Oracle 5.0 Reference Manual page 606

Access Control, Stage 1: Connection Verification

Nonblank Password values in the user table represent encrypted passwords. MySQL does not store passwords in plaintext form for anyone to see. Rather, the password supplied by a user who is attempting to connect is encrypted (using the PASSWORD() function). The encrypted password then is used during the connection process when checking whether the password is correct. This is done without the encrypted password ever traveling over the connection. See Section 6.3.1, "User Names and Passwords".

From MySQL's point of view, the encrypted password is the real password, so you should never give anyone access to it. In particular, do not give nonadministrative users read access to tables in the mysql database.

The following table shows how various combinations of Host and User values in the user table apply to incoming connections.

+-------------------------------+------------+-----------------------------------------------------------------------------------------+
| Host Value                    | User Value | Permissible Connections                                                                 |
+-------------------------------+------------+-----------------------------------------------------------------------------------------+
| 'thomas.loc.gov'              | 'fred'     | fred, connecting from thomas.loc.gov                                                    |
| 'thomas.loc.gov'              | ''         | Any user, connecting from thomas.loc.gov                                                |
| '%'                           | 'fred'     | fred, connecting from any host                                                          |
| '%'                           | ''         | Any user, connecting from any host                                                      |
| '%.loc.gov'                   | 'fred'     | fred, connecting from any host in the loc.gov domain                                    |
| 'x.y.%'                       | 'fred'     | fred, connecting from x.y.net, x.y.com, x.y.edu, and so on; this is probably not useful |
| '144.155.166.177'             | 'fred'     | fred, connecting from the host with IP address 144.155.166.177                          |
| '144.155.166.%'               | 'fred'     | fred, connecting from any host in the 144.155.166 class C subnet                        |
| '144.155.166.0/255.255.255.0' | 'fred'     | Same as previous example                                                                |
+-------------------------------+------------+-----------------------------------------------------------------------------------------+

It is possible for the client host name and user name of an incoming connection to match more than one row in the user table. The preceding set of examples demonstrates this: Several of the entries shown match a connection from thomas.loc.gov by fred.

When multiple matches are possible, the server must determine which of them to use. It resolves this issue as follows:

• Whenever the server reads the user table into memory, it sorts the rows.
• When a client attempts to connect, the server looks through the rows in sorted order.
• The server uses the first row that matches the client host name and user name.

The server uses sorting rules that order rows with the most-specific Host values first. Literal host names and IP addresses are the most specific. (The specificity of a literal IP address is not affected by whether it has a netmask, so 192.168.1.13 and 192.168.1.0/255.255.255.0 are considered equally specific.) The pattern '%' means "any host" and is least specific. The empty string '' also means "any host" but sorts after '%'. Rows with the same Host value are ordered with the most-specific User values first (a blank User value means "any user" and is least specific).

To see how this works, suppose that the user table looks like this:

+-----------+----------+-
| Host      | User     | ...
+-----------+----------+-
| %         | root     | ...
| %         | jeffrey  | ...
| localhost | root     | ...
| localhost |          | ...
+-----------+----------+-
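
The sorting and first-match rules described above, applied to the four rows of the sample user table, as an added example: a simplified Python model, not MySQL server code and not part of the manual. The function names are hypothetical, only the '%' wildcard and the IP/netmask form are modeled, and placing partial patterns such as '%.loc.gov' between literal hosts and a bare '%' is an assumption of this sketch.

```python
import ipaddress
import re

def host_rank(host):
    """Specificity rank of a Host value; lower ranks sort first."""
    if host == "":
        return 3      # "any host", sorts after '%'
    if host == "%":
        return 2      # "any host", least specific pattern
    if "%" in host:
        return 1      # partial pattern; placement is an assumption of this sketch
    return 0          # literal host name or IP address, with or without netmask

def sort_user_rows(rows):
    """Order (host, user) rows: most-specific Host first, blank User last."""
    return sorted(rows, key=lambda r: (host_rank(r[0]), r[1] == ""))

def host_matches(pattern, client_host):
    """True if a Host value covers the connecting client's host."""
    if pattern == "":
        return True
    if "/" in pattern:  # IP/netmask form, e.g. 144.155.166.0/255.255.255.0
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(client_host) in net
        except ValueError:
            return False  # client_host is a name, or the pattern is malformed
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def select_row(rows, client_host, client_user):
    """Return the first sorted row matching the connection, or None."""
    for host, user in sort_user_rows(rows):
        if host_matches(host, client_host) and user in ("", client_user):
            return (host, user)
    return None

# The four rows of the sample user table above, in table order.
SAMPLE = [("%", "root"), ("%", "jeffrey"), ("localhost", "root"), ("localhost", "")]

if __name__ == "__main__":
    # Constructed connection attempts (host, user) for illustration.
    for host, user in [("localhost", "jeffrey"), ("thomas.loc.gov", "jeffrey"),
                       ("localhost", "root")]:
        print(f"{user}@{host} -> {select_row(SAMPLE, host, user)}")
```

With the sample rows, a connection by jeffrey from localhost is matched by the ('localhost', '') row rather than ('%', 'jeffrey'), so blank-User rows deserve attention when auditing the user table.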

This manual is also suitable for:

Mysql 5.0
