Spec-Zone .ru
specifications, manuals, descriptions, API
CREATE USER user_specification [, user_specification] ...

user_specification:
    user
    [ IDENTIFIED BY [PASSWORD] 'password'
    | IDENTIFIED WITH auth_plugin [AS 'auth_string'] ]
The CREATE USER statement creates new MySQL accounts. To use it, you must have the global CREATE USER privilege or the INSERT privilege for the mysql database. For each account, CREATE USER creates a new row in the mysql.user table and assigns the account no privileges. An error occurs if the account already exists.
For CREATE USER statements that do not specify an IDENTIFIED WITH auth_plugin clause, the server associates the account with the default authentication plugin. As of MySQL 5.6.6, this is the plugin named by the --default-authentication-plugin option at server startup, or mysql_native_password if that option is not used. Before 5.6.6, the default plugin is mysql_native_password. For information about authentication plugins, see Section 6.3.7, "Pluggable Authentication".
Each account name uses the format described in Section 6.2.3, "Specifying Account Names". For example:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
If you specify only the user name part of the account name, a host name part of '%' is used.
The user specification may indicate how the user should authenticate when connecting to the server:
To enable the user to connect with no password (which is insecure), include no IDENTIFIED BY clause:
CREATE USER 'jeffrey'@'localhost';
In this case, the account uses the default authentication plugin and clients must provide no password.
To assign a password, use IDENTIFIED BY with the literal plaintext password value:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
The account uses the default authentication plugin and clients must match the given password.
To avoid specifying the plaintext password if you know its hash value (the value that PASSWORD() would return for the password), specify the hash value preceded by the keyword PASSWORD:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
The account uses the default authentication plugin and the hash value must be in the format required by that plugin. Clients must match the given password.
To authenticate the account using a specific authentication plugin, use IDENTIFIED WITH, where auth_plugin is the plugin name. It can be an unquoted name or a quoted string literal. 'auth_string' is an optional quoted string literal to pass to the plugin. The plugin interprets the meaning of the string, so its format is plugin specific. Consult the documentation for a given plugin for information about the authentication string values it accepts.
CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH my_auth_plugin;
For connections that use this account, the server invokes the named plugin and clients must provide credentials as required for the authentication method that the plugin implements. If the server cannot find the plugin, either at account-creation time or connect time, an error occurs.
The IDENTIFIED BY and IDENTIFIED WITH clauses are mutually exclusive, so at most one of them can be specified for a given user.
For additional information about setting passwords, see Section 6.3.5, "Assigning Account Passwords".
CREATE USER may be recorded in server logs or in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. See Section 6.1.2, "Keeping Passwords Secure".
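The following is an added example, not part of the MySQL manual: a small Python audit that classifies each account in recorded CREATE USER statements into the four cases described above (cleartext password, hash, plugin, no password) without echoing the secret. The function name, the finding labels and the sample lines are constructed for illustration, and it assumes each line is plain statement text with no escaped quotes inside string literals.

```python
import re

# user [ IDENTIFIED BY [PASSWORD] 'password' | IDENTIFIED WITH auth_plugin [AS 'auth_string'] ]
SPEC = re.compile(r"""\s*(?P<user>'[^']*'|\w+)(?:\s*@\s*(?P<host>'[^']*'|[\w.%-]+))?
    (?:\s+IDENTIFIED\s+(?:
          BY\s+(?P<kw>PASSWORD\s+)?'(?P<secret>[^']*)'
        | WITH\s+(?P<plugin>'[^']*'|\w+)(?:\s+AS\s+'[^']*')?
    ))?\s*;?\s*""", re.IGNORECASE | re.VERBOSE)
CREATE = re.compile(r"^\s*CREATE\s+USER\s+(?P<specs>.+)$", re.IGNORECASE | re.DOTALL)
TOP_LEVEL_COMMA = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")  # commas outside quotes

def audit_statement(line):
    """Return one (account, kind) finding per account in a CREATE USER line."""
    m = CREATE.match(line)
    if not m:
        return []                                # not a CREATE USER statement
    findings = []
    for spec in TOP_LEVEL_COMMA.split(m.group("specs")):
        s = SPEC.fullmatch(spec)
        if not s:
            findings.append(("?", "unparsed"))   # never echo text that may hold a secret
            continue
        host = s.group("host") or "'%'"          # user name only -> host part '%'
        account = f"{s.group('user')}@{host}"
        if s.group("plugin"):
            kind = "plugin"                      # IDENTIFIED WITH auth_plugin
        elif s.group("secret") is None:
            kind = "no-password"                 # no IDENTIFIED clause: insecure
        elif s.group("kw"):
            kind = "hash"                        # IDENTIFIED BY PASSWORD '<hash>'
        else:
            kind = "cleartext"                   # IDENTIFIED BY '<plaintext>'
        findings.append((account, kind))
    return findings

# Constructed sample of history-file content, one statement per line.
SAMPLE_HISTORY = [
    "SELECT 1;",
    "CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';",
    "CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';",
    "CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH my_auth_plugin;",
    "CREATE USER 'app', 'batch'@'10.0.0.5' IDENTIFIED BY 'a,b';",
]

if __name__ == "__main__":
    for line in SAMPLE_HISTORY:
        for account, kind in audit_statement(line):
            print(f"{kind:12} {account}")
```

Findings of kind cleartext mean the password itself sits in the audited file, and no-password marks an account that accepts connections without credentials.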
Some releases of MySQL introduce changes to the structure of the grant tables to add new privileges or features. Whenever you update to a new version of MySQL, you should update your grant tables to make sure that they have the current structure so that you can take advantage of any new capabilities. See Section 4.4.7, "mysql_upgrade — Check and Upgrade MySQL Tables".