doc-exports/docs/dws/dev/dws_04_0057.html
Lu, Huayi a24ca60074 DWS DEVELOPER 811 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
2023-01-19 13:37:49 +00:00


<a name="EN-US_TOPIC_0000001145894533"></a>
<h1 class="topictitle1">Users</h1>
<div id="body8662426"><p id="EN-US_TOPIC_0000001145894533__ab211f1190a3a49f1ae26d391cf4c820a">You can use <strong id="EN-US_TOPIC_0000001145894533__b1286263181411">CREATE USER</strong> and <strong id="EN-US_TOPIC_0000001145894533__b195831715146">ALTER USER</strong> to create and manage database users, respectively. The database cluster has one or more named databases. Users and roles are shared within the entire cluster, but their data is not shared. That is, a user can connect to any database, but after the connection is successful, any user can access only the database declared in the connection request.</p>
<p id="EN-US_TOPIC_0000001145894533__a566124869f49472780199b06c42415d7">In non-<a href="dws_04_0056.html">separation-of-duty</a> scenarios, a <span id="EN-US_TOPIC_0000001145894533__text249229464">GaussDB(DWS)</span> user account can be created and deleted only by a system administrator or a security administrator with the <strong id="EN-US_TOPIC_0000001145894533__en-us_topic_0157416672_b54441931101611">CREATEROLE</strong> attribute. In separation-of-duty scenarios, a user account can be created only by a security administrator.</p>
<p id="EN-US_TOPIC_0000001145894533__en-us_topic_0155089862_p967512110275">When a user logs in, <span id="EN-US_TOPIC_0000001145894533__text861939956">GaussDB(DWS)</span> authenticates the user. A user can own databases and database objects (such as tables), and grant permissions of these objects to other users and roles. In addition to system administrators, users with the <strong id="EN-US_TOPIC_0000001145894533__b172454016209">CREATEDB</strong> attribute can create databases and grant permissions to these databases.</p>
<div class="section" id="EN-US_TOPIC_0000001145894533__s5a76876c562240bb9a03705a6487337f"><h4 class="sectiontitle">Adding, Modifying, and Deleting Users</h4><ul id="EN-US_TOPIC_0000001145894533__u4bfa4d1112af43318dd434b9cfffcbf0"><li id="EN-US_TOPIC_0000001145894533__l2049a7122c434a029455124ffc1fd627">To create a user, use the SQL CREATE USER statement.<div class="p" id="EN-US_TOPIC_0000001145894533__a9f9301016ac84e0ab3c1e6236a4c1198"><a name="EN-US_TOPIC_0000001145894533__l2049a7122c434a029455124ffc1fd627"></a><a name="l2049a7122c434a029455124ffc1fd627"></a>For example, create a user <strong id="EN-US_TOPIC_0000001145894533__b11967125692018">joe</strong> and set the <strong id="EN-US_TOPIC_0000001145894533__b280419111218">CREATEDB</strong> attribute for the user.<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001145894533__s892d131194b3404fa2acfc6472700f9f"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">USER</span><span class="w"> </span><span class="n">joe</span><span class="w"> </span><span class="k">WITH</span><span class="w"> </span><span class="k">CREATEDB</span><span class="w"> </span><span class="n">PASSWORD</span><span class="w"> </span><span class="s1">'password'</span><span class="p">;</span><span class="w"></span>
</pre></div></td></tr></table></div>
</div>
</div>
</li><li id="EN-US_TOPIC_0000001145894533__lccbf77bee88541569c5e40005095843d">To create a system administrator, use the CREATE USER statement with the <strong id="EN-US_TOPIC_0000001145894533__b1478612392112">SYSADMIN</strong> parameter.</li><li id="EN-US_TOPIC_0000001145894533__ldd3060b2c4914b6a82e6696cb970c61f">To delete an existing user, use the DROP USER statement.</li><li id="EN-US_TOPIC_0000001145894533__l0d85d2fc5c794bc4b83988b683ea8267">To change a user account (for example, rename the user or change the password), use the ALTER USER statement.</li><li id="EN-US_TOPIC_0000001145894533__en-us_topic_0155089862_li69266599132">To view a user list, query the <a href="dws_04_0791.html">PG_USER</a> view.<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001145894533__sc2a210ac740e4d19bd710d40d9496405"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">pg_user</span><span class="p">;</span><span class="w"> </span>
</pre></div></td></tr></table></div>
</div>
</li><li id="EN-US_TOPIC_0000001145894533__l46bd6ed365544771a90386e90a1f5c31">To view user attributes, query the system catalog <a href="dws_04_0574.html">PG_AUTHID</a>.<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001145894533__s5d4870c3957d4590a2bdfd86247e801f"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">pg_authid</span><span class="p">;</span><span class="w"> </span>
</pre></div></td></tr></table></div>
</div>
</li></ul>
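<p>The following is an added example (not code from the GaussDB(DWS) documentation) that walks through the full user lifecycle described in the list above, as run by a system administrator in a non-separation-of-duty cluster. The user names <strong>joe</strong>, <strong>joe_renamed</strong> and <strong>dba_ops</strong>, the table name and the password placeholders are constructed; replace the placeholders with passwords that satisfy the cluster's password policy.</p>

```sql
-- Added example, not part of the original page. Run as a system
-- administrator (or a security administrator with CREATEROLE).
-- All names and password placeholders below are constructed.

-- 1. Create an ordinary user that may create databases.
CREATE USER joe WITH CREATEDB PASSWORD '<Strong-Password-1>';

-- 2. Create a system administrator. SYSADMIN carries every privilege,
--    so keep the number of such accounts to a minimum.
CREATE USER dba_ops WITH SYSADMIN PASSWORD '<Strong-Password-2>';

-- 3. Change the account: rename it, rotate its password, and remove
--    the CREATEDB attribute once it is no longer needed (least privilege).
ALTER USER joe RENAME TO joe_renamed;
ALTER USER joe_renamed PASSWORD '<Strong-Password-3>';
ALTER USER joe_renamed NOCREATEDB;

-- 4. Review the result. PG_USER is the routine listing; it does not
--    expose password hashes, so it is the safer view for day-to-day checks.
SELECT usename, usesysid, usecreatedb, usesuper
  FROM pg_user
 WHERE usename IN ('joe_renamed', 'dba_ops');

--    PG_AUTHID holds the full attribute set, including the stored
--    password hash in rolpassword. Select only the columns you need
--    and never copy rolpassword into logs or tickets.
SELECT rolname, rolcreatedb, rolcreaterole, rolcanlogin
  FROM pg_authid
 WHERE rolname IN ('joe_renamed', 'dba_ops');

-- 5. Remove the user. DROP USER fails while the user still owns objects;
--    reassign or drop those objects deliberately first rather than
--    forcing the drop, so that nothing disappears unnoticed.
DROP USER joe_renamed;
```

<p>A practical check after step 3: the second <strong>SELECT</strong> should show <strong>rolcreatedb</strong> as false for <strong>joe_renamed</strong>, confirming that the attribute was actually removed and not merely intended.</p>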
</div>
<div class="section" id="EN-US_TOPIC_0000001145894533__section12234116194510"><h4 class="sectiontitle">Private Users</h4><p id="EN-US_TOPIC_0000001145894533__p27831729154519">If multiple service departments use different database user accounts to perform service operations and a database maintenance department at the same level uses database administrator accounts to perform maintenance operations, service departments may require that database administrators, without specific authorization, can manage (<strong id="EN-US_TOPIC_0000001145894533__b2861135378">DROP</strong>, <strong id="EN-US_TOPIC_0000001145894533__b18121314377">ALTER</strong>, and <strong id="EN-US_TOPIC_0000001145894533__b27847201375">TRUNCATE</strong>) their data but cannot access (<strong id="EN-US_TOPIC_0000001145894533__b283111351272">INSERT</strong>, <strong id="EN-US_TOPIC_0000001145894533__b209979439718">DELETE</strong>, <strong id="EN-US_TOPIC_0000001145894533__b203235217713">UPDATE</strong>, <strong id="EN-US_TOPIC_0000001145894533__b81458561971">SELECT</strong>, and <strong id="EN-US_TOPIC_0000001145894533__b1517715510817">COPY</strong>) the data. That is, the management permissions of database administrators for tables need to be isolated from their access permissions to improve the data security of common users.</p>
<p id="EN-US_TOPIC_0000001145894533__p93879318541">In <a href="dws_04_0056.html">Separation of Permissions</a> mode, a database administrator has no permissions on the tables in other users' schemas: neither management permissions nor access permissions. This does not meet the requirement of the service departments described above, because they still want administrators to manage their tables. Therefore, <span id="EN-US_TOPIC_0000001145894533__text1006556763">GaussDB(DWS)</span> provides private users to solve the problem: in non-separation-of-duty mode, create private users with the <strong id="EN-US_TOPIC_0000001145894533__b45047117216">INDEPENDENT</strong> attribute.</p>
<div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001145894533__screen89147321833"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">USER</span><span class="w"> </span><span class="n">user_independent</span><span class="w"> </span><span class="k">WITH</span><span class="w"> </span><span class="n">INDEPENDENT</span><span class="w"> </span><span class="n">IDENTIFIED</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="ss">&quot;password&quot;</span><span class="p">;</span><span class="w"></span>
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001145894533__p14363122319413">Database administrators can manage (<strong id="EN-US_TOPIC_0000001145894533__b66215232236">DROP</strong>, <strong id="EN-US_TOPIC_0000001145894533__b63414253235">ALTER</strong>, and <strong id="EN-US_TOPIC_0000001145894533__b19965152618239">TRUNCATE</strong>) objects of private users but cannot access (<strong id="EN-US_TOPIC_0000001145894533__b1120123314246">INSERT</strong>, <strong id="EN-US_TOPIC_0000001145894533__b1219413384247">DELETE</strong>, <strong id="EN-US_TOPIC_0000001145894533__b178731641172414">SELECT</strong>, <strong id="EN-US_TOPIC_0000001145894533__b79794513240">UPDATE</strong>, <strong id="EN-US_TOPIC_0000001145894533__b12131448202414">COPY</strong>, <strong id="EN-US_TOPIC_0000001145894533__b3130185152415">GRANT</strong>, <strong id="EN-US_TOPIC_0000001145894533__b62591354192411">REVOKE</strong>, and <strong id="EN-US_TOPIC_0000001145894533__b669210552516">ALTER OWNER</strong>) the objects until the private user authorizes them.</p>
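<p>The following is an added example (not code from the GaussDB(DWS) documentation) that demonstrates the separation between management and access permissions that a private user provides. It assumes a system administrator account named <strong>dbadmin</strong>, the private user <strong>user_independent</strong> with its same-named schema, and a constructed table <strong>orders</strong>; the password placeholder must be replaced with one that meets the cluster's password policy. The comments state who runs each statement and which outcome the documentation above leads you to expect.</p>

```sql
-- Added example, not part of the original page. Names are constructed.

-- Run as the system administrator (dbadmin), non-separation-of-duty mode:
-- create the private user. A schema of the same name is used below.
CREATE USER user_independent WITH INDEPENDENT IDENTIFIED BY '<Strong-Password>';

-- Run as user_independent: create and fill a table in the private schema.
CREATE TABLE user_independent.orders (id int, amount numeric);
INSERT INTO user_independent.orders VALUES (1, 9.99), (2, 19.50);

-- Run as dbadmin: management operations succeed without any grant ...
ALTER TABLE user_independent.orders ADD COLUMN note text;
TRUNCATE TABLE user_independent.orders;     -- allowed, and destructive

-- ... but access operations are rejected before authorization.
SELECT * FROM user_independent.orders;      -- expected: permission denied
INSERT INTO user_independent.orders VALUES (3, 1.00);   -- expected: permission denied
-- dbadmin also cannot hand itself access, because GRANT on a private
-- user's object is itself an access operation:
GRANT SELECT ON user_independent.orders TO dbadmin;     -- expected: permission denied

-- Run as user_independent: the owner decides who may read the data.
INSERT INTO user_independent.orders VALUES (4, 5.00);
GRANT SELECT ON user_independent.orders TO dbadmin;

-- Run as dbadmin: the read is now permitted, and only the read.
SELECT * FROM user_independent.orders;      -- expected: one row (4, 5.00)
DELETE FROM user_independent.orders;        -- expected: permission denied

-- Run as user_independent: authorization can be withdrawn again.
REVOKE SELECT ON user_independent.orders FROM dbadmin;
```

<p>Note what this isolation does and does not give you: it protects the confidentiality of the private user's data against administrators, but <strong>TRUNCATE</strong> and <strong>DROP</strong> remain available to them without any grant, so it does not protect integrity or availability. Treat those management operations on private users' objects as events worth auditing, and keep the grants issued by private users as narrow as the example shows (a single privilege on a single table).</p>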
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_04_0053.html">Managing Users and Their Permissions</a></div>
</div>
</div>