1.密碼策略

在mysql 5.6對密碼的強度進行了加強，推出了validate_password 插件。支持密碼的強度要求。

(1)安裝插件

[root@localhost ~]# ll /usr/local/mysql/lib/plugin/validate_password.so

-rwxr-xr-x 1 mysql mysql 204359 Sep 14 01:27 /usr/local/mysql/lib/plugin/validate_password.so

mysql> install plugin validate_password soname 'validate_password.so';

Query OK, 0 rows affected (0.11 sec)

mysql> show plugins;

+----------------------------+----------+--------------------+----------------------+---------+

| Name | Status | Type | Library | License |

+----------------------------+----------+--------------------+----------------------+---------+

| binlog | ACTIVE | STORAGE ENGINE | NULL | GPL |

| mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL |

| sha256_password | ACTIVE | AUTHENTICATION | NULL | GPL |

.....................省略

| validate_password | ACTIVE | VALIDATE PASSWORD | validate_password.so | GPL |

+----------------------------+----------+--------------------+----------------------+---------+

45 rows in set (0.00 sec)

(2)添加配置

[root@localhost ~]# cat /etc/my.cnf

[mysqld]

datadir=/data1/mysql/data

plugin-load=validate_password.so

validate_password_policy=2

validate-password=FORCE_PLUS_PERMANENT

(3)檢測配置

mysql> SHOW VARIABLES LIKE 'validate_password%';

+--------------------------------------+--------+

| Variable_name | Value |

+--------------------------------------+--------+

| validate_password_check_user_name | OFF |

| validate_password_dictionary_file | |

| validate_password_length | 8 |

| validate_password_mixed_case_count | 1 |

| validate_password_number_count | 1 |

| validate_password_policy | STRONG |

| validate_password_special_char_count | 1 |

+--------------------------------------+--------+

7 rows in set (0.02 sec)

mysql> set password=password('abc');

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

mysql> set password=password('mysql2017');

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

mysql> set password=password('mysql@)!&');

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

mysql> set password=password('MY@)!&sql2017');

Query OK, 0 rows affected, 1 warning (0.00 sec)

2.策略詳解

mysql> SHOW VARIABLES LIKE 'validate_password%';

+--------------------------------------+--------+

| Variable_name | Value |

+--------------------------------------+--------+

| validate_password_check_user_name | OFF |

| validate_password_dictionary_file | |

| validate_password_length | 8 |

| validate_password_mixed_case_count | 1 |

| validate_password_number_count | 1 |

| validate_password_policy | STRONG |

| validate_password_special_char_count | 1 |

+--------------------------------------+--------+

說明：

validate-password=ON/OFF/FORCE/FORCE_PLUS_PERMANENT: 決定是否使用該插件(及強制/永久強制使用)。

validate_password_dictionary_file：插件用于驗證密碼強度的字典文件路徑。

validate_password_length：密碼最小長度。

validate_password_mixed_case_count：密碼至少要包含的小寫字母個數和大寫字母個數。

validate_password_number_count：密碼至少要包含的數字個數。

validate_password_policy：密碼強度檢查等級，0/LOW、1/MEDIUM、2/STRONG。

validate_password_special_char_count：密碼至少要包含的特殊字符數。

關于validate_password_policy-密碼強度檢查等級：

Policy Tests Performed

0 or LOW Length

1 or MEDIUMLength; numeric, lowercase/uppercase, and special characters

2 or STRONGLength; numeric, lowercase/uppercase, and special characters; dictionary file

3.用戶資源限制

(1)max_user_connections

該參數作用是設置所有用戶在同一時間連接MySQL實例的最大連接數限制。但這個參數無法對每個用戶區別對待。

mysql> show global variables like '%max_user_connect%';

+----------------------+-------+

| Variable_name | Value |

+----------------------+-------+

| max_user_connections | 0 |

+----------------------+-------+

1 row in set (0.00 sec)

mysql> set global max_user_connections=2;

Query OK, 0 rows affected (0.00 sec)

mysql> show global variables like '%max_user_connect%';

+----------------------+-------+

| Variable_name | Value |

+----------------------+-------+

| max_user_connections | 2 |

+----------------------+-------+

1 row in set (0.00 sec)

(2)max_queries_per_hour

該參數設置一個用戶在一小時內可以執行查詢的次數(基本包含所有語句)。

(3)max_updates_per_hour

該參數設置一個用戶在一小時內可以執行修改的次數(僅包含修改數據庫或表的語句)。

(4)max_connections_per_hour

該參數設置一個用戶在一小時內可以連接MySQL的時間。

從5.0.3版本開始，對用戶‘test’@'%.test.com'的資源限制是指所有通過test.com域名主機連接test用戶的連接，而不是分別指host1.test.com和host2.test.com主機過來的連接。

(5)設置用戶資源限制

mysql> create user 'test1'@'localhost' identified by 'MYsql20!&'

-> with max_queries_per_hour 20

-> max_updates_per_hour 10

-> max_user_connections 2;

Query OK, 0 rows affected (0.00 sec)

mysql> alter user 'test1'@'localhost' with max_queries_per_hour 100;

Query OK, 0 rows affected (0.00 sec)

取消某項資源限制既把原先的值改成0.

當某個用戶的max_user_connections非0時，則忽略全局系統參數對應的配置，反之則使用全局參數。

4.密碼過期策略

mysql> show global variables like '%password%';

+---------------------------------------+--------+

| Variable_name | Value |

+---------------------------------------+--------+

| default_password_lifetime | 0 |

| disconnect_on_expired_password | ON |

| log_builtin_as_identified_by_password | OFF |

| mysql_native_password_proxy_users | OFF |

| old_passwords | 0 |

| report_password | |

| sha256_password_proxy_users | OFF |

| validate_password_check_user_name | OFF |

| validate_password_dictionary_file | |

| validate_password_length | 8 |

| validate_password_mixed_case_count | 1 |

| validate_password_number_count | 1 |

| validate_password_policy | STRONG |

| validate_password_special_char_count | 1 |

+---------------------------------------+--------+

14 rows in set (0.01 sec)

說明：

1)default_password_lifetime

設置所有用戶密碼過期時間，0為永不過期；

若為單獨用戶設置了密碼過期策略，則會覆蓋該參數；

alter user 'test3'@'localhost' password expire interval 90 day;

alter user 'test3'@'localhost' password expire never; (永不過期)

alter user 'test3'@'localhost' password expire default; (默認過期策略)

2)手動強制過期

alter user 'test3'@'localhost' password expire;

5.用戶lock機制

通過執行create user/alter user命令中帶account lock/unlock子句設置用戶的lock狀態；

默認創建用戶是unlock狀態；

mysql> create user abc2@localhost identified by 'MY20sql!&' account lock;

Query OK, 0 rows affected (0.00 sec)

mysql> quit

Bye

[root@localhost ~]# mysql -uabc2 -p

Enter password:

ERROR 3118 (HY000): Access denied for user 'abc2'@'localhost'. Account is locked.

mysql> alter user 'abc2'@'localhost' account unlock;

Query OK, 0 rows affected (0.00 sec)

mysql> quit

Bye

[root@localhost ~]# mysql -uabc2 -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 7

6.密碼生成技巧

總結

以上是生活随笔為你收集整理的mysql5.7的资源限制策略_MySQL-5.7密码策略及用户资源限制的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。