Security - MySQL - page 787

Database Reference

In-Depth Information

With the second syntax, you must set the password separately using a subsequent SET

PASSWORD statement, but because you specify the plug-in explicitly, it's always clear which

one the user table row for the account will contain.

To create an account in a way that works consistently for any version of MySQL from

5.5 or later to ensure a designated nonempty plugin value, use this approach:

1. Create the account using a CREATE USER statement that names the authentication

plug-in explicitly. Also, set the old_passwords system variable to select the pass‐

word hashing method appropriate for the plug-in (this affects the PASSWORD()

function in the next step). The following sequences show how to do this for each

plug-in:

CREATE USER ' user_name '@' host_name ' IDENTIFIED WITH ' mysql_native_password ';

SET old_passwords = 0;

CREATE USER ' user_name '@' host_name ' IDENTIFIED WITH ' mysql_old_password ';

SET old_passwords = 1;

CREATE USER ' user_name '@' host_name ' IDENTIFIED WITH ' sha256_password ' ;

SET old_passwords = 2 ;

2. Set the account password:

SET PASSWORD FOR ' user_name '@' host_name ' = PASSWORD(' password ' );

The PASSWORD() function hashes the password according to the old_passwords

value just specified.

To assign privileges to the new account, which has none initially, use the GRANT statement

described later in this section.

CREATE USER fails if the account already exists.

Writing an account-creation helper procedure

To make it easier to create new accounts, we can write a helper stored procedure named

create_user() that does all the work, given the account username, hostname, pass‐

word, and authentication plug-in:

• It issues the proper CREATE USER statement to specify the plug-in explicitly.

• It sets the password, or, if the password is given as NULL , leaves the password unset.

(Presumably you'd specify NULL if you intend to assign the password later.)

• Before setting the password, it takes care of setting the old_passwords system vari‐

able to the appropriate value for the specified plug-in. It also saves and restores the

current old_passwords value, to leave its value in your session undisturbed.

• To implement a policy that users must select their own password, it uses ALTER USER

to expire the password immediately. The procedure skips this part if ALTER USER is

MySQL

Search WWH ::

Custom Search

Home