Movatterモバイル変換

MySQL 9.4 Reference Manual

15.7.1.3 CREATE USER Statement

CREATE USER [IF NOT EXISTS]user [auth_option] [,user [auth_option]] ...    DEFAULT ROLErole [,role ] ...    [REQUIRE {NONE |tls_option [[AND]tls_option] ...}]    [WITHresource_option [resource_option] ...]    [password_option |lock_option] ...    [COMMENT 'comment_string' | ATTRIBUTE 'json_object']user:    (see Section 8.2.4, “Specifying Account Names”)auth_option: {    IDENTIFIED BY 'auth_string' [AND2fa_auth_option]  | IDENTIFIED BY RANDOM PASSWORD [AND2fa_auth_option]  | IDENTIFIED WITHauth_plugin [AND2fa_auth_option]  | IDENTIFIED WITHauth_plugin BY 'auth_string' [AND2fa_auth_option]  | IDENTIFIED WITHauth_plugin BY RANDOM PASSWORD [AND2fa_auth_option]  | IDENTIFIED WITHauth_plugin AS 'auth_string' [AND2fa_auth_option]  | IDENTIFIED WITHauth_plugin [initial_auth_option]}2fa_auth_option: {    IDENTIFIED BY 'auth_string' [AND3fa_auth_option]  | IDENTIFIED BY RANDOM PASSWORD [AND3fa_auth_option]  | IDENTIFIED WITHauth_plugin [AND3fa_auth_option]  | IDENTIFIED WITHauth_plugin BY 'auth_string' [AND3fa_auth_option]  | IDENTIFIED WITHauth_plugin BY RANDOM PASSWORD [AND3fa_auth_option]  | IDENTIFIED WITHauth_plugin AS 'auth_string' [AND3fa_auth_option]}3fa_auth_option: {    IDENTIFIED BY 'auth_string'  | IDENTIFIED BY RANDOM PASSWORD  | IDENTIFIED WITHauth_plugin  | IDENTIFIED WITHauth_plugin BY 'auth_string'  | IDENTIFIED WITHauth_plugin BY RANDOM PASSWORD  | IDENTIFIED WITHauth_plugin AS 'auth_string'}initial_auth_option: {    INITIAL AUTHENTICATION IDENTIFIED BY {RANDOM PASSWORD | 'auth_string'}  | INITIAL AUTHENTICATION IDENTIFIED WITHauth_plugin AS 'auth_string'}tls_option: {   SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject'}resource_option: {    MAX_QUERIES_PER_HOURcount  | MAX_UPDATES_PER_HOURcount  | MAX_CONNECTIONS_PER_HOURcount  | MAX_USER_CONNECTIONScount}password_option: {    PASSWORD EXPIRE [DEFAULT | NEVER | INTERVALN DAY]  | PASSWORD HISTORY {DEFAULT |N}  | PASSWORD REUSE INTERVAL {DEFAULT |N DAY}  | PASSWORD REQUIRE CURRENT [DEFAULT | OPTIONAL]  | FAILED_LOGIN_ATTEMPTSN  | PASSWORD_LOCK_TIME {N | UNBOUNDED}}lock_option: {    ACCOUNT LOCK  | ACCOUNT UNLOCK}

TheCREATE USER statement creates new MySQL accounts. It enables authentication, role, SSL/TLS, resource-limit, password-management, comment, and attribute properties to be established for new accounts. It also controls whether accounts are initially locked or unlocked.

To useCREATE USER, you must have the globalCREATE USER privilege, or theINSERT privilege for themysql system schema. When theread_only system variable is enabled,CREATE USER additionally requires theCONNECTION_ADMIN privilege (or the deprecatedSUPER privilege).

These additional privilege considerations also apply:

Theauthentication_policy system variable places certain constraints on how the authentication-related clauses ofCREATE USER statements may be used; for details, see the description of that variable. These constraints do not apply if you have theAUTHENTICATION_POLICY_ADMIN privilege.
To create an account that uses passwordless authentication, you must have thePASSWORDLESS_USER_ADMIN privilege.

CREATE USER fails with an error if any account to be created is named as theDEFINER attribute for any stored object. (That is, the statement fails if creating an account would cause the account to adopt a currently orphaned stored object.) To perform the operation anyway, you must have theSET_ANY_DEFINER orALLOW_NONEXISTENT_DEFINER privilege; in this case, the statement succeeds with a warning rather than failing with an error. To perform the user-creation operation without either of these, drop the orphan objects, create the account and grant its privileges, and then re-create the dropped objects. For additional information, including how to identify which objects name a given account as theDEFINER attribute, seeOrphan Stored Objects.

CREATE USER either succeeds for all named users or rolls back and has no effect if any error occurs. By default, an error occurs if you try to create a user that already exists. If theIF NOT EXISTS clause is given, the statement produces a warning for each named user that already exists, rather than an error.

Important

Under some circumstances,CREATE USER may be recorded in server logs or on the client side in a history file such as~/.mysql_history, which means that cleartext passwords may be read by anyone having read access to that information. For information about the conditions under which this occurs for the server logs and how to control it, seeSection 8.1.2.3, “Passwords and Logging”. For similar information about client-side logging, seeSection 6.5.1.3, “mysql Client Logging”.

There are several aspects to theCREATE USER statement, described under the following topics:

CREATE USER Overview

For each account,CREATE USER creates a new row in themysql.user system table. The account row reflects the properties specified in the statement. Unspecified properties are set to their default values:

Authentication: The default authentication plugin (determined as described inThe Default Authentication Plugin), and empty credentials
Default role:NONE
SSL/TLS:NONE
Resource limits: Unlimited
Password management:PASSWORD EXPIRE DEFAULT PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT; failed-login tracking and temporary account locking are disabled
Account locking:ACCOUNT UNLOCK

An account when first created has no privileges and the default roleNONE. To assign privileges or roles to this account, use one or moreGRANT statements.

Each account name uses the format described inSection 8.2.4, “Specifying Account Names”. For example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'password';

The host name part of the account name, if omitted, defaults to'%'. You should be aware that, while MySQL 9.4 treats grants made to such a user as though they had been granted to'user'@'localhost', this behavior is deprecated, and thus subject to removal in a future version of MySQL.

Eachuser value naming an account may be followed by an optionalauth_option value that indicates how the account authenticates. These values enable account authentication plugins and credentials (for example, a password) to be specified. Eachauth_option value appliesonly to the account named immediately preceding it.

Following theuser specifications, the statement may include options for SSL/TLS, resource-limit, password-management, and locking properties. All such options areglobal to the statement and apply toall accounts named in the statement.

Example: Create an account that uses the default authentication plugin and the given password. Mark the password expired so that the user must choose a new one at the first connection to the server:

CREATE USER 'jeffrey'@'localhost'  IDENTIFIED BY 'new_password' PASSWORD EXPIRE;

Example: Create an account that uses thecaching_sha2_password authentication plugin and the given password. Require that a new password be chosen every 180 days, and enable failed-login tracking, such that three consecutive incorrect passwords cause temporary account locking for two days:

CREATE USER 'jeffrey'@'localhost'  IDENTIFIED WITH caching_sha2_password BY 'new_password'  PASSWORD EXPIRE INTERVAL 180 DAY  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2;

Example: Create multiple accounts, specifying some per-account properties and some global properties:

CREATE USER  'jeffrey'@'localhost' IDENTIFIED WITH caching_sha2_password                                BY 'new_password1',  'jeanne'@'localhost' IDENTIFIED WITH caching_sha2_password                                BY 'new_password2'  REQUIRE X509 WITH MAX_QUERIES_PER_HOUR 60  PASSWORD HISTORY 5  ACCOUNT LOCK;

Eachauth_option value (IDENTIFIED WITH ... BY in this case) applies only to the account named immediately preceding it, so each account uses the immediately following authentication plugin and password.

The remaining properties apply globally to all accounts named in the statement, so for both accounts:

Connections must be made using a valid X.509 certificate.
Up to 60 queries per hour are permitted.
Password changes cannot reuse any of the five most recent passwords.
The account is locked initially, so effectively it is a placeholder and cannot be used until an administrator unlocks it.

CREATE USER Authentication Options

An account name may be followed by anauth_option authentication option that specifies the account authentication plugin, credentials, or both.

Note

MySQL 9.4 supports multifactor authentication (MFA), such that accounts can have up to three authentication methods. That is, accounts can use two-factor authentication (2FA) or three-factor authentication (3FA). The syntax and semantics ofauth_option remain unchanged, butauth_option may be followed by specifications for additional authentication methods. This section describesauth_option. For details about the optional MFA-related following clauses, seeCREATE USER Multifactor Authentication Options.

Note

Clauses for random password generation apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, seeSection 8.2.15, “Password Management”.

auth_plugin names an authentication plugin. The plugin name can be a quoted string literal or an unquoted name. Plugin names are stored in theplugin column of themysql.user system table.
Forauth_option syntax that does not specify an authentication plugin, the server assigns the default plugin, determined as described inThe Default Authentication Plugin. For descriptions of each plugin, seeSection 8.4.1, “Authentication Plugins”.
Credentials that are stored internally are stored in themysql.user system table. An'auth_string' value orRANDOM PASSWORD specifies account credentials, either as a cleartext (unencrypted) string or hashed in the format expected by the authentication plugin associated with the account, respectively:
- For syntax that usesBY 'auth_string', the string is cleartext and is passed to the authentication plugin for possible hashing. The result returned by the plugin is stored in themysql.user table. A plugin may use the value as specified, in which case no hashing occurs.
- For syntax that usesBY RANDOM PASSWORD, MySQL generates a random password and as cleartext and passes it to the authentication plugin for possible hashing. The result returned by the plugin is stored in themysql.user table. A plugin may use the value as specified, in which case no hashing occurs.
  Randomly generated passwords have the characteristics described inRandom Password Generation.
- For syntax that usesAS 'auth_string', the string is assumed to be already in the format the authentication plugin requires, and is stored as is in themysql.user table. If a plugin requires a hashed value, the value must be already hashed in a format appropriate for the plugin; otherwise, the value cannot be used by the plugin and correct authentication of client connections does not occur.
  A hashed string can be either a string literal or a hexadecimal value. The latter corresponds to the type of value displayed bySHOW CREATE USER for password hashes containing unprintable characters when theprint_identified_with_as_hex system variable is enabled.
  Important
  Although we show'auth_string' with quotation marks, a hexadecimal value used for this purpose mustnot be quoted.
- If an authentication plugin performs no hashing of the authentication string, theBY 'auth_string' andAS 'auth_string' clauses have the same effect: The authentication string is stored as is in themysql.user system table.

CREATE USER permits theseauth_option syntaxes:

IDENTIFIED BY 'auth_string'
Sets the account authentication plugin to the default plugin, passes the cleartext'auth_string' value to the plugin for possible hashing, and stores the result in the account row in themysql.user system table.
IDENTIFIED BY RANDOM PASSWORD
Sets the account authentication plugin to the default plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in themysql.user system table. The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. For details about the result set and characteristics of randomly generated passwords, seeRandom Password Generation.
IDENTIFIED WITHauth_plugin
Sets the account authentication plugin toauth_plugin, clears the credentials to the empty string, and stores the result in the account row in themysql.user system table.
IDENTIFIED WITHauth_plugin BY 'auth_string'
Sets the account authentication plugin toauth_plugin, passes the cleartext'auth_string' value to the plugin for possible hashing, and stores the result in the account row in themysql.user system table.
IDENTIFIED WITHauth_plugin BY RANDOM PASSWORD
Sets the account authentication plugin toauth_plugin, generates a random password, passes the cleartext password value to the plugin for possible hashing, and stores the result in the account row in themysql.user system table. The statement also returns the cleartext password in a result set to make it available to the user or application executing the statement. For details about the result set and characteristics of randomly generated passwords, seeRandom Password Generation.
IDENTIFIED WITHauth_plugin AS 'auth_string'
Sets the account authentication plugin toauth_plugin and stores the'auth_string' value as is in themysql.user account row. If the plugin requires a hashed string, the string is assumed to be already hashed in the format the plugin requires.

Example: Specify the password as cleartext; the default plugin is used:

CREATE USER 'jeffrey'@'localhost'  IDENTIFIED BY 'password';

Example: Specify the authentication plugin, along with a cleartext password value:

CREATE USER 'jeffrey'@'localhost'  IDENTIFIED WITH caching_sha2_password BY 'password';

In each case, the password value stored in the account row is the cleartext value'password' after it has been hashed by the authentication plugin associated with the account.

For additional information about setting passwords and authentication plugins, seeSection 8.2.14, “Assigning Account Passwords”, andSection 8.2.17, “Pluggable Authentication”.

CREATE USER Multifactor Authentication Options

Theauth_option part ofCREATE USER defines an authentication method for one-factor/single-factor authentication (1FA/SFA).CREATE USER also supports multifactor authentication (MFA), such that accounts can have up to three authentication methods. That is, accounts can use two-factor authentication (2FA) or three-factor authentication (3FA).

Theauthentication_policy system variable defines constraints forCREATE USER statements with multifactor authentication (MFA) clauses. For example, theauthentication_policy setting controls the number of authentication factors that accounts may have, and for each factor, which authentication methods are permitted. SeeConfiguring the Multifactor Authentication Policy.

For information about factor-specific rules that determine the default authentication plugin for authentication clauses that name no plugin, seeThe Default Authentication Plugin.

Followingauth_option, there may appear different optional MFA clauses:

2fa_auth_option: Specifies a factor 2 authentication method. The following example definescaching_sha2_password as the factor 1 authentication method, andauthentication_ldap_sasl as the factor 2 authentication method.
```
CREATE USER 'u1'@'localhost'  IDENTIFIED WITH caching_sha2_password    BY 'sha2_password'  AND IDENTIFIED WITH authentication_ldap_sasl    AS 'uid=u1_ldap,ou=People,dc=example,dc=com';
```
3fa_auth_option: Following2fa_auth_option, there may appear a3fa_auth_option clause to specify a factor 3 authentication method. The following example definescaching_sha2_password as the factor 1 authentication method,authentication_ldap_sasl as the factor 2 authentication method, andauthentication_webauthn as the factor 3 authentication method
```
CREATE USER 'u1'@'localhost'  IDENTIFIED WITH caching_sha2_password    BY 'sha2_password'  AND IDENTIFIED WITH authentication_ldap_sasl    AS 'uid=u1_ldap,ou=People,dc=example,dc=com'  AND IDENTIFIED WITH authentication_webauthn;
```
initial_auth_option: Specifies an initial authentication method for configuring FIDO/FIDO2 passwordless authentication. As shown in the following, temporary authentication using either a generated random password or a user-specifiedauth-string is required to enable WebAuthn passwordless authentication.
```
CREATE USERuser  IDENTIFIED WITH authentication_webauthn  INITIAL AUTHENTICATION IDENTIFIED BY {RANDOM PASSWORD | 'auth_string'};
```
For information about configuring passwordless authentication using WebAuthn pluggable authentication, SeeWebAuthn Passwordless Authentication.

CREATE USER Role Options

TheDEFAULT ROLE clause defines which roles become active when the user connects to the server and authenticates, or when the user executes theSET ROLE DEFAULT statement during a session.

Each role name uses the format described inSection 8.2.5, “Specifying Role Names”. For example:

CREATE USER 'joe'@'10.0.0.1' DEFAULT ROLE administrator, developer;

The host name part of the role name, if omitted, defaults to'%'.

TheDEFAULT ROLE clause permits a list of one or more comma-separated role names. These roles must exist at the timeCREATE USER is executed; otherwise the statement raises an error (ER_USER_DOES_NOT_EXIST), and the user is not created.

CREATE USER SSL/TLS Options

MySQL can check X.509 certificate attributes in addition to the usual authentication that is based on the user name and credentials. For background information on the use of SSL/TLS with MySQL, seeSection 8.3, “Using Encrypted Connections”.

To specify SSL/TLS-related options for a MySQL account, use aREQUIRE clause that specifies one or moretls_option values.

Order ofREQUIRE options does not matter, but no option can be specified twice. TheAND keyword is optional betweenREQUIRE options.

CREATE USER permits thesetls_option values:

NONE
Indicates that all accounts named by the statement have no SSL or X.509 requirements. Unencrypted connections are permitted if the user name and password are valid. Encrypted connections can be used, at the client's option, if the client has the proper certificate and key files.
```
CREATE USER 'jeffrey'@'localhost' REQUIRE NONE;
```
Clients attempt to establish a secure connection by default. For clients that haveREQUIRE NONE, the connection attempt falls back to an unencrypted connection if a secure connection cannot be established. To require an encrypted connection, a client need specify only the--ssl-mode=REQUIRED option; the connection attempt fails if a secure connection cannot be established.
NONE is the default if no SSL-relatedREQUIRE options are specified.
SSL
Tells the server to permit only encrypted connections for all accounts named by the statement.
```
CREATE USER 'jeffrey'@'localhost' REQUIRE SSL;
```
Clients attempt to establish a secure connection by default. For accounts that haveREQUIRE SSL, the connection attempt fails if a secure connection cannot be established.
X509
For all accounts named by the statement, requires that clients present a valid certificate, but the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates. Use of X.509 certificates always implies encryption, so theSSL option is unnecessary in this case.
```
CREATE USER 'jeffrey'@'localhost' REQUIRE X509;
```
For accounts withREQUIRE X509, clients must specify the--ssl-key and--ssl-cert options to connect. (It is recommended but not required that--ssl-ca also be specified so that the public certificate provided by the server can be verified.) This is true forISSUER andSUBJECT as well because thoseREQUIRE options imply the requirements ofX509.
ISSUER 'issuer'
For all accounts named by the statement, requires that clients present a valid X.509 certificate issued by CA'issuer'. If a client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X.509 certificates always implies encryption, so theSSL option is unnecessary in this case.
```
CREATE USER 'jeffrey'@'localhost'  REQUIRE ISSUER '/C=SE/ST=Stockholm/L=Stockholm/    O=MySQL/CN=CA/emailAddress=ca@example.com';
```
BecauseISSUER implies the requirements ofX509, clients must specify the--ssl-key and--ssl-cert options to connect. (It is recommended but not required that--ssl-ca also be specified so that the public certificate provided by the server can be verified.)
SUBJECT 'subject'
For all accounts named by the statement, requires that clients present a valid X.509 certificate containing the subjectsubject. If a client presents a certificate that is valid but has a different subject, the server rejects the connection. Use of X.509 certificates always implies encryption, so theSSL option is unnecessary in this case.
```
CREATE USER 'jeffrey'@'localhost'  REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/    O=MySQL demo client certificate/    CN=client/emailAddress=client@example.com';
```
MySQL does a simple string comparison of the'subject' value to the value in the certificate, so lettercase and component ordering must be given exactly as present in the certificate.
BecauseSUBJECT implies the requirements ofX509, clients must specify the--ssl-key and--ssl-cert options to connect. (It is recommended but not required that--ssl-ca also be specified so that the public certificate provided by the server can be verified.)
CIPHER 'cipher'
For all accounts named by the statement, requires a specific cipher method for encrypting connections. This option is needed to ensure that ciphers and key lengths of sufficient strength are used. Encryption can be weak if old algorithms using short encryption keys are used.
```
CREATE USER 'jeffrey'@'localhost'  REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
```

TheSUBJECT,ISSUER, andCIPHER options can be combined in theREQUIRE clause:

CREATE USER 'jeffrey'@'localhost'  REQUIRE SUBJECT '/C=SE/ST=Stockholm/L=Stockholm/    O=MySQL demo client certificate/    CN=client/emailAddress=client@example.com'  AND ISSUER '/C=SE/ST=Stockholm/L=Stockholm/    O=MySQL/CN=CA/emailAddress=ca@example.com'  AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

CREATE USER Resource-Limit Options

It is possible to place limits on use of server resources by an account, as discussed inSection 8.2.21, “Setting Account Resource Limits”. To do so, use aWITH clause that specifies one or moreresource_option values.

Order ofWITH options does not matter, except that if a given resource limit is specified multiple times, the last instance takes precedence.

CREATE USER permits theseresource_option values:

MAX_QUERIES_PER_HOURcount,MAX_UPDATES_PER_HOURcount,MAX_CONNECTIONS_PER_HOURcount
For all accounts named by the statement, these options restrict how many queries, updates, and connections to the server are permitted to each account during any given one-hour period. Ifcount is0 (the default), this means that there is no limitation for the account.
MAX_USER_CONNECTIONScount
For all accounts named by the statement, restricts the maximum number of simultaneous connections to the server by each account. A nonzerocount specifies the limit for the account explicitly. Ifcount is0 (the default), the server determines the number of simultaneous connections for the account from the global value of themax_user_connections system variable. Ifmax_user_connections is also zero, there is no limit for the account.

Example:

CREATE USER 'jeffrey'@'localhost'  WITH MAX_QUERIES_PER_HOUR 500 MAX_UPDATES_PER_HOUR 100;

CREATE USER Password-Management Options

CREATE USER supports severalpassword_option values for password management:

Password expiration options: You can expire an account password manually and establish its password expiration policy. Policy options do not expire the password. Instead, they determine how the server applies automatic expiration to the account based on password age, which is assessed from the date and time of the most recent account password change.
Password reuse options: You can restrict password reuse based on number of password changes, time elapsed, or both.
Password verification-required options: You can indicate whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password.
Incorrect-password failed-login tracking options: You can cause the server to track failed login attempts and temporarily lock accounts for which too many consecutive incorrect passwords are given. The required number of failures and the lock time are configurable.

This section describes the syntax for password-management options. For information about establishing policy for password management, seeSection 8.2.15, “Password Management”.

If multiple password-management options of a given type are specified, the last one takes precedence. For example,PASSWORD EXPIRE DEFAULT PASSWORD EXPIRE NEVER is the same asPASSWORD EXPIRE NEVER.

Note

Except for the options that pertain to failed-login tracking, password-management options apply only to accounts that use an authentication plugin that stores credentials internally to MySQL. For accounts that use a plugin that performs authentication against a credentials system that is external to MySQL, password management must be handled externally against that system as well. For more information about internal credentials storage, seeSection 8.2.15, “Password Management”.

A client has an expired password if the account password was expired manually or the password age is considered greater than its permitted lifetime per the automatic expiration policy. In this case, the server either disconnects the client or restricts the operations permitted to it (seeSection 8.2.16, “Server Handling of Expired Passwords”). Operations performed by a restricted client result in an error until the user establishes a new account password.

CREATE USER permits thesepassword_option values for controlling password expiration:

PASSWORD EXPIRE
Immediately marks the password expired for all accounts named by the statement.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE;
```
PASSWORD EXPIRE DEFAULT
Sets all accounts named by the statement so that the global expiration policy applies, as specified by thedefault_password_lifetime system variable.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;
```
PASSWORD EXPIRE NEVER
This expiration option overrides the global policy for all accounts named by the statement. For each, it disables password expiration so that the password never expires.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;
```
PASSWORD EXPIRE INTERVALN DAY
This expiration option overrides the global policy for all accounts named by the statement. For each, it sets the password lifetime toN days. The following statement requires the password to be changed every 180 days:
```
CREATE USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 180 DAY;
```

CREATE USER permits thesepassword_option values for controlling reuse of previous passwords based on required minimum number of password changes:

PASSWORD HISTORY DEFAULT
Sets all accounts named by the statement so that the global policy about password history length applies, to prohibit reuse of passwords before the number of changes specified by thepassword_history system variable.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD HISTORY DEFAULT;
```
PASSWORD HISTORYN
This history-length option overrides the global policy for all accounts named by the statement. For each, it sets the password history length toN passwords, to prohibit reusing any of theN most recently chosen passwords. The following statement prohibits reuse of any of the previous 6 passwords:
```
CREATE USER 'jeffrey'@'localhost' PASSWORD HISTORY 6;
```

CREATE USER permits thesepassword_option values for controlling reuse of previous passwords based on time elapsed:

PASSWORD REUSE INTERVAL DEFAULT
Sets all statements named by the account so that the global policy about time elapsed applies, to prohibit reuse of passwords newer than the number of days specified by thepassword_reuse_interval system variable.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL DEFAULT;
```
PASSWORD REUSE INTERVALN DAY
This time-elapsed option overrides the global policy for all accounts named by the statement. For each, it sets the password reuse interval toN days, to prohibit reuse of passwords newer than that many days. The following statement prohibits password reuse for 360 days:
```
CREATE USER 'jeffrey'@'localhost' PASSWORD REUSE INTERVAL 360 DAY;
```

CREATE USER permits thesepassword_option values for controlling whether attempts to change an account password must specify the current password, as verification that the user attempting to make the change actually knows the current password:

PASSWORD REQUIRE CURRENT
This verification option overrides the global policy for all accounts named by the statement. For each, it requires that password changes specify the current password.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT;
```
PASSWORD REQUIRE CURRENT OPTIONAL
This verification option overrides the global policy for all accounts named by the statement. For each, it does not require that password changes specify the current password. (The current password may but need not be given.)
```
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT OPTIONAL;
```
PASSWORD REQUIRE CURRENT DEFAULT
Sets all statements named by the account so that the global policy about password verification applies, as specified by thepassword_require_current system variable.
```
CREATE USER 'jeffrey'@'localhost' PASSWORD REQUIRE CURRENT DEFAULT;
```

CREATE USER permits thesepassword_option values for controlling failed-login tracking:

FAILED_LOGIN_ATTEMPTSN
Whether to track account login attempts that specify an incorrect password.N must be a number from 0 to 32767. A value of 0 disables failed-login tracking. Values greater than 0 indicate how many consecutive password failures cause temporary account locking (ifPASSWORD_LOCK_TIME is also nonzero).
PASSWORD_LOCK_TIME {N | UNBOUNDED}
How long to lock the account after too many consecutive login attempts provide an incorrect password.N must be a number from 0 to 32767, orUNBOUNDED. A value of 0 disables temporary account locking. Values greater than 0 indicate how long to lock the account in days. A value ofUNBOUNDED causes the account locking duration to be unbounded; once locked, the account remains in a locked state until unlocked. For information about the conditions under which unlocking occurs, seeFailed-Login Tracking and Temporary Account Locking.

For failed-login tracking and temporary locking to occur, an account'sFAILED_LOGIN_ATTEMPTS andPASSWORD_LOCK_TIME options both must be nonzero. The following statement creates an account that remains locked for two days after four consecutive password failures:

CREATE USER 'jeffrey'@'localhost'  FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 2;

CREATE USER Comment and Attribute Options

You can also include an optional comment or attribute when creating a user, as described here:

User comment
To set a user comment, addCOMMENT 'user_comment' to theCREATE USER statement, whereuser_comment is the text of the user comment.
Example (omitting any other options):
```
CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon';
```
User attribute
A user attribute is a JSON object made up of one or more key-value pairs, and is set by includingATTRIBUTE 'json_object' as part ofCREATE USER.json_object must be a valid JSON object.
Example (omitting any other options):
```
CREATE USER 'jim'@'localhost'    ATTRIBUTE '{"fname": "James", "lname": "Scott", "phone": "123-456-7890"}';
```

User comments and user attributes are stored together in theATTRIBUTE column of the Information SchemaUSER_ATTRIBUTES table. This query displays the row in this table inserted by the statement just shown for creating the userjim@localhost:

mysql> SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES    ->    WHERE USER = 'jim' AND HOST = 'localhost'\G*************************** 1. row ***************************     USER: jim     HOST: localhostATTRIBUTE: {"fname": "James", "lname": "Scott", "phone": "123-456-7890"}1 row in set (0.00 sec)

TheCOMMENT option in actuality provides a shortcut for setting a user attribute whose only element hascomment as its key and whose value is the argument supplied for the option. You can see this by executing the statementCREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon', and observing the row which it inserts into theUSER_ATTRIBUTES table:

mysql> CREATE USER 'jon'@'localhost' COMMENT 'Some information about Jon';Query OK, 0 rows affected (0.06 sec)mysql> SELECT * FROM INFORMATION_SCHEMA.USER_ATTRIBUTES    ->    WHERE USER = 'jon' AND HOST = 'localhost';+------+-----------+-------------------------------------------+| USER | HOST      | ATTRIBUTE                                 |+------+-----------+-------------------------------------------+| jon  | localhost | {"comment": "Some information about Jon"} |+------+-----------+-------------------------------------------+1 row in set (0.00 sec)

You cannot useCOMMENT andATTRIBUTE together in the sameCREATE USER statement; attempting to do so causes a syntax error. To set a user comment concurrently with setting a user attribute, useATTRIBUTE and include in its argument a value with acomment key, like this:

mysql> CREATE USER 'bill'@'localhost'    ->        ATTRIBUTE '{"fname":"William", "lname":"Schmidt",    ->        "comment":"Website developer"}';Query OK, 0 rows affected (0.16 sec)

Since the content of theATTRIBUTE row is a JSON object, you can employ any appropriate MySQL JSON functions or operators to manipulate it, as shown here:

mysql> SELECT    ->   USER AS User,    ->   HOST AS Host,    ->   CONCAT(ATTRIBUTE->>"$.fname"," ",ATTRIBUTE->>"$.lname") AS 'Full Name',    ->   ATTRIBUTE->>"$.comment" AS Comment    -> FROM INFORMATION_SCHEMA.USER_ATTRIBUTES    -> WHERE USER='bill' AND HOST='localhost';+------+-----------+-----------------+-------------------+| User | Host      | Full Name       | Comment           |+------+-----------+-----------------+-------------------+| bill | localhost | William Schmidt | Website developer |+------+-----------+-----------------+-------------------+1 row in set (0.00 sec)

To set or to make changes in the user comment or user attribute for an existing user, you can use aCOMMENT orATTRIBUTE option with anALTER USER statement.

Because the user comment and user attribute are stored together internally in a singleJSON column, this sets an upper limit on their maximum combined size; seeJSON Storage Requirements, for more information.

See also the description of the Information SchemaUSER_ATTRIBUTES table for more information and examples.

CREATE USER Account-Locking Options

MySQL supports account locking and unlocking using theACCOUNT LOCK andACCOUNT UNLOCK options, which specify the locking state for an account. For additional discussion, seeSection 8.2.20, “Account Locking”.

If multiple account-locking options are specified, the last one takes precedence.

CREATE USER Binary Logging

CREATE USER is written to the binary log if it succeeds, but not if it fails; in that case, rollback occurs and no changes are made. A statement written to the binary log includes all named users. If theIF NOT EXISTS clause is given, this includes even users that already exist and were not created.

The statement written to the binary log specifies an authentication plugin for each user, determined as follows:

The plugin named in the original statement, if one was specified.
Otherwise, the default authentication plugin. In particular, if a useru1 already exists and uses a nondefault authentication plugin, the statement written to the binary log forCREATE USER IF NOT EXISTS u1 names the default authentication plugin. (If the statement written to the binary log must specify a nondefault authentication plugin for a user, include it in the original statement.)

If the server adds the default authentication plugin for any nonexisting users in the statement written to the binary log, it writes a warning to the error log naming those users.

If the original statement specifies theFAILED_LOGIN_ATTEMPTS orPASSWORD_LOCK_TIME option, the statement written to the binary log includes the option.

CREATE USER statements with clauses that support multifactor authentication (MFA) are written to the binary log.

CREATE USER ... IDENTIFIED WITH .. INITIAL AUTHENTICATION IDENTIFIED WITH ... statements are written to the binary log asCREATE USER .. IDENTIFIED WITH .. INITIAL AUTHENTICATION IDENTIFIED WITH .. AS 'password-hash', where thepassword-hash is the user-specifiedauth-string or the random password generated by server when theRANDOM PASSWORD clause is specified.

PREV HOME UP NEXT