Account Locking
Syntax
CREATE USER [...]
[lock_option] [password_option]
ALTER USER [...]
[lock_option] [password_option] The lock_option and password_option clauses can occur in either order.
Prior to MariaDB 10.4.7 and MariaDB 10.5.8, the lock_option must be placed before the password_option.
Description
Account locking permits privileged administrators to lock/unlock user accounts. No new client connections will be permitted if an account is locked (existing connections are not affected).
Locking Accounts
User accounts can be locked at creation, with the CREATE USER statement, or modified after creation with the ALTER USER statement. For example:
CREATE USER 'lorin'@'localhost' ACCOUNT LOCK;or
ALTER USER 'marijn'@'localhost' ACCOUNT LOCK;The server will return an ER_ACCOUNT_HAS_BEEN_LOCKED error when locked users attempt to connect:
mariadb -ulorin
ERROR 4151 (HY000): Access denied, this account is lockedUnlocking Accounts
The ALTER USER statement is used to unlock a user:
Show Whether a Specific Account is Locked
The SHOW CREATE USER statement will show whether the account is locked:
as well as querying the mysql.global_priv table:
Find Locked Accounts
This query against the mysql.global_priv table will return all accounts which have "account_locked": true within the Priv json column:
Example Output:
See Also
Account Locking and Password Expiry video tutorial
This page is licensed: CC BY-SA / Gnu FDL
Last updated
Was this helpful?