Comment: Published by Scroll Versions from space ML1 and version 9.2

See also:

Migrating User Permissions

Replicating User Account Management Statements

Default Users

Clustrix stores user information in the SYSTEM.USERS table. Accounts are defined by a username and the host(s) from which the user can connect.

As part of the installation process, by default ClustrixDB creates the following user accounts:

...

'root'@'127.0.0.1'

...

Warning

These users must not be removed. 

Connecting to ClustrixDB 

To connect to ClustrixDB, you can specify the username, password, and database. Since ClustrixDB is deployed on Linux, by default use the mysql client to connect:

shell> mysql -p db_name

By default, the MySQL client will log in using the current Unix user name as the MySQL user name. However, that is only a convention; the underlying Unix user is separate from ClustrixDB.

To specify a different user, use the -u or --user option to log in:

shell> mysql --user=clxm -p db_name

If you do not supply a password after the -p option, the client will prompt for one.

Securing Initial ClustrixDB Accounts

ClustrixDB creates an initial 'root'@'127.0.0.1' account. This is a superuser and if there is no password, any user can connect with no password and perform all operations. Clustrix recommends setting a root password.

To see which users may not have passwords, run the following query:

sql> SELECT username, host, hex(password) from system.users;         

...


Creating and Managing Users

User information is stored in the system.users table in ClustrixDB, versus the mysql.user table in MySQL. To create users, issue the CREATE USER or GRANT commands, both of which require the CREATE USER privilege.

ClustrixDB does not permit blank usernames.

For example:

sql> CREATE USER 'test_user'@'%' IDENTIFIED BY 'test_passwd';
sql> GRANT INSERT ON test.* TO 'test_user'@'client1' IDENTIFIED BY 'test_passwd';

...

sql> SET PASSWORD FOR test_user = PASSWORD('new_passwd');

Info

Clustrix recommends setting a password for all users. 

To remove a user from the database, use the DROP USER command.

You can qualify ClustrixDB user names by specifying CIDR, subnet mask, SQL wildcards, and FQDN qualifiers.

For example:

...


SHA256 passwords

By default, passwords use mysql_native_password. To change an existing user's password to use sha256_password:

sql> ALTER USER 'seymour'@'%' IDENTIFIED WITH sha256_password BY 'foo';

To set it back to use mysql_native_password:

sql> ALTER USER 'seymour'@'%' IDENTIFIED WITH mysql_native_password BY 'foo';


Info

Users with a password encrypted with SHA256 must use encrypted connections and a client that supports SHA256 (mysql 5.7+) to connect to ClustrixDB. If a secure connection is not available, the user will encounter an error and be unable to connect.

Granting Privileges

ClustrixDB supports an access control system that is similar to that of MySQL. You can grant privileges globally (using ON *.*), at the database level (ON <dbname>.*), or at the table level (ON <dbname>.<tablename>).

...

  • column_list and object_type are ignored.
  • The ssl options cipher, issuer, and subject are not supported.

Info

ClustrixDB does not allow SYSTEM tables to be modified directly. Use SQL to modify users and privileges.

To display permissions, issue the SHOW GRANTS statement. For example, to list permissions for the current user:

sql> show grants;
+-------------------------------------------------------------+
| Grants for [email protected]                                  |
+-------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION | 
+-------------------------------------------------------------+
1 row in set (0.00 sec)

To show grants for a specific user:

sql> show grants for sergei;
+-------------------------------------------------------------------------------------------------------+
| Grants for sergei@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'sergei'@'%' IDENTIFIED BY PASSWORD '*F3A2A51A9B0FXXXXXXXXXXXXX32313728C250DBF' | 
+-------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

...

For a full list of the supported and unsupported privileges, see User Privileges.

Securing Initial ClustrixDB Accounts

ClustrixDB creates an initial 'root'@'127.0.0.1' account. This is a superuser and if there is no password, any user can connect with no password and perform all operations. Clustrix strongly recommends setting a root password.

To see which users may not have passwords:

sql> SELECT username, host, hex(password) from system.users;         

Default Users

As part of the installation process, by default ClustrixDB creates the following user accounts:

| User | Privileges |
|---|---|
| 'root'@'127.0.0.1' | |
| 'clxd'@'localhost' | Runs the database process and is configurable as part of the installation. This user will not be created if ClustrixDB is configured to run as root. |
| 'clxm'@'localhost' | Used to manage the database and is configurable as part of the installation. Created with fewer privileges than clxd. This user will not be created if ClustrixDB is configured to run as root. When using the ClustrixDB AMI, this is 'clustrix'@'localhost'. |
| 'mysql_slave' | Used by the Replication slave process. Login is not possible for this user regardless of whether a password is set. |
| 'clx_maint'@'127.0.0.1' | Used by Clustrix Support and internal processes. |
| 'clx_view_definer'@'127.0.0.1' | Used by Clustrix Support and internal processes. |

These users must not be removed. 
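
The password check and the default-account list above can be combined into a repeatable audit. The following is an added example, not ClustrixDB code: it triages tab-separated output of the page's `SELECT username, host, hex(password) FROM system.users;` query and reports accounts with an empty password. Assumptions of this example: the sample rows and hex strings are constructed, `mysql_slave` is skipped because the page says it cannot log in, and flagging `%` hosts is this example's own review heuristic.

```python
# Added example (not ClustrixDB code). Input: tab-separated rows from the page's
# query  SELECT username, host, hex(password) FROM system.users;
# e.g. captured with the mysql client's --batch --skip-column-names options.

# The page states login is impossible for this account whatever its password,
# so an empty password there is not reported (assumption of this example).
NO_LOGIN = {"mysql_slave"}

# Constructed sample output; the hex strings are made-up placeholders.
SAMPLE = (
    "root\t127.0.0.1\t\n"
    "clxm\tlocalhost\t2A0123456789ABCDEF\n"
    "mysql_slave\t%\tNULL\n"
    "test_user\t%\t\n"
    "sergei\t%\t2AFEDCBA9876543210\n"
)


def parse_rows(text):
    """Yield (username, host, hex_password) tuples from batch-mode output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))  # tolerate a dropped empty column
        yield tuple(f.strip() for f in fields[:3])


def audit(text):
    """Return [(account, issue)] for accounts that need attention."""
    findings = []
    for user, host, hex_pw in parse_rows(text):
        if user in NO_LOGIN:
            continue
        issues = []
        if hex_pw in ("", "NULL"):      # batch mode prints SQL NULL as "NULL"
            issues.append("empty-password")
        if "%" in host:                 # SQL wildcard: matches many client hosts
            issues.append("wildcard-host")
        if issues:
            findings.append((f"'{user}'@'{host}'", "+".join(issues)))
    return findings


if __name__ == "__main__":
    for account, issue in audit(SAMPLE):
        print(f"{issue:30} {account}")
```

Accounts reported with an empty password are the ones to fix with SET PASSWORD as shown earlier on this page.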

Caveats for Managing Users

  • Clustrix does not support:
    • DROP USER IF EXISTS
    • netmask notation for IP addresses
    • directly modifying the users table. 
  • ClustrixDB allows usernames and hostnames to be up to 256 characters long and will truncate names longer than the permitted length. Clustrix recommends that usernames be 16 characters or shorter and hostnames be 60 characters or shorter.