MySQL supports locking and unlocking user accounts using the
ACCOUNT LOCK
and ACCOUNT
UNLOCK
clauses for the CREATE
USER
and ALTER USER
statements:
When used with
CREATE USER
, these clauses specify the initial locking state for a new account. In the absence of either clause, the account is created in an unlocked state.If the
validate_password
plugin is enabled, it does not permit creating an account without a password, even if the account is locked. See Section 6.4.3, “The Password Validation Plugin”.When used with
ALTER USER
, these clauses specify the new locking state for an existing account. In the absence of either clause, the account locking state remains unchanged.
Account locking state is recorded in the
account_locked
column of the
mysql.user
system table. The output from
SHOW CREATE USER
indicates whether
an account is locked or unlocked.
If a client attempts to connect to a locked account, the attempt
fails. The server increments the
Locked_connects
status variable
that indicates the number of attempts to connect to a locked
account, returns an
ER_ACCOUNT_HAS_BEEN_LOCKED
error,
and writes a message to the error log:
Access denied for user 'user_name'@'host_name'.
Account is locked.
Locking an account does not affect being able to connect using a
proxy user that assumes the identity of the locked account. It
also does not affect the ability to execute stored programs or
views that have a DEFINER
attribute naming the
locked account. That is, the ability to use a proxied account or
stored programs or views is not affected by locking the account.
The account-locking capability depends on the presence of the
account_locked
column in the
mysql.user
system table. For upgrades from
MySQL versions older than 5.7.6, perform the MySQL upgrade
procedure to ensure that this column exists. See
Section 2.10, “Upgrading MySQL”. For nonupgraded installations that
have no account_locked
column, the server
treats all accounts as unlocked, and using the ACCOUNT
LOCK
or ACCOUNT UNLOCK
clauses
produces an error.