MySQL 如何设置密码过期

MySQL 从 5.6.6 版本开始，支持密码过期功能，在 mysql.user 表中添加 password_expired 功能 [1]，这样用户可以像 Oracle 一样设置密码自动过期。 从 MySQL 5.7.4 开始，增加了新的参数 default_password_lifetime [2]，允许全局的为数据库中的用户设置密码过期策略。

初始创建用户，我们可以看到密码默认不过期，最近一次修改密码的时间为 2022-04-07 14:30:32。

mysql> create user rudonx1@'%' identified by 'xxxxxxxx';
Query OK, 0 rows affected (0.04 sec)

mysql> select user,host,password_expired,password_last_changed,password_lifetime from mysql.user where user='rudonx1';
+---------+------+------------------+-----------------------+-------------------+
| user    | host | password_expired | password_last_changed | password_lifetime |
+---------+------+------------------+-----------------------+-------------------+
| rudonx1 | %    | N                | 2022-04-07 14:30:32   |              NULL |
+---------+------+------------------+-----------------------+-------------------+
1 row in set (0.03 sec)

1. 设置密码 60 天过期

mysql> ALTER USER 'rudonx1'@'%' PASSWORD EXPIRE INTERVAL 60 DAY;
Query OK, 0 rows affected (0.03 sec)

mysql> select user,host,password_expired,password_last_changed,password_lifetime from mysql.user where user='rudonx1';
+---------+------+------------------+-----------------------+-------------------+
| user    | host | password_expired | password_last_changed | password_lifetime |
+---------+------+------------------+-----------------------+-------------------+
| rudonx1 | %    | N                | 2022-04-07 14:30:32   |                60 |
+---------+------+------------------+-----------------------+-------------------+
1 row in set (0.02 sec)
```
`
### 2. 设置密码立即过期
```sql
mysql> ALTER USER 'rudonx1'@'%' PASSWORD EXPIRE;
Query OK, 0 rows affected (0.02 sec)
```

设置账号密码过期后，会发现我们可以登录到命令行，但是在执行命令时出现密码过期的提示
```sql
(base) [root@ip-10-0-0-22 ~]# mysql -h xx.xx.xx.xx  -urudonx1 -p'xxxxxx'
mysql>

mysql> select user,host,password_expired,password_last_changed,password_lifetime from mysql.user where user='rudonx1';
ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords.

在之前的版本，如 5.7.19 中，密码过期提示为：

ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
```

前面我们先设置了 60 天的过期时间，随后使用户自动过期，查看 MySQL user 表，如下：
```sql
mysql> select user,host,password_expired,password_last_changed,password_lifetime from mysql.user where user='rudonx1';
+---------+------+------------------+-----------------------+-------------------+
| user    | host | password_expired | password_last_changed | password_lifetime |
+---------+------+------------------+-----------------------+-------------------+
| rudonx1 | %    | Y                | 2022-04-07 14:30:32   |                60 |
+---------+------+------------------+-----------------------+-------------------+
1 row in set (0.03 sec)
```

### 3. default_password_lifetime 和 手动修改 PASSWORD EXPIRE 优先级问题
当我们手动运行 `ALTER USER 'rudonx1'@'%' PASSWORD EXPIRE INTERVAL 30 DAY` 和 设置 全局参数 `default_password_lifetime = 60`，会发现手动设置的优先级更高。
```sql
mysql> show variables like 'default_password_lifetime';
+---------------------------+-------+
| Variable_name             | Value |
+---------------------------+-------+
| default_password_lifetime | 60    |
+---------------------------+-------+
1 row in set (0.00 sec)

mysql> ALTER USER 'rudonx1'@'%' PASSWORD EXPIRE INTERVAL 30 DAY;
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password_expired,password_last_changed,password_lifetime from mysql.user where user like '%rudonx1%';
+-----------+------+------------------+-----------------------+-------------------+
| user      | host | password_expired | password_last_changed | password_lifetime |
+-----------+------+------------------+-----------------------+-------------------+
| rudonx12  | %    | N                | 2022-01-09 12:54:10   |              NULL |
| rudonx111 | %    | N                | 2022-02-09 02:42:33   |              NULL |
| rudonx1   | %    | N                | 2022-04-07 07:38:59   |                30 |
+-----------+------+------------------+-----------------------+-------------------+
3 rows in set (0.00 sec)
```

# 如何解决密码过期的问题
当您发现用户密码过期之后，您可以使用最高权限的用户进行密码重置，命令如下：
```sql
mysql> alter user rudonx1@'%' identified by 'xxxxxx';
Query OK, 0 rows affected (0.03 sec)
```

同时，火山引擎 RDS for MySQL 提供了控制台操作的方法，您只需要在 "账号管理" 部分找到被锁定的用户，重置密码即可，对于主用户也是同样的操作。
# 参考文档
[1] [https://dev.mysql.com/doc/refman/5.6/en/expired-password-handling.html](https://dev.mysql.com/doc/refman/5.6/en/expired-password-handling.html)
[2] [https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-4.html](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-4.html)
**如果您有其他问题，欢迎您联系火山引擎**[技术支持服务](https://console.volcengine.com/ticket/createTicketV2/)