diff --git a/docs/guide/07-user-rights.en.md b/docs/guide/07-user-rights.en.md new file mode 100644 index 0000000..8724b4f --- /dev/null +++ b/docs/guide/07-user-rights.en.md @@ -0,0 +1,389 @@ +# User Management + +## Create User + +### Create Regular User + +Using the administrator "opentenbase" to connect to a specific "cn" node, the following operations are the same: + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# create role user1 with login password 'user1@123'; +CREATE ROLE +``` + +Explanation: + +- The above command creates a user named `user1` with specified attributes using the `with` clause. +- `login` specifies that the user can log in. +- password 'user1@123' specifies the user's password. + +### 创建管理员用户 + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (Postgr +eSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# create role opentenbaseadmin with login password 'opentenbaseadmin @123' superuser; +CREATE ROLE +``` + +Explanation: + +- `with superuser` specifies that this user is an administrator + +### Additional User Attribute Configuration +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# create role user1 with login password 'user1@123' createdb createrole replication CONNECTION LIMIT 100 VALID UNTIL '2023-09-30 23:59:59'; +CREATE ROLE +``` + +Explanation: + +- `createdb` specifies that the user can create databases +- `createrole`specifies that the user can create other users. +- `replication`specifies that the user can be used for data synchronization replication. +- `CONNECTION LIMIT 100`indicates that the user's maximum connection limit is 100. Note that connections between opentenbase dn nodes will also connect to each other; `-1` (default) indicates no limit. +- `VALID UNTIL '2023-09-30 23:59:59'`ndicates the expiration time for the user's password,Use `VALID UNTIL 'infinity'` to make a password valid indefinitely. + +## Modify User Attributes +### Disallow User Login +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 with nologin ; +ALTER ROLE + +postgres=# alter role user1 with login ; +ALTER ROLE +``` + +### Set User as Administrator and Non-Administrator +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 with superuser ; +ALTER ROLE + +postgres=# alter role user1 with nosuperuser ; +ALTER ROLE +``` + +### User Connection Limit +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 with CONNECTION LIMIT 100; +ALTER ROLE + +postgres=# alter role user1 with CONNECTION LIMIT -1; +ALTER ROLE +``` + +Explanation: + +- `CONNECTION LIMIT 100` indicates that the user's maximum connection limit is 100. Note that connections between opentenbase dn nodes will also connect to each other; `-1` (default) indicates no limit. + +### Set User Password Expiry Time +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 with VALID UNTIL '2023-09-30 23:59:59'; +ALTER ROLE + +postgres=# alter role user1 with VALID UNTIL 'infinity'; +ALTER ROLE +``` +Explanation: + +- `VALID UNTIL '2023-09-30 23:59:59'`indicates the expiration time for the user's password. Use `VALID UNTIL 'infinity'` to make a password valid indefinitely. + +### Change User Password +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +--修改密码方法一 +postgres=# role user1 with password 'user1@123' ; +ALTER ROLE + + +--修改密码方法二 +postgres=# \password user1 +Enter new password: +Enter it again: +postgres=# +``` +Enter the new password twice. Changing the password using `\password` is more secure because the password information is not recorded in the log file. + +### Additional User Attribute Configuration +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 with createdb createrole replication; +CREATE ROLE + +postgres=# alter role user1 with nocreatedb nocreaterole noreplication ; +CREATE ROLE +``` + +Explanation: + +- `createdb/nocreatedb` specifies whether the user can create databases. +- `createrole/nocreaterole` specifies whether the user can create other users. +- `replication/nocreaterole`specifies whether the user can be used for data synchronization replication. + +## Query User +### psql Shortcut Commands for Querying +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# \du + List of roles + Role name | Attributes | Member of +----------------+------------------------------------------------------------+----------- + audit_admin | No inheritance | {} + mls_admin | No inheritance | {} + opentenbase | Superuser, Create role, Create DB, Replication, Bypass RLS | {} + opentenbase_01_admin | Superuser | {} + opentenbaseadmin | Superuser, Create role, Create DB | {} + user1 | Password valid until infinity | {} +``` + +Explanation: + +- `Attributes` displayed the user's attributes + +### Query User System Table +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# select * from pg_roles where rolname='opentenbase'; +-[ RECORD 1 ]--+--------- +rolname | opentenbase +rolsuper | t +rolinherit | t +rolcreaterole | t +rolcreatedb | t +rolcanlogin | t +rolreplication | t +rolconnlimit | -1 +rolpassword | ******** +rolvaliduntil | +rolbypassrls | t +rolconfig | +oid | 10 +``` + +## Drop User +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# drop role user1 ; +DROP ROLE +``` + +Explanation: + +- If the user has existing tables, the removal may be restricted. To prevent user logins without completely removing the user, consider using `nologin` to disable user login. + +## User and Resource Search Path Management + +The default resource search path in OpenTenBase is: + +``` +postgres=# show search_path ; + search_path +----------------- + "$user", public +(1 row) +``` + +When accessing resources such as tables and views, the system first searches for objects in a schema with a name matching the user's name. If no matching schema is found, the system then searches in the public schema. + +### Configuring User's Default Search Path + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter role user1 set search_path to opentenbase,"$user", public; +ALTER ROLE + +postgres=# alter role user1 set search_path to DEFAULT ; +ALTER ROLE +postgres=# + +``` +Explanation: + +- Configures the search path for the user `user1` to include the schemas `opentenbase`, `user1`, and `public`. +- Setting the search path for `user1` to `DEFAULT` restores the search mode to the system's default value. + +### Adding a Schema to a User + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# create schema user1 AUTHORIZATION user1; + +``` +Explanation: + +- The command creates a schema named `user1` with `user1` as its owner. + +# Permission Management +## Schema Permission Management +### Granting User Access to a Schema + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# grant usage on SCHEMA mysch to user1; +GRANT +postgres=# +``` + +Explanation: + +- By default, regular users cannot access schemas without proper authorization. Therefore, granting usage permission on a schema (mysch in this case) is necessary for a user to access tables within that schema +- If there is no permission for schema access, an error will occur: `ERROR: permission denied for schema mysch` + +### Revoking User Access to a Schema + +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# revoke usage on SCHEMA mysch from user1; +REVOKE +``` + +### Modifying the Owner of a Schema +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# alter schema mysch owner to user1; +ALTER SCHEMA +``` + +## Table Permission Management +### Granting User Permissions to Insert, Delete, Update, and Select Records in a Table +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# grant ALL on mysch.t2 to user1; +GRANT + +postgres=# grant SELECT on mysch.t2 to user1; +GRANT +postgres=# +``` +Explanation: + +- `ALL` permission includes the ability to insert, delete, update, and select records. +- If granting specific permissions, ALL can be replaced with INSERT, DELETE, UPDATE, or SELECT accordingly. + +### Revoking User Access Permissions +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# revoke ALL on mysch.t2 from user1; +REVOKE + +postgres=# revoke select on mysch.t2 from user1; +REVOKE +``` + +### Granting Permissions for a Table with a Serial Column and Its Sequence +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# create table mysch.t3(f1 serial,f2 int); +CREATE TABLE +postgres=# \d+ mysch.t3 + Table "mysch.t3" + Column | Type | Collation | Nullable | Default | Storage | Stats target | Description +--------+---------+-----------+----------+--------------------------------------+---------+--------------+------------- + f1 | integer | | not null | nextval('mysch.t3_f1_seq'::regclass) | plain | | + f2 | integer | | | | plain | | +Distribute By: SHARD(f1) +Location Nodes: ALL DATANODES + +postgres=# + +-- Authorization must be done like this +postgres=# grant all on mysch.t3 to user1 ; +GRANT + +postgres=# grant all on SEQUENCE mysch.t3_f1_seq to user1; +GRANT + +``` + +Explanation: + +- If permissions are not granted, it will result in an error indicating insufficient sequence access permissions (`permission denied for sequence t3_f1_seq`). + +### Grant access to all tables in a schema to a specific user +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# grant ALL ON ALL TABLES IN SCHEMA mysch TO user1; +GRANT +``` + +### Revoke access to all tables in a schema from a specific user +``` +[opentenbase@VM_0_29_centos ~]$ psql -h 172.16.0.29 -U opentenbase -d postgres -p 15432 +psql (PostgreSQL 10.0 opentenbase V2) +Type "help" for help. + +postgres=# revoke ALL ON ALL TABLES IN SCHEMA mysch FROM user1; +REVOKE +``` + +# Conclusion +OpenTenBase is an enterprise-level distributed HTAP database management system. It provides high consistency distributed database services and high-performance data warehouse services for customers through a single database cluster, forming a comprehensive enterprise solution. Feel free to leave us a message if you encounter any related issues in the field of databases. \ No newline at end of file