Tair (Redis OSS-compatible) allows you to create multiple accounts and configure read-only and read/write permissions. This helps you manage instances in a more flexible manner, minimizes the risk of accidental operations, and enhances data security.
Background information
To ensure data security, the system automatically creates a default account after an instance is created. Typically, the default account is named after the instance ID, such as r-bp1jpghfglv6******. You cannot delete or replace the default account or modify the permissions of the account. You can view or reset the password of the default account on the Account Management page in the Tair (Redis OSS-compatible) console.
You can use the default account to log on to your instance in the same way as in open source Redis, where you need only to enter the password of the account. The following example shows how to log on to a Tair instance by using redis-cli:
# Use the default account whose username is r-bp1jpghfglv6****** and password is Rp829dlwa to connect to the instance.
redis-cli -h r-bp1zx****.redis.rds.aliyuncs.com -p 6379 -a Rp829dlwa
For specific instances, the default account is named default. The name that is displayed in the console prevails.
Precautions
You can create up to 20 accounts for an instance.
For Redis Open-Source Edition 4.0 and 5.0 (up to 5.0.8) instances, the account names are case-insensitive. For Redis Open-Source Edition instances of later versions, the account names are case-sensitive.
Prerequisites
The database engine version of the instance is Redis 4.0 or later.
If the database engine version of an instance does not meet this requirement, you can upgrade the version. For more information, see Upgrade the major version.
Procedure
Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click Account Management.
Click Create in the upper-right corner of the page.
In the dialog box that appears, configure the parameters that are described in the following table.
Parameter
Description
Account Type
Local Account: With this account type, you need to record the password of the account or configure the password in plaintext in the application code.
KMS Managed Account: Key Management Service (KMS) is used to manage the account and password of the instance. To connect an application to the instance, you can call the relevant KMS API operation to dynamically retrieve the account username and password of the instance, instead of hardcoding static database credentials into the application. For more information, see Use KMS to manage Tair (Redis OSS-compatible) secrets.
Account
The account name, which must meet the following requirements:
The name must start with a lowercase letter and can contain lowercase letters, digits, and underscores (_).
The name can be up to 35 characters in length.
The name cannot be one of the reserved words listed in the Reserved words for Redis account names section.
Privilege
The permissions that are granted to the account. Valid values:
Read-only: The account has only permissions to read data and is not allowed to modify data.
Read/Write: The account has permissions to read and write data.
Password
The password of the account.
The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and specific special characters. These special characters include !@#$%^&*()+-=_
The password must be 8 to 32 characters in length.
Confirm Password
Enter the password again.
Description (optional)
The description of the account, which must meet the following requirements:
The description must start with a letter and cannot start with http:// or https://.
The description can contain letters, digits, underscores (_), and hyphens (-).
The description must be 2 to 256 characters in length.
Click OK.
After you create an account, the account is in the Unavailable state. Refresh the page about 1 minute later, and the state changes to Available.
Note: The password of the created account follows the user:password format. For example, if the created account is named testaccount and the password of the account is Rp829dlwa, you must enter testaccount:Rp829dlwa as the password that is used to log on to the instance. For more information, see Connect to an instance. If you use a third-party database management tool such as Redis Desktop Manager (RDM) to connect to an instance, enter the password in the user:password format.
Optional: Perform one of the following operations to manage the account based on your business requirements:
Reset the password
Find the account and click Reset Password in the Actions column. In the panel that appears, reset the password and click OK.
Modify the permissions
Find the account and click Modify Privilege in the Actions column. In the panel that appears, select the required permissions and click OK.
Modify the description
Find the account and click Edit Description in the Actions column. In the panel that appears, modify the description and click OK.
Delete the account
Find the account and choose
in the Actions column. In the panel that appears, click OK.
Warning: After you delete the account, you cannot log on to the instance by using the account. To avoid affecting client connections, change the account and password that your client uses to connect to the instance in advance.
Reserved words for account names
When you create an account, the account name cannot be one of the following reserved words. The following table describes the reserved words. The reserved words are separated by commas (,).
Initial | Reserved word |
a~c | add,admin,all,alter,analyze,and,as,asc,asensitive,aurora,before,between,bigint,binary,blob,both,by,call,cascade,case,change,char,character,check,collate,column,condition,connection,constraint,continue,convert,create,cross,current_date,current_time,current_timestamp,current_user,cursor |
d~f | database,databases,day_hour,day_microsecond,day_minute,day_second,dec,decimal,declare,default,delayed,delete,desc,describe,deterministic,distinct,distinctrow,div,double,drc_rds,drop,dual,each,eagleye,else,elseif,enclosed,escaped,exists,exit,explain,false,fetch,float,float4,float8,for,force,foreign,from,fulltext |
g~l | goto,grant,group,guest,having,high_priority,hour_microsecond,hour_minute,hour_second,if,ignore,in,index,infile,information_schema,inner,inout,insensitive,insert,int,int1,int2,int3,int4,int8,integer,interval,into,is,iterate,join,key,keys,kill,label,leading,leave,left,like,limit,linear,lines,load,localtime,localtimestamp,lock,long,longblob,longtext,loop,low_priority |
m~r | match,mediumblob,mediumint,mediumtext,middleint,minute_microsecond,minute_second,mod,modifies,mysql,natural,no_write_to_binlog,not,null,numeric,on,optimize,option,optionally,or,order,out,outer,outfile,precision,primary,procedure,purge,raid0,range,read,reads,real,references,regexp,release,rename,repeat,replace,replicator,require,restrict,return,revoke,right,rlike,root |
s~z | schema,schemas,second_microsecond,select,sensitive,separator,set,show,smallint,spatial,specific,sql,sql_big_result,sql_calc_found_rows,sql_small_result,sqlexception,sqlstate,sqlwarning,ssl,starting,straight_join,table,terminated,test,then,tinyblob,tinyint,tinytext,to,trailing,trigger,true,undo,union,unique,unlock,unsigned,update,usage,use,using,utc_date,utc_time,utc_timestamp,values,varbinary,varchar,varcharacter,varying,when,where,while,with,write,x509,xor,xtrabak,year_month,zerofill |
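The account name and password rules from the Procedure section, together with the reserved-word table above, can be checked before an account is submitted. The following Python sketch is an added example, not code from the product documentation. The function names are hypothetical, RESERVED_TABLE is a constructed excerpt of the table, and rejecting characters outside the four listed password types is an assumption.

```python
import re
import string

# Constructed excerpt of the reserved-word table (same "initial | words |" rows).
# For real use, paste every row of the table on this page.
RESERVED_TABLE = """\
a~c | add,admin,all,alter |
d~f | database,default,delete,drop |
m~r | mysql,read,root |
s~z | select,test,write |
"""
NAME_RE = re.compile(r"[a-z][a-z0-9_]*")  # "underscores" taken as the _ character
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!@#$%^&*()+-=_"),
}

def parse_reserved(table_text):
    """Collect the words from the second cell of each 'initial | w1,w2 |' row."""
    words = set()
    for row in table_text.splitlines():
        cells = [c.strip() for c in row.split("|")]
        if len(cells) >= 2:
            words.update(w.strip() for w in cells[1].split(",") if w.strip())
    return words

def check_account_name(name, reserved):
    """Return the violated rules for an account name (empty list = valid)."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("must start with a-z and contain only a-z, 0-9, _")
    if len(name) > 35:
        errors.append("longer than 35 characters")
    if name in reserved:
        errors.append("reserved word")
    return errors

def check_password(password):
    """Return the violated rules for a password (empty list = valid)."""
    errors = []
    if not 8 <= len(password) <= 32:
        errors.append("length must be 8 to 32 characters")
    chars = set(password)
    if sum(1 for allowed in CLASSES.values() if allowed & chars) < 3:
        errors.append("fewer than three character types")
    # Assumption: any character outside the four listed types is rejected.
    if chars - set().union(*CLASSES.values()):
        errors.append("character outside the listed types")
    return errors
```

Both checkers return every violated rule rather than stopping at the first, so a provisioning script can report all problems with a proposed account in one pass.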
Related API operations
API operation | Impacts |
Creates an account that has specific permissions for an instance. | |
Modifies the permissions of an account for an instance. | |
Modifies the description of an account for an instance. | |
Modifies the password of an account for an instance. | |
Deletes an account for an instance. |