Authentication and Authorization
When accessing the MatrixOne database, users need to undergo authentication and authorization. Currently, MatrixOne only supports username-password authentication. The database verifies the identity of the user accessing the data, confirms whether the user can be associated with a database user, and checks the validity of the provided password.
Syntax
In MatrixOne, a user's login identity comprises acccount_name
, user_name
, host
, and password
. The complete syntax is as follows:
mysql -h host -p password -u accountname:username -P port
The -h
, -p
, and -P
parameters are the same as those used in MySQL. The difference lies in:
-u
represents the user. In MatrixOne's user system, users are a concept below the tenantaccount
. Therefore, when logging in, you need to specify the tenantaccount_name
first and then specify the userusername
within the tenant to complete the login. Ifaccount_name
is not specified, the default is the system tenantsys
.
Example:
> mysql -h 127.0.0.1 -P6001 -utenant1:u1 -p111
Note
For the standalone version of MatrixOne, you can configure the connection string as parameters in the mo_ctl tool to simplify the login process.
Query Current User
After logging in, you can retrieve information about the current user using the user()
or current_user()
functions.
mysql> select user();
+--------------------+
| user() |
+--------------------+
| tenant1:u1@0.0.0.0 |
+--------------------+
1 row in set (0.00 sec)
mysql> select current_user();
+--------------------+
| current_user() |
+--------------------+
| tenant1:u1@0.0.0.0 |
+--------------------+
1 row in set (0.00 sec)
Note
MatrixOne currently does not support IP whitelisting. Therefore, regardless of the location you log in, the user will always be shown as 0.0.0.0.
Query All Users
Each user identity is unique, and users with the accountadmin
role in a tenant can view all users within that tenant.
mysql> select * from mo_catalog.mo_user;
+---------+-----------+-----------+-------------------------------------------+--------+---------------------+--------------+------------+---------+-------+--------------+
| user_id | user_host | user_name | authentication_string | status | created_time | expired_time | login_type | creator | owner | default_role |
+---------+-----------+-----------+-------------------------------------------+--------+---------------------+--------------+------------+---------+-------+--------------+
| 10001 | localhost | u1 | *832EB84CB764129D05D498ED9CA7E5CE9B8F83EB | unlock | 2023-07-10 06:43:44 | NULL | PASSWORD | 0 | 0 | 1 |
| 0 | localhost | root | *832EB84CB764129D05D498ED9CA7E5CE9B8F83EB | unlock | 2023-07-08 03:17:27 | NULL | PASSWORD | 0 | 0 | 0 |
| 1 | localhost | root | *832EB84CB764129D05D498ED9CA7E5CE9B8F83EB | unlock | 2023-07-08 03:17:27 | NULL | PASSWORD | 0 | 0 | 0 |
+---------+-----------+-----------+-------------------------------------------+--------+---------------------+--------------+------------+---------+-------+--------------+
3 rows in set (0.01 sec)
Note
The location and table structure of user records in MatrixOne differs from MySQL. In MatrixOne, user metadata is not stored in the mysql.user
table but in the mo_catalog.mo_user
table.
Constraints
- MatrixOne currently does not enforce password complexity requirements. It is recommended that users set strong passwords. For password modification operations, refer to Password Management.
- The initial password for the initial user (
root
user of thesys
tenant) in MatrixOne is 111. After users modify their passwords, they need to remember the new password. Once a password is forgotten, MatrixOne currently does not provide a means to retrieve or bypass security verification to reset the password. Reinstallation of MatrixOne is required.