Privileges Management Overview
Manage Account
- Prerequisites: Account management is only possible with a cluster administrator (the default account is the root).
The roles and permissions corresponding to the root are shown in the following table:
Username | Explanation | Role | Privilege | Description |
---|---|---|---|---|
root | Cluster administrator | MOADMIN | Create, edit, delete accounts | Automatically generated and granted after cluster creation |
root | System account administrator | MOADMIN | Manage all resources under the system account, including users, roles, databases/tables/views, authorization management | Automatically generated and granted after the cluster is created |
Create Account
SQL Statement
create account <account_name> admin_name='<user_name>' identified by '<password>';
Parameter Description
Parameter | Description |
---|---|
account_name | account name |
user_name | The administrator username of the newly created account, which will be automatically granted the highest privilege role of the account, namely ACCOUNTADMIN |
password | Newly created account administrator password |
For more information, see CREATE ACCOUNT.
Select Account
SQL Statement
select * from mo_catalog.mo_account;
Delect Account
SQL Statement
drop account if exists <account_name>;
Parameter Description
Parameter | Description |
---|---|
account_name | The name of the account to be deleted |
Note
After the account is deleted, it cannot be restored, including all data under the account account. Please use it with caution.
For more information, see DROP ACCOUNT.
Manage User
Create User
-
Prerequisites: Has the
CREATE USER
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Create a username and password for a user in the current account.
SQL Statement
create user <user_name> identified by '<password>';
Parameter Description
Parameter | Description |
---|---|
user_name | The name of a new user |
password | The password of a new user |
For more information, see CREATE USER.
View User
-
Prerequisites: Has the privilege to view users.
· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: View all the users in the current account.
SQL Statement
select * from mo_catalog.mo_user;
Delete User
-
Prerequisites: Has the
DROP USER
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Delete the specified user in the current account.
SQL Statement
drop user if exist <user_name>;
Parameter Description
Parameter | Description |
---|---|
user_name | The name of the user to be deleted |
Note
When deleting a user, you need to stop the user's current session first, otherwise the deletion will fail.
For more information, see DROP USER.
Manage Role
Create Role
-
Prerequisites: Has the
CREATE ROLE
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Create a custom role in the current account.
SQL Statement
create role <role_name>;
Parameter Description
Parameter | Description |
---|---|
role_name | The name of a new role |
For more information, see CREATE ROLE.
View Role
-
Prerequisites: Has the privilege to view role.
· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: View all the roles in the current account.
SQL Statement
select * from mo_catalog.mo_role;
Switch Role
-
Prerequisites: Has the
SET ROLE
privilege. By default, all users have this privilege. -
Introduction: Switch the role of the user in the account, and obtain the privilege of the secondary role to execute the corresponding SQL.
SQL Statement
set role <role_name>;
Parameter Description
Parameter | Description |
---|---|
role_name | The name of the role to be switched |
For more information, see SET ROLE.
Delete Role
-
Prerequisites: Has the
DROP ROLE
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Delete the specified role in the current account.
SQL Statement
drop role if exists <role_name>;
Parameter Description
Parameter | Description |
---|---|
role_name | The name of the role to be deleted |
Note
When deleting a specified role, the roles of authorized users will be recovered simultaneously.
For more information, see DROP ROLE.
Manage Privilege
Grant an object privilege to a role
-
Prerequisites: Has the
MANAGE GRANTS
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Grant an object privilege to a role.
SQL Statement
grant <privilege> on <object_type> <object_name> to <role_name>
Parameter Description
Parameter | Description |
---|---|
privilege | Privilege Name |
object_type | The type of object |
object_name | The name of object |
role_name | The name of the role which is granted |
For more information, see GRANT.
Grant certain kind of object privileges to a role
-
Prerequisites: Has the
MANAGE GRANTS
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Grant the privilege on all databases/tables to a role.
SQL Statement
grant <privilege> on database * to <role_name>;
grant <privilege> on table *.* to <role_name>;
Parameter Description
Parameter | Description |
---|---|
privilege | Privilege Name |
role_name | The name of the role which is granted |
Note
Although this operation is relatively simple when authorizing multiple objects of the same category, it is also prone to permission leakage, so please use it with caution.
For more information, see GRANT.
Grant a role to a user
-
Prerequisites: Has the
MANAGE GRANTS
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Grant a role to a user.
SQL Statement
grant <role_name> to <user_name>;
Parameter Description
Parameter | Description |
---|---|
role_name | The name of the role which is granted |
user_name | The name of the user which is granted |
For more information, see GRANT.
One role inherit the privileges of another role
-
Prerequisites: Has the
MANAGE GRANTS
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Let role_b inherit all privileges of role_a.
SQL Statement
grant <role_a> to <role_b>;
Note
The permissions are inherited dynamically. If the permissions of role_a change, the permissions inherited by role_b will also change dynamically. MatrixOne does not allow role ring inheritance; that is, role1 inherits role2, role2 inherits role3, but role3 can not inherits role1.
For more information, see GRANT ROLE.
Show the privilege of user
-
Prerequisites: Has the
SHOW GRANTS
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Show all privileges currently owned by the specified user.
SQL Statement
show grants for <user_name>@<localhost>
Parameter Description
Parameter | Description |
---|---|
user_name | The name of user which is granted. |
For more information, see SHOW GRANTS.
Revoke the role of user
-
Prerequisites: Has the
REVOKE
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Remove a role from a user.
SQL Statement
revoke <role_name> from <user_name>
Parameter Description
Parameter | Description |
---|---|
role_name | The name of role which is granted. |
user_name | The name of user which is granted. |
For more information, see REVOKE.
Revoke privilege of roles
-
Prerequisites: Has the
REVOKE
privilege.· The default role with this privilege is
MOADMIN
orACCOUNTADMIN
: the cluster administrator (the default account is root), and the tenant administrator created by the cluster administrator has the privilege by default. -
Introduction: Revoke privileges on an object in a role.
SQL Statement
revoke <privilege> on <object_type> <object_name> to <role_name>;
Parameter Description
Parameter | Description |
---|---|
privilege | Privilege |
object_type | The type of the object |
object_name | The name of the object |
role_name | A role that needs to be granted |
For more information, see REVOKE.