---
title: User and Access Control
sidebar_label: Access Control
description: This document describes how to manage users and permissions in TDengine.
---

This document describes how to manage permissions in TDengine. User and access control is a distinguished feature of TDengine Enterprise Edition. This section demonstrates only the most fundamental user and access control functionality. For complete information, please contact the TDengine team.

## Create a User

```sql
CREATE USER user_name PASS 'password' [SYSINFO {1|0}];
```

This statement creates a user account.

The maximum length of user_name is 23 bytes.

The maximum length of password is 31 bytes. The password can include letters, digits, and special characters excluding single quotation marks, double quotation marks, backticks, backslashes, and spaces. The password cannot be empty.

`SYSINFO` indicates whether the user is allowed to view system information. `1` means allowed, `0` means not allowed. System information includes server configuration, dnodes, vnodes, and storage. The default value is `1`.

For example, the following statement creates a user `test` whose password is `123456` and who is able to view system information.

```sql
taos> create user test pass '123456' sysinfo 1;
Query OK, 0 of 0 rows affected (0.001254s)
```
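
A provisioning script can enforce the limits above before it sends `CREATE USER`. The following is an added example, not part of the TDengine documentation or code. It assumes that byte lengths are counted on the UTF-8 encoding and, because this page gives no character rules for user_name, accepts only plain identifiers; the function names are hypothetical.

```python
import re

MAX_USER_BYTES = 23   # limit stated on this page
MAX_PASS_BYTES = 31   # limit stated on this page
# Single quote, double quote, backtick, backslash and space are not allowed.
FORBIDDEN_PASS_CHARS = set("'\"`\\ ")
# Assumption: a conservative identifier form, stricter than the page requires.
USER_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_user_name(name: str) -> list[str]:
    problems = []
    if not USER_NAME_RE.fullmatch(name):
        problems.append("user_name is not a plain identifier")
    if len(name.encode("utf-8")) > MAX_USER_BYTES:
        problems.append("user_name exceeds 23 bytes")
    return problems


def check_password(password: str) -> list[str]:
    problems = []
    if not password:
        problems.append("password is empty")
    # Assumption: bytes are counted on the UTF-8 encoding, so non-ASCII
    # characters can exceed the limit with fewer than 32 characters.
    if len(password.encode("utf-8")) > MAX_PASS_BYTES:
        problems.append("password exceeds 31 bytes")
    bad = sorted(FORBIDDEN_PASS_CHARS.intersection(password))
    if bad:
        problems.append("password contains forbidden characters: " + repr(bad))
    return problems


def build_create_user(name: str, password: str, sysinfo: bool = False) -> str:
    """Return a CREATE USER statement, or raise ValueError listing every problem.

    sysinfo defaults to False here so the script must opt in to SYSINFO 1,
    unlike the server-side default of 1.
    """
    problems = check_user_name(name) + check_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    # Safe to interpolate: quotes and backslashes were rejected above.
    return f"CREATE USER {name} PASS '{password}' SYSINFO {1 if sysinfo else 0};"
```
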

## View Users

To show the users in the system, use:

```sql
SHOW USERS;
```

This is an example:

```sql
taos> show users;
           name           | super | enable | sysinfo |       create_time       |
================================================================================
 test                     |     0 |      1 |       1 | 2022-08-29 15:10:27.315 |
 root                     |     1 |      1 |       1 | 2022-08-29 15:03:34.710 |
Query OK, 2 rows in database (0.001657s)
```

Alternatively, you can get the user information by querying a built-in table, INFORMATION_SCHEMA.INS_USERS. For example:

```sql
taos> select * from information_schema.ins_users;
           name           | super | enable | sysinfo |       create_time       |
================================================================================
 test                     |     0 |      1 |       1 | 2022-08-29 15:10:27.315 |
 root                     |     1 |      1 |       1 | 2022-08-29 15:03:34.710 |
Query OK, 2 rows in database (0.001953s)
```
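
The user listing can be reviewed mechanically, for instance to find standard users that kept the default `SYSINFO 1`. The following is an added example, not part of the TDengine documentation or code. It parses the table format shown above; the sample text is constructed and the `old_app` account is hypothetical.

```python
# Constructed sample in the SHOW USERS output format shown on this page,
# with a hypothetical third account (old_app) added.
SAMPLE = """\
           name           | super | enable | sysinfo |       create_time       |
================================================================================
 test                     |     0 |      1 |       1 | 2022-08-29 15:10:27.315 |
 root                     |     1 |      1 |       1 | 2022-08-29 15:03:34.710 |
 old_app                  |     0 |      0 |       1 | 2022-08-29 15:20:00.000 |
Query OK, 3 rows in database (0.001657s)
"""


def parse_users(output: str) -> list[dict]:
    """Parse taos CLI table output into one dict per user row."""
    header, rows = None, []
    for line in output.splitlines():
        if "|" not in line:
            continue  # separator, prompt and "Query OK" lines
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def review(users: list[dict]) -> dict[str, list[str]]:
    """Group account names by the finding a reviewer would follow up on."""
    findings = {"superuser": [], "sysinfo_visible": [], "disabled": []}
    for u in users:
        if u["enable"] == "0":
            findings["disabled"].append(u["name"])  # candidate for DROP USER
            continue
        if u["super"] == "1":
            findings["superuser"].append(u["name"])
        elif u["sysinfo"] == "1":
            # SYSINFO defaults to 1, so this lists every enabled standard
            # user that was created without an explicit SYSINFO 0.
            findings["sysinfo_visible"].append(u["name"])
    return findings
```
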

## Delete a User

```sql
DROP USER user_name;
```

## Modify User Information

```sql
ALTER USER user_name alter_user_clause
 
alter_user_clause: {
    PASS 'literal'
  | ENABLE value
  | SYSINFO value
}
```

- PASS: Modify the user password.
- ENABLE: Specify whether the user is enabled or disabled. 1 indicates enabled and 0 indicates disabled.
- SYSINFO: Specify whether the user can query system information. 1 indicates that the user can query system information and 0 indicates that the user cannot query system information.

For example, you can use the following command to disable user `test`:

```sql
taos> alter user test enable 0;
Query OK, 0 of 0 rows affected (0.001160s)
```

## Grant Permissions

```sql
GRANT privileges ON priv_level TO user_name
 
privileges : {
    ALL
  | priv_type [, priv_type] ...
}
 
priv_type : {
    READ
  | WRITE
}
 
priv_level : {
    dbname.*
  | *.*
}
```

Grant permissions to a user. This feature is only available in the enterprise edition.

Permissions are granted on the database level. You can grant read or write permissions.

TDengine has superusers and standard users. The default superuser name is root. This account has all permissions. You can use the superuser account to create standard users. Without being granted any permissions, standard users can create databases and have permissions on the databases that they create. These include deleting, modifying, querying, and writing to their own databases. Superusers can grant users permission to read and write other databases. However, standard users cannot delete or modify databases created by other users.

For non-database objects such as users, dnodes, and user-defined functions, standard users have read permissions only, generally by means of the SHOW statement. Standard users cannot create or modify these objects.

## Revoke Permissions

```sql
REVOKE privileges ON priv_level FROM user_name
 
privileges : {
    ALL
  | priv_type [, priv_type] ...
}
 
priv_type : {
    READ
  | WRITE
}
 
priv_level : {
    dbname.*
  | *.*
}

```

Revoke permissions from a user. This feature is only available in the enterprise edition.