Why does OpenStack grant privileges twice when initializing the database?

This post was last edited by frtd on 2013-10-10 09:04.

Question: when OpenStack creates a database, why does it grant the user login privileges for both % and localhost, when % in MySQL already includes localhost?

To answer this, let's first look at what happens if we don't. openstack-db --init --service keystone --pass keystone does three things:

1. mysql> CREATE DATABASE keystone;
2. mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
3. mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';

Let's see what happens if step 3 is skipped:
mysql> create database keystone;
Query OK, 1 row affected (0.01 sec)

mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user     | host      | password                                  |
+----------+-----------+-------------------------------------------+
| root     | localhost |                                           |
| root     | db1       |                                           |
| root     | 127.0.0.1 |                                           |
|          | localhost |                                           |
|          | db1       |                                           |
| keystone | %         | *936E8F7AB2E21B47F6C9A7E5D9FE14DBA2255E5A |
+----------+-----------+-------------------------------------------+
6 rows in set (0.00 sec)

Simulate a login:

# mysql -u keystone -pkeystone
ERROR 1045 (28000): Access denied for user 'keystone'@'localhost' (using password: YES)

The login is denied. Now try logging in with an empty password:

# mysql -u keystone
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.1.52-log Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

The login succeeds, but the keystone database is not visible.
So what happens once step 3 is executed?

mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)

Simulate the login again:

# mysql -u keystone -pkeystone
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.1.52-log Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| test               |
+--------------------+
3 rows in set (0.01 sec)

This time the login succeeds.
Analysis: before step 3 is executed, the user table looks like this:

mysql> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user     | host      | password                                  |
+----------+-----------+-------------------------------------------+
| root     | localhost |                                           |
| root     | db1       |                                           |
| root     | 127.0.0.1 |                                           |
|          | localhost |                                           |
|          | db1       |                                           |
| keystone | %         | *936E8F7AB2E21B47F6C9A7E5D9FE14DBA2255E5A |
+----------+-----------+-------------------------------------------+
6 rows in set (0.00 sec)

mysql -u keystone -pkeystone connects as keystone@localhost. At this point the privilege table contains no grant that exactly matches this user, so MySQL looks first for entries with host='localhost' and matches ''@'localhost', whose password is empty. The password submitted by mysql -u keystone -pkeystone is keystone, which MySQL treats as a mismatch, so the login is denied. mysql -u keystone, with an empty password, happens to match that entry, so the empty password logs in instead; but since ''@'localhost' has no privileges on the keystone database, the keystone database is not visible after login.

For security, that anonymous account should be removed; once it is gone, OpenStack would not need the duplicate grant when initializing the database.
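As an added illustration (this is not part of the original post, and not MySQL's own code), the following Python script models the account-matching rule described in the analysis above over the same user table the post shows, and lists the anonymous accounts that the last paragraph recommends removing. The specificity ranking (literal host before wildcard pattern before %), the host-pattern matching and the mysql_native_password hash form ('*' followed by SHA1(SHA1(password)) in upper-case hex) are my reading of MySQL's documented behaviour, reduced to what this scenario needs; the table rows are constructed to mirror the post's output, and the function names are mine.

```python
import hashlib
import re


def mysql_native_hash(password):
    """mysql_native_password / PASSWORD() form: '*' + SHA1(SHA1(pw)) in upper-case hex.
    A blank password is stored as a blank field, as in the post's user table."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed rows (user, host, stored password) mirroring the post's output before step 3.
USER_TABLE_BEFORE_STEP3 = [
    ("root", "localhost", ""),
    ("root", "db1", ""),
    ("root", "127.0.0.1", ""),
    ("", "localhost", ""),  # anonymous account installed by default
    ("", "db1", ""),        # anonymous account installed by default
    ("keystone", "%", mysql_native_hash("keystone")),
]

# The same table after step 3 (the 'keystone'@'localhost' grant) has been run.
USER_TABLE_AFTER_STEP3 = USER_TABLE_BEFORE_STEP3 + [
    ("keystone", "localhost", mysql_native_hash("keystone")),
]

# The table without the anonymous accounts, i.e. the post's recommended fix, step 3 not needed.
USER_TABLE_NO_ANONYMOUS = [r for r in USER_TABLE_BEFORE_STEP3 if r[0] != ""]


def host_specificity(host):
    """Most specific first: literal host or IP (2) > pattern containing wildcards (1) > '%' or blank (0)."""
    if host in ("%", ""):
        return 0
    if "%" in host or "_" in host:
        return 1
    return 2


def sorted_like_mysql(rows):
    """MySQL orders the user table by host specificity, then by user (named before anonymous)."""
    return sorted(rows, key=lambda r: (host_specificity(r[1]), 1 if r[0] else 0), reverse=True)


def host_matches(pattern, host):
    """Match a Host column value against the connecting host ('%' any run, '_' one character)."""
    if pattern == "":
        return True  # a blank Host behaves like '%'
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None


def match_account(rows, user, host):
    """Return the (user, host) entry MySQL selects for a connection, or None if nothing matches."""
    for row_user, row_host, _ in sorted_like_mysql(rows):
        if host_matches(row_host, host) and row_user in ("", user):
            return (row_user, row_host)
    return None


def authenticate(rows, user, host, password):
    """Return (accepted, matched_account): the password is checked only against the matched row."""
    entry = match_account(rows, user, host)
    if entry is None:
        return (False, None)
    stored = next(r[2] for r in rows if (r[0], r[1]) == entry)
    return (mysql_native_hash(password) == stored, entry)


def anonymous_accounts(rows):
    """Anonymous (blank-user) accounts present in the table."""
    return [(u, h) for u, h, _ in rows if u == ""]


def drop_statements(rows):
    """The DROP USER statements that would remove every anonymous account."""
    return ["DROP USER ''@'%s';" % h for _, h in anonymous_accounts(rows)]


if __name__ == "__main__":
    for label, table in (("before step 3", USER_TABLE_BEFORE_STEP3),
                         ("after step 3", USER_TABLE_AFTER_STEP3),
                         ("anonymous removed", USER_TABLE_NO_ANONYMOUS)):
        print(label, "-> keystone@localhost matches", match_account(table, "keystone", "localhost"),
              "; password login:", authenticate(table, "keystone", "localhost", "keystone")[0])
    print("\n".join(drop_statements(USER_TABLE_BEFORE_STEP3)))
```

Running it reproduces the post's three observations: before step 3 the connection from localhost is matched to the anonymous ''@'localhost' row, so the real password is rejected and the empty one accepted; after step 3 the more specific 'keystone'@'localhost' row wins; and with the anonymous rows dropped, 'keystone'@'%' is matched directly and the second grant becomes unnecessary.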
Reply: Really well written.

Reply: It's not easy to find a good post. Bumped, thanks.