ALTER USER
This statement changes an existing user inside the TiDB privilege system. In the MySQL privilege system, a user is the combination of a username and the host from which they are connecting from. Thus, it is possible to create a user 'newuser2'@'192.168.1.1'
who is only able to connect from the IP address 192.168.1.1
. It is also possible to have two users have the same user-portion, and different permissions as they login from different hosts.
Synopsis
- AlterUserStmt
- UserSpecList
- UserSpec
- RequireClauseOpt
- RequireList
- Username
- AuthOption
- PasswordOption
- LockOption
- AttributeOption
- ResourceGroupNameOption
- RequireClauseOpt
- RequireListElement
AlterUserStmt ::=
'ALTER' 'USER' IfExists (UserSpecList RequireClauseOpt ConnectionOptions PasswordOption LockOption AttributeOption | 'USER' '(' ')' 'IDENTIFIED' 'BY' AuthString) ResourceGroupNameOption
UserSpecList ::=
UserSpec ( ',' UserSpec )*
UserSpec ::=
Username AuthOption
RequireClauseOpt ::=
( 'REQUIRE' 'NONE' | 'REQUIRE' 'SSL' | 'REQUIRE' 'X509' | 'REQUIRE' RequireList )?
RequireList ::=
( "ISSUER" stringLit | "SUBJECT" stringLit | "CIPHER" stringLit | "SAN" stringLit | "TOKEN_ISSUER" stringLit )*
Username ::=
StringName ('@' StringName | singleAtIdentifier)? | 'CURRENT_USER' OptionalBraces
AuthOption ::=
( 'IDENTIFIED' ( 'BY' ( AuthString | 'PASSWORD' HashString ) | 'WITH' StringName ( 'BY' AuthString | 'AS' HashString )? ) )?
PasswordOption ::= ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) | 'FAILED_LOGIN_ATTEMPTS' N | 'PASSWORD_LOCK_TIME' ( N | 'UNBOUNDED' ) )*
LockOption ::= ( 'ACCOUNT' 'LOCK' | 'ACCOUNT' 'UNLOCK' )?
AttributeOption ::= ( 'COMMENT' CommentString | 'ATTRIBUTE' AttributeString )?
ResourceGroupNameOption::= ( 'RESOURCE' 'GROUP' Identifier)?
RequireClauseOpt ::= ('REQUIRE' ('NONE' | 'SSL' | 'X509' | RequireListElement ('AND'? RequireListElement)*))?
RequireListElement ::= 'ISSUER' Issuer | 'SUBJECT' Subject | 'CIPHER' Cipher | 'SAN' SAN | 'TOKEN_ISSUER' TokenIssuer
Examples
mysql> CREATE USER 'newuser' IDENTIFIED BY 'newuserpassword';
Query OK, 1 row affected (0.01 sec)
mysql> SHOW CREATE USER 'newuser';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for newuser@% |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'newuser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*5806E04BBEE79E1899964C6A04D68BCA69B1A879' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Modify basic user information
Change the password for user newuser
:
mysql> ALTER USER 'newuser' IDENTIFIED BY 'newnewpassword';
Query OK, 0 rows affected (0.02 sec)
mysql> SHOW CREATE USER 'newuser';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for newuser@% |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'newuser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*FB8A1EA1353E8775CA836233E367FBDFCB37BE73' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Lock the user newuser
:
ALTER USER 'newuser' ACCOUNT LOCK;
Query OK, 0 rows affected (0.02 sec)
Modify the attributes of newuser
:
ALTER USER 'newuser' ATTRIBUTE '{"newAttr": "value", "deprecatedAttr": null}';
SELECT * FROM information_schema.user_attributes;
+-----------+------+--------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+--------------------------+
| newuser | % | {"newAttr": "value"} |
+-----------+------+--------------------------+
1 rows in set (0.00 sec)
Modify the comment of newuser
using ALTER USER ... COMMENT
:
ALTER USER 'newuser' COMMENT 'Here is the comment';
SELECT * FROM information_schema.user_attributes;
+-----------+------+--------------------------------------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+--------------------------------------------------------+
| newuser | % | {"comment": "Here is the comment", "newAttr": "value"} |
+-----------+------+--------------------------------------------------------+
1 rows in set (0.00 sec)
Remove the comment of newuser
using ALTER USER ... ATTRIBUTE
:
ALTER USER 'newuser' ATTRIBUTE '{"comment": null}';
SELECT * FROM information_schema.user_attributes;
+-----------+------+---------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+---------------------------+
| newuser | % | {"newAttr": "value"} |
+-----------+------+---------------------------+
1 rows in set (0.00 sec)
Change the automatic password expiration policy for newuser
to never expire via ALTER USER ... PASSWORD EXPIRE NEVER
:
ALTER USER 'newuser' PASSWORD EXPIRE NEVER;
Query OK, 0 rows affected (0.02 sec)
Modify the password reuse policy for newuser
to disallow the reuse of any password used within the last 90 days using ALTER USER ... PASSWORD REUSE INTERVAL ... DAY
:
ALTER USER 'newuser' PASSWORD REUSE INTERVAL 90 DAY;
Query OK, 0 rows affected (0.02 sec)
Modify the resource group bound to the user
Use ALTER USER ... RESOURCE GROUP
to modify the resource group of the user newuser
to rg1
.
ALTER USER 'newuser' RESOURCE GROUP rg1;
Query OK, 0 rows affected (0.02 sec)
View the resource group bound to the current user:
SELECT USER, JSON_EXTRACT(User_attributes, "$.resource_group") FROM mysql.user WHERE user = "newuser";
+---------+---------------------------------------------------+
| USER | JSON_EXTRACT(User_attributes, "$.resource_group") |
+---------+---------------------------------------------------+
| newuser | "rg1" |
+---------+---------------------------------------------------+
1 row in set (0.02 sec)
Unbind the user to a resource group, that is, bind the user to the default
resource group.
ALTER USER 'newuser' RESOURCE GROUP `default`;
SELECT USER, JSON_EXTRACT(User_attributes, "$.resource_group") FROM mysql.user WHERE user = "newuser";
+---------+---------------------------------------------------+
| USER | JSON_EXTRACT(User_attributes, "$.resource_group") |
+---------+---------------------------------------------------+
| newuser | "default" |
+---------+---------------------------------------------------+
1 row in set (0.02 sec)