diff --git a/user-account-management.md b/user-account-management.md index 1b8d020c56623..477651bd4a281 100644 --- a/user-account-management.md +++ b/user-account-management.md @@ -37,22 +37,107 @@ You can create TiDB accounts in two ways: It is recommended to use the account-management statements, because manipulating the privilege tables directly can lead to incomplete updates. You can also create accounts by using third party GUI tools. -The following example uses the `CREATE USER` and `GRANT` statements to set up four accounts: +{{< copyable "sql" >}} ```sql -mysql> CREATE USER 'finley'@'localhost' IDENTIFIED BY 'some_pass'; -mysql> GRANT ALL PRIVILEGES ON *.* TO 'finley'@'localhost' WITH GRANT OPTION; -mysql> CREATE USER 'finley'@'%' IDENTIFIED BY 'some_pass'; -mysql> GRANT ALL PRIVILEGES ON *.* TO 'finley'@'%' WITH GRANT OPTION; -mysql> CREATE USER 'admin'@'localhost' IDENTIFIED BY 'admin_pass'; -mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost'; -mysql> CREATE USER 'dummy'@'localhost'; +CREATE USER [IF NOT EXISTS] user [IDENTIFIED BY 'auth_string']; ``` -To see the privileges for an account, use `SHOW GRANTS`: +After you assign the password, TiDB encrypts and stores the `auth_string` in the `mysql.user` table. + +{{< copyable "sql" >}} + +```sql +CREATE USER 'test'@'127.0.0.1' IDENTIFIED BY 'xxx'; +``` + +The name of a TiDB account consists of a user name and a hostname. The syntax of the account name is 'user_name'@'host_name'. + +- `user_name` is case sensitive. + +- `host_name` is a hostname or IP address, which supports the wild card `%` or `_`. For example, the hostname `'%'` matches all hosts, and the hostname `'192.168.1.%'` matches all hosts in the subnet. + +The host supports fuzzy matching: + +{{< copyable "sql" >}} + +```sql +CREATE USER 'test'@'192.168.10.%'; +``` + +The `test` user is allowed to log in from any hosts on the `192.168.10` subnet. + +If the host is not specified, the user is allowed to log in from any IP. If no password is specified, the default is empty password: + +{{< copyable "sql" >}} + +```sql +CREATE USER 'test'; +``` + +Equivalent to: + +{{< copyable "sql" >}} + +```sql +CREATE USER 'test'@'%' IDENTIFIED BY ''; +``` + +If the specified user does not exist, the behavior of automatically creating users depends on `sql_mode`. If the `sql_mode` includes `NO_AUTO_CREATE_USER`, the `GRANT` statement will not create users with an error returned. + +For example, assume that the `sql_mode` does not include `NO_AUTO_CREATE_USER`, and you use the following `CREATE USER` and `GRANT` statements to create four accounts: + +{{< copyable "sql" >}} + +```sql +CREATE USER 'finley'@'localhost' IDENTIFIED BY 'some_pass'; +``` + +{{< copyable "sql" >}} + +```sql +GRANT ALL PRIVILEGES ON *.* TO 'finley'@'localhost' WITH GRANT OPTION; +``` + +{{< copyable "sql" >}} + +```sql +CREATE USER 'finley'@'%' IDENTIFIED BY 'some_pass'; +``` + +{{< copyable "sql" >}} + +```sql +GRANT ALL PRIVILEGES ON *.* TO 'finley'@'%' WITH GRANT OPTION; +``` + +{{< copyable "sql" >}} + +```sql +CREATE USER 'admin'@'localhost' IDENTIFIED BY 'admin_pass'; +``` + +{{< copyable "sql" >}} ```sql -mysql> SHOW GRANTS FOR 'admin'@'localhost'; +GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost'; +``` + +{{< copyable "sql" >}} + +```sql +CREATE USER 'dummy'@'localhost'; +``` + +To see the privileges granted for an account, use the `SHOW GRANTS` statement: + +{{< copyable "sql" >}} + +```sql +SHOW GRANTS FOR 'admin'@'localhost'; +``` + +``` +-----------------------------------------------------+ | Grants for admin@localhost | +-----------------------------------------------------+ @@ -64,10 +149,14 @@ mysql> SHOW GRANTS FOR 'admin'@'localhost'; To remove a user account, use the `DROP USER` statement: +{{< copyable "sql" >}} + ```sql -mysql> DROP USER 'test'@'localhost'; +DROP USER 'test'@'localhost'; ``` +This operation clears the user's records in the `mysql.user` table and the related records in the privilege table. + ## Reserved user accounts TiDB creates the `'root'@'%'` default account during the database initialization. @@ -107,14 +196,18 @@ TiDB stores passwords in the `mysql.user` system database. Operations that assig skip-grant-table = true ``` -2. Use `root` to log in and then modify the password: +2. Start TiDB with the modified configuration. Use `root` to log in and then modify the password: ```bash mysql -h 127.0.0.1 -P 4000 -u root ``` +When the `skip-grant-table` is set, starting the TiDB process will check whether the user is an administrator of the operating system, and only the `root` user of the operating system can start the TiDB process. + ## `FLUSH PRIVILEGES` +Information related to users and privileges is stored in the TiKV server, and TiDB caches this information inside the process. Generally, modification of the related information through `CREATE USER`, `GRANT`, and other statements takes effect quickly within the entire cluster. If the operation is affected by some factors such as temporarily unavailable network, the modification will take effect in about 15 minutes because TiDB will periodically reload the cache information. + If you modified the privilege tables directly, run the following command to apply changes immediately: ```sql