案例分享-删除MySQL的默认root用户

需求分析:

root密码在多个地方出现过,比如分享的技术文档,邮件,截图.

MySQL默认安装的管理员帐号名称root,众所周知.为了增强安全性,需要更换一个用户名称,例如换成superuser,或者有公司特色的.例如xxx_admin.

应对策略:首先创建一个与root用户权限一样的用户.
GRANT ALL PRIVILEGES ON *.* TO 'x_admin'@'127.0.0.1' IDENTIFIED BY 'xxxx';

删除默认的root用户.
drop user root@'127.0.0.1';
drop user root@'localhost';
drop user root@'::1';

注意问题:视图
曾经用root帐号为DEFINER的视图,如果将root删除,将提示该视图无法使用,没有权限.所以要注意提前查看是否存在视图,存在的话,需要修改该视图的DEFINER属性.
修改视图,是瞬间就能完成的操作,除非该视图被其他sql语句占用,处于锁定的状态.

查看视图

select TABLE_SCHEMA, TABLE_NAME, VIEW_DEFINITION, DEFINER from information_schema.VIEWS;

修改视图(非root的暂不修改)

ALTER DEFINER=`x_admin`@`127.0.0.1` SQL SECURITY DEFINER VIEW v_name AS...

存储过程/函数
情况与视图类似

查看存储过程/视图

select ROUTINE_SCHEMA,ROUTINE_NAME,ROUTINE_TYPE,DEFINER from information_schema.ROUTINES;

或者

select db,name,type,definer from mysql.proc;

修改存储例程,可直接修改mysql.proc

update mysql.proc set definer='x_admin@127.0.0.1'where db='db_name';

如果修改所有库

update mysql.proc set definer='x_admin@127.0.0.1';

用root用户连接MySQL的脚本
此类问题比较好解决,可单独为脚本创建帐号用来执行脚本中指定的操作,该用户名可用script_,或者脚本名命名.权限够用就行,不要分配过多的权限.

方法:一个增加用户的脚本.(配合批量执行)

#!/usr/bin/python

#-*- coding: UTF-8 -*-

# ########################################################################

# This program

# Version: 2.0.0 (2012-10-10)

# Authors: lianjie.ning@qunar.com

# History:

# ########################################################################

import os

import socket

import subprocess

import sys

import traceback

from ConfigParser import ConfigParser

class Finger(object):

'finger.py'

def __init__ (self):

print '---- %s, %s' % (socket.gethostname(), self.__doc__)

def load_config (self, file="finger.ini"):

if not os.path.exists(file):

print file,"is not exists, but is created, please fix it"

temp_ini = '''[conn_db]

login_pwd =

exec_sql =

'''

open(file, 'w').write(temp_ini)

os.chmod(file, 0600)

sys.exit()

config = ConfigParser()

config.read(file)

if config.has_section('conn_db') is True:

if config.has_option('conn_db', 'login_pwd') is True:

login_pwd = config.get('conn_db', 'login_pwd')

if config.has_option('conn_db', 'exec_sql') is True:

exec_sql = config.get('conn_db', 'exec_sql')

return (login_pwd, exec_sql)

def grant_user(self, login_pwd, exec_sql):

if os.path.exists('/usr/local/bin/mysql'):

mysql = '/usr/local/bin/mysql'

elif os.path.exists('/usr/bin/mysql'):

mysql = '/usr/bin/mysql'

elif os.path.exists('/bin/mysql'):

mysql = '/bin/mysql'

else:

print "command not fount of mysql"

sys.exit()

user = 'xxxx'

conn_port = [3306,3307,3308,3309,3310]

for i in conn_port:

ss = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

address = ('127.0.0.1', int(i))

status = ss.connect_ex(address)

ss.settimeout(3)

ss.close()

if status == 0:

conn_mysql = '%s -u%s -p%s -h127.0.0.1 -P%d -N -s -e"%s"' % (mysql, user, login_pwd, i, exec_sql)

p = subprocess.call(conn_mysql, shell=True, stdout=open("/dev/null"))

if p == 0:

print "---- checking port: %s is NORMAL" % i

else:

print "---- checking prot: %s is ERROR" % i

if __name__ == '__main__':

try:

process = Finger()

(login_pwd, exec_sql) = process.load_config()

process.grant_user(login_pwd, exec_sql)

except Exception, e:

print str(e)

traceback.print_exc()

sys.exit()