Documentation Home
MySQL 8.0 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 32.3Mb
PDF (A4) - 32.3Mb
PDF (RPM) - 30.4Mb
HTML Download (TGZ) - 7.8Mb
HTML Download (Zip) - 7.8Mb
HTML Download (RPM) - 6.7Mb
Man Pages (TGZ) - 142.5Kb
Man Pages (Zip) - 201.7Kb
Info (Gzip) - 3.0Mb
Info (Zip) - 3.0Mb


Pre-General Availability Draft: 2017-05-25

14.7.1.3 CREATE USER Syntax

CREATE USER [IF NOT EXISTS]
    user [auth_option] [, user [auth_option]] ...
    [REQUIRE {NONE | tls_option [[AND] tls_option] ...}]
    [WITH resource_option [resource_option] ...]
    [password_option | lock_option] ...

user:
    (see Section 7.2.4, “Specifying Account Names”)

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin BY 'auth_string'
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

tls_option: {
   SSL
 | X509
 | CIPHER 'cipher'
 | ISSUER 'issuer'
 | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

password_option: {
    PASSWORD EXPIRE
  | PASSWORD EXPIRE DEFAULT
  | PASSWORD EXPIRE NEVER
  | PASSWORD EXPIRE INTERVAL N DAY
}

lock_option: {
    ACCOUNT LOCK
  | ACCOUNT UNLOCK
}

The CREATE USER statement creates new MySQL accounts. It enables authentication, SSL/TLS, resource-limit, and password-expiration properties to be established for new accounts, and controls whether accounts are initially locked or unlocked.

An account when first created has no privileges and a default role of NONE.

To use CREATE USER, you must have the global CREATE USER privilege, or the INSERT privilege for the mysql database. When the read_only system variable is enabled, CREATE USER additionally requires the SUPER privilege.

CREATE USER either succeeds for all named users or rolls back and has no effect if any error occurs. By default, an error occurs if you try to create a user that already exists. If the IF NOT EXISTS clause is given, the statement produces a warning for each named user that already exists, rather than an error.

The statement is written to the binary log if it succeeds, but not if it fails; in that case, rollback occurs and no changes are made. A statement written to the binary log includes all named users. If the IF NOT EXISTS clause is given, this includes even users that already exist and were not created.

The statement written to the binary log specifies an authentication plugin for each user, determined as follows:

  • The plugin named in the original statement, if one was specified.

  • Otherwise, the default authentication plugin. In particular, if a user u1 already exists and uses a nondefault authentication plugin, the statement written to the binary log for CREATE USER IF NOT EXISTS u1 names the default authentication plugin. (If the statement written to the binary log must specify a nondefault authentication plugin for a user, include it in the original statement.)

If the server adds the default authentication plugin for any nonexisting users in the statement written to the binary log, it writes a warning to the error log naming those users.

For each account, CREATE USER creates a new row in the mysql.user table. The row reflects the properties specified in the statement. Unspecified properties are set to their default values.

Example 1: Create an account that uses the default authentication plugin and the given password. Mark the password expired so that the user must choose a new one at the first connection to the server:

CREATE USER 'jeffrey'@'localhost'
  IDENTIFIED BY 'new_password' PASSWORD EXPIRE;

Example 2: Create an account that uses the sha256_password authentication plugin and the given password. Require that a new password be chosen every 180 days:

CREATE USER 'jeffrey'@'localhost'
  IDENTIFIED WITH sha256_password BY 'new_password'
  PASSWORD EXPIRE INTERVAL 180 DAY;
Important

Under some circumstances, CREATE USER may be recorded in server logs or on the client side in a history file such as ~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. For information about the conditions under which this occurs for the server logs and how to control it, see Section 7.1.2.3, “Passwords and Logging”. For similar information about client-side logging, see Section 5.5.1.3, “mysql Logging”.

For additional information about setting passwords and authentication plugins, see Section 7.3.6, “Assigning Account Passwords”, and Section 7.3.9, “Pluggable Authentication”.

Each account name uses the format described in Section 7.2.4, “Specifying Account Names”. For example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

The host name part of the account name, if omitted, defaults to '%'.

Each user value naming an account may be followed by an optional auth_option value that specifies how the account authenticates. These values enable account authentication plugins and credentials (passwords) to be specified. Each auth_option value applies only to the user named immediately preceding it.

Following the user specifications, the statement may include options for SSL/TLS, resource-limit, password-expiration, and locking properties. All these options are global to the statement and apply to all named users.

Example: This statement creates two accounts, each with the default authentication plugin and named password. For both accounts, connections must be made using a valid X509 certificate and up to 60 queries per hour are permitted. Both accounts are locked initially, so effectively they are placeholders and cannot be used until an administrator unlocks them:

CREATE USER
  'jeffrey'@'localhost' IDENTIFIED BY 'new_password1',
  'jeanne'@'localhost' IDENTIFIED BY 'new_password2'
  REQUIRE X509 WITH MAX_QUERIES_PER_HOUR 60
  ACCOUNT LOCK;

For omitted options, these default values are used:

  • Authentication: The authentication plugin defined by the default_authentication_plugin system variable, and empty credentials

  • SSL/TLS: NONE

  • Resource limits: Unlimited

  • Password expiration: PASSWORD EXPIRE DEFAULT

  • Account locking: ACCOUNT UNLOCK

There are several aspects to the CREATE USER statement, described under the following topics in this section:

Authentication Options

An account name may be followed by an authentication option that specifies the account authentication plugin, credentials, or both:

  • auth_plugin names an authentication plugin. The plugin name can be a quoted string literal or an unquoted name. Plugin names are stored in the plugin column of the mysql.user table.

  • 'auth_string' or 'hash_string' specifiy account credentials, either as cleartext or hashed in the format expected by the authentication plugin, respectively. Credentials are stored in the authentication_string column of the mysql.user table.

CREATE USER permits these auth_option syntaxes:

  • IDENTIFIED BY 'auth_string'

    Sets the account authentication plugin to the default plugin, hashes the cleartext 'auth_string' value, and stores the result in the mysql.user account row.

  • IDENTIFIED BY PASSWORD 'hash_string'

    Sets the account authentication plugin to the default plugin, takes the hashed 'hash_string' value as is, and stores the result in the mysql.user account row. The string is assumed to be already hashed in the format required by the plugin.

    Note

    This syntax is deprecated and will be removed in a future MySQL release.

  • IDENTIFIED WITH auth_plugin

    Sets the account authentication plugin to auth_plugin, clears the credentials to the empty string, and stores the result in the mysql.user account row.

  • IDENTIFIED WITH auth_plugin BY 'auth_string'

    Sets the account authentication plugin to auth_plugin, hashes the cleartext 'auth_string' value, and stores the result in the mysql.user account row.

  • IDENTIFIED WITH auth_plugin AS 'hash_string'

    Sets the account authentication plugin to auth_plugin, takes the 'hash_string' value as is, and stores the result in the mysql.user account row. The string is assumed to be already hashed in the format required by the plugin.

The default plugin is mysql_native_password unless the default_authentication_plugin system variable is set otherwise. For descriptions of each plugin, see Section 7.5.1, “Authentication Plugins”.

Example 1: Specify the password as cleartext; the default plugin is used:

CREATE USER 'jeffrey'@'localhost'
  IDENTIFIED BY 'mypass';

Example 2: Specify the authentication plugin, along with a cleartext password value:

CREATE USER 'jeffrey'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'mypass';
SSL/TLS Options

MySQL can check X509 certificate attributes in addition to the usual authentication that is based on the user name and credentials. For background information on the use of SSL/TLS with MySQL, see Section 7.4, “Using Secure Connections”.

To specify SSL/TLS-related options for a MySQL account, use a REQUIRE clause that specifies one or more tls_option values:

CREATE USER permits these tls_option values:

  • NONE

    Indicates that the account has no SSL or X509 requirements. Unencrypted connections are permitted if the user name and password are valid. However, encrypted connections can also be used, at the client's option, if the client has the proper certificate and key files.

    A client need specify only the --ssl-mode=REQUIRED option to obtain an encrypted connection. The connection attempt fails if an encrypted connection cannot be established.

  • SSL

    Tells the server to permit only encrypted connections for the account.

    CREATE USER 'jeffrey'@'localhost' REQUIRE SSL;
    

    A client need specify only the --ssl-mode=REQUIRED option to obtain an encrypted connection. The connection attempt fails if an encrypted connection cannot be established.

  • X509

    Requires that the client must have a valid certificate but the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates. Use of X509 certificates always implies encryption, so the SSL option is unnecessary in this case.

    CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
    

    The client must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.) This is true for ISSUER and SUBJECT as well because those REQUIRE options imply the requirements of X509.

  • ISSUER 'issuer'

    Places the restriction on connection attempts that the client must present a valid X509 certificate issued by CA 'issuer'. If the client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X509 certificates always implies encryption, so the SSL option is unnecessary in this case.

    Because ISSUER implies the requirements of X509, the client must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)

    CREATE USER 'jeffrey'@'localhost'
      REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
        O=MySQL/CN=CA/emailAddress=ca@example.com';
    
  • SUBJECT 'subject'

    Places the restriction on connection attempts that the client must present a valid X509 certificate containing the subject subject. If the client presents a certificate that is valid but has a different subject, the server rejects the connection. Use of X509 certificates always implies encryption, so the SSL option is unnecessary in this case.

    Because SUBJECT implies the requirements of X509, the client must specify the --ssl-key and --ssl-cert options to connect. (It is recommended but not required that --ssl-ca also be specified so that the public certificate provided by the server can be verified.)

    CREATE USER 'jeffrey'@'localhost'
      REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
        O=MySQL demo client certificate/
        CN=client/emailAddress=client@example.com';
    

    MySQL does a simple string comparison of the 'subject' value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.

    Note

    Regarding emailAddress, see the note in the description of REQUIRE ISSUER.

  • CIPHER 'cipher'

    Requests a specific cipher method for encrypting connections. This option is needed to ensure that ciphers and key lengths of sufficient strength are used. Encryption can be weak if old algorithms using short encryption keys are used.

    CREATE USER 'jeffrey'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
    

The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause:

CREATE USER 'jeffrey'@'localhost'
  REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/
    O=MySQL demo client certificate/
    CN=client/emailAddress=client@example.com'
  AND ISSUER '/C=SE/ST=Stockholm/L=Stockholm/
    O=MySQL/CN=CA/emailAddress=ca@example.com'
  AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

The order of the options does not matter, but no option can be specified twice. The AND keyword is optional between REQUIRE options.

Resource-Limit Options

It is possible to place limits on use of server resources by an account, as discussed in Section 7.3.5, “Setting Account Resource Limits”. To do so, use a WITH clause that specifies one or more resource_option values.

CREATE USER permits these resource_option values:

  • MAX_QUERIES_PER_HOUR count, MAX_UPDATES_PER_HOUR count, MAX_CONNECTIONS_PER_HOUR count

    These options restrict the number of queries, updates, and connections to the server permitted to this account during any given one-hour period. (Queries for which results are served from the query cache do not count against the MAX_QUERIES_PER_HOUR limit.) If count is 0 (the default), this means that there is no limitation for the account.

  • MAX_USER_CONNECTIONS count

    Restricts the maximum number of simultaneous connections to the server by the account. A nonzero count specifies the limit for the account explicitly. If count is 0 (the default), the server determines the number of simultaneous connections for the account from the global value of the max_user_connections system variable. If max_user_connections is also zero, there is no limit for the account.

Example:

CREATE USER 'jeffrey'@'localhost'
  WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;

If a given resource limit is specified multiple times, the last instance takes precedence.

Password-Expiration Options

CREATE USER supports several password_option values for password expiration management, to either expire an account password or establish its password expiration policy. Policy options do not expire the password; instead, they determine how the server applies automatic expiration to the account (see Section 7.3.7, “Password Expiration Policy”).

The lifetime of a password is assessed from the date and time it was last changed.

CREATE USER permits these password_option values:

  • PASSWORD EXPIRE

    Expires the account password.

    CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
    
  • PASSWORD EXPIRE DEFAULT

    Sets the account so that the global expiration policy applies, as specified by the default_password_lifetime system variable.

    CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;
    
  • PASSWORD EXPIRE NEVER

    Disables password expiration for the account so that its password never expires.

    CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;
    
  • PASSWORD EXPIRE INTERVAL N DAY

    Sets the account password lifetime to N days. This statement requires the password to be changed every 180 days:

    CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;
    

If multiple password-expiration options are specified, the last one takes precedence.

A client session operates in restricted mode if the account password was expired manually or if the password is considered past its lifetime per the automatic expiration policy. In restricted mode, operations performed within the session result in an error until the user establishes a new account password. See Section 7.3.7, “Password Expiration Policy”.

Account-Locking Options

MySQL supports account locking and unlocking using the ACCOUNT LOCK and ACCOUNT UNLOCK options, which specify the locking state for an account. For additional discussion, see Section 7.3.11, “User Account Locking”.

If multiple account-locking options are specified, the last one takes precedence.


User Comments
  Posted by Andrew Bikadorov on March 19, 2015
-- Create Admin user allow access from anywhere, remove WITH GRANT OPTION and change ALL PRIVILEGES to SELECT,INSERT,UPDATE,DELETE or/and other if not admin user is needed
GRANT ALL PRIVILEGES ON *.* TO 'UserName'@'%' IDENTIFIED BY 'UnencriptedPa55w0RdHeRe' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Sign Up Login You must be logged in to post a comment.