Mysql glibc版本的安装与配置、密码安全策略、角色 及权限

Day 17

Mysql glibc版本的安装与配置

# 清空/etc目录下的my.cnf

[root@mysql001 ~]# ls -l /etc/my.cnf

-rw-r--r--. 1 root root 570 6月 8 2017 /etc/my.cnf

[root@mysql001 ~]# rm -rf /etc/my.cnf

[root@mysql001 ~]# find / -name "*mysql*" -exec rm -rf {} \;

[root@mysql001 ~]# tar -xvf mysql-8.0.33-linux-glibc2.12-x86_64.tar

[root@mysql001 ~]# ls

anaconda-ks.cfg

mysql-8.0.33-linux-glibc2.12-x86_64.tar

mysql-8.0.33-linux-glibc2.12-x86_64.tar.xz

mysql-router-8.0.33-linux-glibc2.12-x86_64.tar.xz

mysql-test-8.0.33-linux-glibc2.12-x86_64.tar.xz

soft

[root@mysql001 ~]# tar -xf mysql-8.0.33-linux-glibc2.12-x86_64.tar.xz

[root@mysql001 ~]# ls

anaconda-ks.cfg

mysql-8.0.33-linux-glibc2.12-x86_64

mysql-8.0.33-linux-glibc2.12-x86_64.tar

mysql-8.0.33-linux-glibc2.12-x86_64.tar.xz

mysql-router-8.0.33-linux-glibc2.12-x86_64.tar.xz

mysql-test-8.0.33-linux-glibc2.12-x86_64.tar.xz

soft

[root@mysql01 ~]# cd mysql-8.0.33-linux-glibc2.12-x86_64/

[root@mysql001 mysql-8.0.33-linux-glibc2.12-x86_64]# cat support-files/mysql.server

可以直接进入添加环境变量

[root@mysql001 mysql-8.0.33-linux-glibc2.12-x86_64]# ls

bin include LICENSE README support-files

docs lib man share

# 将项目文件移动到/usr/local/mysql

[root@mysql001 mysql-8.0.33-linux-glibc2.12-x86_64]# cd

[root@mysql001 ~]# mkdir -p /usr/local/mysql/

[root@mysql02 ~]# cp -r mysql-8.0.33-linux-glibc2.12-x86_64/ /usr/local/mysql

[root@mysql001 ~]# tree /usr/local/mysql/

└── support-files

├── mysqld_multi.server

├── mysql-log-rotate

└── mysql.server

[root@mysql001 ~]# yum list installed|grep libaio

Repository 'samba': Error parsing config: Error parsing "baseurl = '/root/soft'": URL must be http, ftp, file or https not ""

libaio.x86_64 0.3.109-13.el7 @anaconda

[root@mysql001 ~]# echo $? # 上一步命令执行成功

0

# 创建账户，在此之前查看是否有账户

[root@mysql001 ~]# id mysql

id: mysql: no such user

[root@mysql001 ~]# useradd -r -s /sbin/nolog mysql

[root@mysql001 ~]# id mysql

uid=997(mysql) gid=994(mysql) 组=994(mysql)

# 在/usr/local/mysql/目录下创建mysql-files 目录

[root@mysql001 ~]# mkdir /usr/local/mysql/mysql-files

# 修改mysql-files的权限为750，所属组和属主都是mysql

[root@mysql001 ~]# chown mysql:mysql /usr/local/mysql/mysql-files/

[root@mysql001 ~]# chmod 750 /usr/local/mysql/mysql-files/

[root@mysql001 ~]# ll /usr/local/mysql/

drwxr-x---. 2 mysql mysql 6 8月 5 09:55 mysql-files

[root@mysql001 ~]# cd /usr/local/mysql/bin/

[root@mysql001 bin]# ls

ibd2sdi mysqld_multi

innochecksum mysqld_safe

lz4_decompress mysqldump

myisamchk mysqldumpslow

myisam_ftdump mysqlimport

myisamlog mysql_migrate_keyring

myisampack mysqlpump

my_print_defaults mysql_secure_installation

mysql mysqlshow

mysqladmin mysqlslap

mysqlbinlog mysql_ssl_rsa_setup

mysqlcheck mysql_tzinfo_to_sql

mysql_config mysql_upgrade

mysql_config_editor perror

mysqld zlib_decompress

mysqld-debug

# 初始化数据库，找到初始密码

[root@mysql01 bin]# pwd

/usr/local/mysql/bin

[root@mysql001 bin]# ./mysqld --initialize --user=mysql --basedir=/usr/local/mysql/

A temporary password is generated for root@localhost: PvuZkro#p3<j

# 判断是否生成data目录

[root@mysql001 bin]# ls /usr/local/mysql/

bin docs lib man README support-files

data include LICENSE mysql-files share

[root@mysql001 bin]# ./mysql_ssl_rsa_setup --datadir=/usr/local/mysql/data

[root@mysql001 bin]# ls /usr/local/mysql/data/

auto.cnf mysql

ca-key.pem mysql.ibd

ca.pem performance_schema

client-cert.pem private_key.pem

client-key.pem public_key.pem

#ib_16384_0.dblwr server-cert.pem

#ib_16384_1.dblwr server-key.pem

ib_buffer_pool sys

ibdata1 undo_001

#innodb_redo undo_002

#innodb_temp

[root@mysql001 bin]# ls /usr/local/mysql/mysql-8.0.33-linux-glibc2.12-x86_64/support-files/

mysqld_multi.server mysql.server

mysql-log-rotate

# 把mysql.server文件放到/etc/init.d/目录下，方便使用service mysql start命令启动

[root@mysql001bin]#

cp /usr/local/mysql/mysql-8.0.33-linux-glibc2.12-x86_64/support-files/mysql.server/etc/init.d/mysql8

[root@mysql001 bin]# service mysql8 start

Starting MySQL.Logging to '/usr/local/mysql/data/mysql001.err'.

. SUCCESS!

注意：此时登录进入mysql可能显示未找到命令，需要设置环境变量

[root@mysql01 ~]#vim /etc/profile

export MYSQL_HOME=/usr/local/mysql

export PATH=PATH:MYSQL_HOME/bin

[root@mysql01 ~]# mysql -uroot -p

Enter password: PvuZkro#p3<j

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 11

Server version: 8.0.33

mysql>

mysql> exit

Bye

# 常见问题！！！

1.为什么要删除/etc/my.cnf文件：

数据库初始化时候，会自动找my.cnf配置，但是原有的mariadb配置文件，会失败。

2. mysql-files文件夹：

⽬前没有⽤，必须创建，可能导致⽆法启动，数据的备份和还原，导⼊和到处所指定的默认⽬录。

3. 判断数据库初始化成功：

数据库的安装容易出错的地方是初始化，无法正常启动，确认方式安装⽬录下是否⽣成data⽬录。

4. 为什么要修改mysql.server放在/etc/init.d⽬录下：

不放也可以，但是就⽆法使⽤service mysql8 start启动只能使⽤bin/mysqld可执⾏⽂件启动

5. 为什么需要修改basedir和datadir

glibc是二进制绿色版本，默认配置很多，需要修改

1. 开机启动

shell

添加开机启动

[root@mysql001 mysql8]#chkconfig --add mysql8

#查看启动该列表

[root@mysql001 mysql8]# chkconfig --list

注：该输出结果只显示 SysV 服务，并不包含

原生systemd 服务。SysV 配置数据可能被原生systemd 配置覆盖；

要列出 systemd 服务，请执行 'systemctl listunit-files'；

查看在具体 target 启⽤的服务请执⾏ 'systemctl list-dependencies [target]'。

netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关

network 0:关 1:关 2:开 3:开 4:开 5:开 6:关

启动2345

[root@mysql001 mysql8]# chkconfig mysql8 on

[root@mysql001 mysql8]# chkconfig --list

注：该输出结果只显示 SysV 服务，并不包含

原生 systemd 服务。SysV 配置数据

可能被原生 systemd 配置覆盖。

要列出 systemd 服务，请执⾏ 'systemctl listunit-files'。

查看在具体 target 启⽤的服务请执⾏

'systemctl list-dependencies [target]'。

mysql8 0:关 1:关 2:开 3:开 4:开 5:开 6:关

netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关

network 0:关 1:关 2:开 3:开 4:开 5:开 6:关

3是字符界⾯，5是图形界⾯

7.修改密码1

[root@mysql001 mysql8]#./bin/mysqladmin -uroot

password '123' -p

Enter password: # 输⼊123

8.修改密码2

mysql> set password='456';

Query OK, 0 rows affected (0.02 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.01 sec)

[root@mysql001 mysql8]# ./bin/mysql -uroot -p456

mysql: [Warning] Using a password on the command line

interface can be insecure.

9.将mysql的bin⽬录添加到环境变量中

[root@mysql001 mysql8]# sed -i '$aexport

PATH=/mysql8/bin/:$PATH' /etc/profile

[root@mysql001 mysql8]# sed -n '$p'

/etc/profile

export PATH=/mysql8/bin/:$PATH

[root@mysql001 mysql8]# source /etc/profile

[root@mysql001 mysql8]# which mysql

/mysql8/bin/mysql

[root@mysql001mysql8]# mysqld

2024-08-03T15:53:05.871244Z 0 [System] [MY-

010116] [Server] /mysql8/bin/mysqld (mysqld 8.0.33)

starting as process 2861

2024-08-03T15:53:05.874283Z 0 [ERROR] [MY-

010123] [Server] Fatal error: Please read

"Security" section of the manual to find out how to

run mysqld as root!

2024-08-03T15:53:05.874333Z 0 [ERROR] [MY-

010119] [Server] Aborting

2024-08-03T15:53:05.874776Z 0 [System] [MY-

010910] [Server] /mysql8/bin/mysqld: Shutdown

complete (mysqld 8.0.33) MySQL Community Server -

GPL.

10.配置⽂件

[root@mysql001 mysql8]# fg

vim ./my.cnf

[mysqld]

basedir=/mysql8

datadir=/mysql8/data

socket=/tmp/mysql.sock

#重启服务

[root@mysql001 mysql8]# service mysql8 restart

Shutting down MySQL.. SUCCESS!

Starting MySQL.. SUCCESS!

查看套接字⽂件

[root@localhost mysql8]# ll /tmp/

总⽤量 12

-rwx------. 1 root root 836 8⽉ 2 23:02 ksscript-64N_oN

srwxrwxrwx. 1 mysql mysql 0 8⽉ 4 00:02

mysql.sock

-rw-------. 1 mysql mysql 5 8⽉ 4 00:02

mysql.sock.lock

srwxrwxrwx. 1 mysql mysql 0 8⽉ 4 00:02

mysqlx.sock

-rw-------. 1 mysql mysql 5 8⽉ 4 00:02

mysqlx.sock.lock

drwx------. 3 root root 17 8⽉ 3 20:49

systemd-private-23259a7f757e44ec9ab58b88e07ceefachronyd.service-poengE

-rw-------. 1 root root 0 8⽉ 2 22:58

yum.log

#有套接字⽂件，就可以链接mysql服务

10.安全配置，生产环境

[root@localhost mysql8]# mysql_secure_installation

⼀路y下去 改密码，不允许远程等等

# 设置新的密码

[root@mysql01 bin]# mysql -uroot -p

Enter password: 旧密码

mysql> set password='Juan@1888$';

Query OK, 0 rows affected (0.02 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.01 sec)

mysql> exit;

Bye

[root@mysql01 bin]# pwd

/usr/local/mysql/bin

[root@mysql01 bin]# mysql -uroot -pJuan@1888$

# 远程连接：mysql -h主机ip或者域名 -P端口号 -u账号 -p密码

[root@mysql01 bin]# mysql -h127.0.0.1 -P3306 -uroot -pJuan@1888$

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| performance_schema |

| sys |

| test |

+--------------------+

5 rows in set (0.02 sec)

mysql> use test;

Database changed

# 创建表

mysql> create table user(

-> id int primary key,

-> username varchar(50) not null,

-> password varchar(50) not null

-> );

Query OK, 0 rows affected (0.02 sec)

# 插入数据

mysql> insert into user values(1, "huajuan", "123");

Query OK, 1 row affected (0.06 sec)

mysql> insert into user values(2, "tangping", "456");

Query OK, 1 row affected (0.01 sec)

mysql> insert into user values(3, "keshui", "789");

Query OK, 1 row affected (0.01 sec)

mysql> insert into user values(4, "shangke", "aaa");

Query OK, 1 row affected (0.00 sec)

# 查看表

mysql> select * from test.user;

+----+----------+----------+

| id | username | password |

+----+----------+----------+

| 1 | huajuan | 123 |

| 2 | tangping | 456 |

| 3 | keshui | 789 |

| 4 | shangke | aaa |

+----+----------+----------+

4 rows in set (0.00 sec)

Mysql glibc版本安装的脚本实现

#!/bin/bash

cp $1 /usr/local/mysql/

mdkir /usr/local/mysql/mysql-files/

grep /mysql/ /etc/password

if [ $? ne 0 ];then

useradd -r -s /sbin/nologin mysql

fi

chown mysql:msyql /usr/local/mysql/mysql-files

chmod 750 /usr/local/msyql/msyql-files

init

/usr/local/mysql/bin/mysqld --initialize --user=mysql --basedir=/usr/local/mysql/

password

service

cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysql8

start server

service mysql8 start

安全用户组权限

⽬标包含mysql 可执⾏⽂件，那么就是由使⽤，在终端使⽤：

./bin/mysql -h192.168.2.42 -P3306 -uroot -proot

1.远程登录前提条件是mysql.user表中的host属性为%，如果是localhost就不允许远程登录，update mysql.user set host="%"

where user="root",flush privileges;

2.远程管理，可以使⽤图形化⼯具，sqlyog，navicat，掌握命令工具，客户端工具 mysql

3.mysql -h192.168.2.42 -P3306 -uzhangmin -pCzj_123

-h 主机 ip或者是域名 如果是localshost或者是127.0.0.1可省略

-P 端⼝ 默认是3306，如果是默认的，可以省略

-u ⽤户名

-p 密码，可以不换⾏直接输⼊，也可以换⾏ 不回显输⼊密码

4.创建账户

mysql>alter user 'lilaosi'@'%' identified by 'Lilaosi_123'; # 修改密码

mysql> create user 'czj'@'%' identified by 'Czj_890';

Query OK, 0 rows affected (0.00 sec)

mysql> select host, user from mysql.user;

+-----------+------------------+

| host | user |

+-----------+------------------+

| % | aaa |

| % | czj |

| localhost | mysql.infoschema |

| localhost | mysql.session |

| localhost | mysql.sys |

| localhost | root |

+-----------+------------------+

6 rows in set (0.00 sec)

5.赋予权限

mysql> grant all on *.* to 'czj'

6.创建库

create database if not exists test;

7.创建表

use test;

create table user(

id int primary key,

username varchar(45) not null,

password varchar(45) not null

);

8.添加数据

insert into test.user values(1,"zhangsan","123");

insert into test.user values(2,"lisi","456");

insert into test.user values(3,"wamngwi","789");

insert into test.user values(4,"zhaoliu","aaa");

如：添加lilaosi账号、修改密码；查看mysql.user中lilaosi的信息

mysql>create user 'lilaosi'@'%' identified by 'Lilaosi_123';

mysql> alter user 'lilaosi'@'%' identified by

'Lilaosi_123';

Query OK, 0 rows affected (0.01 sec)

mysql> select host,user from mysql.user;

+-----------+------------------+

| host | user |

+-----------+------------------+

| % | lilaosi |

| % | root |

| % | czj |

| localhost | mysql.infoschema |

| localhost | mysql.session |

| localhost | mysql.sys |

+-----------+------------------+

6 rows in set (0.00 sec)

9.使⽤root账号，为lilaosi账号添加test库存中所有的表的所有权限

mysql>grant all on test.* to 'lilaosi';

lilaosi就获得了test库中所有的表的操作权限，但是，由于

root没有个lilaosimysql库的权限，所以lilaosi账号⽆法查看

mysql库

密码安全策略

# 查看密码策略

mysql> show variables like 'validate%';

+--------------------------------------+--------+

| Variable_name | Value |

+--------------------------------------+--------+

| validate_password.check_user_name | ON |

| validate_password.dictionary_file | |

| validate_password.length | 8 |

| validate_password.mixed_case_count | 1 |

| validate_password.number_count | 1 |

| validate_password.policy | MEDIUM |

| validate_password.special_char_count | 1 |

+--------------------------------------+--------+

7 rows in set (0.00 sec)

# 修改策略

mysql> set global validate_password.length=0;

mysql> set global validate_password.policy=LOW;

mysql> show variables like 'validate%';

+--------------------------------------+-------+

| Variable_name | Value |

+--------------------------------------+-------+

| validate_password.check_user_name | ON |

| validate_password.dictionary_file | |

| validate_password.length | 4 |

| validate_password.mixed_case_count | 0 |

| validate_password.number_count | 0 |

| validate_password.policy | LOW |

| validate_password.special_char_count | 0 |

+--------------------------------------+-------+

# 创建⽤户

创建三个账号，abc[abcd],ccc[a1b2c3] ,ddd[231343]

mysql> create user 'abc'@'%' identified by 'abcd';

mysql> create user 'ccc'@'%' identified by 'a1b2c3';

mysql> create user 'ddd'@'%' identified by '231343';

mysql> select host,user from mysql.user;

+-----------+------------------+

| host | user |

+-----------+------------------+

| % | abc |

| % | ccc |

| % | ddd |

| localhost | mysql.infoschema |

| localhost | mysql.session |

| localhost | mysql.sys |

| localhost | test1 |

+-----------+------------------+

# 删除 ⽤户

mysql> drop user 'ccc';

Query OK, 0 rows affected (0.02 sec)

mysql> select user from mysql.user;

+------------------+

| user |

+------------------+

| abc |

| ddd |

| mysql.infoschema |

| mysql.session |

| mysql.sys |

| test1 |

+------------------+

6 rows in set (0.00 sec)

# 修改 ⽤户

mysql> alter user 'abc' identified by'abc123';

Query OK, 0 rows affected (0.01 sec)

角色

# 创建 角色

mysql> create role 'a';

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'a';

+-------------------------------+

| Grants for a@% |

+-------------------------------+

| GRANT USAGE ON *.* TO `a`@`%` |

+-------------------------------+

1 row in set (0.00 sec)

# 练习1

1.添加jingli角色

create role 'jingli';

2.添加yuangong角色

craete role 'yaungong';

3.为jingli添加select insert delete update权限

grant select ,insert,delete,update on test.user to

'jingli';

4.为yuangong添加select，insert权限

grant select,insert on test.user to 'yuangong';

5.查看角色保存的表格

selet host,user from mysql.user;

6.查看角色的权限

show grants for 'jingli';

show grants for 'yaungogng';

新增bbb和ccc两个⽤户bbb是经理需要增删改查权限，ccc是员⼯是

只需要新增和查看的权限

grant jingli to 'bbb'；

grant yuangong to 'ccc';

权限

# 刷新权限

mysql> flush privileges;

Query OK, 0 rows affected (0.01 sec)

# 为root账号添加权限

mysql> grant system_user on *.* to "root";

mysql> show grants for 'root';

# 删除权限

mysql> revoke all on *.* from "efgh";

Query OK, 0 rows affected (0.00 sec)

mysql> show grants for "efgh";

+----------------------------------+

| Grants for efgh@% |

+----------------------------------+

| GRANT USAGE ON *.* TO `efgh`@`%` |

+----------------------------------+

1 row in set (0.00 sec)

# 练习2

1.添加aaa账户，设置密码aaaa

mysql> drop user aaa;

mysql> create user 'aaa'@'%' identified by 'aaaa';

2.使用aaa账户访问mysql服务

[root@mysql01 ~]#mysql -h127.0.0.1 -P3306 -uaaa -paaaa

1. 查看test数据库发现么有权限

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| performance_schema |

+--------------------+

2 rows in set (0.02 sec)

4.退出并使用root账户登录

mysql> quit|exit

[root@mysql01 ~]# mysql -h127.0.0.1 -P3306 -uroot -proot密码

5.为aaa账户添加查看test.user表的权限

mysql>grant select on test.user to 'aaa';

6.退出root，使用aaa账户登录

mysql>quit|exit

[root@mysql01 ~]#mysql -h127.0.0.1 -P3306 -uaaa -paaaa

7.查看数据库、查看表、查看表内容 能够正常查看

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| performance_schema |

| test |

+--------------------+

3 rows in set (0.00 sec)

mysql> use test;

mysql> show tables;

+----------------+

| Tables_in_test |

+----------------+

| user |

+----------------+

1 row in set (0.01 sec)

mysql> select * from user;

+----+----------+----------+

| id | username | password |

+----+----------+----------+

| 1 | huajuan | 123 |

| 2 | tangping | 456 |

| 3 | keshui | 789 |

| 4 | shangke | aaa |

+----+----------+----------+

4 rows in set (0.00 sec)

8.输入数据，没有权限

mysql>insert into user values(5,"ermazi","ermazi");

ERROR 1142 (42000): INSERT command denied to user 'aaa'@'localhost' for table 'user'

9.退出aaa使用root登录

mysql> quit|exit

[root@mysql01 ~]# mysql -h127.0.0.1 -P3306 -uroot -proot密码

10.为aaa添加insert权限

mysql>grant insert on test.user to 'aaa';

Query OK, 0 rows affected (0.00 sec)

11.退出root使用aaa登录

mysql>exit|quit

[root@mysql01 ~]#mysql -h127.0.0.1 -P3306 -uaaa -paaaa

12.向user表添加一行新的数据

mysql>insert into test.user values(6,"zhangsanfeng","zhangsanfen");

13.修改user中一行的数据的password（密码）为111，没有update权限

mysql> insert into test.user values(6, "haofan", "ennn");

Query OK, 1 row affected (0.00 sec)

mysql> update test.user set password='kx' where username="bf";

ERROR 1142 (42000): UPDATEcommand denied to user 'aaa'@'localhost' for table 'user'