Skip to content

Propagate changes to distributed-database-middleware-api-ref from PreProd environment #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
otcbot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Propagate changes to distributed-database-middleware-api-ref from PreProd environment #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added umn/source/_static/images/en-us_image_0000002454002032.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
48 changes: 24 additions & 24 deletions umn/source/account_management/creating_an_account.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,29 +20,29 @@ Procedure

.. table:: **Table 1** Required parameters

+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Parameter | Description |
+===================================+========================================================================================================================================================+
| Username | Username of the account. |
| | |
| | The username can consist of 1 to 32 characters and must start with a letter. Only letters, digits, and underscores (_) are allowed. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Password | Password of the account. The password: |
| | |
| | - Can include 8 to 32 characters. |
| | - Must contain at least three of the following character types: lowercase letters, uppercase letters, digits, and special characters ``~!@#%^*-_=+?`` |
| | - Cannot be a weak password. It cannot be overly simple and easily guessed. |
| | - Cannot be the username or the username spelled backwards. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Confirm Password | The confirm password must be the same as the entered password. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Schema | Schema to be associated with the account. You can select an existing schema from the drop-down list. |
| | |
| | The account can be used to access only the associated schemas. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Permissions | Options: **CREATE**, **DROP**, **ALTER**, **INDEX**, **INSERT**, **DELETE**, **UPDATE**, and **SELECT**. You can select any or a combination of them. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Description | Description of the account, which cannot exceed 256 characters. |
+-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Parameter | Description |
+===================================+=======================================================================================================================================================+
| Username | Username of the account. |
| | |
| | The username can consist of 1 to 32 characters and must start with a letter. Only letters, digits, and underscores (_) are allowed. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Password | Password of the account. The password: |
| | |
| | - Can include 8 to 32 characters. |
| | - Must contain at least three of the following character types: lowercase letters, uppercase letters, digits, and special characters ``~!@#%^*-_+?`` |
| | - Cannot be a weak password. It cannot be overly simple and easily guessed. |
| | - Cannot be the username or the username spelled backwards. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Confirm Password | The confirm password must be the same as the entered password. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Schema | Schema to be associated with the account. You can select an existing schema from the drop-down list. |
| | |
| | The account can be used to access only the associated schemas. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Permissions | Options: **CREATE**, **DROP**, **ALTER**, **INDEX**, **INSERT**, **DELETE**, **UPDATE**, and **SELECT**. You can select any or a combination of them. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Description | Description of the account, which cannot exceed 256 characters. |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

#. Confirm the settings and click **OK**.
2 changes: 2 additions & 0 deletions umn/source/account_management/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ Account Management
- :ref:`Modifying an Account <ddm_05_0133>`
- :ref:`Deleting an Account <ddm_05_0134>`
- :ref:`Resetting the Password of an Account <ddm_05_0008>`
- :ref:`Managing Permissions <ddm_05_0020>`

.. toctree::
:maxdepth: 1
Expand All @@ -18,3 +19,4 @@ Account Management
modifying_an_account
deleting_an_account
resetting_the_password_of_an_account
managing_permissions/index
14 changes: 14 additions & 0 deletions umn/source/account_management/managing_permissions/account_permissions.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
:original_name: ddm_12_0002.html

.. _ddm_12_0002:

Account Permissions
===================

DDM permissions management is based on MySQL permissions management. DDM supports most of MySQL syntax and permissions. For more information about MySQL accounts and permissions, see `MySQL documentation <https://dev.mysql.com/doc/refman/5.7/en/access-control.html>`__.

This document describes DDM account rules, permission levels, permission items, and permission operations.

.. note::

DDM Accounts created by CREATE USER or GRANT have nothing to do with accounts in associated RDS instances, and will not be synchronized to RDS instances either.
24 changes: 24 additions & 0 deletions umn/source/account_management/managing_permissions/account_requirements.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
:original_name: ddm_12_0003.html

.. _ddm_12_0003:

Account Requirements
====================

Account
-------

Different from MySQL, DDM identifies an account by username, not by username@host.

Username
--------

- Must be case-sensitive.
- Contains 1 to 32 characters and must start with a letter. Only letters, digits, and underscores (_) are allowed.

Password
--------

- Contains 8 to 32 characters.
- Must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters ``~!@#%^*-_+?``
- Cannot be a weak password that is easily guessed.
18 changes: 18 additions & 0 deletions umn/source/account_management/managing_permissions/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
:original_name: ddm_05_0020.html

.. _ddm_05_0020:

Managing Permissions
====================

- :ref:`Account Permissions <ddm_12_0002>`
- :ref:`Account Requirements <ddm_12_0003>`
- :ref:`Managing Permissions <ddm_12_0004>`

.. toctree::
:maxdepth: 1
:hidden:

account_permissions
account_requirements
managing_permissions
220 changes: 220 additions & 0 deletions umn/source/account_management/managing_permissions/managing_permissions.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
:original_name: ddm_12_0004.html

.. _ddm_12_0004:

Managing Permissions
====================

Permission Levels
-----------------

- User level (supported)
- Database level (supported)
- Table level (supported)
- Column level (not supported)
- Subprogram level (not supported)
- Global level (not supported)

Permission Types
----------------

DDM supports different permission types by using the GRANT statement.

=============== ==========================================
Permission Type Description
=============== ==========================================
ALL All permissions
DROP Deleting a table
INDEX Creating/Deleting an index
ALTER Executing ALTER statements
CREATE Creating a table
SELECT Reading table data
INSERT Inserting data to a table
UPDATE Updating data in a table
GRANT Granting permissions to users
REVOKE Deleting a user permission
SET Setting user's passwords
FILE Uploading database permissions from a file
CREATE USER Creating a user
=============== ==========================================

Precautions
-----------

- Basic permissions of a DDM account can only be modified on the DDM console.
- If a DDM account has table or database permissions on a schema, the schema will be displayed in the row where the account is located.
- Users created by the CREATE USER statement support only user-level permissions.
- If a DDM account has been associated with a schema, deleting this schema or tables in it does not affect the permissions assigned to the account.
- Permissions cannot be assigned to a DDM account created on the management and control plane unless the account is associated with a schema.

Permission Operations
---------------------

.. important::

SHOW GRANTS is supported in versions in 3.0.2 or later. Other functions are available in versions 2.4.1.4 or later.

**CREATE USER**

Syntax:

.. code-block::

CREATE USER username IDENTIFIED BY 'password';

Example: **Creating an account (whose name is Jenny and whose password is changed from xxxxxx to a custom one)**

.. code-block::

CREATE USER Jenny IDENTIFIED BY 'xxxxxx';

.. note::

Each username and password must meet the corresponding requirements.

**DROP USER**

Syntax:

.. code-block::

DROP USER username

Example: **Removing user1**

.. code-block::

DROP USER user1;

**SET PASSWORD**

Syntax:

.. code-block::

SET PASSWORD FOR 'username'@'%' = 'password'

.. note::

To be compatible with the MySQL syntax, the username must be in the format of 'username'@'%'.

Example: **Changing the password of Jenny**

.. code-block::

SET PASSWORD FOR 'Jenny'@'%' = 'new_password'

**GRANT**

Syntax:

.. code-block::

GRANT
priv_type[, priv_type] ...
ON priv_level
TO user [auth_option]
priv_level: {
| *.*
| db_name.*
| db_name.tbl_name
| tbl_name}
auth_option: {
IDENTIFIED BY 'password'
}

.. note::

If a GRANT statement provides no accounts and does not specify **IDENTIFIED BY**, a message **No account found** will be returned. If **IDENTIFIED BY** is specified, an account will be created accordingly and permissions will be granted to it.

GRANT ALL [PRIVILEGES] can be used to assign table-, user-, and database-level permissions.

Example 1: Create a user-level account with all permissions. The username is **user2**.

Method 1: Create an account and then grant permissions to it.

.. code-block::

CREATE USER user2 IDENTIFIED BY 'password';
GRANT SELECT, INSERT ON *.* to user2;

Method 2: Use one SQL statement to create an account and grant it permissions.

.. code-block::

GRANT SELECT, INSERT ON *.* to user2 IDENTIFIED BY 'password';

Example 2: Create a database-level account with all permissions. Create account **user3** in database **testdb** and grant the SELECT permissions of database **testdb** to the account.

Method 1: Create an account and then grant permissions to it.

.. code-block::

CREATE USER user3 IDENTIFIED BY 'password';
GRANT SELECT ON testdb.* to user3;

Method 2: Use one SQL statement to create an account and grant it permissions.

.. code-block::

GRANT SELECT ON testdb.* to user3 IDENTIFIED BY 'password';

Example 3: Create a table-level account with all permissions. Create account **user4** in database **testdb** and grant all permissions of table **testdb.employees** to the account.

.. code-block::

GRANT ALL PRIVILEGES ON testdb.employees to user4 IDENTIFIED BY 'password';

**REVOKE**

Syntax:

.. code-block::

REVOKE
priv_type [, priv_type] ...
ON priv_level FROM user;

Example: Deleting CREATE, DROP, and INDEX permissions of user **user4** on table **testdb.emp**.

.. code-block::

REVOKE CREATE,DROP,INDEX ON testdb.emp FROM user4;

.. note::

REVOKE can delete actions at each permission level of an account. The permission level is specified by **priv_level**.

**SHOW GRANTS**

Syntax:

.. code-block::

SHOW GRANTS FOR username;

Example 1: Querying user permissions with any of the following statements:

.. code-block::

SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
SHOW GRANTS FOR CURRENT_USER();


.. figure:: /_static/images/en-us_image_0000002454002032.png
:alt: **Figure 1** Viewing the permissions of the current user

**Figure 1** Viewing the permissions of the current user

Example 2: Querying other permissions. This operation can be performed only when the current user can grant user-level permissions.

.. code-block::

mysql> show grants for user4;
+-----------------------------+
|Grants for user4 |
+-----------------------------+
|GRANT USAGE ON *.* TO user4 |
+-----------------------------+
1 row in set (0.00 sec)
Loading