10bet网址
MySQL 8.0 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr)- 41.6Mb
PDF (A4)- 41.7Mb
Man Pages (TGZ)- 262.2Kb
Man Pages (Zip)- 372.3Kb
Info (Gzip)- 4.0Mb
Info (Zip)- 4.0Mb
Excerpts from this Manual

6.4.1.9 No-Login Pluggable Authentication

Themysql_no_loginserver-side authentication plugin prevents all client connections to any account that uses it. Use cases for this plugin include:

  • 账户,必须能够执行存储课题ams and views with elevated privileges without exposing those privileges to ordinary users.

  • 代理账户,不应该允许直接login but are intended to be accessed only through proxy accounts.

The following table shows the plugin and library file names. The file name suffix might differ on your system. The file must be located in the directory named by theplugin_dirsystem variable.

Table 6.21 Plugin and Library Names for No-Login Authentication

Plugin or File Plugin or File Name
Server-side plugin mysql_no_login
Client-side plugin None
Library file mysql_no_login.so

The following sections provide installation and usage information specific to no-login pluggable authentication:

For general information about pluggable authentication in MySQL, seeSection 6.2.17, “Pluggable Authentication”. For proxy user information, seeSection 6.2.18, “Proxy Users”.

Installing No-Login Pluggable Authentication

This section describes how to install the no-login authentication plugin. For general information about installing plugins, seeSection 5.6.1, “Installing and Uninstalling Plugins”.

To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by theplugin_dirsystem variable). If necessary, configure the plugin directory location by setting the value ofplugin_dirat server startup.

The plugin library file base name ismysql_no_login. The file name suffix differs per platform (for example,.sofor Unix and Unix-like systems,.dllfor Windows).

To load the plugin at server startup, use the--plugin-load-addoption to name the library file that contains it. With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the servermy.cnffile, adjusting the.sosuffix for your platform as necessary:

[mysqld] plugin-load-add=mysql_no_login.so

After modifyingmy.cnf, restart the server to cause the new settings to take effect.

Alternatively, to load the plugin at runtime, use this statement, adjusting the.sosuffix for your platform as necessary:

INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

INSTALL PLUGINloads the plugin immediately, and also registers it in themysql.pluginssystem table to cause the server to load it for each subsequent normal startup without the need for--plugin-load-add.

To verify plugin installation, examine theINFORMATION_SCHEMA.PLUGINStable or use theSHOW PLUGINSstatement (seeSection 5.6.2, “Obtaining Server Plugin Information”). For example:

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE '%login%'; +----------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +----------------+---------------+ | mysql_no_login | ACTIVE | +----------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.

To associate MySQL accounts with the no-login plugin, seeUsing No-Login Pluggable Authentication.

Uninstalling No-Login Pluggable Authentication

The method used to uninstall the no-login authentication plugin depends on how you installed it:

  • If you installed the plugin at server startup using a--plugin-load-addoption, restart the server without the option.

  • If you installed the plugin at runtime using anINSTALL PLUGINstatement, it remains installed across server restarts. To uninstall it, useUNINSTALL PLUGIN:

    UNINSTALL PLUGIN mysql_no_login;
Using No-Login Pluggable Authentication

本节描述如何使用aut任何登录hentication plugin to prevent accounts from being used for connecting from MySQL client programs to the server. It is assumed that the server is running with the no-login plugin enabled, as described inInstalling No-Login Pluggable Authentication.

To refer to the no-login authentication plugin in theIDENTIFIED WITHclause of aCREATE USERstatement, use the namemysql_no_login.

An account that authenticates usingmysql_no_loginmay be used as theDEFINERfor stored program and view objects. If such an object definition also includesSQL SECURITY DEFINER, it executes with that account's privileges. DBAs can use this behavior to provide access to confidential or sensitive data that is exposed only through well-controlled interfaces.

The following example illustrates these principles. It defines an account that does not permit client connections, and associates with it a view that exposes only certain columns of themysql.usersystem table:

CREATE DATABASE nologindb; CREATE USER 'nologin'@'localhost' IDENTIFIED WITH mysql_no_login; GRANT ALL ON nologindb.* TO 'nologin'@'localhost'; GRANT SELECT ON mysql.user TO 'nologin'@'localhost'; CREATE DEFINER = 'nologin'@'localhost' SQL SECURITY DEFINER VIEW nologindb.myview AS SELECT User, Host FROM mysql.user;

To provide protected access to the view to an ordinary user, do this:

GRANT SELECT ON nologindb.myview TO 'ordinaryuser'@'localhost';

Now the ordinary user can use the view to access the limited information it presents:

SELECT * FROM nologindb.myview;

Attempts by the user to access columns other than those exposed by the view result in an error, as do attempts to select from the view by users not granted access to it.

Note

Because thenologinaccount cannot be used directly, the operations required to set up objects that it uses must be performed byrootor similar account that has the privileges required to create the objects and setDEFINERvalues.

Themysql_no_loginplugin is also useful in proxying scenarios. (For a discussion of concepts involved in proxying, seeSection 6.2.18, “Proxy Users”.) An account that authenticates usingmysql_no_loginmay be used as a proxied user for proxy accounts:

-- create proxied account CREATE USER 'proxied_user'@'localhost' IDENTIFIED WITH mysql_no_login; -- grant privileges to proxied account GRANT ... ON ... TO 'proxied_user'@'localhost'; -- permit proxy_user to be a proxy account for proxied account GRANT PROXY ON 'proxied_user'@'localhost' TO 'proxy_user'@'localhost';

This enables clients to access MySQL through the proxy account (proxy_user) but not to bypass the proxy mechanism by connecting directly as the proxied user (proxied_user). A client who connects using theproxy_useraccount has the privileges of theproxied_useraccount, butproxied_useritself cannot be used to connect.

For alternative methods of protecting proxied accounts against direct use, seePreventing Direct Login to Proxied Accounts.