
Syntax:

CREATE USER user_specification [, user_specification] ...

user_specification:
    user [ auth_option ]

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

The CREATE USER statement creates new MySQL accounts. An error occurs
if you try to create an account that already exists.

To use CREATE USER, you must have the global CREATE USER privilege or
the INSERT privilege for the mysql database. When the read_only system
variable is enabled, CREATE USER additionally requires the SUPER
privilege.

For each account, CREATE USER creates a new row in the mysql.user table
with no privileges and (as of MySQL 5.5.7) assigns the account an
authentication plugin. Depending on the syntax used, CREATE USER may
also assign the account a password.

Each user_specification clause consists of an account name and
information about how authentication occurs for clients that use the
account. This part of CREATE USER syntax is shared with GRANT, so the
description here applies to GRANT as well.

Each account name uses the format described in
http://dev.mysql.com/doc/refman/5.5/en/account-names.html. For example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

If you specify only the user name part of the account name, a host name
part of '%' is used.

The server assigns an authentication plugin and password to each
account as follows, depending on whether the user specification clause
includes IDENTIFIED WITH to specify a plugin or IDENTIFIED BY to
specify a password:

*Note*: IDENTIFIED WITH is available as of MySQL 5.5.7. Before 5.5.7,
authentication plugins are not used, so only the remarks about
IDENTIFIED BY apply.

o With IDENTIFIED WITH, the server assigns the specified plugin and the
account has no password. If the optional AS 'hash_string' clause is
also given, the string is stored as is in the authentication_string
column (it is assumed to be already hashed in the format required by
the plugin).

o With IDENTIFIED BY, the server assigns no plugin and assigns the
specified password.

o With neither IDENTIFIED WITH nor IDENTIFIED BY, the server assigns no
plugin and the account has no password.

If the account has no password, the Password column in the account's
mysql.user table row remains empty, which is insecure. To set the
password, use SET PASSWORD. See [HELP SET PASSWORD].

If the server assigns no plugin to the account, the plugin column in
the account's mysql.user table row remains empty.

For client connections that use a given account, the server invokes the
authentication plugin assigned to the account and the client must
provide credentials as required by the authentication method that the
plugin implements. If the server cannot find the plugin, either at
account-creation time or connect time, an error occurs.

If an account's mysql.user table row has a nonempty plugin column:

o The server authenticates client connection attempts using the named
plugin.

o Changes to the account password using SET PASSWORD with PASSWORD()
must be made with the old_passwords system variable set to the value
required by the authentication plugin, so that PASSWORD() uses the
appropriate password hashing method. If the plugin is
mysql_old_password, the password can also be changed using SET
PASSWORD with OLD_PASSWORD(), which uses pre-4.1 password hashing
regardless of the value of old_passwords.

If an account's mysql.user table row has an empty plugin column:

o The server authenticates client connection attempts using the
mysql_native_password or mysql_old_password authentication plugin,
depending on the hash format of the password stored in the Password
column.

o Changes to the account password using SET PASSWORD can be made with
PASSWORD(), with old_passwords set to 0 or 1 for 4.1 or pre-4.1
password hashing, respectively, or with OLD_PASSWORD(), which uses
pre-4.1 password hashing regardless of the value of old_passwords.
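The three assignment cases (IDENTIFIED WITH, IDENTIFIED BY, neither) and the two plugin-column cases above are easiest to check side by side against the actual mysql.user rows. The following is an added example and is not part of the MySQL reference text: it creates one constructed account per case, audits the resulting Password, plugin and authentication_string columns to show which accounts would authenticate with no password or with pre-4.1 hashing, and then repairs the password-less accounts with SET PASSWORD. Account names and passwords are constructed placeholders; running it requires the CREATE USER privilege and SELECT on the mysql database (MySQL 5.5.7 or later, where the plugin and authentication_string columns exist).

```sql
-- Added example (not from the MySQL manual). Account names and passwords
-- below are constructed placeholders.

-- Case 1: IDENTIFIED WITH only -> plugin column set, Password column empty.
CREATE USER 'audit_plugin_only'@'localhost' IDENTIFIED WITH mysql_native_password;

-- Case 2: IDENTIFIED BY only -> plugin column empty, Password column set.
-- old_passwords = 0 selects 4.1-style (41-character, '*'-prefixed) hashing.
SET old_passwords = 0;
CREATE USER 'audit_pw_only'@'localhost' IDENTIFIED BY 'constructed-password';

-- Case 3: neither clause -> both columns empty (the insecure state the text warns about).
CREATE USER 'audit_nothing'@'localhost';

-- Audit: classify every account by how the server will authenticate it.
-- Password = '' together with an empty authentication_string means "no password".
SELECT User, Host, plugin,
       CASE
         WHEN Password = '' AND IFNULL(authentication_string, '') = ''
              THEN 'NO PASSWORD (insecure)'
         WHEN IFNULL(plugin, '') <> ''
              THEN CONCAT('plugin column set: ', plugin)
         WHEN LENGTH(Password) = 41 AND Password LIKE '*%'
              THEN 'plugin column empty: mysql_native_password (4.1 hash)'
         WHEN LENGTH(Password) = 16
              THEN 'plugin column empty: mysql_old_password (pre-4.1 hash)'
         ELSE 'unrecognized Password value'
       END AS auth_method
FROM mysql.user
ORDER BY Host, User;

-- Remediate cases 1 and 3: set a password whose hash format matches the
-- plugin the account will use (old_passwords = 0 for mysql_native_password).
SET old_passwords = 0;
SET PASSWORD FOR 'audit_plugin_only'@'localhost' = PASSWORD('constructed-password');
SET PASSWORD FOR 'audit_nothing'@'localhost'     = PASSWORD('constructed-password');

-- Re-run the audit query above: the two rows should now report the 4.1 hash
-- (case 1 with the plugin column still set, case 3 with it still empty).

-- Clean up the constructed accounts.
DROP USER 'audit_plugin_only'@'localhost', 'audit_pw_only'@'localhost', 'audit_nothing'@'localhost';
```

The audit query is the part worth keeping: rows reporting "NO PASSWORD" or a pre-4.1 hash are the ones to fix, and the LENGTH/LIKE test mirrors the hash-format rule the text gives for accounts whose plugin column is empty.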

CREATE USER examples:

o To specify an authentication plugin for an account, use IDENTIFIED
WITH auth_plugin. The plugin name can be a quoted string literal or
an unquoted name. 'auth_string' is an optional quoted string literal
to pass to the plugin. The plugin interprets the meaning of the
string, so its format is plugin specific and it is stored in the
authentication_string column as given. (This value is meaningful only
for plugins that use that column.) Consult the documentation for a
given plugin for information about the authentication string values
it accepts, if any.

CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password;

The server assigns the given authentication plugin to the account but
no password. Clients must provide no password when they connect.
However, an account with no password is insecure. To ensure that an
account uses a specific authentication plugin and has a password with
the corresponding hash format, specify the plugin explicitly with
IDENTIFIED WITH, then use SET PASSWORD to set the password:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password;
SET old_passwords = 0;
SET PASSWORD FOR 'jeffrey'@'localhost' = PASSWORD('mypass');

Changes to the account password using SET PASSWORD with PASSWORD()
must be made with the old_passwords system variable set to the value
required by the account's authentication plugin, so that PASSWORD()
uses the appropriate password hashing method. Therefore, to use the
mysql_old_password plugin instead, name that plugin in the CREATE
USER statement and set old_passwords to 1 before using SET PASSWORD.

o To specify a password for an account at account-creation time, use
IDENTIFIED BY with the literal cleartext password value:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';

The server assigns the given password to the account but no
authentication plugin. Clients must provide the password when they
connect.

o To avoid specifying the cleartext password if you know its hash value
(the value that PASSWORD() would return for the password), specify
the hash value preceded by the keyword PASSWORD:

CREATE USER 'jeffrey'@'localhost'
    IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';

The server assigns the given password to the account but no
authentication plugin. Clients must provide the password when they
connect.

o To enable the user to connect with no password, include no IDENTIFIED
BY clause:

CREATE USER 'jeffrey'@'localhost';

The server assigns no authentication plugin or password to the
account. Clients must provide no password when they connect. However,
an account with no password is insecure. To avoid this, use SET
PASSWORD to set the account password.

For additional information about setting passwords and authentication
plugins, see
http://dev.mysql.com/doc/refman/5.5/en/assigning-passwords.html, and
http://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html.

URL: http://dev.mysql.com/doc/refman/5.5/en/create-user.html

Syntax:
DROP USER user [, user] ...

The DROP USER statement removes one or more MySQL accounts and their
privileges. It removes privilege rows for the account from all grant
tables. An error occurs for accounts that do not exist.

To use DROP USER, you must have the global CREATE USER privilege or the
DELETE privilege for the mysql database. When the read_only system
variable is enabled, DROP USER additionally requires the SUPER
privilege.

Each account name uses the format described in
http://dev.mysql.com/doc/refman/5.5/en/account-names.html. For example:

DROP USER 'jeffrey'@'localhost';

If you specify only the user name part of the account name, a host name
part of '%' is used.

URL: http://dev.mysql.com/doc/refman/5.5/en/drop-user.html

Syntax:
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user_specification [, user_specification] ...
    [REQUIRE {NONE | tsl_option [[AND] tsl_option] ...}]
    [WITH {GRANT OPTION | resource_option} ...]

GRANT PROXY ON user_specification
    TO user_specification [, user_specification] ...
    [WITH GRANT OPTION]

object_type: {
    TABLE
  | FUNCTION
  | PROCEDURE
}

priv_level: {
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name
  | db_name.routine_name
}

user_specification:
    user [ auth_option ]

auth_option: {
    IDENTIFIED BY 'auth_string'
  | IDENTIFIED BY PASSWORD 'hash_string'
  | IDENTIFIED WITH auth_plugin
  | IDENTIFIED WITH auth_plugin AS 'hash_string'
}

tsl_option: {
    SSL
  | X509
  | CIPHER 'cipher'
  | ISSUER 'issuer'
  | SUBJECT 'subject'
}

resource_option: {
    MAX_QUERIES_PER_HOUR count
  | MAX_UPDATES_PER_HOUR count
  | MAX_CONNECTIONS_PER_HOUR count
  | MAX_USER_CONNECTIONS count
}

The GRANT statement grants privileges to MySQL user accounts. GRANT
also serves to specify other account characteristics such as use of
secure connections and limits on access to server resources.

To use GRANT, you must have the GRANT OPTION privilege, and you must
have the privileges that you are granting. When the read_only system
variable is enabled, GRANT additionally requires the SUPER privilege.

The REVOKE statement is related to GRANT and enables administrators to
remove account privileges. See [HELP REVOKE].

Normally, a database administrator first uses CREATE USER to create an
account, then GRANT to define its privileges and characteristics. For
example:

CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON db2.invoice TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;

*Note*: Examples shown here include no IDENTIFIED clause. It is assumed
that you establish passwords with CREATE USER at account-creation time
to avoid creating insecure accounts.

If an account named in a GRANT statement does not already exist, GRANT
may create it under the conditions described later in the discussion of
the NO_AUTO_CREATE_USER SQL mode.

From the mysql program, GRANT responds with Query OK, 0 rows affected
when executed successfully. To determine what privileges result from
the operation, use SHOW GRANTS. See [HELP SHOW GRANTS].
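The CREATE USER, GRANT, SHOW GRANTS and DROP USER statements described above fit together as one provisioning sequence. The following is an added example, not part of the MySQL reference text, that uses the syntax elements the GRANT grammar lists but the manual's own example does not exercise: a column-level privilege instead of ALL on a whole database, a REQUIRE clause for TLS, several resource limits in one WITH clause, SHOW GRANTS to verify the result, the NO_AUTO_CREATE_USER SQL mode so that GRANT can never create an account implicitly, and DROP USER for deprovisioning. The account, host pattern, database, table and column names are constructed placeholders; it requires the CREATE USER privilege, GRANT OPTION plus the granted privileges, and SUPER for the sql_mode change.

```sql
-- Added example (not from the MySQL manual). All names are constructed.

-- 1. Create the account with a password first, so GRANT never has to create it.
--    The host part restricts where the account may connect from; a bare user
--    name would default to '%' (any host), as the text notes.
SET old_passwords = 0;
CREATE USER 'reporting'@'10.0.0.%' IDENTIFIED BY 'constructed-password';

-- 2. Grant only what the role needs: SELECT on three named columns of one
--    table (column_list in the grammar), rather than ALL on db2.*.
GRANT SELECT (invoice_id, amount, issued_at)
    ON db2.invoice
    TO 'reporting'@'10.0.0.%';

-- 3. Account-wide characteristics are attached at the *.* level with USAGE,
--    which adds no privileges: require an encrypted connection (tsl_option)
--    and cap load (resource_option, several allowed in one WITH clause).
GRANT USAGE ON *.*
    TO 'reporting'@'10.0.0.%'
    REQUIRE SSL
    WITH MAX_QUERIES_PER_HOUR 500
         MAX_CONNECTIONS_PER_HOUR 60
         MAX_USER_CONNECTIONS 5;

-- 4. Verify what actually resulted instead of trusting "Query OK".
SHOW GRANTS FOR 'reporting'@'10.0.0.%';

-- 5. Make GRANT refuse to create accounts that do not exist yet, so a typo in
--    an account name cannot silently create a password-less account.
--    CONCAT_WS skips the NULL that NULLIF yields when sql_mode is empty,
--    avoiding a leading comma.
SET GLOBAL sql_mode = CONCAT_WS(',', NULLIF(@@GLOBAL.sql_mode, ''), 'NO_AUTO_CREATE_USER');

-- 6. Deprovisioning: DROP USER removes the account and its rows from all
--    grant tables in one statement; no separate REVOKE is needed.
DROP USER 'reporting'@'10.0.0.%';
```

Step 3 is the one most often done wrong: REQUIRE and the resource limits apply to the account as a whole, so they belong on a *.* grant, and USAGE is the privilege to name there when no global privilege is intended.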

URL: http://dev.mysql.com/doc/refman/5.5/en/grant.html
