the source host must also be verified. So we also need to know which hosts each user may initiate connections from. Of course, we can also directly use the "%" wildcard to give all hosts access permissions during authorization, but this violates the principles of our security policy and brings potential risks, so it is not advisable. Especially in the absence of firewall protection on the LAN, users who can log in from any host cannot be easily allowed to exist. If it can be specified by a specific host name or IP address, try to limit the visiting host by using a specific host name and IP address. If it cannot be specified by a specific host name or IP address, it also needs to be limited by using a wildcard range as small as possible.

Secondly, understand user needs.

Since we want to grant only the necessary permissions, we must understand the role played by each user. In other words, we need to fully understand what work each user needs to connect to the database to complete. Understand whether the user is a read-only application user or a read-write account; whether the user is a backup job user or a daily management account; whether the user only needs to access a specific (or a few) database (Schema) ), still need to access all databases. Only by understanding what needs to be done can we accurately understand what permissions need to be granted. Because if the permissions are too low, the work will not be completed normally, and if the permissions are too high, there are potential security risks.

Once again, classify the work.

In order to perform their respective duties, we need to classify the work that needs to be done, use different users for different types of work, and separate users well. Although this may increase some workload in terms of management costs, based on security considerations, this increase in management workload is well worth it. And the user separation we need to do is only a moderate separation. For example, separate specific accounts for backup work, replication work, general application access, read-only application access, and daily management work to grant the required permissions to each. In this way, security risks can be minimized, and similar permissions of the same type and level can be merged together without being intertwined with each other. Special permissions such as PROCESS, FILE and SUPER are only required for administrative accounts and should not be granted to other non-administrative accounts.

Finally, make sure only those who absolutely need to have GRANT OPTION permissions.

We have already learned about the particularity of the GRANT OPTION permission and the potential risks of having this permission when introducing the permission system before, so we will not repeat it here. In short, for security reasons, the fewer users with GRANT OPTION permissions, the better. As much as possible, only users with super permissions have GRANT OPTION permissions.

The above is the content of MySQL access authorization policy. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!


Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
图文详解mysql架构原理图文详解mysql架构原理May 17, 2022 pm 05:54 PM

本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了关于架构原理的相关内容,MySQL Server架构自顶向下大致可以分网络连接层、服务层、存储引擎层和系统文件层,下面一起来看一下,希望对大家有帮助。

mysql怎么替换换行符mysql怎么替换换行符Apr 18, 2022 pm 03:14 PM

在mysql中,可以利用char()和REPLACE()函数来替换换行符;REPLACE()函数可以用新字符串替换列中的换行符,而换行符可使用“char(13)”来表示,语法为“replace(字段名,char(13),'新字符串') ”。

mysql怎么去掉第一个字符mysql怎么去掉第一个字符May 19, 2022 am 10:21 AM

方法:1、利用right函数,语法为“update 表名 set 指定字段 = right(指定字段, length(指定字段)-1)...”;2、利用substring函数,语法为“select substring(指定字段,2)..”。

mysql的msi与zip版本有什么区别mysql的msi与zip版本有什么区别May 16, 2022 pm 04:33 PM

mysql的msi与zip版本的区别:1、zip包含的安装程序是一种主动安装,而msi包含的是被installer所用的安装文件以提交请求的方式安装;2、zip是一种数据压缩和文档存储的文件格式,msi是微软格式的安装包。

mysql怎么将varchar转换为int类型mysql怎么将varchar转换为int类型May 12, 2022 pm 04:51 PM

转换方法:1、利用cast函数,语法“select * from 表名 order by cast(字段名 as SIGNED)”;2、利用“select * from 表名 order by CONVERT(字段名,SIGNED)”语句。

MySQL复制技术之异步复制和半同步复制MySQL复制技术之异步复制和半同步复制Apr 25, 2022 pm 07:21 PM

本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了关于MySQL复制技术的相关问题,包括了异步复制、半同步复制等等内容,下面一起来看一下,希望对大家有帮助。

带你把MySQL索引吃透了带你把MySQL索引吃透了Apr 22, 2022 am 11:48 AM

本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了mysql高级篇的一些问题,包括了索引是什么、索引底层实现等等问题,下面一起来看一下,希望对大家有帮助。

mysql怎么判断是否是数字类型mysql怎么判断是否是数字类型May 16, 2022 am 10:09 AM

在mysql中,可以利用REGEXP运算符判断数据是否是数字类型,语法为“String REGEXP '[^0-9.]'”;该运算符是正则表达式的缩写,若数据字符中含有数字时,返回的结果是true,反之返回的结果是false。

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Safe Exam Browser

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

VSCode Windows 64-bit Download

VSCode Windows 64-bit Download

A free and powerful IDE editor launched by Microsoft

Atom editor mac version download

Atom editor mac version download

The most popular open source editor

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)