Author: paul
Date: 2009-03-26 17:33:53 +0100 (Thu, 26 Mar 2009)
New Revision: 14388
Log:
r39953@frost: paul | 2009-03-26 11:30:13 -0500
User access: General revisions
Modified:
trunk/refman-4.1/dba-user-management-core.xml
trunk/refman-5.0/dba-user-management-core.xml
trunk/refman-5.1/dba-user-management-core.xml
trunk/refman-6.0/dba-user-management-core.xml
Property changes on: trunk
___________________________________________________________________
Name: svk:merge
- 4767c598-dc10-0410-bea0-d01b485662eb:/mysqldoc-local/mysqldoc/trunk:41755
7d8d2c4e-af1d-0410-ab9f-b038ce55645b:/mysqldoc-local/mysqldoc:39952
b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:14218
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:37251
+ 4767c598-dc10-0410-bea0-d01b485662eb:/mysqldoc-local/mysqldoc/trunk:41755
7d8d2c4e-af1d-0410-ab9f-b038ce55645b:/mysqldoc-local/mysqldoc:39953
b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:14218
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:37251
Modified: trunk/refman-4.1/dba-user-management-core.xml
===================================================================
--- trunk/refman-4.1/dba-user-management-core.xml 2009-03-26 16:33:46 UTC (rev 14387)
+++ trunk/refman-4.1/dba-user-management-core.xml 2009-03-26 16:33:53 UTC (rev 14388)
Changed blocks: 15, Lines Added: 72, Lines Deleted: 55; 9751 bytes
@@ -99,15 +99,23 @@
<listitem>
<para>
- MySQL user names can be up to 16 characters long. This limit
- is hard-coded in the MySQL servers and clients, and trying to
- circumvent it by modifying the definitions of the tables in
- the <literal>mysql</literal> database <emphasis>does not
- work</emphasis>.
+ MySQL user names can be up to 16 characters long. Operating
+ system user names, because they are completely unrelated to
+ MySQL user names, may be of a different maximum length. For
+ example, Unix user names typically are limited to eight
+ characters.
</para>
<warning>
<para>
+ The limit on MySQL user name length is hard-coded in the
+ MySQL servers and clients, and trying to circumvent it by
+ modifying the definitions of the tables in the
+ <literal>mysql</literal> database <emphasis>does not
+ work</emphasis>.
+ </para>
+
+ <para>
You should never alter any of the tables in the
<literal>mysql</literal> database in any manner whatsoever
except by means of the procedure prescribed that is
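Review bot: the context line that closes this hunk reads "the procedure prescribed that is", which does not parse; the same sentence in the refman-5.0, 5.1 and 6.0 hunks reads "the procedure that is described in". Since the warning is being restructured here anyway, bring the 4.1 wording in line with the other versions.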
@@ -116,13 +124,6 @@
fashion results in undefined (and unsupported!) behavior.
</para>
</warning>
-
- <para>
- Operating system user names, because they are completely unrelated to MySQL
- user names, may be of a different maximum length. For
- example, Unix user names typically are limited to eight
- characters.
- </para>
</listitem>
<listitem>
@@ -160,20 +161,19 @@
descriptions of the <literal role="func">PASSWORD()</literal>
and <literal role="func">ENCRYPT()</literal> functions in
<xref linkend="encryption-functions"/>.
-</para>
+ </para>
-<para>
- From version 4.1 on,
- MySQL employs a stronger authentication method that has better
- password protection during the connection process than in
- earlier versions. It is secure even if TCP/IP packets are
- sniffed or the <literal>mysql</literal> database is captured.
- (In earlier versions, even though passwords are stored in
- encrypted form in the <literal>user</literal> table, knowledge
- of the encrypted password value could be used to connect to
- the MySQL server.)
- <xref linkend="password-hashing"/>, discusses password encryption
- further.
+ <para>
+ From version 4.1 on, MySQL employs a stronger authentication
+ method that has better password protection during the
+ connection process than in earlier versions. It is secure even
+ if TCP/IP packets are sniffed or the <literal>mysql</literal>
+ database is captured. (In earlier versions, even though
+ passwords are stored in encrypted form in the
+ <literal>user</literal> table, knowledge of the encrypted
+ password value could be used to connect to the MySQL server.)
+ <xref linkend="password-hashing"/>, discusses password
+ encryption further.
</para>
</listitem>
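Review bot: "It is secure even if TCP/IP packets are sniffed or the mysql database is captured" is carried over unchanged into the re-indented paragraph and never says what is protected. Name the property instead, for example that the value stored in the user table is no longer sufficient by itself to connect, which is the contrast the parenthetical draws with earlier versions. The closing sentence also opens with a bare xref followed by a comma; "See <xref linkend="password-hashing"/> for further discussion" would read better.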
@@ -382,11 +382,12 @@
Two of the accounts have a user name of
<literal>monty</literal> and a password of
<literal>some_pass</literal>. Both accounts are superuser
- accounts with full privileges to do anything. One account
- (<literal>'monty'@'localhost'</literal>) can be used only when
- connecting from the local host. The other
- (<literal>'monty'@'%'</literal>) can be used to connect from
- any other host.
+ accounts with full privileges to do anything. The
+ <literal>'monty'@'localhost'</literal> account can be used
+ only when connecting from the local host. The
+ <literal>'monty'@'%'</literal> account uses the
+ <literal>'%'</literal> wildcard for the host part, so it can
+ be used to connect from any host.
</para>
<para>
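Review bot: the rewritten sentences now spell out that 'monty'@'%' is a superuser account usable from any host, with the same password as the local one, but the paragraph stops there. Add a sentence saying that the '%' host part is used here for illustration and that the host part of a privileged account should normally be limited to the hosts that need it.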
@@ -409,10 +410,10 @@
<listitem>
<para>
- One account has a user name of <literal>admin</literal> and no
- password. This account can be used only by connecting from the
- local host. It is granted the
- <literal role="priv">RELOAD</literal> and
+ The <literal>'admin'@'localhost'</literal> account has no
+ password. This account can be used only by
+ <literal>admin</literal> to connect from the local host. It is
+ granted the <literal role="priv">RELOAD</literal> and
<literal role="priv">PROCESS</literal> administrative
privileges. These privileges allow the
<literal>admin</literal> user to execute the
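Review bot: "This account can be used only by admin to connect from the local host" reads as if the account were tied to a person or an operating system user named admin, which the user-names hunk earlier in this commit says is unrelated to the MySQL user name. The account has no password, so the only restriction is the user name and host given at connect time; suggest "can be used only by connecting as admin from the local host".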
@@ -428,8 +429,8 @@
<listitem>
<para>
- One account has a user name of <literal>dummy</literal> and no
- password. This account can be used only by connecting from the
+ The <literal>'dummy'@'localhost'</literal> account has no
+ password. This account can be used only to connect from the
local host. No privileges are granted. The
<literal role="priv">USAGE</literal> privilege in the
<literal role="stmt">GRANT</literal> statement enables you to
@@ -527,8 +528,8 @@
<literal>Password</literal> columns in the <literal>user</literal>
table row are assigned values. None of the privilege columns are
set explicitly, so MySQL assigns them all the default value of
- <literal>'N'</literal>. This is equivalent to what <literal role="stmt" condition="grant">GRANT
- USAGE</literal> does.
+ <literal>'N'</literal>. This is equivalent to what
+ <literal role="stmt" condition="grant">GRANT USAGE</literal> does.
</para>
<para>
@@ -853,10 +854,11 @@
</para>
<para>
- To modify limits for an existing account, use a <literal role="stmt" condition="grant">GRANT
- USAGE</literal> statement at the global level (<literal>ON
- *.*</literal>). The following statement changes the query limit
- for <literal>francis</literal> to 100:
+ To modify limits for an existing account, use a
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ statement at the global level (<literal>ON *.*</literal>). The
+ following statement changes the query limit for
+ <literal>francis</literal> to 100:
</para>
<programlisting>
@@ -923,9 +925,9 @@
<para>
The counts for an individual account can be set to zero by
re-granting it any of its limits. To do this, use
- <literal role="stmt" condition="grant">GRANT USAGE</literal> as described earlier and
- specify a limit value equal to the value that the account
- currently has.
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ as described earlier and specify a limit value equal to the
+ value that the account currently has.
</para>
</listitem>
@@ -987,9 +989,10 @@
</programlisting>
<para>
- You can also use a <literal role="stmt" condition="grant">GRANT USAGE</literal> statement at the
- global level (<literal>ON *.*</literal>) to assign a password to
- an account without affecting the account's current privileges:
+ You can also use a <literal role="stmt" condition="grant">GRANT
+ USAGE</literal> statement at the global level (<literal>ON
+ *.*</literal>) to assign a password to an account without
+ affecting the account's current privileges:
</para>
<programlisting>
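Review bot: the new wrapping breaks inside the inline elements: the GRANT USAGE literal and the ON *.* literal are each split across two lines. The -853 and -923 hunks of this same commit rewrap so that GRANT USAGE and ON *.* each stay on one line; wrap this paragraph the same way.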
@@ -1055,10 +1058,10 @@
<para>
When you assign passwords using
- <literal role="stmt">GRANT</literal> with an
- <literal>IDENTIFIED BY</literal> clause or with the
- <command>mysqladmin password</command> command, they take care of
- encrypting the password for you.
+ <literal role="stmt">GRANT</literal> with an <literal>IDENTIFIED
+ BY</literal> clause or with the <command>mysqladmin
+ password</command> command, they take care of encrypting the
+ password for you.
</para>
<para>
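Review bot: in "When you assign passwords using GRANT with an IDENTIFIED BY clause or with the mysqladmin password command, they take care of encrypting the password for you", "they" has no plural antecedent and "using ... or with ..." is not parallel. Since the paragraph is being rewrapped, suggest "When you assign a password using GRANT with an IDENTIFIED BY clause or the mysqladmin password command, the statement or command encrypts the password for you". The rewrap also splits IDENTIFIED BY and mysqladmin password across lines inside their elements.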
@@ -1098,9 +1101,8 @@
<note>
<para>
- <literal role="func">PASSWORD()</literal> encryption
- differs from Unix password encryption. See
- <xref linkend="user-names"/>.
+ <literal role="func">PASSWORD()</literal> encryption differs
+ from Unix password encryption. See <xref linkend="user-names"/>.
</para>
</note>
@@ -1127,6 +1129,11 @@
<title>Administrator Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>administrator guidelines</secondary>
+ </indexterm>
+
<para>
Database administrators should use the following guidelines to
keep passwords secure.
@@ -1166,6 +1173,11 @@
<title>End-User Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>user guidelines</secondary>
+ </indexterm>
+
<para>
MySQL users should use the following guidelines to keep
passwords secure.
@@ -1339,6 +1351,11 @@
<title>Password Hashing in MySQL</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>hashing</secondary>
+ </indexterm>
+
<remark role="todo">
discuss -secure-auth option
</remark>
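Review bot: the todo remark left as context under the new index entry names the option as "-secure-auth" with a single dash; the option is spelled --secure-auth. Fix the spelling while touching this spot, and consider resolving the todo rather than leaving it open under a freshly indexed section.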
Modified: trunk/refman-5.0/dba-user-management-core.xml
===================================================================
--- trunk/refman-5.0/dba-user-management-core.xml 2009-03-26 16:33:46 UTC (rev 14387)
+++ trunk/refman-5.0/dba-user-management-core.xml 2009-03-26 16:33:53 UTC (rev 14388)
Changed blocks: 15, Lines Added: 71, Lines Deleted: 55; 9671 bytes
@@ -99,15 +99,23 @@
<listitem>
<para>
- MySQL user names can be up to 16 characters long. This limit
- is hard-coded in the MySQL servers and clients, and trying to
- circumvent it by modifying the definitions of the tables in
- the <literal>mysql</literal> database <emphasis>does not
- work</emphasis>.
+ MySQL user names can be up to 16 characters long. Operating
+ system user names, because they are completely unrelated to
+ MySQL user names, may be of a different maximum length. For
+ example, Unix user names typically are limited to eight
+ characters.
</para>
<warning>
<para>
+ The limit on MySQL user name length is hard-coded in the
+ MySQL servers and clients, and trying to circumvent it by
+ modifying the definitions of the tables in the
+ <literal>mysql</literal> database <emphasis>does not
+ work</emphasis>.
+ </para>
+
+ <para>
You should never alter any of the tables in the
<literal>mysql</literal> database in any manner whatsoever
except by means of the procedure that is described in
@@ -116,13 +124,6 @@
undefined (and unsupported!) behavior.
</para>
</warning>
-
- <para>
- Operating system user names, because they are completely unrelated to MySQL
- user names, may be of a different maximum length. For
- example, Unix user names typically are limited to eight
- characters.
- </para>
</listitem>
<listitem>
@@ -146,20 +147,19 @@
descriptions of the <literal role="func">PASSWORD()</literal>
and <literal role="func">ENCRYPT()</literal> functions in
<xref linkend="encryption-functions"/>.
-</para>
+ </para>
-<para>
- From version 4.1 on,
- MySQL employs a stronger authentication method that has better
- password protection during the connection process than in
- earlier versions. It is secure even if TCP/IP packets are
- sniffed or the <literal>mysql</literal> database is captured.
- (In earlier versions, even though passwords are stored in
- encrypted form in the <literal>user</literal> table, knowledge
- of the encrypted password value could be used to connect to
- the MySQL server.)
- <xref linkend="password-hashing"/>, discusses password encryption
- further.
+ <para>
+ From version 4.1 on, MySQL employs a stronger authentication
+ method that has better password protection during the
+ connection process than in earlier versions. It is secure even
+ if TCP/IP packets are sniffed or the <literal>mysql</literal>
+ database is captured. (In earlier versions, even though
+ passwords are stored in encrypted form in the
+ <literal>user</literal> table, knowledge of the encrypted
+ password value could be used to connect to the MySQL server.)
+ <xref linkend="password-hashing"/>, discusses password
+ encryption further.
</para>
</listitem>
@@ -197,10 +197,9 @@
<para>
There must be <emphasis>no space</emphasis> between the
- <option>-p</option> option and the following password value.
-For additional information about specifying user names, passwords, and other connection parameters,
-see
- <xref linkend="connecting"/>.
+ <option>-p</option> option and the following password value. For
+ additional information about specifying user names, passwords, and
+ other connection parameters, see <xref linkend="connecting"/>.
</para>
</section>
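Review bot: the rewrapped paragraph tells readers to put the password value directly after -p but points only to the connecting section. A password given this way is part of the command line, so add a cross-reference to the "End-User Guidelines for Password Security" section that this commit indexes further down in the same file.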
@@ -358,11 +357,12 @@
Two of the accounts have a user name of
<literal>monty</literal> and a password of
<literal>some_pass</literal>. Both accounts are superuser
- accounts with full privileges to do anything. One account
- (<literal>'monty'@'localhost'</literal>) can be used only when
- connecting from the local host. The other
- (<literal>'monty'@'%'</literal>) can be used to connect from
- any other host.
+ accounts with full privileges to do anything. The
+ <literal>'monty'@'localhost'</literal> account can be used
+ only when connecting from the local host. The
+ <literal>'monty'@'%'</literal> account uses the
+ <literal>'%'</literal> wildcard for the host part, so it can
+ be used to connect from any host.
</para>
<para>
@@ -385,10 +385,10 @@
<listitem>
<para>
- One account has a user name of <literal>admin</literal> and no
- password. This account can be used only by connecting from the
- local host. It is granted the
- <literal role="priv">RELOAD</literal> and
+ The <literal>'admin'@'localhost'</literal> account has no
+ password. This account can be used only by
+ <literal>admin</literal> to connect from the local host. It is
+ granted the <literal role="priv">RELOAD</literal> and
<literal role="priv">PROCESS</literal> administrative
privileges. These privileges allow the
<literal>admin</literal> user to execute the
@@ -404,8 +404,8 @@
<listitem>
<para>
- One account has a user name of <literal>dummy</literal> and no
- password. This account can be used only by connecting from the
+ The <literal>'dummy'@'localhost'</literal> account has no
+ password. This account can be used only to connect from the
local host. No privileges are granted. It is assumed that you
will grant specific privileges to the account later.
</para>
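Review bot: the wording here, "can be used only to connect from the local host", differs from the admin item in the preceding hunk, "can be used only by admin to connect from the local host", although both describe the same host restriction. Use one form for both list items; the form in this hunk is the clearer one.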
@@ -484,8 +484,8 @@
<para>
The reason for using the <literal role="func">PASSWORD()</literal>
function with <literal role="stmt">INSERT</literal> is to encrypt
- the password. The <literal role="stmt">CREATE USER</literal> statement
- encrypts the password for you, so
+ the password. The <literal role="stmt">CREATE USER</literal>
+ statement encrypts the password for you, so
<literal role="func">PASSWORD()</literal> is unnecessary.
</para>
@@ -868,10 +868,11 @@
</para>
<para>
- To modify limits for an existing account, use a <literal role="stmt" condition="grant">GRANT
- USAGE</literal> statement at the global level (<literal>ON
- *.*</literal>). The following statement changes the query limit
- for <literal>francis</literal> to 100:
+ To modify limits for an existing account, use a
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ statement at the global level (<literal>ON *.*</literal>). The
+ following statement changes the query limit for
+ <literal>francis</literal> to 100:
</para>
<programlisting>
@@ -951,9 +952,9 @@
<para>
The counts for an individual account can be set to zero by
re-granting it any of its limits. To do this, use
- <literal role="stmt" condition="grant">GRANT USAGE</literal> as described earlier and
- specify a limit value equal to the value that the account
- currently has.
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ as described earlier and specify a limit value equal to the
+ value that the account currently has.
</para>
</listitem>
@@ -1037,9 +1038,10 @@
</programlisting>
<para>
- You can also use a <literal role="stmt" condition="grant">GRANT USAGE</literal> statement at the
- global level (<literal>ON *.*</literal>) to assign a password to
- an account without affecting the account's current privileges:
+ You can also use a <literal role="stmt" condition="grant">GRANT
+ USAGE</literal> statement at the global level (<literal>ON
+ *.*</literal>) to assign a password to an account without
+ affecting the account's current privileges:
</para>
<programlisting>
@@ -1148,9 +1150,8 @@
<note>
<para>
- <literal role="func">PASSWORD()</literal> encryption
- differs from Unix password encryption. See
- <xref linkend="user-names"/>.
+ <literal role="func">PASSWORD()</literal> encryption differs
+ from Unix password encryption. See <xref linkend="user-names"/>.
</para>
</note>
@@ -1177,6 +1178,11 @@
<title>Administrator Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>administrator guidelines</secondary>
+ </indexterm>
+
<para>
Database administrators should use the following guidelines to
keep passwords secure.
@@ -1213,6 +1219,11 @@
<title>End-User Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>user guidelines</secondary>
+ </indexterm>
+
<para>
MySQL users should use the following guidelines to keep
passwords secure.
@@ -1387,6 +1398,11 @@
<title>Password Hashing in MySQL</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>hashing</secondary>
+ </indexterm>
+
<remark role="todo">
discuss -secure-auth option
</remark>
Modified: trunk/refman-5.1/dba-user-management-core.xml
===================================================================
--- trunk/refman-5.1/dba-user-management-core.xml 2009-03-26 16:33:46 UTC (rev 14387)
+++ trunk/refman-5.1/dba-user-management-core.xml 2009-03-26 16:33:53 UTC (rev 14388)
Changed blocks: 15, Lines Added: 71, Lines Deleted: 55; 9671 bytes
@@ -99,15 +99,23 @@
<listitem>
<para>
- MySQL user names can be up to 16 characters long. This limit
- is hard-coded in the MySQL servers and clients, and trying to
- circumvent it by modifying the definitions of the tables in
- the <literal>mysql</literal> database <emphasis>does not
- work</emphasis>.
+ MySQL user names can be up to 16 characters long. Operating
+ system user names, because they are completely unrelated to
+ MySQL user names, may be of a different maximum length. For
+ example, Unix user names typically are limited to eight
+ characters.
</para>
<warning>
<para>
+ The limit on MySQL user name length is hard-coded in the
+ MySQL servers and clients, and trying to circumvent it by
+ modifying the definitions of the tables in the
+ <literal>mysql</literal> database <emphasis>does not
+ work</emphasis>.
+ </para>
+
+ <para>
You should never alter any of the tables in the
<literal>mysql</literal> database in any manner whatsoever
except by means of the procedure that is described in
@@ -116,13 +124,6 @@
undefined (and unsupported!) behavior.
</para>
</warning>
-
- <para>
- Operating system user names, because they are completely unrelated to MySQL
- user names, may be of a different maximum length. For
- example, Unix user names typically are limited to eight
- characters.
- </para>
</listitem>
<listitem>
@@ -146,20 +147,19 @@
descriptions of the <literal role="func">PASSWORD()</literal>
and <literal role="func">ENCRYPT()</literal> functions in
<xref linkend="encryption-functions"/>.
-</para>
+ </para>
-<para>
- From version 4.1 on,
- MySQL employs a stronger authentication method that has better
- password protection during the connection process than in
- earlier versions. It is secure even if TCP/IP packets are
- sniffed or the <literal>mysql</literal> database is captured.
- (In earlier versions, even though passwords are stored in
- encrypted form in the <literal>user</literal> table, knowledge
- of the encrypted password value could be used to connect to
- the MySQL server.)
- <xref linkend="password-hashing"/>, discusses password encryption
- further.
+ <para>
+ From version 4.1 on, MySQL employs a stronger authentication
+ method that has better password protection during the
+ connection process than in earlier versions. It is secure even
+ if TCP/IP packets are sniffed or the <literal>mysql</literal>
+ database is captured. (In earlier versions, even though
+ passwords are stored in encrypted form in the
+ <literal>user</literal> table, knowledge of the encrypted
+ password value could be used to connect to the MySQL server.)
+ <xref linkend="password-hashing"/>, discusses password
+ encryption further.
</para>
</listitem>
@@ -197,10 +197,9 @@
<para>
There must be <emphasis>no space</emphasis> between the
- <option>-p</option> option and the following password value.
-For additional information about specifying user names, passwords, and other connection parameters,
-see
- <xref linkend="connecting"/>.
+ <option>-p</option> option and the following password value. For
+ additional information about specifying user names, passwords, and
+ other connection parameters, see <xref linkend="connecting"/>.
</para>
</section>
@@ -358,11 +357,12 @@
Two of the accounts have a user name of
<literal>monty</literal> and a password of
<literal>some_pass</literal>. Both accounts are superuser
- accounts with full privileges to do anything. One account
- (<literal>'monty'@'localhost'</literal>) can be used only when
- connecting from the local host. The other
- (<literal>'monty'@'%'</literal>) can be used to connect from
- any other host.
+ accounts with full privileges to do anything. The
+ <literal>'monty'@'localhost'</literal> account can be used
+ only when connecting from the local host. The
+ <literal>'monty'@'%'</literal> account uses the
+ <literal>'%'</literal> wildcard for the host part, so it can
+ be used to connect from any host.
</para>
<para>
@@ -385,10 +385,10 @@
<listitem>
<para>
- One account has a user name of <literal>admin</literal> and no
- password. This account can be used only by connecting from the
- local host. It is granted the
- <literal role="priv">RELOAD</literal> and
+ The <literal>'admin'@'localhost'</literal> account has no
+ password. This account can be used only by
+ <literal>admin</literal> to connect from the local host. It is
+ granted the <literal role="priv">RELOAD</literal> and
<literal role="priv">PROCESS</literal> administrative
privileges. These privileges allow the
<literal>admin</literal> user to execute the
@@ -404,8 +404,8 @@
<listitem>
<para>
- One account has a user name of <literal>dummy</literal> and no
- password. This account can be used only by connecting from the
+ The <literal>'dummy'@'localhost'</literal> account has no
+ password. This account can be used only to connect from the
local host. No privileges are granted. It is assumed that you
will grant specific privileges to the account later.
</para>
@@ -484,8 +484,8 @@
<para>
The reason for using the <literal role="func">PASSWORD()</literal>
function with <literal role="stmt">INSERT</literal> is to encrypt
- the password. The <literal role="stmt">CREATE USER</literal> statement
- encrypts the password for you, so
+ the password. The <literal role="stmt">CREATE USER</literal>
+ statement encrypts the password for you, so
<literal role="func">PASSWORD()</literal> is unnecessary.
</para>
@@ -868,10 +868,11 @@
</para>
<para>
- To modify limits for an existing account, use a <literal role="stmt" condition="grant">GRANT
- USAGE</literal> statement at the global level (<literal>ON
- *.*</literal>). The following statement changes the query limit
- for <literal>francis</literal> to 100:
+ To modify limits for an existing account, use a
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ statement at the global level (<literal>ON *.*</literal>). The
+ following statement changes the query limit for
+ <literal>francis</literal> to 100:
</para>
<programlisting>
@@ -946,9 +947,9 @@
<para>
The counts for an individual account can be set to zero by
re-granting it any of its limits. To do this, use
- <literal role="stmt" condition="grant">GRANT USAGE</literal> as described earlier and
- specify a limit value equal to the value that the account
- currently has.
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ as described earlier and specify a limit value equal to the
+ value that the account currently has.
</para>
</listitem>
@@ -1032,9 +1033,10 @@
</programlisting>
<para>
- You can also use a <literal role="stmt" condition="grant">GRANT USAGE</literal> statement at the
- global level (<literal>ON *.*</literal>) to assign a password to
- an account without affecting the account's current privileges:
+ You can also use a <literal role="stmt" condition="grant">GRANT
+ USAGE</literal> statement at the global level (<literal>ON
+ *.*</literal>) to assign a password to an account without
+ affecting the account's current privileges:
</para>
<programlisting>
@@ -1143,9 +1145,8 @@
<note>
<para>
- <literal role="func">PASSWORD()</literal> encryption
- differs from Unix password encryption. See
- <xref linkend="user-names"/>.
+ <literal role="func">PASSWORD()</literal> encryption differs
+ from Unix password encryption. See <xref linkend="user-names"/>.
</para>
</note>
@@ -1172,6 +1173,11 @@
<title>Administrator Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>administrator guidelines</secondary>
+ </indexterm>
+
<para>
Database administrators should use the following guidelines to
keep passwords secure.
@@ -1210,6 +1216,11 @@
<title>End-User Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>user guidelines</secondary>
+ </indexterm>
+
<para>
MySQL users should use the following guidelines to keep
passwords secure.
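Review bot: the secondary index term "user guidelines" does not match the section title "End-User Guidelines for Password Security", while the administrator entry mirrors its title ("administrator guidelines"). Use <secondary>end-user guidelines</secondary> so both entries can be found from the title wording.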
@@ -1384,6 +1395,11 @@
<title>Password Hashing in MySQL</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>hashing</secondary>
+ </indexterm>
+
<remark role="todo">
discuss -secure-auth option
</remark>
Modified: trunk/refman-6.0/dba-user-management-core.xml
===================================================================
--- trunk/refman-6.0/dba-user-management-core.xml 2009-03-26 16:33:46 UTC (rev 14387)
+++ trunk/refman-6.0/dba-user-management-core.xml 2009-03-26 16:33:53 UTC (rev 14388)
Changed blocks: 15, Lines Added: 71, Lines Deleted: 55; 9671 bytes
@@ -99,15 +99,23 @@
<listitem>
<para>
- MySQL user names can be up to 16 characters long. This limit
- is hard-coded in the MySQL servers and clients, and trying to
- circumvent it by modifying the definitions of the tables in
- the <literal>mysql</literal> database <emphasis>does not
- work</emphasis>.
+ MySQL user names can be up to 16 characters long. Operating
+ system user names, because they are completely unrelated to
+ MySQL user names, may be of a different maximum length. For
+ example, Unix user names typically are limited to eight
+ characters.
</para>
<warning>
<para>
+ The limit on MySQL user name length is hard-coded in the
+ MySQL servers and clients, and trying to circumvent it by
+ modifying the definitions of the tables in the
+ <literal>mysql</literal> database <emphasis>does not
+ work</emphasis>.
+ </para>
+
+ <para>
You should never alter any of the tables in the
<literal>mysql</literal> database in any manner whatsoever
except by means of the procedure that is described in
@@ -116,13 +124,6 @@
undefined (and unsupported!) behavior.
</para>
</warning>
-
- <para>
- Operating system user names, because they are completely unrelated to MySQL
- user names, may be of a different maximum length. For
- example, Unix user names typically are limited to eight
- characters.
- </para>
</listitem>
<listitem>
@@ -146,20 +147,19 @@
descriptions of the <literal role="func">PASSWORD()</literal>
and <literal role="func">ENCRYPT()</literal> functions in
<xref linkend="encryption-functions"/>.
-</para>
+ </para>
-<para>
- From version 4.1 on,
- MySQL employs a stronger authentication method that has better
- password protection during the connection process than in
- earlier versions. It is secure even if TCP/IP packets are
- sniffed or the <literal>mysql</literal> database is captured.
- (In earlier versions, even though passwords are stored in
- encrypted form in the <literal>user</literal> table, knowledge
- of the encrypted password value could be used to connect to
- the MySQL server.)
- <xref linkend="password-hashing"/>, discusses password encryption
- further.
+ <para>
+ From version 4.1 on, MySQL employs a stronger authentication
+ method that has better password protection during the
+ connection process than in earlier versions. It is secure even
+ if TCP/IP packets are sniffed or the <literal>mysql</literal>
+ database is captured. (In earlier versions, even though
+ passwords are stored in encrypted form in the
+ <literal>user</literal> table, knowledge of the encrypted
+ password value could be used to connect to the MySQL server.)
+ <xref linkend="password-hashing"/>, discusses password
+ encryption further.
</para>
</listitem>
@@ -197,10 +197,9 @@
<para>
There must be <emphasis>no space</emphasis> between the
- <option>-p</option> option and the following password value.
-For additional information about specifying user names, passwords, and other connection parameters,
-see
- <xref linkend="connecting"/>.
+ <option>-p</option> option and the following password value. For
+ additional information about specifying user names, passwords, and
+ other connection parameters, see <xref linkend="connecting"/>.
</para>
</section>
@@ -358,11 +357,12 @@
Two of the accounts have a user name of
<literal>monty</literal> and a password of
<literal>some_pass</literal>. Both accounts are superuser
- accounts with full privileges to do anything. One account
- (<literal>'monty'@'localhost'</literal>) can be used only when
- connecting from the local host. The other
- (<literal>'monty'@'%'</literal>) can be used to connect from
- any other host.
+ accounts with full privileges to do anything. The
+ <literal>'monty'@'localhost'</literal> account can be used
+ only when connecting from the local host. The
+ <literal>'monty'@'%'</literal> account uses the
+ <literal>'%'</literal> wildcard for the host part, so it can
+ be used to connect from any host.
</para>
<para>
@@ -385,10 +385,10 @@
<listitem>
<para>
- One account has a user name of <literal>admin</literal> and no
- password. This account can be used only by connecting from the
- local host. It is granted the
- <literal role="priv">RELOAD</literal> and
+ The <literal>'admin'@'localhost'</literal> account has no
+ password. This account can be used only by
+ <literal>admin</literal> to connect from the local host. It is
+ granted the <literal role="priv">RELOAD</literal> and
<literal role="priv">PROCESS</literal> administrative
privileges. These privileges allow the
<literal>admin</literal> user to execute the
@@ -404,8 +404,8 @@
<listitem>
<para>
- One account has a user name of <literal>dummy</literal> and no
- password. This account can be used only by connecting from the
+ The <literal>'dummy'@'localhost'</literal> account has no
+ password. This account can be used only to connect from the
local host. No privileges are granted. It is assumed that you
will grant specific privileges to the account later.
</para>
@@ -484,8 +484,8 @@
<para>
The reason for using the <literal role="func">PASSWORD()</literal>
function with <literal role="stmt">INSERT</literal> is to encrypt
- the password. The <literal role="stmt">CREATE USER</literal> statement
- encrypts the password for you, so
+ the password. The <literal role="stmt">CREATE USER</literal>
+ statement encrypts the password for you, so
<literal role="func">PASSWORD()</literal> is unnecessary.
</para>
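Review bot: "encrypt the password" and "encrypts the password for you" describe what PASSWORD() and CREATE USER do, but the section indexed later in this commit is titled "Password Hashing in MySQL" and its new index entry is "hashing". Since the sentence is being rewrapped, consider "hash" here, or state once that the manual uses "encrypt" for this operation.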
@@ -868,10 +868,11 @@
</para>
<para>
- To modify limits for an existing account, use a <literal role="stmt" condition="grant">GRANT
- USAGE</literal> statement at the global level (<literal>ON
- *.*</literal>). The following statement changes the query limit
- for <literal>francis</literal> to 100:
+ To modify limits for an existing account, use a
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ statement at the global level (<literal>ON *.*</literal>). The
+ following statement changes the query limit for
+ <literal>francis</literal> to 100:
</para>
<programlisting>
@@ -946,9 +947,9 @@
<para>
The counts for an individual account can be set to zero by
re-granting it any of its limits. To do this, use
- <literal role="stmt" condition="grant">GRANT USAGE</literal> as described earlier and
- specify a limit value equal to the value that the account
- currently has.
+ <literal role="stmt" condition="grant">GRANT USAGE</literal>
+ as described earlier and specify a limit value equal to the
+ value that the account currently has.
</para>
</listitem>
@@ -1032,9 +1033,10 @@
</programlisting>
<para>
- You can also use a <literal role="stmt" condition="grant">GRANT USAGE</literal> statement at the
- global level (<literal>ON *.*</literal>) to assign a password to
- an account without affecting the account's current privileges:
+ You can also use a <literal role="stmt" condition="grant">GRANT
+ USAGE</literal> statement at the global level (<literal>ON
+ *.*</literal>) to assign a password to an account without
+ affecting the account's current privileges:
</para>
<programlisting>
@@ -1143,9 +1145,8 @@
<note>
<para>
- <literal role="func">PASSWORD()</literal> encryption
- differs from Unix password encryption. See
- <xref linkend="user-names"/>.
+ <literal role="func">PASSWORD()</literal> encryption differs
+ from Unix password encryption. See <xref linkend="user-names"/>.
</para>
</note>
@@ -1172,6 +1173,11 @@
<title>Administrator Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>administrator guidelines</secondary>
+ </indexterm>
+
<para>
Database administrators should use the following guidelines to
keep passwords secure.
@@ -1210,6 +1216,11 @@
<title>End-User Guidelines for Password Security</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>user guidelines</secondary>
+ </indexterm>
+
<para>
MySQL users should use the following guidelines to keep
passwords secure.
@@ -1384,6 +1395,11 @@
<title>Password Hashing in MySQL</title>
+ <indexterm>
+ <primary>passwords</primary>
+ <secondary>hashing</secondary>
+ </indexterm>
+
<remark role="todo">
discuss -secure-auth option
</remark>