MySQL Daily Operations Handbook

Querying Object Creation DDL

-- Get the DDL that creates a database
show create database database_name;
-- Get the DDL that creates a table
show create table table_name;
-- Get the DDL that creates a view
show create view view_name;
-- Get the DDL that creates a trigger
show create trigger trigger_name;
-- Get the DDL that creates a user
show create user user_name;

Querying System Views/Tables

-- MySQL 8.0+
select table_schema,table_name,table_type from information_schema.tables
where regexp_like(table_name,'table','i');

User Management

Creating Users

-- Create a superuser ('%' lets this account log in from any host)
CREATE USER 'root'@'%' IDENTIFIED BY 'rootroot';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;

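Modifying Users

-- Lock a user
ALTER USER 'user'@'host' ACCOUNT LOCK;
-- Set the password expiration period for a user
ALTER USER 'root'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;

-- Change a user's password ('新密码' stands for the new password)
ALTER USER 'root'@'localhost' IDENTIFIED BY '新密码';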

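Changing User Passwords

-- MySQL below 5.7
update mysql.user set password=password('123') where user='root' and host='localhost';
-- direct edits to the grant tables take effect only after a reload
flush privileges;

-- MySQL 5.7 and above
update mysql.user set authentication_string=PASSWORD('newpassword') where user='username' and host='localhost';
flush privileges;

-- MySQL 8.0 and above (the PASSWORD() function no longer exists)
alter user 'root'@'localhost' identified by 'newpassword';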

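Querying User Information

-- Show the statement that creates a user ('用户名' is the user name)
show create user '用户名'@'localhost';
-- Show a user's privileges ('用户' is the user name)
SHOW GRANTS FOR '用户'@'localhost';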

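Changing a User's Authentication Plugin

CREATE USER 'yaokang'@'%' IDENTIFIED WITH 'mysql_native_password' BY 'yaokang';
GRANT ALL PRIVILEGES ON *.* TO 'yaokang'@'%';


-- List each account's authentication plugin
SELECT user, host, plugin FROM mysql.user;
-- Keep the BY clause: IDENTIFIED WITH alone resets the account's credential to empty
ALTER USER 'yaokang'@'%' IDENTIFIED WITH 'caching_sha2_password' BY 'yaokang';
FLUSH PRIVILEGES;

# Set the server-wide default plugin in the [mysqld] section of my.cnf, then restart
vim /etc/my.cnf
default_authentication_plugin=caching_sha2_password
sudo systemctl restart mysql
-- Confirm the plugin is loaded
SHOW PLUGINS;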

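If a user cannot connect to the database after the account's authentication method is changed from mysql_native_password to caching_sha2_password, the likely cause is that the connecting client (an application or the MySQL client) does not support the new authentication method.

In MySQL 8.0 the default authentication plugin is caching_sha2_password, whereas in earlier versions (such as MySQL 5.7) it is mysql_native_password. Users created in MySQL 5.7 therefore use mysql_native_password by default.

If you change a MySQL user's authentication method to caching_sha2_password but the user's client does not support it, the user will be unable to connect through that client. In that case you have the following options:

  1. Upgrade the client: update the connecting client so that it supports caching_sha2_password. Most modern MySQL clients already support it.
  2. Switch the user back to the old authentication method: if you do not want to upgrade the client, change the user's authentication method back to mysql_native_password so that the user can keep connecting with the old method.

The statement that changes a user's authentication method back to mysql_native_password (option 2) is:

ALTER USER 'your_username'@'your_host' IDENTIFIED WITH 'mysql_native_password' BY 'your_password';

Choose the authentication method that fits your situation, make sure the database is backed up, and test in a test environment before making any changes.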

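MySQL SSL Authentication

Outline of how SSL is set up in MySQL

  1. Create the SSL certificates and keys for the MySQL server
  2. Configure SSL in MySQL and start the service
  3. When creating a user, add the SSL requirement: require ssl
  4. Connect to the database using SSL

# Check whether SSL is enabled on the database: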
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)

mysql> 

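Creating Certificates and Enabling SSL

# 1. Check the OpenSSL version
[root@testos ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# If it is not installed, install the following package
yum install -y openssl

# 2. Install (generate) the certificates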
[root@testos ~]# mysql_ssl_rsa_setup --datadir=/mysql/data/3306 --user=mysql --uid=mysql
Generating a 2048 bit RSA private key
.........................................................+++
.................................+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
............................+++
.........+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
............................+++
.............................................................................................................+++
writing new private key to 'client-key.pem'
-----
[root@testos ~]# ls -lst /mysql/data/3306/*.pem
4 -rw-r--r-- 1 mysql mysql  451 Jul 15 13:37 /mysql/data/3306/public_key.pem
4 -rw------- 1 mysql mysql 1675 Jul 15 13:37 /mysql/data/3306/private_key.pem
4 -rw-r--r-- 1 mysql mysql 1107 Jul 15 13:37 /mysql/data/3306/client-cert.pem
4 -rw------- 1 mysql mysql 1679 Jul 15 13:37 /mysql/data/3306/client-key.pem
4 -rw-r--r-- 1 mysql mysql 1107 Jul 15 13:37 /mysql/data/3306/server-cert.pem
4 -rw------- 1 mysql mysql 1675 Jul 15 13:37 /mysql/data/3306/server-key.pem
4 -rw-r--r-- 1 mysql mysql 1107 Jul 15 13:37 /mysql/data/3306/ca.pem
4 -rw------- 1 mysql mysql 1679 Jul 15 13:37 /mysql/data/3306/ca-key.pem
[root@testos ~]# 

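public_key.pem			# public key
private_key.pem			# private key
client-cert.pem			# client certificate file
client-key.pem			# client private key file
server-cert.pem			# server certificate file
server-key.pem			# server private key file
ca.pem					# CA certificate
ca-key.pem				# CA certificate key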



# 3. Edit the my.cnf parameter file and add the following
ssl-ca=/mysql/data/3306/ca.pem
ssl-cert=/mysql/data/3306/server-cert.pem
ssl-key=/mysql/data/3306/server-key.pem

# 4. Restart the MySQL service
service mysql restart


# 5. Check that the SSL settings have taken effect
mysql> show global variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /mysql/data/3306/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /mysql/data/3306/server-cert.pem |
| ssl_cipher    |                                  |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /mysql/data/3306/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

mysql> show global variables like 'tls_version';
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.00 sec)

mysql> 

Configuring SSL Users and Testing (Certificate Authentication Not Enforced)

# 1. Create an ordinary user
create user test@'%' identified by 'test';
grant all on *.* to test@'%';
flush privileges;
select user,host,ssl_type,ssl_cipher from mysql.user;

mysql> select user,host,ssl_type,ssl_cipher from mysql.user where user='test';
+------+------+----------+------------+
| user | host | ssl_type | ssl_cipher |
+------+------+----------+------------+
| test | %    |          |            |
+------+------+----------+------------+
1 row in set (0.00 sec)

# Types supported by ssl_type:
ANY
SPECIFIED
X509



# 2. Login options
# 2.1 Method 1:
[root@testos ~]# mysql -uroot -prootroot --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider       # note this message
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> 

# Use the status command to check whether SSL is in use
mysql> status;
--------------
mysql  Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using  EditLine wrapper

Connection id:          4
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA				# note this line
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.20-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 7 min 32 sec

Threads: 3  Questions: 16  Slow queries: 0  Opens: 115  Flush tables: 1  Open tables: 108  Queries per second avg: 0.035
--------------

mysql> 



[root@itpuxdb ~]# mysql -uroot -prootroot --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status;
--------------
mysql  Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using  EditLine wrapper

Connection id:          7
Current database:
Current user:           root@localhost
SSL:                    Not in use								# note this line
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.20-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 9 min 18 sec

Threads: 3  Questions: 21  Slow queries: 0  Opens: 115  Flush tables: 1  Open tables: 108  Queries per second avg: 0.037
--------------

mysql> 






# 2.2 Method 2:
[root@itpuxdb ~]# mysql -uroot -prootroot --ssl-ca=/mysql/data/3306/ca.pem --ssl-cert=/mysql/data/3306/client-cert.pem --ssl-key=/mysql/data/3306/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> status;
--------------
mysql  Ver 14.14 Distrib 5.7.20, for linux-glibc2.12 (x86_64) using  EditLine wrapper

Connection id:          9
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.7.20-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 13 min 29 sec

Threads: 3  Questions: 26  Slow queries: 0  Opens: 115  Flush tables: 1  Open tables: 108  Queries per second avg: 0.032
--------------

mysql> 

Connecting with Navicat:

# Copy these two files from the server to the other client machine
[root@testos ~]# ll /mysql/data/3306/client*
-rw-r--r-- 1 mysql mysql 1107 Jul 15 13:37 /mysql/data/3306/client-cert.pem
-rw------- 1 mysql mysql 1679 Jul 15 13:37 /mysql/data/3306/client-key.pem

The CA can be added as well.

Configuring SSL Users and Testing (Certificate Authentication Enforced)

# 1. Use an X509 certificate
create user test2@'%' identified by 'test2' require x509;
grant all on *.* to test2@'%';
flush privileges;
mysql> select user,host,ssl_type,ssl_cipher from mysql.user where user like 'test%';
+-------+------+----------+------------+
| user  | host | ssl_type | ssl_cipher |
+-------+------+----------+------------+
| test  | %    |          |            |
| test2 | %    | X509     |            |
+-------+------+----------+------------+
2 rows in set (0.00 sec)



# 2. Try to log in
[root@testos ~]# mysql -utest2 -ptest2
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test2'@'localhost' (using password: YES)
[root@itpuxdb ~]# 
[root@itpuxdb ~]# mysql -utest2 -ptest2 --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test2'@'localhost' (using password: YES)
[root@itpuxdb ~]# 
[root@itpuxdb ~]# mysql -utest2 -ptest2 -h 192.168.1.51 --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test2'@'192.168.1.51' (using password: YES)
[root@itpuxdb ~]# 
[root@itpuxdb ~]# mysql -utest2 -ptest2 -h localhost --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'test2'@'localhost' (using password: YES)
[root@testos ~]# 
# As shown above, login is refused without the certificate



# 3. Log in with the certificate
[root@testos ~]# mysql -utest2 -ptest2 --ssl-ca=/mysql/data/3306/ca.pem --ssl-cert=/mysql/data/3306/client-cert.pem --ssl-key=/mysql/data/3306/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> 

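# As shown above, the key files must be specified in order to log in: copy the three files named in the login options to the client that needs to connect, and specify all three when connecting for the login to succeed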

An ordinary connection without the certificate is rejected.

An SSL connection works.

# 4. The ANY type (that is, no specific SSL type is specified)
create user test3@'%' identified by 'test3' require ssl;
grant all on *.* to test3@'%';
flush privileges;
select user,host,ssl_type,ssl_cipher from mysql.user where user like 'test%';

mysql> select user,host,ssl_type,ssl_cipher from mysql.user where user like 'test%';
+-------+------+----------+------------+
| user  | host | ssl_type | ssl_cipher |
+-------+------+----------+------------+
| test  | %    |          |            |
| test2 | %    | X509     |            |
| test3 | %    | ANY      |            |
+-------+------+----------+------------+
3 rows in set (0.00 sec)


# As shown below, when ssl_type is ANY, logging in with ssl_mode=required also works
[root@itpuxdb ~]# mysql -utest3 -ptest3 --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql>



[root@itpuxdb ~]# mysql -utest3 -ptest3 --ssl-ca=/mysql/data/3306/ca.pem --ssl-cert=/mysql/data/3306/client-cert.pem --ssl-key=/mysql/data/3306/client-key.pem mysql --ssl-mode=required
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: no verification of server certificate will be done. Use --ssl-mode=VERIFY_CA or VERIFY_IDENTITY.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 33
Server version: 5.7.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> 

Removing the SSL Requirement from a User

mysql> select user,host,ssl_type,ssl_cipher from mysql.user where user like 'test%';
+-------+------+----------+------------+
| user  | host | ssl_type | ssl_cipher |
+-------+------+----------+------------+
| test  | %    |          |            |
| test2 | %    | X509     |            |
| test3 | %    | ANY      |            |
+-------+------+----------+------------+
3 rows in set (0.00 sec)

mysql> alter user test2@'%' require none;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,ssl_type,ssl_cipher from mysql.user where user like 'test%';
+-------+------+----------+------------+
| user  | host | ssl_type | ssl_cipher |
+-------+------+----------+------------+
| test  | %    |          |            |
| test2 | %    |          |            |
| test3 | %    | ANY      |            |
+-------+------+----------+------------+
3 rows in set (0.01 sec)

After removal, an ordinary connection succeeds.

After the SSL requirement is removed, SSL connections still work.

Other Notes

  • Using SSL authentication reduces performance by 5%~20%
  • How JDBC clients connect: add ssl=true or ssl=false to the URL
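
The checks walked through in the SSL sections above (`have_ssl`, `tls_version`, and each account's `ssl_type`) can be run automatically over captured `mysql` client output. The following is an added example, not part of the original handbook; the function names, the local-host exemption and the sample tables are assumptions constructed for illustration.

```python
# Added example: audits captured `mysql` client output. All sample data is constructed.
WEAK_TLS = {"TLSv1", "TLSv1.1"}                  # deprecated by RFC 8996
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: local-only accounts are exempt

def parse_table(text):
    """Turn the mysql client's ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:]] if rows else []

def audit_server(variables_output):
    """Check SHOW GLOBAL VARIABLES output for disabled TLS and deprecated protocols."""
    v = {r["Variable_name"]: r["Value"] for r in parse_table(variables_output)}
    findings = []
    if v.get("have_ssl") == "DISABLED":
        findings.append("have_ssl=DISABLED: the server will not negotiate TLS")
    weak = sorted(WEAK_TLS & set(v.get("tls_version", "").split(",")))
    if weak:
        findings.append("tls_version enables deprecated protocols: " + ", ".join(weak))
    return findings

def audit_accounts(user_output):
    """Flag accounts reachable from other hosts whose ssl_type is empty (no REQUIRE clause)."""
    findings = []
    for r in parse_table(user_output):
        if r["ssl_type"] == "" and r["host"] not in LOCAL_HOSTS:
            findings.append(f"{r['user']}@{r['host']}: no REQUIRE clause, unencrypted logins allowed")
    return findings

# Constructed sample in the shape of `show global variables like ...` output.
SAMPLE_VARIABLES = """
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| have_ssl      | YES           |
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
"""

# Constructed sample in the shape of `select user,host,ssl_type,ssl_cipher from mysql.user`.
SAMPLE_USERS = """
+-------+-----------+----------+------------+
| user  | host      | ssl_type | ssl_cipher |
+-------+-----------+----------+------------+
| root  | localhost |          |            |
| test  | %         |          |            |
| test2 | %         | X509     |            |
| test3 | %         | ANY      |            |
+-------+-----------+----------+------------+
"""

if __name__ == "__main__":
    for finding in audit_server(SAMPLE_VARIABLES) + audit_accounts(SAMPLE_USERS):
        print("FINDING:", finding)
```

Paste the real output of the two queries in place of the samples; accounts with `ssl_type` of `ANY` or `X509` are not reported.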

Introduction to performance_schema

https://www.cnblogs.com/Courage129/p/14188422.html

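Clearing Data

  • drop

    Discards the data: drop table table_name removes the whole table. Use it when deleting a table.

  • truncate

    Empties the data: truncate table table_name deletes only the data in the table; when rows are inserted again the auto-increment id restarts from 1. Use it when emptying a table.

  • delete

    Deletes data: delete from table_name where column_name=value deletes a given row; without a where clause it behaves much like truncate table table_name.

Summary:

  • truncate, delete without a where clause, and drop all delete the data in the table, but truncate and delete remove only the data and keep the table structure (definition); drop also removes the table structure, so after drop the table no longer exists.
  • truncate and drop are DDL (data definition language) statements and cannot be rolled back
  • delete is a DML (data manipulation language) statement and can be rolled back

Execution Speed

drop > truncate > delete

When delete runs it writes to the database binlog, and logging takes time, but the benefit is that the data can be rolled back and recovered.
When truncate runs it does not generate database logs, so it is faster than delete. In addition, it resets the table's auto-increment value and returns the indexes to their initial size.
drop releases all the space the table occupies.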

Plugin Management

connection_control

Protection against brute-force password cracking

MySQL plugins: the connection control plugin (Connection-Control)

https://blog.csdn.net/fengge55/article/details/134525572

https://dev.mysql.com/doc/refman/5.7/en/connection-control-installation.html

MySQL connection control plugin

https://blog.51cto.com/wangguishe/6194787

Detailed test of the connection_control plugin causing MySQL to hang (SHOW PROCESSLIST shows many "unauthenticated user" threads)

https://blog.csdn.net/m0_54619218/article/details/130334944

A connection problem caused by a CONNECTION plugin

https://www.cnblogs.com/cqdba/p/16889117.html

A problem caused by MySQL monitoring and CONNECTION_CONTROL

https://www.cnblogs.com/cqdba/p/17459657.html
