
mysql> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';

mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost'


mysql> CREATE USER 'monty'@'%' IDENTIFIED BY 'some_pass';

mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%'



Two accounts have a user name of monty and a password of some_pass. Both are superuser accounts with full privileges to do anything. The 'monty'@'localhost' account can be used only when connecting from the local host. The 'monty'@'%' account uses the '%' wildcard for the host part, so it can be used to connect from any host.



The 'monty'@'localhost' account is necessary if there is an anonymous-user account for localhost. Without the 'monty'@'localhost' account, that anonymous-user account takes precedence when monty connects from the local host and monty is treated as an anonymous user. The reason for this is that the anonymous-user account has a more specific Host column value than the 'monty'@'%' account and thus comes earlier in the user table sort order. (user table sorting is discussed in Section 6.2.4, “Access Control, Stage 1: Connection Verification”.)



Your identity is based on two pieces of information:

  • The client host from which      you connect
  • Your MySQL user name

It is possible for the client host name and user name of an incoming connection to match more than one row in the user table. The preceding set of examples demonstrates this: Several of the entries shown match a connection from thomas.loc.gov by fred.

When multiple matches are possible, the server must determine which of them to use. It resolves this issue as follows:

  • Whenever the server reads the user table into memory, it sorts the rows.
  • When a client attempts to connect, the server looks through the rows      in sorted order.
  • The server uses the first row that matches the client host name and      user name.


  • 连接过来的主机信息
  • 连接过来的MySQL用户名


  • 无论何时MySQL服务都读取user表到内存中,并对其排序
  • 当一个客户端尝试连接MySQL数据库,MySQL服务浏览排序后的user表数据
  • MySQL服务使用匹配上hostuser的第一行数据

The server uses sorting rules that order rows with the most-specific Host values first. Literal host names and IP addresses are the most specific. (The specificity of a literal IP address is not affected by whether it has a netmask, so and are considered equally specific.) The pattern '%' means “any host” and is least specific. The empty string '' also means “any host” but sorts after '%'. Rows with the same Host value are ordered with the most-specific User values first (a blank User value means “any user” and is least specific). For rows with equally-specific Host and User values, the order is indeterminate.

MySQL服务对user表的排序规则为有最具体的host值排到首位。文本形式的主机名和ip地址是最具体的。(文本形式的IP地址不受netmask的影响,因此192.168.1.13192.168.1.0/被认为同样具体的。)'%'形式表示“any host”,是最少具体的,因此排序位置靠后。而空字符串('')也表示“any host”,但是排序在'%'之后。如果user表排序后host值一样,那么有最具体的user值的行排到首位(user值为空时表示“any user”并且是最少具体的)。对于同样具体的hostuser值,在user表中的排序是不确定的。

To see how this works, suppose that the user table looks like this:


| Host      | User     | ...


| %         | root     | ...

| %         | jeffrey  | ...

| localhost | root     | ...

| localhost |          | ...


When the server reads the table into memory, it sorts the rows using the rules just described. The result after sorting looks like this:



| Host      | User     | ...


| localhost | root     | ...

| localhost |          | ...

| %         | jeffrey  | ...

| %         | root     | ...


When a client attempts to connect, the server looks through the sorted rows and uses the first match found. For a connection from localhost by jeffrey, two of the rows from the table match: the one with Host and User values of 'localhost' and '', and the one with values of '%' and 'jeffrey'. The 'localhost' row appears first in sorted order, so that is the one the server uses.


Here is another example. Suppose that the user table looks like this:


| Host           | User     | ...


| %              | jeffrey  | ...

| thomas.loc.gov |          | ...


The sorted table looks like this:


| Host           | User     | ...


| thomas.loc.gov |          | ...

| %              | jeffrey  | ...


A connection by jeffrey from thomas.loc.gov is matched by the first row, whereas a connection by jeffrey from any host is matched by the second.



It is a common misconception to think that, for a given user name, all rows that explicitly name that user are used first when the server attempts to find a match for the connection. This is not true. The preceding example illustrates this, where a connection from thomas.loc.gov by jeffrey is first matched not by the row containing 'jeffrey' as the User column value, but by the row with no user name. As a result, jeffrey is authenticated as an anonymous user, even though he specified a user name when connecting.


If you are able to connect to the server, but your privileges are not what you expect, you probably are being authenticated as some other account. To find out what account the server used to authenticate you, use the CURRENT_USER() function. (See Section 12.14, “Information Functions”.) It returns a value in user_name@host_name format that indicates the User and Host values from the matching user table row. Suppose that jeffrey connects and issues the following query:





| @localhost     |


The result shown here indicates that the matching user table row had a blank User column value. In other words, the server is treating jeffrey as an anonymous user.

Another way to diagnose authentication problems is to print out the user table and sort it by hand to see where the first match is being made.