The Ultimate Guide to High Availability with MariaDB

CREATE USER

You are viewing an old version of this article. View the current version here.

Syntax

CREATE USER user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...

Description

The CREATE USER statement creates new MariaDB accounts. To use it, you must have the global CREATE USER privilege or the INSERT privilege for the mysql database. For each account, CREATE USER creates a new row in the mysql.user table that has no privileges.

See Account Names below for details on how account names are specified.

If any of the specified user accounts already exist, ERROR 1396 (HY000) results. If an error occurs, CREATE USER will still create the accounts that do not result in an error.

The account can be given a password with the optional IDENTIFIED BY clause. To specify the password in plain text, omit the PASSWORD keyword. To specify the password as the hashed value as returned by the PASSWORD function, include the PASSWORD keyword.

If you do not specify a password with the IDENTIFIED BY clause, the user will be able to connect without a password. A blank password is not a wildcard to match any password. The user must connect without providing a password if no password is set.

Account Names

Account names have both a user name and a host name, and are specified as 'user_name'@'host_name'. If the host name is not provided, it is assumed to be '%'. When you connect to a MariaDB server, your user name and host must match a single account.

Host names may contain the wildcard characters % and _. They are matched as if by the LIKE clause. If you need to use a wildcard character literally (for example, to match a domain name with an underscore), prefix the character with a backslash. See LIKE for more information on escaping wildcard characters.

Host name matches are case-insensitive. Host names can match either domain names or IP addresses. Use 'localhost' as the host name to allow only local client connections.

You can use a netmask to match a range of IP addresses using 'base_ip/netmask' as the host name. A user with an IP address ip_addr will be allowed to connect if the following condition is true:

ip_addr & netmask = base_ip

You can only use netmasks that specify a multiple of 8 bits of the address to match. That is, only the following netmasks are allowed:

255.0.0.0
255.255.0.0
255.255.255.0
255.255.255.255

Using 255.255.255.255 is equivalent to not using a netmask at all.

The user name and host name may be unquoted, quoted as strings using double quotes or single quotes, or quoted as identifiers using backticks. You must use quotes when using special characters (such as a hyphen) or wildcard characters. If you quote, you must quote the user name and host name separately as 'user_name'@'host_name'.

User names must match exactly, including case. You can use the empty string to allow a user with any user name.

It is possible for more than one account to match when a user connects. MariaDB selects the first matching account after sorting according to the following criteria:

  • Accounts with an exact host name are sorted before accounts using a wildcard in the host name. Host names using a netmask are considered to be exact for sorting.
  • Accounts with a wildcard in the host name are sorted according to the position of the first wildcard character. Those with a wildcard character later in the host name sort before those with a wildcard character earlier in the host name.
  • Accounts with a non-empty user name sort before accounts with an empty user name.

The following table shows a list of example account as sorted by these criteria:

+---------+-------------+
| User    | Host        |
+---------+-------------+
| jeffrey | 192.168.0.3 |
|         | 192.168.0.% |
| jeffrey | 192.168.%   |
|         | 192.168.%   |
+---------+-------------+

Once connected, you only have the privileges granted to the account that matched, not all accounts that could have matched. For example, consider the following commands:

CREATE USER 'jeffrey'@'192.168.0.3';
CREATE USER 'jeffrey'@'%';
GRANT SELECT ON test.t1 to 'jeffrey'@'192.168.0.3';
GRANT SELECT ON test.t2 to 'jeffrey'@'%';

If you connect as jeffrey from 192.168.0.3, you will have the SELECT privilege on the table test.t1, but not on the table test.t2. If you connect as jeffrey from any other IP address, you will have the SELECT privilege on the table test.t2, but not on the table test.t1.

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.