Create a normal account in an OceanBase cluster instance and grant privileges to the account - ApsaraDB for OceanBase

This topic describes how to create a normal account for a MySQL tenant in an OceanBase cluster instance and grant the minimum privileges to the account in different phases of data migration.

Background information

An OceanBase cluster instance in MySQL mode supports three types of database accounts: normal account, super account, and read-only account. When you use the data transmission service to migrate data from an OceanBase cluster instance, observe the following rules:

If you use a normal account, grant privileges to the account based on the descriptions in this topic.
If you use a super account, it has read/write privileges on all databases by default.
If you use a read-only account, it has the read privilege on all databases by default.

The normal account created for an OceanBase cluster instance in this topic will be entered in Username when you create an OceanBase data source.

If you want to migrate a table without a unique key, you must also create an __oceanbase_inner_drc_user user with the read-only privilege before data migration, which is used to specify the password for __oceanbase_inner_drc_user when you create an OceanBase data source.

Create a normal account in a cluster instance

Go to the Cluster Instance Workspace page.
1. Log on to the ApsaraDB for OceanBase console.
2. In the upper-left corner, select the region where the target instance is located.
3. In the left-side navigation pane, click Instances and then click the name of the target instance.
Go to the Accounts page.
1. On the Cluster Instance Workspace page, click Tenant Management in the left-side navigation pane.
2. On the Tenants page, click the name of the target MySQL tenant.
3. On the Tenant Workspace page, click Account Management in the left-side navigation pane.
On the Account Management page, click Create Account in the upper-right corner.

In the Create Account dialog box, configure the parameters.

Parameter	Description
Username	The username can contain letters, digits, and underscores (_). It must start with a letter and end with a letter or digit, and cannot exceed 32 characters in length.
Account Type	Select Normal Account.
Authorized Databases (Optional)	Select one or more databases accessible to the account. In the left-side Unauthorized list, select one or more databases and click > to add them to the right-side list. In the Authorized list, grant the read/write, DDL-only, DML-only, or read-only privilege on each database to the account.
Password	The password must be 10 to 32 characters in length and contain any three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Supported special characters are ! @ # $ % ^ & * ( ) _ + - = You can click Randomly generated to automatically fill in a random password. Note You can also click Copy Password to copy the password and keep it confidential.
Remarks (Optional)	Enter the description of the account.

Click OK.

Grant privileges to a normal account in a source cluster instance

The following table lists the minimum privileges required for a normal account in a source OceanBase cluster instance (MySQL mode) in different phases of data migration.

Table type	Schema migration	Full migration	DML for incremental synchronization	DDL for incremental synchronization	Full verification	Reverse incremental migration
Table with a primary key or not-null unique key	Read-only	Read-only	Read-only	Read-only	Read-only	DDL-only (only DDL operations are synchronized) DML-only (only DML operations are synchronized) Read/Write (both DDL and DML operations are synchronized)
Table without a primary key or not-null unique key	Read-only	Read-only __oceanbase_inner_drc_user required	Read-only	Read-only	__oceanbase_inner_drc_user required	DDL-only (only DDL operations are synchronized) DML-only (only DML operations are synchronized) Read/Write (both DDL and DML operations are synchronized)

Grant privileges to a normal account in a destination cluster instance

The following table lists the minimum privileges required for a normal account in a destination OceanBase cluster instance (MySQL mode) in different phases of data migration.

Table type	Schema migration	Full migration	DML for incremental synchronization	DDL for incremental synchronization	Full verification	DML for reverse incremental migration	DDL for reverse incremental migration
Table with a primary key or not-null unique key	DDL-only	Read/Write	Read/Write	DDL-only	Read-only	Read-only	Read-only
Table without a primary key or not-null unique key	DDL-only	Read/Write	Read/Write	DDL-only	Not supported	Read-only	Read-only

Create __oceanbase_inner_drc_user and grant privileges to the user

Log on to the ApsaraDB for OceanBase console and go to the Tenant Workspace page.
On the Tenant Workspace page, click Log on to Database in the upper-right corner.
You can also go to the Database Management page for logon.
In the Enter a database account dialog box, enter the name of the database to log on and click OK.
In the Enter the connection password dialog box, enter the password for logging on to the database and click OK.
After logon, run the following command to create the user __oceanbase_inner_drc_user:
```
create user __oceanbase_inner_drc_user identified by '<password>';
```
Run the following command to grant privileges to the user:
```
grant select on *.* to __oceanbase_inner_drc_user;
```