Account Locking

MariaDB starting with 10.4.2

Account locking was introduced in MariaDB 10.4.2.


Account locking permits privileged administrators to lock/unlock user accounts. No new client connections will be permitted if an account is locked (existing connections are not affected).

User accounts can be locked at creation, with the CREATE USER statement, or modified after creation with the ALTER USER statement. For example:

CREATE USER 'lorin'@'localhost' ACCOUNT LOCK;


ALTER USER 'marijn'@'localhost' ACCOUNT LOCK;

The server will return an ER_ACCOUNT_HAS_BEEN_LOCKED error when locked users attempt to connect:

mariadb -ulorin
  ERROR 4151 (HY000): Access denied, this account is locked

The ALTER USER statement is also used to unlock a user:

ALTER USER 'lorin'@'localhost' ACCOUNT UNLOCK;

The SHOW CREATE USER statement will show whether the account is locked:

SHOW CREATE USER 'marijn'@'localhost';
| CREATE USER for marijn@localhost              |
| CREATE USER 'marijn'@'localhost' ACCOUNT LOCK |

as well as querying the mysql.global_priv table:

SELECT CONCAT(user, '@', host, ' => ', JSON_DETAILED(priv)) FROM mysql.global_priv 
  WHERE user='marijn';
| CONCAT(user, '@', host, ' => ', JSON_DETAILED(priv))                                 |
| marijn@localhost => {
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
    "account_locked": true,
    "password_last_changed": 1558017158
} |

See Also


Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.