REVOKE syntax is generally similar to GRANT but uses FROM rather than TO:
REVOKE privileges ON scope FROM account;
Thus, to remove the privileges just granted to 'user1'@'localhost', use these REVOKE statements (and SHOW GRANTS to verify that they were removed):
mysql> REVOKE FILE ON *.* FROM 'user1'@'localhost';
mysql> REVOKE CREATE TEMPORARY TABLES, LOCK TABLES
    -> ON *.* FROM 'user1'@'localhost';
mysql> REVOKE ALL ON cookbook.* FROM 'user1'@'localhost';
mysql> REVOKE SELECT ON mysql.user FROM 'user1'@'localhost';
mysql> REVOKE SELECT(User,Host), UPDATE(password_expired)
    -> ON mysql.user FROM 'user1'@'localhost';
mysql> REVOKE EXECUTE ON PROCEDURE cookbook.exec_stmt
    -> FROM 'user1'@'localhost';
mysql> SHOW GRANTS FOR 'user1'@'localhost';
+-------------------------------------------+
| Grants for user1@localhost                |
+-------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'localhost' |
+-------------------------------------------+
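The REVOKE statements above each name a different scope (global, database, table, column, routine), and a privilege is removed only at the scope named. The following queries are an added example, not part of the original text: they list what the account still holds at each level, as a cross-check on SHOW GRANTS. They assume the 'user1'@'localhost' account from the text and a session with read access to the mysql system database.

```sql
-- Added example: residual-privilege audit for one account.
-- Assumption: account 'user1'@'localhost' as used in the text.
-- Run as an administrative account; an unprivileged session sees
-- only its own rows in these INFORMATION_SCHEMA tables.
-- GRANTEE values include the quote characters, hence the doubled quotes.

SELECT 'global' AS level,
       NULL AS db, NULL AS tbl, NULL AS col,
       PRIVILEGE_TYPE AS privilege
  FROM INFORMATION_SCHEMA.USER_PRIVILEGES
 WHERE GRANTEE = '''user1''@''localhost'''
UNION ALL
SELECT 'database', TABLE_SCHEMA, NULL, NULL, PRIVILEGE_TYPE
  FROM INFORMATION_SCHEMA.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''user1''@''localhost'''
UNION ALL
SELECT 'table', TABLE_SCHEMA, TABLE_NAME, NULL, PRIVILEGE_TYPE
  FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
 WHERE GRANTEE = '''user1''@''localhost'''
UNION ALL
SELECT 'column', TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, PRIVILEGE_TYPE
  FROM INFORMATION_SCHEMA.COLUMN_PRIVILEGES
 WHERE GRANTEE = '''user1''@''localhost''';

-- Routine-level privileges (such as EXECUTE ON PROCEDURE) are stored
-- in the mysql.procs_priv grant table, so they are checked separately.
SELECT Db, Routine_name, Routine_type, Proc_priv
  FROM mysql.procs_priv
 WHERE User = 'user1' AND Host = 'localhost';

-- Any row other than a global USAGE entry is a privilege that the
-- REVOKE statements did not cover and that the account still holds.
```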
Removing accounts
To get rid of an account, use the DROP USER statement:
DROP USER 'user1'@'localhost';
The statement removes all rows associated with the account in all grant tables; you need not use REVOKE to remove its privileges first. An error occurs if the account does not exist.
Renaming accounts
To change an account name, use RENAME USER, specifying the current and new names:
RENAME USER 'currentuser'@'localhost' TO 'newuser'@'localhost';
An error occurs if the current account does not exist or the new account already exists.
23.3. Implementing a Password Policy
Problem
You want to ensure that MySQL accounts do not use weak passwords.