数据控制语言(DCL)

CREATE USER 'username'@'host' [IDENTIFIED BY 'password']
[IDENTIFIED WITH auth_plugin]
[PASSWORD EXPIRE]
[ACCOUNT LOCK | ACCOUNT UNLOCK];

-- 创建本地用户
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'secure_password';

-- 创建可从任何主机连接的用户
CREATE USER 'remote_user'@'%' IDENTIFIED BY 'remote_pass';

-- 创建可从特定IP段连接的用户
CREATE USER 'network_user'@'192.168.1.%' IDENTIFIED BY 'network_pass';

-- 创建使用caching_sha2_password认证插件的用户（MySQL 8.0+）
CREATE USER 'secure_user'@'localhost' 
IDENTIFIED WITH caching_sha2_password BY 'password';

-- 创建密码立即过期的用户
CREATE USER 'temp_user'@'localhost' 
IDENTIFIED BY 'temp_pass' PASSWORD EXPIRE;

-- 创建被锁定的用户
CREATE USER 'locked_user'@'localhost' 
IDENTIFIED BY 'locked_pass' ACCOUNT LOCK;

-- MySQL 5.7.6+ 和 8.0+ 语法
ALTER USER 'username'@'host' IDENTIFIED BY 'new_password';

-- 传统语法（已弃用）
SET PASSWORD FOR 'username'@'host' = PASSWORD('new_password');

-- 修改用户密码
ALTER USER 'app_user'@'localhost' IDENTIFIED BY 'new_secure_password';

-- 修改当前用户密码
ALTER USER CURRENT_USER() IDENTIFIED BY 'new_password';

-- 修改用户认证插件
ALTER USER 'old_user'@'localhost' 
IDENTIFIED WITH caching_sha2_password BY 'new_password';

-- 设置密码永不过期
ALTER USER 'app_user'@'localhost' PASSWORD EXPIRE NEVER;

-- 解锁用户账户
ALTER USER 'locked_user'@'localhost' ACCOUNT UNLOCK;

DROP USER [IF EXISTS] 'username'@'host' [, 'username'@'host'] ...;

-- 删除用户
DROP USER 'old_user'@'localhost';

-- 删除多个用户
DROP USER 'user1'@'localhost', 'user2'@'%';

-- 安全删除用户（如果存在）
DROP USER IF EXISTS 'temp_user'@'localhost';

RENAME USER old_user TO new_user
[, old_user TO new_user] ...;

-- 重命名用户
RENAME USER 'old_name'@'localhost' TO 'new_name'@'localhost';

-- 同时修改用户名和主机
RENAME USER 
'user1'@'localhost' TO 'user1'@'%',
'user2'@'192.168.1.100' TO 'user2'@'192.168.1.%';

-- 查看所有用户
SELECT user, host, authentication_string FROM mysql.user;

-- 查看用户详细信息
SELECT * FROM mysql.user WHERE user = 'app_user';

-- 查看当前用户
SELECT CURRENT_USER();

-- 查看用户账户状态
SELECT user, host, account_locked, password_expired 
FROM mysql.user 
WHERE user = 'app_user';

GRANT privilege_type [(column_list)]
    [, privilege_type [(column_list)]] ...
ON [object_type] privilege_level
TO user [IDENTIFIED BY 'password']
    [, user [IDENTIFIED BY 'password']] ...
[WITH grant_option]

-- 授予所有数据库的所有权限
GRANT ALL PRIVILEGES ON *.* TO 'admin_user'@'localhost';

-- 授予创建用户的权限
GRANT CREATE USER ON *.* TO 'manager'@'localhost';

-- 授予进程管理和重新加载权限
GRANT PROCESS, RELOAD ON *.* TO 'monitor_user'@'localhost';

-- 授予文件操作权限（谨慎使用）
GRANT FILE ON *.* TO 'backup_user'@'localhost';

-- 授予对特定数据库的所有权限
GRANT ALL PRIVILEGES ON my_database.* TO 'db_admin'@'localhost';

-- 授予对数据库的查询和插入权限
GRANT SELECT, INSERT ON my_database.* TO 'app_user'@'localhost';

-- 授予创建和删除表的权限
GRANT CREATE, DROP ON my_database.* TO 'developer'@'localhost';

-- 授予创建临时表的权限
GRANT CREATE TEMPORARY TABLES ON my_database.* TO 'app_user'@'localhost';

-- 授予对特定表的所有权限
GRANT ALL PRIVILEGES ON my_database.users TO 'user_manager'@'localhost';

-- 授予对表的查询、插入、更新权限
GRANT SELECT, INSERT, UPDATE ON my_database.products TO 'product_user'@'localhost';

-- 授予对表的索引操作权限
GRANT INDEX ON my_database.products TO 'dba'@'localhost';

-- 授予对多个表的权限
GRANT SELECT ON my_database.users TO 'report_user'@'localhost';
GRANT SELECT ON my_database.orders TO 'report_user'@'localhost';

-- 授予对特定列的更新权限
GRANT UPDATE (price, stock_quantity) ON my_database.products TO 'price_manager'@'localhost';

-- 授予对特定列的查询权限
GRANT SELECT (username, email) ON my_database.users TO 'support_user'@'localhost';

-- 授予对多个列的权限
GRANT SELECT (user_id, username, email), 
UPDATE (last_login) 
ON my_database.users TO 'audit_user'@'localhost';

-- 授予执行存储过程的权限
GRANT EXECUTE ON PROCEDURE my_database.calculate_stats TO 'report_user'@'localhost';

-- 授予执行函数的权限
GRANT EXECUTE ON FUNCTION my_database.get_user_count TO 'app_user'@'localhost';

-- 授予对所有存储过程和函数的执行权限
GRANT EXECUTE ON my_database.* TO 'api_user'@'localhost';

-- 授予权限并允许用户将权限授予其他用户
GRANT SELECT, INSERT ON my_database.* TO 'team_lead'@'localhost'
WITH GRANT OPTION;

-- 授予所有权限并允许授权
GRANT ALL PRIVILEGES ON my_database.* TO 'db_owner'@'localhost'
WITH GRANT OPTION;

-- 一次性创建用户并授予权限
GRANT SELECT, INSERT, UPDATE ON my_database.* 
TO 'new_user'@'localhost' IDENTIFIED BY 'user_password';

-- 创建用户并授予所有权限
GRANT ALL PRIVILEGES ON my_database.* 
TO 'admin_user'@'localhost' 
IDENTIFIED BY 'admin_password'
WITH GRANT OPTION;

REVOKE privilege_type [(column_list)]
    [, privilege_type [(column_list)]] ...
ON [object_type] privilege_level
FROM user [, user] ...;

-- 撤销所有权限
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...;

-- 撤销所有权限
REVOKE ALL PRIVILEGES ON *.* FROM 'old_admin'@'localhost';

-- 撤销特定数据库的权限
REVOKE ALL PRIVILEGES ON my_database.* FROM 'former_user'@'localhost';

-- 撤销特定权限
REVOKE INSERT, UPDATE ON my_database.products FROM 'product_user'@'localhost';

-- 撤销GRANT OPTION权限
REVOKE GRANT OPTION ON my_database.* FROM 'team_lead'@'localhost';

-- 撤销列权限
REVOKE UPDATE (price) ON my_database.products FROM 'price_manager'@'localhost';

-- 撤销存储过程权限
REVOKE EXECUTE ON PROCEDURE my_database.calculate_stats FROM 'report_user'@'localhost';

-- 撤销所有权限和授权选项
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'problem_user'@'localhost';

-- 查看当前用户权限
SHOW GRANTS;

-- 查看特定用户权限
SHOW GRANTS FOR 'app_user'@'localhost';

-- 查看当前用户权限（详细格式）
SHOW GRANTS FOR CURRENT_USER();

-- 从权限表查看权限
SELECT * FROM mysql.user WHERE user = 'app_user';
SELECT * FROM mysql.db WHERE user = 'app_user';
SELECT * FROM mysql.tables_priv WHERE user = 'app_user';
SELECT * FROM mysql.columns_priv WHERE user = 'app_user';
SELECT * FROM mysql.procs_priv WHERE user = 'app_user';

-- 查看所有具有特定权限的用户
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';

FLUSH PRIVILEGES;

-- 创建角色
CREATE ROLE 'read_only', 'read_write', 'admin';

-- 为角色授予权限
GRANT SELECT ON my_database.* TO 'read_only';
GRANT SELECT, INSERT, UPDATE ON my_database.* TO 'read_write';
GRANT ALL PRIVILEGES ON my_database.* TO 'admin';

-- 将角色授予用户
GRANT 'read_only' TO 'report_user'@'localhost';
GRANT 'read_write' TO 'app_user'@'localhost';

-- 激活角色
SET DEFAULT ROLE 'read_write' TO 'app_user'@'localhost';

-- 激活所有角色
SET ROLE ALL;

-- 查看角色
SELECT * FROM mysql.roles_mapping;

-- 查看用户角色
SHOW GRANTS FOR 'app_user'@'localhost' USING 'read_write';

-- 撤销角色
REVOKE 'read_write' FROM 'app_user'@'localhost';

-- 删除角色
DROP ROLE 'read_only';

-- 删除匿名用户
DROP USER ''@'localhost';
DROP USER ''@'%';

-- 确保root用户只能本地访问
RENAME USER 'root'@'%' TO 'root'@'localhost';

-- 创建应用程序专用用户
CREATE USER 'myapp'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON my_database.* TO 'myapp'@'localhost';

-- 创建只读报表用户
CREATE USER 'reports'@'192.168.1.%' IDENTIFIED BY 'report_password';
GRANT SELECT ON my_database.* TO 'reports'@'192.168.1.%';

-- 限制用户连接数
ALTER USER 'app_user'@'localhost' WITH MAX_QUERIES_PER_HOUR 1000;
ALTER USER 'app_user'@'localhost' WITH MAX_CONNECTIONS_PER_HOUR 100;
ALTER USER 'app_user'@'localhost' WITH MAX_UPDATES_PER_HOUR 50;

-- 查看所有具有管理员权限的用户
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';

-- 查看所有具有文件操作权限的用户
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 查看所有具有GRANT OPTION权限的用户
SELECT user, host, db, table_name, grantor 
FROM mysql.tables_priv 
WHERE table_priv LIKE '%Grant%';

-- 查看最近创建的用户
SELECT user, host, password_last_changed 
FROM mysql.user 
ORDER BY password_last_changed DESC;

-- 创建Web应用数据库用户
CREATE USER 'webapp'@'application_server_ip' 
IDENTIFIED BY 'secure_app_password';

-- 授予应用所需的最小权限
GRANT SELECT, INSERT, UPDATE, DELETE ON ecommerce.* 
TO 'webapp'@'application_server_ip';

-- 特别排除敏感表的写权限
GRANT SELECT ON ecommerce.audit_log TO 'webapp'@'application_server_ip';
REVOKE INSERT, UPDATE, DELETE ON ecommerce.audit_log FROM 'webapp'@'application_server_ip';

-- 创建报表用户
CREATE USER 'reports'@'report_server_ip' 
IDENTIFIED BY 'report_password';

-- 授予只读权限
GRANT SELECT ON sales.* TO 'reports'@'report_server_ip';
GRANT SELECT ON inventory.* TO 'reports'@'report_server_ip';

-- 限制查询频率
ALTER USER 'reports'@'report_server_ip' 
WITH MAX_QUERIES_PER_HOUR 1000;

-- 备份权限
SELECT CONCAT('SHOW GRANTS FOR \'', user, '\'@\'', host, '\';') 
FROM mysql.user 
WHERE user != '';

-- 执行生成的SHOW GRANTS语句来获取所有权限