In the Hologres console, you can click Account Management on the Instance Details page to go to the User Management page in the HoloWeb console. On the User Management page, you can add users to your Hologres instance, delete users from your Hologres instance, and grant permissions to users, all in a visualized manner.
By default, the Alibaba Cloud account that is used to purchase a Hologres instance is the superuser of the instance and has all permissions on the Hologres instance. Before you add other users, only the Alibaba Cloud account is displayed on the User Management page. The following table describes the items displayed on the User Management page.
Item | Description |
Members | The name of the user in the instance. The value can be the name of an Alibaba Cloud account, a RAM user, or a custom account. |
Account ID | The ID of the user in the instance. Examples:
|
Account Type | The account type of the user in the instance. Valid values:
|
Role Type | The role assigned to the user in the instance. Valid values:
|
Operation | The operation that you can perform on the user in the instance. You can click Delete in the Operation column to delete the user from the instance. After the user is deleted, the user has no permissions on the instance. |
Limits
By default, you cannot use a custom account to query data in MaxCompute by using foreign tables. If you want to query MaxCompute data by using a custom account, you must configure user mappings. For more information, see FAQ.
Add a user
This section describes how to add a user to a Hologres instance on the User Management page in a visualized manner.
In the upper part of the User Management page, select the desired instance from the Instance Name drop-down list. In the upper-right corner of the User Management page, click Add New User.
In the Add New User dialog box, select a RAM user in your Alibaba Cloud account and set the Select Member Role parameter to Examples of the Super Administrator (SuperUser) or Ordinary User.
Note: If no RAM user exists in your Alibaba Cloud account, create a RAM user. For more information, see Grant permissions to a RAM user.
In Hologres, you can add users by using an Alibaba Cloud account or a RAM user that is assigned the superuser role of the instance. The RAM user must be granted the permissions specified in the AliyunRAMReadOnlyAccess policy. For more information, see Grant permissions to a RAM user.
Examples of the Super Administrator (SuperUser): The superuser of a Hologres instance has all permissions on the instance. If the superuser role is assigned to a RAM user, no further authorization is required for the RAM user.
Ordinary User: Regular users created in a Hologres instance have no query or management permissions on the objects in the instance. The objects include databases, schemas, and tables. Regular users must obtain required permissions before they can query or manage the objects in the instance.
We recommend that you grant permissions to a user in a visualized manner. For more information, see the "Grant permissions to a user" section in Manage databases. You can also execute SQL statements to grant permissions to a user. For more information, see Grant permissions to a RAM user.
Delete a user
In the upper part of the User Management page, select the desired instance from the Instance Name drop-down list. Find the user that you want to delete and click Delete in the Operation column. In the Delete User message, click OK. After the user is deleted from the instance, the user has no permissions on the instance.
Create a custom account
Use the console
You can create a custom account for a Hologres instance on the User Management page in a visualized manner.
In the upper part of the User Management page, select the desired instance from the Instance Name drop-down list. In the upper-right corner of the User Management page, click Create Basic User.
In the Create Basic User dialog box, configure the parameters described in the following table.
Parameter | Description |
Account Name | The name of the custom account. The name can be up to 57 characters in length and can contain lowercase letters, digits, and underscores (_). |
Select Member Role | The account type. Valid values: Examples of the Super Administrator (SuperUser): The superuser of a Hologres instance has all permissions on the instance. If the superuser role is assigned to a RAM user, no further authorization is required for the RAM user. Ordinary User: Regular users created in a Hologres instance have no query or management permissions on the objects in the instance. The objects include databases, schemas, and tables. Regular users must obtain required permissions before they can query or manage the objects in the instance. |
Password | The password for the custom account. The password must meet the following requirements: The password contains at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The password must be 8 to 32 characters in length. The password can contain the following special characters: ! @#$%^&*()_+-=. |
Confirm Password | Enter the password again. |
Click OK.
Use SQL statements
create user "BASIC$<user_name>" with password '<password>';
In the preceding statement, replace user_name with the name of the custom account that you want to create and password with the password of the custom account.
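The account-name and password rules above, applied before the create user statement is built, as an added Python example (not part of the original page or of Hologres tooling). The function names are hypothetical, and the special-character set assumes the space in the page's list is a layout artifact.

```python
import re
import secrets
import string

# Rules as stated on this page for custom accounts.
NAME_RE = re.compile(r"[a-z0-9_]{1,57}")
# Assumption: the space in the page's special-character list is a layout artifact.
SPECIALS = "!@#$%^&*()_+-="
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)
ALLOWED = set(ALPHABET)


def check_account_name(name):
    """True if name fits the Account Name rule (given without the BASIC$ prefix)."""
    return NAME_RE.fullmatch(name) is not None


def password_problems(password):
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    if sum(any(c in cls for c in password) for cls in CLASSES) < 3:
        problems.append("needs at least three character types")
    return problems


def generate_password(length=24):
    """Draw random passwords from the allowed set until one satisfies the policy."""
    if not 8 <= length <= 32:
        raise ValueError("length must be 8 to 32")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def create_user_sql(name, password):
    """Build the CREATE USER statement only from inputs that passed validation."""
    problems = password_problems(password)
    if not check_account_name(name):
        problems.insert(0, "invalid account name")
    if problems:
        raise ValueError("; ".join(problems))
    # Safe to interpolate: the validated alphabets exclude quotes, backslash, whitespace.
    return f'create user "BASIC${name}" with password \'{password}\';'
```

The returned statement contains the password in clear text, so pass it directly to the database session rather than writing it to logs or shell history.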
Other operations
Change the password of a custom account
Note: You can change passwords of only custom accounts. The AccessKey pairs of the Alibaba Cloud account and RAM users are automatically generated.
You can use one of the following methods to change the password of a custom account:
Use the console
On the User Management page, click the User Account Authorization tab, find the custom account whose password you want to change, and then click Reset Password in the Operation column.
In the Reset Password dialog box, configure the Password and Confirm Password parameters, and click OK.
Use SQL statements
alter user "BASIC$<user_name>" with password '<password>';
In the preceding statement, replace user_name with the name of the custom account for which you want to change the password and password with the new password.
Delete a custom account
You can use one of the following methods to delete a custom account:
Use the console
On the User Management page, click the User Account Authorization tab, find the custom account that you want to delete, and then click Delete in the Operation column.
In the Delete User message, click OK.
Use SQL statements
drop user "BASIC$<user_name>";
In the preceding statement, replace user_name with the name of the custom account that you want to delete.
Common errors and troubleshooting
Problem description
When I use a custom account to access data in MaxCompute by using foreign tables, the following error message is reported:
ERROR: Query:[xxxxxx] Build desc failed: failed to check permission: Authorization Failed [4002], You don't exist in project hologres_test. Context ID:xxxxxx-xxxx-xxxx-xxxx-xxxxxxx. --->Tips: Pricipal:INVALID$BASIC$xxx; You don't exist in project xxx
Cause
By default, custom accounts are created within Hologres and cannot be used to access MaxCompute foreign tables.
Solution
Configure a user mapping between the custom account and a RAM user that has permissions to access MaxCompute projects and Hologres internal tables.
Syntax
CREATE USER MAPPING FOR "<user_name>" SERVER odps_server OPTIONS ( access_id '<Access_id>', access_key '<Access_key>' );
Parameter description
Parameter | Description |
user_name | The name of the custom account. |
Access_id | The AccessKey ID of the account that is used to log on to the Hologres database. You can obtain the AccessKey ID from the Security Management page. |
Access_key | The AccessKey secret of the account that is used to log on to the Hologres database. You can obtain the AccessKey secret from the Security Management page. |
Examples
-- Execute the CREATE USER MAPPING statement for the user named BASIC$test.
CREATE USER MAPPING FOR "BASIC$test" SERVER odps_server OPTIONS ( access_id 'LTxxxxxxxxxx', access_key 'y8xxxxxxxxxxxxx');
-- Execute the CREATE USER MAPPING statement for the current user.
CREATE USER MAPPING FOR CURRENT_USER SERVER odps_server OPTIONS ( access_id 'LTxxxxxxxxxx', access_key 'y8xxxxxxxxxxxxx');