The steps to create a read-only user are as follows: 1. Create a user with the CREATE USER command, 2. GRANT command grant SELECT permissions, 3. Specify the accessed database and tables, 4. Execute FLUSH PRIVILEGES to ensure that the permissions take effect; to improve security, you can restrict visible fields through view or combine the application layer desensitization process; common problems such as mis-granting other permissions, not recycling of unnecessary permissions, not refreshing permissions, and improper host settings. It is recommended to check the user permissions after operation to ensure the configuration is correct.
The steps to create a read-only user are not complicated, but the key is to ensure proper permission control and avoid misoperation, which leads to data leakage or modification. Let’s talk about the key points directly below.
Basic statements for creating read-only users
The most common way to create read-only users in MySQL is to use CREATE USER and GRANT commands. The basic structure is as follows:
CREATE USER 'readonly_user'@'host' IDENTIFIED BY 'password'; GRANT SELECT ON database_name.table_name TO 'readonly_user'@'host';
-
SELECTpermission means that the user can only query data. -
database_name.table_namecan be specified as a specific table, or*.*can be used to represent all databases and tables (not very recommended). -
'host'is usually'localhost'or'%', indicating which host is allowed to connect from.
For example:
CREATE USER 'report_user'@'%' IDENTIFIED BY 'securePass123'; GRANT SELECT ON sales_data.* TO 'report_user'@'%'; FLUSH PRIVILEGES;
Note: After executing the permission change, it is best to run FLUSH PRIVILEGES; ensure that the permissions take effect immediately.
Controlling access scope is more secure
What many people will ignore is that even if only SELECT permission is granted, if there is sensitive information in the database (such as user password, ID number, etc.), this read-only account can still see these fields. so:
- If you want only some fields to be seen by the user, you can consider limiting exposed columns through views (VIEW).
- Or combine the application layer for desensitization.
For example, if you only want users to see the order number and amount, but don't want them to see the customer's mobile number:
CREATE VIEW order_summary AS SELECT order_id, amount FROM orders; GRANT SELECT ON sales_data.order_summary TO 'report_user'@'%';
This way, even if the user has permission, the privacy fields in the original table cannot be seen.
Avoid some common pitfalls
Sometimes you may think that the user is already read-only, but there are actually potential risks. Here are some common questions:
- ? Do not give default permissions other than
USAGEpermissions, otherwise you may have indirect write permissions. - ? Forgot to recycle other permissions, such as
INSERTwas granted before, but later it was changedSELECT, and I need toREVOKE INSERT ... - ?There is no refresh permission when using root user authorization, resulting in the configuration not taking effect.
- ? The appropriate host is not set, such as the use of
'%'when it should have restricted access to the intranet, which brings security risks.
It is recommended to check user permissions after each operation:
SHOW GRANTS FOR 'report_user'@'%';
Basically that's it. As long as you follow the above method, you can create a truly "read-only" MySQL user, which not only meets business needs but does not affect system security.
The above is the detailed content of mysql create read only user. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is the default username and password for MySQL?
Jun 13, 2025 am 12:34 AM
The default user name of MySQL is usually 'root', but the password varies according to the installation environment; in some Linux distributions, the root account may be authenticated by auth_socket plug-in and cannot log in with the password; when installing tools such as XAMPP or WAMP under Windows, root users usually have no password or use common passwords such as root, mysql, etc.; if you forget the password, you can reset it by stopping the MySQL service, starting in --skip-grant-tables mode, updating the mysql.user table to set a new password and restarting the service; note that the MySQL8.0 version requires additional authentication plug-ins.
What is GTID (Global Transaction Identifier) and what are its advantages?
Jun 19, 2025 am 01:03 AM
GTID (Global Transaction Identifier) ??solves the complexity of replication and failover in MySQL databases by assigning a unique identity to each transaction. 1. It simplifies replication management, automatically handles log files and locations, allowing slave servers to request transactions based on the last executed GTID. 2. Ensure consistency across servers, ensure that each transaction is applied only once on each server, and avoid data inconsistency. 3. Improve troubleshooting efficiency. GTID includes server UUID and serial number, which is convenient for tracking transaction flow and accurately locate problems. These three core advantages make MySQL replication more robust and easy to manage, significantly improving system reliability and data integrity.
How to change or reset the MySQL root user password?
Jun 13, 2025 am 12:33 AM
There are three ways to modify or reset MySQLroot user password: 1. Use the ALTERUSER command to modify existing passwords, and execute the corresponding statement after logging in; 2. If you forget your password, you need to stop the service and start it in --skip-grant-tables mode before modifying; 3. The mysqladmin command can be used to modify it directly by modifying it. Each method is suitable for different scenarios and the operation sequence must not be messed up. After the modification is completed, verification must be made and permission protection must be paid attention to.
What is a typical process for MySQL master failover?
Jun 19, 2025 am 01:06 AM
MySQL main library failover mainly includes four steps. 1. Fault detection: Regularly check the main library process, connection status and simple query to determine whether it is downtime, set up a retry mechanism to avoid misjudgment, and can use tools such as MHA, Orchestrator or Keepalived to assist in detection; 2. Select the new main library: select the most suitable slave library to replace it according to the data synchronization progress (Seconds_Behind_Master), binlog data integrity, network delay and load conditions, and perform data compensation or manual intervention if necessary; 3. Switch topology: Point other slave libraries to the new master library, execute RESETMASTER or enable GTID, update the VIP, DNS or proxy configuration to
How to connect to a MySQL database using the command line?
Jun 19, 2025 am 01:05 AM
The steps to connect to the MySQL database are as follows: 1. Use the basic command format mysql-u username-p-h host address to connect, enter the username and password to log in; 2. If you need to directly enter the specified database, you can add the database name after the command, such as mysql-uroot-pmyproject; 3. If the port is not the default 3306, you need to add the -P parameter to specify the port number, such as mysql-uroot-p-h192.168.1.100-P3307; In addition, if you encounter a password error, you can re-enter it. If the connection fails, check the network, firewall or permission settings. If the client is missing, you can install mysql-client on Linux through the package manager. Master these commands
How does InnoDB implement Repeatable Read isolation level?
Jun 14, 2025 am 12:33 AM
InnoDB implements repeatable reads through MVCC and gap lock. MVCC realizes consistent reading through snapshots, and the transaction query results remain unchanged after multiple transactions; gap lock prevents other transactions from inserting data and avoids phantom reading. For example, transaction A first query gets a value of 100, transaction B is modified to 200 and submitted, A is still 100 in query again; and when performing scope query, gap lock prevents other transactions from inserting records. In addition, non-unique index scans may add gap locks by default, and primary key or unique index equivalent queries may not be added, and gap locks can be cancelled by reducing isolation levels or explicit lock control.
How to alter a large table without locking it (Online DDL)?
Jun 14, 2025 am 12:36 AM
Toalteralargeproductiontablewithoutlonglocks,useonlineDDLtechniques.1)IdentifyifyourALTERoperationisfast(e.g.,adding/droppingcolumns,modifyingNULL/NOTNULL)orslow(e.g.,changingdatatypes,reorderingcolumns,addingindexesonlargedata).2)Usedatabase-specifi
What are the transaction isolation levels in MySQL, and which is the default?
Jun 23, 2025 pm 03:05 PM
MySQL's default transaction isolation level is RepeatableRead, which prevents dirty reads and non-repeatable reads through MVCC and gap locks, and avoids phantom reading in most cases; other major levels include read uncommitted (ReadUncommitted), allowing dirty reads but the fastest performance, 1. Read Committed (ReadCommitted) ensures that the submitted data is read but may encounter non-repeatable reads and phantom readings, 2. RepeatableRead default level ensures that multiple reads within the transaction are consistent, 3. Serialization (Serializable) the highest level, prevents other transactions from modifying data through locks, ensuring data integrity but sacrificing performance;
