Mysql 大量 unauthenticated user

MySQL的文档:http://dev.mysql.com/doc/refman/5.0/en/dns.html

MySQL处理用户连接时进行如下过程来验证用户的合法性:

 

1 When a new client connects to mysqld, mysqld spawns a new thread to handle the request. This thread first checks whether the host name is in the host name cache. If not, the thread attempts to resolve the host name: 
2 
3 The thread takes the IP address and resolves it to a host name (using gethostbyaddr()). It then takes that host name and resolves it back to the IP address (using gethostbyname()) and compares to ensure it is the original IP address.

 

 

即:先作反向解析IP>Hostname,然后作Hostname>IP的正向解析。如果结果符合,则验证为合法用户允许登录,如果不符合则定义为“unauthenticated user”。

 

1 eg: If your client machine is called 'foo.domain.com' with IP 1.2.3.4, you might set up grants on your remote MySQL server like this:
2 
3 grant select on dbname.* to [email]username@foo.domain.com[/email] identified by 'somepassword'
4 
5 But when you try to connect from foo.domain.com you find you get the error "Host '1.2.3.4' is not allowed to connect to this MySQL server"
6 
7 This is because a reverse lookup of 1.2.3.4 may in fact return a fully qualified domain name of 4-3-2-1.isp.otherdomain.com, ie something *other* than foo.domain.com.
8 
9 So stick to granting access by IP, not hostname, unless your forward and reverse lookups match.

 

 

 

所以建议创建用户权限的时候,不要使用hostname作为限制而是直接用IP;更干脆的话就主机不配置DNS Server。
MySQL的文档:http://dev.mysql.com/doc/refman/5.0/en/dns.html

手册中的解释是:unauthenticated user refers to a thread that has become associated with a client connection but for which authentication of the client user has not yet been done。意即:有一个线程在处理客户端的连接,但是该客户端还没通过用户验证。

解决办法有:

  1. 在 hosts 中添加客户端ip,如
    192.168.0.1  yejr
  2. MySQL启动参数增加一个skip-name-resolve,即不启用DNS反响解析
  3. 服务器的线程还处于排队状态,因此可以加大 back_log

back_log在手册中是这样描述的:

The number of outstanding connection requests MySQL can have. This comes into play when the main MySQL thread gets very many connection requests in a very short time. It then takes some time (although very little) for the main thread to check the connection and start a new thread. The back_log value indicates how many requests can be stacked during this short time before MySQL momentarily stops answering new requests. You need to increase this only if you expect a large number of connections in a short period of time.

In other words, this value is the size of the listen queue for incoming TCP/IP connections. Your operating system has its own limit on the size of this queue. The manual page for the Unix listen() system call should have more details. Check your OS documentation for the maximum value for this variable. back_log cannot be set higher than your operating system limit.

意思是:back_log意味着mysql连接队列中允许存放的最大连接请求数。

  这种情况发生在mysql的主线程在短时间内有大量连接请求。mysql的主线程需要花费一点时间(虽然很短)来检查连接并且创建一个新的线程。back_log意味着mysql连接队列中允许存放的最大连接请求数。如果你想在短时间内有大量连接的话,那就增大这个值吧!

  换句话说,back_log就是传入tcp/ip连接监听队列的大小。你的操作系统有它自己的对这个值的限制。Unix的listen()系统调用的帮助页上有详细的介绍。检查你的系统文档看看对这个变量的限制。back_log的值不能超过操作系统中对tcp/ip监听数的限制。

posted @ 2010-09-14 11:35  sunss  阅读(727)  评论(0编辑  收藏  举报