Manage the basic permissions of users - ApsaraDB for SelectDB

ApsaraDB for SelectDB references the permission management mechanism of MySQL to implement the fine-grained permission control at the table level, and supports permission control based on roles and whitelists. This topic describes the background information and capabilities of the permission management system of ApsaraDB for SelectDB. This topic also describes how to use the permissions on ApsaraDB for SelectDB.

Terms

Term	Parameter	Description
user identity	user_identity	In the permission management system, a user is identified by a user identity. A user identity consists of two parts: username and userhost. username indicates the username, which can contain letters. userhost indicates the IP address from which the logon requests of the user are sent. User identities can be displayed in one of the following two formats: username@'userhost': A user whose name is specified by username sends logon requests from the IP address specified by userhost. username@['domain']: domain indicates the domain name, which can be reversely resolved to a group of IP addresses by using DNS. The value is a group of user identities in the username@'userhost' format. In this example, the username@'userhost' format is used.
permission	privilege	Permissions allow you to perform operations on nodes, data catalogs, databases, or tables. Different operations require different permissions.
role	role	A role can be considered as a group of permissions. You can assign a role to a new user. Then, the user is automatically granted the permissions of the role. If you change the permissions of the role, the permissions of all users to which the role is assigned also change. You can create custom roles.
user property	user_property	A user property is directly attached to a user instead of a user identity. For example, cmy@'192.%' and cmy@['domain'] have the same group of user properties. The user properties belong to the user named cmy instead of cmy@'192.%' or cmy@['domain']. User properties include the maximum number of user connections and the configurations of clusters for data import.

Permissions

Permission types

Permission	Description
GRANT_PRIV	The permissions to change permissions. These permissions allow you to grant permissions to and revoke permissions from users and roles, and create, delete, and modify users and roles.
SELECT_PRIV	The read-only permissions on databases and tables.
LOAD_PRIV	The write permissions on databases and tables, including the LOAD, INSERT, and DELETE permissions.
ALTER_PRIV	The change permissions on databases and tables, including the permissions to rename databases and tables, permissions to create, delete, and modify columns, and permissions to create and delete partitions.
CREATE_PRIV	The permissions to create databases, tables, and views.
DROP_PRIV	The permissions to delete databases, tables, and views.
USAGE_PRIV	The permissions to use resources.

Permission levels

The following table describes the levels of the permissions on databases and tables that are divided based on the scope of permissions.

Permission level	Description
GLOBAL LEVEL Global permissions	The permissions of `..*` granted by using the GRANT statement. The granted permissions apply to all tables in all databases.
CATALOG LEVEL Catalog-level permissions	The permissions of `ctl..` granted by using the GRANT statement. The granted permissions apply to all databases and tables in the specified catalog.
DATABASE LEVEL Database-level permissions	The permissions of `ctl.db.*` granted by using the GRANT statement. The granted permissions apply to all tables in the specified database.
TABLE LEVEL Table-level permissions	The permissions of `ctl.db.tbl` granted by using the GRANT statement. The granted permissions apply to the specified table in the specified database.

The following table describes the two levels of the permissions on resources.

Permission level

Description

GLOBAL LEVEL

Global permissions

The permissions of * granted by using the GRANT statement. The granted permissions apply to all resources.

RESOURCE LEVEL

Resource-level permissions

The permissions of resource_name granted by using the GRANT statement. The granted permissions apply to the specified resources.

ADMIN_PRIV and GRANT_PRIV permissions

Both the ADMIN_PRIV and GRANT_PRIV permissions allow you to grant permissions. This section describes the usage notes on the ADMIN_PRIV and GRANT_PRIV permissions.

CREATE USER
- Users who have the ADMIN_PRIV permission or the GRANT_PRIV permission at the global and database levels can create users.
DROP USER
- Users who have the ADMIN_PRIV permission or the GRANT_PRIV permission at the global level can delete users.
CREATE/DROP ROLE
- Users who have the ADMIN_PRIV permission or the GRANT_PRIV permission at the global level can create roles.
GRANT/REVOKE
- Users who have the ADMIN_PRIV permission or the GRANT_PRIV permission at the global level can grant permissions to and revoke permissions from users.
- Users who have the GRANT_PRIV permission at the catalog level can grant the permissions on the specified catalog to or revoke the permissions from users.
- Users who have the GRANT_PRIV permission at the database level can grant the permissions on the specified database to or revoke the permissions from users.
- Users who have the GRANT_PRIV permission at the table level can grant the permissions on the specified table in the specified database to or revoke the permissions from users.
SET PASSWORD
- Users who have the ADMIN_PRIV permission or the GRANT_PRIV permission at the global level can set a password for all users.
- Regular users can set the password that corresponds to their own user identity. You can execute the SELECT CURRENT_USER(); statement to query your user identity.
- Users who have the GRANT_PRIV permission that is not at the global level cannot set a password for existing users. Such users can set a password only when they create a user.

User properties

The following table describes the properties that are related to users.

Property	Description
cpu_resource_limit	The maximum CPU resources that are available to queries. For more information, see the `cpu_resource_limit` session variable. A value of -1 indicates that the CPU resources that are available to queries are not limited.
default_load_cluster	The default cluster to which data is imported.
exec_mem_limit	The maximum size of memory that is available to queries. For more information, see the `exec_mem_limit` session variable. A value of -1 indicates that the size of memory that is available to queries is not limited.
insert_timeout	The timeout period for the INSERT operation.
max_query_instances	The maximum number of instances that a user can use for queries at a point in time.
max_user_connections	The maximum number of user connections.
query_timeout	The timeout period for queries of users.
resource_tags	The resource tags.
sql_block_rules	The rules for blocking SQL queries. If a user sends a query that matches the specified rules, the query is rejected.

Note

If a user property such as query_timeout is also specified as variables, the system retrieves the value of the user property based on the following priority: session variable > user property > global variable > default value. If no session variable is specified for a user property, the system checks whether the user property is directly specified. If not, the system checks whether a global variable is specified for the user property. If not, the system uses the default value for the user property.

Operations allowed by permissions

Operation	Operation keyword	Syntax
Create a user	CREATE USER	`CREATE USER [IF EXISTS] user_identity [IDENTIFIED BY 'password'] [DEFAULT ROLE 'role_name'] [password_policy]`
Delete a user	DROP USER	DROP USER 'user_identity' `user_identity`: user@'host' user@['domain']
Grant permissions to a user	GRANT	`GRANT privilege_list ON priv_level TO user_identity [ROLE role_name] GRANT privilege_list ON RESOURCE resource_name TO user_identity [ROLE role_name]`
Revoke permissions from a user	REVOKE	`REVOKE privilege_list ON db_name[.tbl_name] FROM user_identity [ROLE role_name] REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name]`
Create a role	CREATE ROLE	`CREATE ROLE rol_name;`
Delete a role	DROP ROLE	`DROP ROLE rol_name;`
Query the permissions granted to one or all users	SHOW (ALL) GRANTS	`SHOW [ALL] GRANTS [FOR user_identity];`
Query created roles	SHOW ROLES	`SHOW ROLES`
Query user properties	SHOW PROPERTY	`SHOW PROPERTY [FOR user] [LIKE key]`
Configure user properties	SET PROPERTY	`SET PROPERTY [FOR 'user'] 'key' = 'value' [, 'key' = 'value']`

Parameter description

Parameter

Description

[password_policy]

The policies that are related to password-based logon authentication. The following password policies are supported:

PASSWORD_HISTORY: specifies whether to allow a user to use a historical password as the new password when the user resets the password.
Valid values: [n|DEFAULT]. The default value is 0, which indicates the password history is not enabled and a user can use a historical password as the new password. For example, PASSWORD_HISTORY 10 indicates that the previous 10 historical passwords cannot be used as the new password.
PASSWORD_EXPIRE: the expiration time of the current password.
Valid values: [DEFAULT|NEVER|INTERVAL n DAY/HOUR/SECOND]. The default value is NEVER, which indicates that the password never expires.
FAILED_LOGIN_ATTEMPTS: the maximum number of failed logon attempts allowed before the account is locked.
Valid values: [n|DEFAULT]. The default value of the parameter indicates that the system does not impose a maximum number of failed logon attempts.
PASSWORD_LOCK_TIME: the period during which the account is locked.
Valid values: [n DAY/HOUR/SECOND|UNBOUNDED].

Operation examples

Example 1: Create a user named test_user. The password of the user is 123456 and the user can send logon requests from the IP address 172.10.XX.XX.
```
CREATE USER test_user@'172.10.XX.XX' IDENTIFIED BY '123456';
```
Example 2: Delete a user whose user identity is test_user@'172.10.XX.XX'.
```
DROP USER 'test_user'@'172.10.XX.XX'
```
Example 3: Grant a user whose user identity is test_user@'172.10.XX.XX' the permissions to read data from, modify data in, and import data to the test_ctl.test_db.test_table table.
```
GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON test_ctl.test_db.test_table TO 'test_user'@'172.10.XX.XX';
```
Example 4: Revoke the read permissions on the test_db database from the user named test_user.
```
REVOKE SELECT_PRIV ON test_db.* FROM 'test_user'@'172.10.XX.XX';
```
Example 5: Create a role named test_role.
```
CREATE ROLE test_role;
```
Example 6: Delete a role named test_role.
```
DROP ROLE test_role;
```
Example 7: Grant a role named test_role the permissions to import data to all tables of the test_ctl.test_db database.
```
GRANT LOAD_PRIV ON test_ctl.test_db.* TO ROLE 'test_role';
```
Example 8: Change the role assigned to the user whose user identity is test_user @'172.10.XX.XX' to test_role.
```
GRANT "test_role" TO test_user@'172.10.XX.XX';
```
Example 9: Query the permissions of the user whose user identity is test_user@'%'.
```
SHOW GRANTS FOR test_user@'%';
```

Example 10: Query the properties of the user named test_user.

# Query all properties of the user.
SHOW PROPERTY FOR 'test_user';

# Use a LIKE expression to query a specific property of the user.
SHOW PROPERTY FOR 'test_user' LIKE '%max_user_connections%';

Example 11: Configure the properties of the user named test_user.
```
SET PROPERTY FOR 'test_user' 'max_user_connections' = '1000';
```

Best practices

The permission management system is commonly used in the following scenarios:

Scenario 1
The users of a cluster are classified into administrators, R&D engineers, and regular users. Administrators have full permissions on the cluster and are responsible for cluster management, such as building the cluster and managing nodes. R&D engineers are responsible for service modeling, such as creating databases and tables, and importing and modifying data. Regular users access data in different databases and tables.
In this scenario, you can grant the ADMIN_PRIV or GRANT_PRIV permission to administrators. You can grant R&D engineers the CREATE, DROP, ALTER, LOAD, and SELECT permissions on one or more databases and tables. You can grant regular users the SELECT permission on one or more databases and tables. You can also create different roles to grant permissions to multiple users in an easier way.
Scenario 2
A cluster provides different services. Each service may use one or more data records. You need to manage the permissions of users of each service. In this scenario, an administrator can create a user that has the GRANT_PRIV permission at the database level for each database. This user can only grant the permissions on the specified database to users.
Scenario 3
ApsaraDB for SelectDB does not support blacklists, but supports only whitelists. However, you can use specific methods to simulate a blacklist. For example, you create a user whose user identity is test_user1@'192.%'. The user can send logon requests from the IP address 192.*. In this case, if you want to reject logon requests from 192.168.XX.XX, you can create another user whose user identify is test_user2@'192.168.XX.XX' and set a new password for the user. The priority of 192.168.XX.XX is higher than that of 192.%. Therefore, the user from 192.168.XX.XX can no longer use the old password to log on to ApsaraDB for SelectDB instances.

Usage notes on permissions

When an ApsaraDB for SelectDB instance is initialized, the following roles and users are automatically created:
- operator: This role has the NODE_PRIV and ADMIN_PRIV permissions on ApsaraDB for SelectDB and allows you to log on to the ApsaraDB for SelectDB instance from any node. This role is assigned only to the built-in instance user whose user identity is root@'%'.
- admin: This role is a management role and has the ADMIN_PRIV permission. This role has all permissions except the permissions to change nodes, and allows you to log on to the ApsaraDB for SelectDB instance from a node. When the ApsaraDB for SelectDB instance is initialized, the system automatically creates a user whose user identity is admin@'%' and assigns the admin role to the user. You can create multiple users and assign the admin role to the users.
You cannot revoke or change the permissions of roles or users that are automatically created.
If you forget the password of the user to which the admin role is assigned and cannot log on to an ApsaraDB for SelectDB instance, you can reset the password of the user in the ApsaraDB for SelectDB console. For more information, see Reset the password of an admin user for an instance.
The ADMIN_PRIV permission can be granted or revoked only at the global level.
The GRANT_PRIV permission at the global level is equivalent to the ADMIN_PRIV permission because the former has the permissions to grant all permissions. Proceed with caution when you use the GRANT_PRIV permission at the global level.
You can execute the SELECT current_user(); statement to query current_user and the SELECT user(); statement to query user. current_user indicates the user identity that is used by the current user to pass identity authentication, and user indicates the actual user identity of the user. All permissions are granted to the user identity that is used by the current user to pass identity authentication and the user has the permissions of the user identity.
For example, you create a user whose user identity is user1@'192.%' and a user named user1 from the IP address 192.168.XX.XX logged on to an ApsaraDB for SelectDB instance. In this case, the user identity that is used by the current user to pass identity authentication is user1@'192.%' and the actual user identity of the user is user1@'192.168.XX.XX.

FAQ

Q: What do I do if a domain name conflicts with an IP address or IP address conflicts occur when I create a user and grant permissions to the user?

A: Execute the DROP USER statement to delete the user and create another one.

Scenario in which a domain name conflicts with an IP address:
1. After you delete the user, create a new user and grant permissions to the user. Sample code:
```
CREATE USER test_user@['domain'];
GRANT SELECT_PRIV ON.TO test_user@['domain'];
```
  For example, the domain name is resolved by DNS to two IP addresses: IP1 and IP2.
2. Grant permissions to the user whose user identity is test_user@['IP1']. Sample code:
```
GRANT ALTER_PRIV ON.TO test_user@'IP1';
```
  The permissions of the user whose user identity is test_user@'IP1' are changed from SELECT_PRIV to ALTER_PRIV. The user can send logon requests from IP1. If you change the permissions of the user whose user identity is test_user@['domain'], the permissions of the user whose user identity is test_user@'IP1' are not changed.
Scenario in which IP address conflicts occur:
Create new users. Sample code:
```
CREATE USER test_user@'%' IDENTIFIED BY "12345";
CREATE USER test_user@'192.%' IDENTIFIED BY "abcde";
```
The priority of '192.%' is higher than that of '%'. Therefore, if the user named test_user uses the password 12345 to log on to an ApsaraDB for SelectDB instance from the machine whose IP address is 192.168.XX.XX, the logon request is rejected.