Authentication：系统变量定义的认证插件 default_authentication_plugin ，凭证为空

SSL/TLS：NONE

资源限制：无限制

密码管理：PASSWORD EXPIRE DEFAULT

账户锁定：ACCOUNT UNLOCK

必须使用有效的 X.509 证书进行连接。

每小时最多允许 60 个查询。

该帐户最初是锁定的，因此实际上它是一个占位符，在管理员解锁之前无法使用。

auth_plugin命名身份验证插件。插件名称可以是带引号的字符串文字或不带引号的名称。插件名称存储在系统表 的plugin列中 。mysql.user

对于未指定身份验证插件的语法，默认插件由 系统变量auth_option的值指示 。default_authentication_plugin有关每个插件的说明，请参阅 第 6.4.1 节，“身份验证插件”。

凭据存储在 mysql.user系统表中。一个 值指定帐户凭据，可以是明文（未加密）字符串，也可以是与帐户关联的身份验证插件所期望的格式的哈希值，分别为： 'auth_string'

IDENTIFIED BY 'auth_string'

将帐户身份验证插件设置为默认插件，将明文 值传递给插件以进行可能的哈希处理，并将结果存储在 系统表的帐户行中。 'auth_string'mysql.user

IDENTIFIED WITH auth_plugin

将帐户认证插件设置为 auth_plugin，将凭据清除为空字符串，并将结果存储在mysql.user 系统表的帐户行中。

IDENTIFIED WITH auth_plugin BY 'auth_string'

将帐户身份验证插件设置为 auth_plugin，将明文 值传递给插件以进行可能的哈希处理，并将结果存储在 系统表的帐户行中。 'auth_string'mysql.user

IDENTIFIED WITH auth_plugin AS 'auth_string'

将帐户身份验证插件设置为 auth_plugin并将 值按原样存储在帐户行中。如果插件需要哈希字符串，则假定该字符串已经按照插件所需的格式进行了哈希处理。 'auth_string'mysql.user

IDENTIFIED BY PASSWORD 'auth_string'

将帐户身份验证插件设置为默认插件并将 值按原样存储在帐户行中。如果插件需要哈希字符串，则假定该字符串已经按照插件所需的格式进行了哈希处理。 'auth_string'mysql.user

NONE

表示该语句命名的所有帐户都没有 SSL 或 X.509 要求。如果用户名和密码有效，则允许未加密的连接。如果客户端具有适当的证书和密钥文件，则可以根据客户端的选择使用加密连接。

CREATE USER 'jeffrey'@'localhost' REQUIRE NONE;

默认情况下，客户端会尝试建立安全连接。对于具有REQUIRE NONE的客户端，如果无法建立安全连接，连接尝试将退回到未加密的连接。要要求加密连接，客户端只需要指定 --ssl-mode=REQUIRED 选项；如果无法建立安全连接，则连接尝试失败。

NONE如果未指定与 SSL 相关的 REQUIRE选项，则为默认值。

SSL

告诉服务器只允许语句指定的所有帐户的加密连接。

CREATE USER 'jeffrey'@'localhost' REQUIRE SSL;

默认情况下，客户端会尝试建立安全连接。对于具有REQUIRE SSL的帐户，如果无法建立安全连接，连接尝试将失败。

X509

对于声明命名的所有帐户，要求客户出示有效证书，但确切的证书、发行人和主题无关紧要。唯一的要求是应该可以使用其中一个 CA 证书来验证其签名。使用 X.509 证书总是意味着加密，因此 SSL在这种情况下不需要该选项。

CREATE USER 'jeffrey'@'localhost' REQUIRE X509;

对于具有 的帐户REQUIRE X509，客户端必须指定--ssl-key 和--ssl-cert选项才能连接。（建议但不要求 --ssl-ca也指定，以便可以验证服务器提供的公共证书。）这也是正确的ISSUER ，SUBJECT因为这些 REQUIRE选项暗示了X509.

ISSUER 'issuer'

For all accounts named by the statement, requires that clients present a valid X.509 certificate issued by CA 'issuer'. If a client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X.509 certificates always implies encryption, so the SSL option is unnecessary in this case.

CREATE USER 'jeffrey'@'localhost'
  REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
    O=MySQL/CN=CA/emailAddress=ca@example.com';

Because ISSUER implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)

SUBJECT 'subject'

For all accounts named by the statement, requires that clients present a valid X.509 certificate containing the subject subject. If a client presents a certificate that is valid but has a different subject, the server rejects the connection. Use of X.509 certificates always implies encryption, so the SSL option is unnecessary in this case.

CREATE USER 'jeffrey'@'localhost'
  REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
    O=MySQL demo client certificate/
    CN=client/emailAddress=client@example.com';

MySQL does a simple string comparison of the 'subject' value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.

Because SUBJECT implies the requirements of X509, clients must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)

CIPHER 'cipher'

For all accounts named by the statement, requires a specific cipher method for encrypting connections. This option is needed to ensure that ciphers and key lengths of sufficient strength are used. Encryption can be weak if old algorithms using short encryption keys are used.

CREATE USER 'jeffrey'@'localhost'
  REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';

MAX_QUERIES_PER_HOUR count, MAX_UPDATES_PER_HOUR count, MAX_CONNECTIONS_PER_HOUR count

For all accounts named by the statement, these options restrict how many queries, updates, and connections to the server are permitted to each account during any given one-hour period. (Queries for which results are served from the query cache do not count against the MAX_QUERIES_PER_HOUR limit.) If count is 0 (the default), this means that there is no limitation for the account.

MAX_USER_CONNECTIONS count

For all accounts named by the statement, restricts the maximum number of simultaneous connections to the server by each account. A nonzero count specifies the limit for the account explicitly. If count is 0 (the default), the server determines the number of simultaneous connections for the account from the global value of the max_user_connections system variable. If max_user_connections is also zero, there is no limit for the account.

PASSWORD EXPIRE

Immediately marks the password expired for all accounts named by the statement.

CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE;

PASSWORD EXPIRE DEFAULT

Sets all accounts named by the statement so that the global expiration policy applies, as specified by the default_password_lifetime system variable.

CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;

PASSWORD EXPIRE NEVER

This expiration option overrides the global policy for all accounts named by the statement. For each, it disables password expiration so that the password never expires.

CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;

PASSWORD EXPIRE INTERVAL N DAY

This expiration option overrides the global policy for all accounts named by the statement. For each, it sets the password lifetime to N days. The following statement requires the password to be changed every 180 days:

CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;