mysql安装后配置数据库权限与角色管理

MySQL 8.0+ 默认禁用 root 远程登录，必须显式授权

安装完 MySQL 8.0 或更高版本后，

root@localhost

root

Access denied for user 'root'@'xxx.xxx.xxx.xxx'

解决方法不是改配置文件（如

my.cnf

root@localhost

CREATE USER 'admin'@'%' IDENTIFIED WITH mysql_native_password BY 'StrongPass123!';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

注意点：

'admin'@'%'

%

'admin'@'192.168.1.%'

caching_sha2_password

mysql_native_password

GRANT ... WITH GRANT OPTION

GRANT

用角色（ROLE）批量管理权限比反复 GRANT 更可靠

给几十个开发人员逐个

GRANT SELECT, INSERT ON app_db.* TO 'dev1'@'...'

ROLE

典型流程：

CREATE ROLE 'app_reader', 'app_writer';
GRANT SELECT ON app_db.* TO 'app_reader';
GRANT SELECT, INSERT, UPDATE ON app_db.* TO 'app_writer';
GRANT 'app_reader' TO 'dev1'@'%', 'dev2'@'%';
GRANT 'app_writer' TO 'dev3'@'%';
SET DEFAULT ROLE 'app_reader' TO 'dev1'@'%';

关键细节：

SET DEFAULT ROLE

SET ROLE 'app_reader'

DROP ROLE 'app_reader'

REVOKE 'app_reader' FROM 'dev1'@'%'

SHOW GRANTS 不显示角色继承的权限，容易误判实际权限

执行

SHOW GRANTS FOR 'dev1'@'%'

GRANT USAGE ON *.*

要查完整权限，必须用：

SHOW GRANTS FOR 'dev1'@'%' USING 'app_reader';

或者更彻底的方式（模拟用户视角）：

SELECT * FROM information_schema.role_table_grants 
WHERE grantee = "'dev1'@'%'" OR role_name = 'app_reader';

常见误区：

SHOW GRANTS

SELECT * FROM mysql.role_edges WHERE to_role = 'app_reader';

USE app_db

生产环境务必关闭匿名用户和 test 数据库

MySQL 安装后常残留

''@'localhost'

test

test

清理命令（用

root@localhost

DROP USER ''@'localhost';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';
FLUSH PRIVILEGES;

额外提醒：

skip-grant-tables

root

ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewPass123!';

SET PASSWORD

权限模型比想象中细：用户、角色、代理用户、动态权限（如

BACKUP_ADMIN

SHOW GRANTS