CREATE USERuser_specification[,user_specification] ...user_specification:user[ IDENTIFIED BY [PASSWORD] 'password' | IDENTIFIED WITHauth_plugin[AS 'auth_string'] ]
The CREATE USER statement creates
new MySQL accounts. To use it, you must have the global
CREATE USER privilege or the
INSERT privilege for the
mysql database. For each account,
CREATE USER creates a new row in
the mysql.user table and assigns the account
no privileges. An error occurs if the account already exists.
Each account name uses the format described in Section 5.4.3, “Specifying Account Names”. For example:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
If you specify only the user name part of the account name, a
host name part of '%' is used.
The user specification may indicate how the user should authenticate when connecting to the server:
To enable the user to connect with no password (which is insecure), include no
IDENTIFIED BYclause:CREATE USER 'jeffrey'@'localhost';
In this case, the server uses built-in authentication and clients must provide no password.
To assign a password, use
IDENTIFIED BYwith the literal plaintext password value:CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
The server uses built-in authentication and clients must match the given password.
To avoid specifying the plaintext password if you know its hash value (the value that
PASSWORD()would return for the password), specify the hash value preceded by the keywordPASSWORD:CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
The server uses built-in authentication and clients must match the given password.
If the account should authenticate using a specific authentication plugin, use
IDENTIFIED WITH.auth_pluginis an authentication plugin name. It can be an unquoted name or a quoted string literal.'is an optional quoted string literal to pass to the plugin. The plugin interprets the meaning of the string.auth_string'CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH my_auth_plugin;
The server uses the named plugin and clients must provide credentials as required for the authentication method that the plugin implements. If the server cannot find the plugin, an error occurs.
IDENTIFIED WITHcan be given as of MySQL 5.5.7.
The IDENTIFIED BY and IDENTIFIED
WITH clauses are mutually exclusive, so at most one of
them can be specified for a given user.
For additional information about setting passwords, see Section 5.5.5, “Assigning Account Passwords”.
CREATE USER may be recorded in
server logs or in a history file such as
~/.mysql_history, which means that
plaintext passwords may be read by anyone having read access
to that information. See Section 5.3.2, “Password Security in MySQL”.
Some releases of MySQL introduce changes to the structure of the grant tables to add new privileges or features. Whenever you update to a new version of MySQL, you should update your grant tables to make sure that they have the current structure so that you can take advantage of any new capabilities. See Section 4.4.7, “mysql_upgrade — Check Tables for MySQL Upgrade”.