How to allow only the application servers to connect to MySQL
2017-02-23 21:53
1. Environment
abc0781 192.168.65.30 --- application server 1
abc0782 192.168.65.31 --- application server 2
abc0783 192.168.65.32 --- MySQL database server
abc0784 192.168.65.33 --- application server 3
Accounts in the MySQL database and the hosts each is allowed to connect from:
select user,host from mysql.user;
+---------+-----------+
| user    | host      |
+---------+-----------+
| ab_prd  | %         |
| ab_read | %         |
| abadmin | %         |
| rep     | %         |
| root    | localhost |
+---------+-----------+
The host value % means the ab_prd account can connect from any host.
Change the password first, to make testing easier:
grant usage on sa_ab.* to ab_prd@'%' identified by 'slave2017';
2. Allow the ab_prd account to connect to MySQL only from hosts 192.168.65.30 and 192.168.65.31, and from no other host
There are two ways to do this:
Option 1:
1. Set the skip_name_resolve parameter and restart MySQL
2. Add the following to /etc/hosts:
192.168.65.30 abap1
192.168.65.31 abap2
3. Create the ab_prd account for those hosts and grant its privileges
create user 'ab_prd'@'abap%' identified by 'slave2017';
grant select,insert,update,delete on sa_ab.* to 'ab_prd'@'abap%';
4. Drop the ab_prd@'%' account
Option 2:
Create a separate ab_prd account for each of the two IPs, then drop the ab_prd@'%' (any-host) account.
Weighing the two, option 2 was chosen because it carries less risk.
First connect to MySQL from all three application servers (APs) with the ab_prd@'%' account and check the MySQL server's host name and the account the session is logged in as.
Since no IP restriction is in place yet, MySQL can be reached from host 192.168.65.30:
[root@abc0781 ~]# mysql -u ab_prd -p -h 192.168.65.32
Enter password:
(product)ab_prd@192.168.65.32 [(none)]> select @@hostname;
+------------+
| @@hostname |
+------------+
| abc0783    |
+------------+
1 row in set (0.00 sec)
(product)ab_prd@192.168.65.32 [(none)]> select user(),current_user();
+----------------------+----------------+
| user()               | current_user() |
+----------------------+----------------+
| ab_prd@192.168.65.30 | ab_prd@%       |
+----------------------+----------------+
1 row in set (0.00 sec)
MySQL can likewise be reached from 192.168.65.31:
[root@abc0782 local]# mysql -u ab_prd -p -h 192.168.65.32
Enter password:
mysql> select @@hostname;
+------------+
| @@hostname |
+------------+
| abc0783    |
+------------+
1 row in set (0.00 sec)
mysql> select user(),current_user();
+----------------------+----------------+
| user()               | current_user() |
+----------------------+----------------+
| ab_prd@192.168.65.31 | ab_prd@%       |
+----------------------+----------------+
1 row in set (0.00 sec)
And likewise from 192.168.65.33, the host that should not have access:
[root@abc0784 ~]# mysql -u ab_prd -p -h 192.168.65.32
Enter password:
(product)ab_prd@192.168.65.32 [(none)]> select @@hostname;
+------------+
| @@hostname |
+------------+
| abc0783    |
+------------+
1 row in set (0.00 sec)
(product)ab_prd@192.168.65.32 [(none)]> select user(),current_user();
+----------------------+----------------+
| user()               | current_user() |
+----------------------+----------------+
| ab_prd@192.168.65.33 | ab_prd@%       |
+----------------------+----------------+
1 row in set (0.00 sec)
Create one account per IP:
create user 'ab_prd'@'192.168.65.30%' identified by 'slave2017';
grant select,insert,update,delete on sa_ab.* to 'ab_prd'@'192.168.65.30%';
create user 'ab_prd'@'192.168.65.31%' identified by 'slave2017';
grant select,insert,update,delete on sa_ab.* to 'ab_prd'@'192.168.65.31%';
(product)root@localhost [sa_ab]> select user,host from mysql.user;
+---------+----------------+
| user    | host           |
+---------+----------------+
| ab_prd  | %              |
| ab_read | %              |
| abadmin | %              |
| ab_prd  | 192.168.65.30% |
| ab_prd  | 192.168.65.31% |
| root    | localhost      |
+---------+----------------+
Check the privileges:
(product)root@localhost [sa_ab]> show grants for 'ab_prd'@'192.168.65.30%';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for ab_prd@192.168.65.30% |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ab_prd'@'192.168.65.30%' IDENTIFIED BY PASSWORD '*712F0BF9C9DD2D02CE9F4C73CsddddFEB' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `sa_ab`.* TO 'ab_prd'@'192.168.65.30%' |
+-------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
(product)root@localhost [sa_ab]> show grants for 'ab_prd'@'192.168.65.31%';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for ab_prd@192.168.65.31% |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ab_prd'@'192.168.65.31%' IDENTIFIED BY PASSWORD '*712F0BF9dddddddddddddddB' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `sa_ab`.* TO 'ab_prd'@'192.168.65.31%' |
+-------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
(product)root@localhost [sa_ab]> show grants for 'ab_prd'@'%';
+--------------------------------------------------------------------------------------------------------+
| Grants for ab_prd@% |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'ab_prd'@'%' IDENTIFIED BY PASSWORD '*712F0BF9dddddddddddddddddddddddddddd' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `sa_ab`.* TO 'ab_prd'@'%' |
+--------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Run the drop:
drop user ab_prd@'%';
After ab_prd@'%' is dropped, the unauthorised AP3 host gets an error both when running a statement in its existing session and when reconnecting:
(product)ab_prd@192.168.65.32 [(none)]> use sa_ab
ERROR 1044 (42000): Access denied for user 'ab_prd'@'%' to database 'sa_ab'
[root@abc0784 ~]# mysql -u ab_prd -p -h 192.168.65.32
Enter password:
ERROR 1045 (28000): Access denied for user 'ab_prd'@'192.168.65.33' (using password: YES)
Verify that the AP1 server still has insert privileges:
(product)ab_prd@192.168.65.32 [sa_ab]> select * from zeng;
+-------+----------+
| _id   | a        |
+-------+----------+
| 28129 |    70000 |
| 28130 |   800000 |
| 28131 |   900000 |
| 28132 |  9000000 |
| 28133 | 99999999 |
+-------+----------+
5 rows in set (0.04 sec)
(product)ab_prd@192.168.65.32 [sa_ab]> insert into zeng(a) values(2222);
Query OK, 1 row affected (0.00 sec)
(product)ab_prd@192.168.65.32 [sa_ab]> select * from zeng;
+-------+----------+
| _id   | a        |
+-------+----------+
| 28129 |    70000 |
| 28130 |   800000 |
| 28131 |   900000 |
| 28132 |  9000000 |
| 28133 | 99999999 |
| 28134 |     2222 |
+-------+----------+
6 rows in set (0.00 sec)
Although the ab_prd@'%' account has been dropped, the account this existing session is running under is still ab_prd@'%':
(product)ab_prd@192.168.65.32 [sa_ab]> select user(),current_user();
+----------------------+----------------+
| user()               | current_user() |
+----------------------+----------------+
| ab_prd@192.168.65.30 | ab_prd@%       |
+----------------------+----------------+
1 row in set (0.00 sec)
Only after reconnecting does the session become ab_prd@192.168.65.30%:
[root@abc0781 ~]# mysql -u ab_prd -p -h 192.168.65.32
Enter password:
(product)ab_prd@192.168.65.32 [(none)]> select user(),current_user();
+----------------------+-----------------------+
| user()               | current_user()        |
+----------------------+-----------------------+
| ab_prd@192.168.65.30 | ab_prd@192.168.65.30% |
+----------------------+-----------------------+
1 row in set (0.00 sec)
The above shows that restricting access by application-server IP does not disrupt the running applications and requires no application restart.
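An added example (not from the original post) that models the account selection MySQL performs at connect time for the account list above, so the effect of creating the per-IP rows and dropping ab_prd@'%' can be checked before touching a production server; the account list is constructed from the page, and the ordering rule is a simplified model of the server's "most specific host first" sort. It models IP host strings only: with skip_name_resolve enabled the server never resolves client names, so hostname patterns such as option 1's 'abap%' would never match.

```python
import re

# Constructed from the account list the post ends up with, after the two
# per-IP rows were created and before ab_prd@'%' was dropped.
ACCOUNTS = [
    ("ab_prd", "%"), ("ab_read", "%"), ("abadmin", "%"), ("rep", "%"),
    ("root", "localhost"),
    ("ab_prd", "192.168.65.30%"), ("ab_prd", "192.168.65.31%"),
]

def host_matches(pattern, host):
    """Pattern semantics of mysql.user.Host: '%' = any string, '_' = one char, rest literal."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def specificity(pattern):
    """Simplified model of MySQL's ordering of user rows: a host without wildcards
    ranks highest; otherwise the later the first wildcard appears, the more specific."""
    for i, c in enumerate(pattern):
        if c in "%_":
            return i + 1
    return 128

def resolve_account(user, host, accounts):
    """Row MySQL would authenticate a (user, client host) pair against, or None
    (what the client sees as ERROR 1045 'Access denied for user')."""
    rows = [(u, h) for u, h in accounts if u == user and host_matches(h, host)]
    return max(rows, key=lambda r: specificity(r[1])) if rows else None

def drop_user(accounts, user, host):
    """Effect of DROP USER on the account list (sessions already open are not touched)."""
    return [(u, h) for u, h in accounts if (u, h) != (user, host)]

if __name__ == "__main__":
    after = drop_user(ACCOUNTS, "ab_prd", "%")
    for client in ("192.168.65.30", "192.168.65.31", "192.168.65.33"):
        print(client, resolve_account("ab_prd", client, ACCOUNTS),
              "->", resolve_account("ab_prd", client, after))
    # A trailing % is looser than an exact host string when the server resolves
    # client names, which is why the exact IP is the tighter rule.
    print(host_matches("192.168.65.30%", "192.168.65.30.corp.example"))
```

Because DROP USER only changes the account list, a client that already selected the database keeps working until it reconnects, as the AP1 session above shows; if the cut-off has to be immediate, terminate those sessions with KILL after the drop.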