-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0f6f9b7
commit 342dd14
Showing
1 changed file
with
389 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,389 @@ | ||
# User Management | ||
|
||
## Create User | ||
|
||
### Create Regular User | ||
|
||
Using the administrator "opentenbase" to connect to a specific "cn" node, the following operations are the same: | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# create role user1 with login password 'user1@123'; | ||
CREATE ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- The above command creates a user named `user1` with specified attributes using the `with` clause. | ||
- `login` specifies that the user can log in. | ||
- password 'user1@123' specifies the user's password. | ||
|
||
### 创建管理员用户 | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (Postgr | ||
eSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# create role opentenbaseadmin with login password 'opentenbaseadmin @123' superuser; | ||
CREATE ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- `with superuser` specifies that this user is an administrator | ||
|
||
### Additional User Attribute Configuration | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# create role user1 with login password 'user1@123' createdb createrole replication CONNECTION LIMIT 100 VALID UNTIL '2023-09-30 23:59:59'; | ||
CREATE ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- `createdb` specifies that the user can create databases | ||
- `createrole`specifies that the user can create other users. | ||
- `replication`specifies that the user can be used for data synchronization replication. | ||
- `CONNECTION LIMIT 100`indicates that the user's maximum connection limit is 100. Note that connections between opentenbase dn nodes will also connect to each other; `-1` (default) indicates no limit. | ||
- `VALID UNTIL '2023-09-30 23:59:59'`ndicates the expiration time for the user's password,Use `VALID UNTIL 'infinity'` to make a password valid indefinitely. | ||
|
||
## Modify User Attributes | ||
### Disallow User Login | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 with nologin ; | ||
ALTER ROLE | ||
postgres=# alter role user1 with login ; | ||
ALTER ROLE | ||
``` | ||
|
||
### Set User as Administrator and Non-Administrator | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 with superuser ; | ||
ALTER ROLE | ||
postgres=# alter role user1 with nosuperuser ; | ||
ALTER ROLE | ||
``` | ||
|
||
### User Connection Limit | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 with CONNECTION LIMIT 100; | ||
ALTER ROLE | ||
postgres=# alter role user1 with CONNECTION LIMIT -1; | ||
ALTER ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- `CONNECTION LIMIT 100` indicates that the user's maximum connection limit is 100. Note that connections between opentenbase dn nodes will also connect to each other; `-1` (default) indicates no limit. | ||
|
||
### Set User Password Expiry Time | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 with VALID UNTIL '2023-09-30 23:59:59'; | ||
ALTER ROLE | ||
postgres=# alter role user1 with VALID UNTIL 'infinity'; | ||
ALTER ROLE | ||
``` | ||
Explanation: | ||
|
||
- `VALID UNTIL '2023-09-30 23:59:59'`indicates the expiration time for the user's password. Use `VALID UNTIL 'infinity'` to make a password valid indefinitely. | ||
|
||
### Change User Password | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
--修改密码方法一 | ||
postgres=# role user1 with password 'user1@123' ; | ||
ALTER ROLE | ||
--修改密码方法二 | ||
postgres=# \password user1 | ||
Enter new password: | ||
Enter it again: | ||
postgres=# | ||
``` | ||
Enter the new password twice. Changing the password using `\password` is more secure because the password information is not recorded in the log file. | ||
|
||
### Additional User Attribute Configuration | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 with createdb createrole replication; | ||
CREATE ROLE | ||
postgres=# alter role user1 with nocreatedb nocreaterole noreplication ; | ||
CREATE ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- `createdb/nocreatedb` specifies whether the user can create databases. | ||
- `createrole/nocreaterole` specifies whether the user can create other users. | ||
- `replication/nocreaterole`specifies whether the user can be used for data synchronization replication. | ||
|
||
## Query User | ||
### psql Shortcut Commands for Querying | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# \du | ||
List of roles | ||
Role name | Attributes | Member of | ||
----------------+------------------------------------------------------------+----------- | ||
audit_admin | No inheritance | {} | ||
mls_admin | No inheritance | {} | ||
opentenbase | Superuser, Create role, Create DB, Replication, Bypass RLS | {} | ||
opentenbase_01_admin | Superuser | {} | ||
opentenbaseadmin | Superuser, Create role, Create DB | {} | ||
user1 | Password valid until infinity | {} | ||
``` | ||
|
||
Explanation: | ||
|
||
- `Attributes` displayed the user's attributes | ||
|
||
### Query User System Table | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# select * from pg_roles where rolname='opentenbase'; | ||
-[ RECORD 1 ]--+--------- | ||
rolname | opentenbase | ||
rolsuper | t | ||
rolinherit | t | ||
rolcreaterole | t | ||
rolcreatedb | t | ||
rolcanlogin | t | ||
rolreplication | t | ||
rolconnlimit | -1 | ||
rolpassword | ******** | ||
rolvaliduntil | | ||
rolbypassrls | t | ||
rolconfig | | ||
oid | 10 | ||
``` | ||
|
||
## Drop User | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# drop role user1 ; | ||
DROP ROLE | ||
``` | ||
|
||
Explanation: | ||
|
||
- If the user has existing tables, the removal may be restricted. To prevent user logins without completely removing the user, consider using `nologin` to disable user login. | ||
|
||
## User and Resource Search Path Management | ||
|
||
The default resource search path in OpenTenBase is: | ||
|
||
``` | ||
postgres=# show search_path ; | ||
search_path | ||
----------------- | ||
"$user", public | ||
(1 row) | ||
``` | ||
|
||
When accessing resources such as tables and views, the system first searches for objects in a schema with a name matching the user's name. If no matching schema is found, the system then searches in the public schema. | ||
|
||
### Configuring User's Default Search Path | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter role user1 set search_path to opentenbase,"$user", public; | ||
ALTER ROLE | ||
postgres=# alter role user1 set search_path to DEFAULT ; | ||
ALTER ROLE | ||
postgres=# | ||
``` | ||
Explanation: | ||
|
||
- Configures the search path for the user `user1` to include the schemas `opentenbase`, `user1`, and `public`. | ||
- Setting the search path for `user1` to `DEFAULT` restores the search mode to the system's default value. | ||
|
||
### Adding a Schema to a User | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# create schema user1 AUTHORIZATION user1; | ||
``` | ||
Explanation: | ||
|
||
- The command creates a schema named `user1` with `user1` as its owner. | ||
|
||
# Permission Management | ||
## Schema Permission Management | ||
### Granting User Access to a Schema | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# grant usage on SCHEMA mysch to user1; | ||
GRANT | ||
postgres=# | ||
``` | ||
|
||
Explanation: | ||
|
||
- By default, regular users cannot access schemas without proper authorization. Therefore, granting usage permission on a schema (mysch in this case) is necessary for a user to access tables within that schema | ||
- If there is no permission for schema access, an error will occur: `ERROR: permission denied for schema mysch` | ||
|
||
### Revoking User Access to a Schema | ||
|
||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# revoke usage on SCHEMA mysch from user1; | ||
REVOKE | ||
``` | ||
|
||
### Modifying the Owner of a Schema | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# alter schema mysch owner to user1; | ||
ALTER SCHEMA | ||
``` | ||
|
||
## Table Permission Management | ||
### Granting User Permissions to Insert, Delete, Update, and Select Records in a Table | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# grant ALL on mysch.t2 to user1; | ||
GRANT | ||
postgres=# grant SELECT on mysch.t2 to user1; | ||
GRANT | ||
postgres=# | ||
``` | ||
Explanation: | ||
|
||
- `ALL` permission includes the ability to insert, delete, update, and select records. | ||
- If granting specific permissions, ALL can be replaced with INSERT, DELETE, UPDATE, or SELECT accordingly. | ||
|
||
### Revoking User Access Permissions | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# revoke ALL on mysch.t2 from user1; | ||
REVOKE | ||
postgres=# revoke select on mysch.t2 from user1; | ||
REVOKE | ||
``` | ||
|
||
### Granting Permissions for a Table with a Serial Column and Its Sequence | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# create table mysch.t3(f1 serial,f2 int); | ||
CREATE TABLE | ||
postgres=# \d+ mysch.t3 | ||
Table "mysch.t3" | ||
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description | ||
--------+---------+-----------+----------+--------------------------------------+---------+--------------+------------- | ||
f1 | integer | | not null | nextval('mysch.t3_f1_seq'::regclass) | plain | | | ||
f2 | integer | | | | plain | | | ||
Distribute By: SHARD(f1) | ||
Location Nodes: ALL DATANODES | ||
postgres=# | ||
-- Authorization must be done like this | ||
postgres=# grant all on mysch.t3 to user1 ; | ||
GRANT | ||
postgres=# grant all on SEQUENCE mysch.t3_f1_seq to user1; | ||
GRANT | ||
``` | ||
|
||
Explanation: | ||
|
||
- If permissions are not granted, it will result in an error indicating insufficient sequence access permissions (`permission denied for sequence t3_f1_seq`). | ||
|
||
### Grant access to all tables in a schema to a specific user | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# grant ALL ON ALL TABLES IN SCHEMA mysch TO user1; | ||
GRANT | ||
``` | ||
|
||
### Revoke access to all tables in a schema from a specific user | ||
``` | ||
[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 | ||
psql (PostgreSQL 10.0 opentenbase V2) | ||
Type "help" for help. | ||
postgres=# revoke ALL ON ALL TABLES IN SCHEMA mysch FROM user1; | ||
REVOKE | ||
``` | ||
|
||
# Conclusion | ||
OpenTenBase is an enterprise-level distributed HTAP database management system. It provides high consistency distributed database services and high-performance data warehouse services for customers through a single database cluster, forming a comprehensive enterprise solution. Feel free to leave us a message if you encounter any related issues in the field of databases. |