ALTER USER
This statement changes an existing user inside the TiDB privilege system. In the MySQL privilege system, a user is the combination of a username and the host from which they are connecting from. Thus, it is possible to create a user 'newuser2'@'192.168.1.1'
who is only able to connect from the IP address 192.168.1.1
. It is also possible to have two users have the same user-portion, and different permissions as they login from different hosts.
Synopsis
- AlterUserStmt
- UserSpecList
- UserSpec
- RequireClauseOpt
- RequireList
- Username
- AuthOption
- PasswordOption
- LockOption
- AttributeOption
AlterUserStmt ::=
'ALTER' 'USER' IfExists (UserSpecList RequireClauseOpt ConnectionOptions PasswordOption LockOption AttributeOption | 'USER' '(' ')' 'IDENTIFIED' 'BY' AuthString)
UserSpecList ::=
UserSpec ( ',' UserSpec )*
UserSpec ::=
Username AuthOption
RequireClauseOpt ::=
( 'REQUIRE' 'NONE' | 'REQUIRE' 'SSL' | 'REQUIRE' 'X509' | 'REQUIRE' RequireList )?
RequireList ::=
( "ISSUER" stringLit | "SUBJECT" stringLit | "CIPHER" stringLit | "SAN" stringLit | "TOKEN_ISSUER" stringLit )*
Username ::=
StringName ('@' StringName | singleAtIdentifier)? | 'CURRENT_USER' OptionalBraces
AuthOption ::=
( 'IDENTIFIED' ( 'BY' ( AuthString | 'PASSWORD' HashString ) | 'WITH' StringName ( 'BY' AuthString | 'AS' HashString )? ) )?
PasswordOption ::= ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) | 'FAILED_LOGIN_ATTEMPTS' N | 'PASSWORD_LOCK_TIME' ( N | 'UNBOUNDED' ) )*
LockOption ::= ( 'ACCOUNT' 'LOCK' | 'ACCOUNT' 'UNLOCK' )?
AttributeOption ::= ( 'COMMENT' CommentString | 'ATTRIBUTE' AttributeString )?
Examples
mysql> CREATE USER 'newuser' IDENTIFIED BY 'newuserpassword';
Query OK, 1 row affected (0.01 sec)
mysql> SHOW CREATE USER 'newuser';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for newuser@% |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'newuser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*5806E04BBEE79E1899964C6A04D68BCA69B1A879' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> ALTER USER 'newuser' IDENTIFIED BY 'newnewpassword';
Query OK, 0 rows affected (0.02 sec)
mysql> SHOW CREATE USER 'newuser';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for newuser@% |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'newuser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*FB8A1EA1353E8775CA836233E367FBDFCB37BE73' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
ALTER USER 'newuser' ACCOUNT LOCK;
Query OK, 0 rows affected (0.02 sec)
Modify the attributes of newuser
:
ALTER USER 'newuser' ATTRIBUTE '{"newAttr": "value", "deprecatedAttr": null}';
SELECT * FROM information_schema.user_attributes;
+-----------+------+--------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+--------------------------+
| newuser | % | {"newAttr": "value"} |
+-----------+------+--------------------------+
1 rows in set (0.00 sec)
Modify the comment of newuser
using ALTER USER ... COMMENT
:
ALTER USER 'newuser' COMMENT 'Here is the comment';
SELECT * FROM information_schema.user_attributes;
+-----------+------+--------------------------------------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+--------------------------------------------------------+
| newuser | % | {"comment": "Here is the comment", "newAttr": "value"} |
+-----------+------+--------------------------------------------------------+
1 rows in set (0.00 sec)
Remove the comment of newuser
using ALTER USER ... ATTRIBUTE
:
ALTER USER 'newuser' ATTRIBUTE '{"comment": null}';
SELECT * FROM information_schema.user_attributes;
+-----------+------+---------------------------+
| USER | HOST | ATTRIBUTE |
+-----------+------+---------------------------+
| newuser | % | {"newAttr": "value"} |
+-----------+------+---------------------------+
1 rows in set (0.00 sec)
Change the automatic password expiration policy for newuser
to never expire via ALTER USER ... PASSWORD EXPIRE NEVER
:
ALTER USER 'newuser' PASSWORD EXPIRE NEVER;
Query OK, 0 rows affected (0.02 sec)
Modify the password reuse policy for newuser
to disallow the reuse of any password used within the last 90 days using ALTER USER ... PASSWORD REUSE INTERVAL ... DAY
:
ALTER USER 'newuser' PASSWORD REUSE INTERVAL 90 DAY;
Query OK, 0 rows affected (0.02 sec)