CREATE USER

This statement creates a new user, specified with a password. In the MySQL privilege system, a user is the combination of a username and the host from which they connect. Thus, it is possible to create a user 'newuser2'@'192.168.1.1' who can connect only from the IP address 192.168.1.1. It is also possible for two users to share the same username portion and have different permissions because they log in from different hosts.

Synopsis

    CreateUserStmt ::=
        'CREATE' 'USER' IfNotExists UserSpecList RequireClauseOpt ConnectionOptions PasswordOption LockOption AttributeOption ResourceGroupNameOption

    IfNotExists ::=
        ('IF' 'NOT' 'EXISTS')?

    UserSpecList ::=
        UserSpec ( ',' UserSpec )*

    RequireClauseOpt ::=
        ( 'REQUIRE' 'NONE' | 'REQUIRE' 'SSL' | 'REQUIRE' 'X509' | 'REQUIRE' RequireList )?

    RequireList ::=
        ( "ISSUER" stringLit | "SUBJECT" stringLit | "CIPHER" stringLit | "SAN" stringLit | "TOKEN_ISSUER" stringLit )*

    UserSpec ::=
        Username AuthOption

    AuthOption ::=
        ( 'IDENTIFIED' ( 'BY' ( AuthString | 'PASSWORD' HashString ) | 'WITH' StringName ( 'BY' AuthString | 'AS' HashString )? ) )?

    StringName ::=
        stringLit | Identifier

    PasswordOption ::=
        ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) | 'FAILED_LOGIN_ATTEMPTS' N | 'PASSWORD_LOCK_TIME' ( N | 'UNBOUNDED' ) )*

    LockOption ::=
        ( 'ACCOUNT' 'LOCK' | 'ACCOUNT' 'UNLOCK' )?

    AttributeOption ::=
        ( 'COMMENT' CommentString | 'ATTRIBUTE' AttributeString )?

    ResourceGroupNameOption ::=
        ( 'RESOURCE' 'GROUP' Identifier )?

    RequireClauseOpt ::=
        ( 'REQUIRE' ( 'NONE' | 'SSL' | 'X509' | RequireListElement ( 'AND'? RequireListElement )* ) )?

    RequireListElement ::=
        'ISSUER' Issuer | 'SUBJECT' Subject | 'CIPHER' Cipher | 'SAN' SAN | 'TOKEN_ISSUER' TokenIssuer

Examples

Create a user with the newuserpassword password.

    mysql> CREATE USER 'newuser' IDENTIFIED BY 'newuserpassword';
    Query OK, 1 row affected (0.04 sec)

Create a user who can only log in from 192.168.1.1.

    mysql> CREATE USER 'newuser2'@'192.168.1.1' IDENTIFIED BY 'newuserpassword';
    Query OK, 1 row affected (0.02 sec)

Create a user who is required to log in over a TLS connection.

    CREATE USER 'newuser3'@'%' IDENTIFIED BY 'newuserpassword' REQUIRE SSL;
    Query OK, 1 row affected (0.02 sec)

Create a user who is required to use an X.509 certificate at login.

    CREATE USER 'newuser4'@'%' IDENTIFIED BY 'newuserpassword' REQUIRE ISSUER '/C=US/ST=California/L=San Francisco/O=PingCAP';
    Query OK, 1 row affected (0.02 sec)

Create a user who is locked upon creation.

    CREATE USER 'newuser5'@'%' ACCOUNT LOCK;
    Query OK, 1 row affected (0.02 sec)

Create a user with a comment.

    CREATE USER 'newuser6'@'%' COMMENT 'This user is created only for test';
    SELECT * FROM information_schema.user_attributes;
    +-----------+------+---------------------------------------------------+
    | USER      | HOST | ATTRIBUTE                                         |
    +-----------+------+---------------------------------------------------+
    | newuser6  | %    | {"comment": "This user is created only for test"} |
    +-----------+------+---------------------------------------------------+
    1 rows in set (0.00 sec)

Create a user with an email attribute.

    CREATE USER 'newuser7'@'%' ATTRIBUTE '{"email": "user@pingcap.com"}';
    SELECT * FROM information_schema.user_attributes;
    +-----------+------+---------------------------------------------------+
    | USER      | HOST | ATTRIBUTE                                         |
    +-----------+------+---------------------------------------------------+
    | newuser7  | %    | {"email": "user@pingcap.com"}                     |
    +-----------+------+---------------------------------------------------+
    1 rows in set (0.00 sec)

Create a user who is not allowed to reuse the last 5 passwords:

    CREATE USER 'newuser8'@'%' PASSWORD HISTORY 5;
    Query OK, 1 row affected (0.02 sec)

Create a user whose password is manually expired:

    CREATE USER 'newuser9'@'%' PASSWORD EXPIRE;
    Query OK, 1 row affected (0.02 sec)

Create a user that uses the resource group rg1.

    CREATE USER 'newuser7'@'%' RESOURCE GROUP rg1;
    SELECT USER, HOST, USER_ATTRIBUTES FROM MYSQL.USER WHERE USER='newuser7';
    +----------+------+---------------------------+
    | USER     | HOST | USER_ATTRIBUTES           |
    +----------+------+---------------------------+
    | newuser7 | %    | {"resource_group": "rg1"} |
    +----------+------+---------------------------+
    1 rows in set (0.00 sec)
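
The options shown one at a time above can be combined in a single statement, in the order given by the CreateUserStmt grammar. The following is an added example, not taken from the TiDB documentation; the account name app_ro, the host, the policy values, and the password placeholder are assumptions chosen for illustration.

```sql
-- Added example: account name, host, policy values and password placeholder
-- are hypothetical and must be replaced with site-specific values.

-- Weak form, for comparison: any host, no TLS requirement,
-- no password expiry, no reuse limit, no lockout on failed logins.
-- CREATE USER 'app_ro'@'%' IDENTIFIED BY '<placeholder-password>';

-- Hardened form. Clause order follows the grammar:
-- UserSpec, REQUIRE clause, password options, then the attribute option.
CREATE USER IF NOT EXISTS 'app_ro'@'192.168.1.1'
  IDENTIFIED BY '<placeholder-password>'
  REQUIRE SSL                                   -- reject non-TLS connections
  PASSWORD EXPIRE INTERVAL 90 DAY               -- force rotation every 90 days
  PASSWORD HISTORY 5                            -- block reuse of the last 5 passwords
  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1  -- lock for 1 day after 3 failed logins
  COMMENT 'read-only application account';

-- Review step: list accounts that accept connections from any host,
-- using the same mysql.user columns queried in the examples above.
SELECT USER, HOST, USER_ATTRIBUTES
FROM mysql.user
WHERE HOST = '%';
```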

MySQL compatibility

The following CREATE USER options are not yet supported by TiDB, and will be parsed but ignored:

  • TiDB does not support WITH MAX_QUERIES_PER_HOUR, WITH MAX_UPDATES_PER_HOUR, and WITH MAX_USER_CONNECTIONS options.
  • TiDB does not support the DEFAULT ROLE option.

See also