Updated on 2024-09-03 GMT+08:00

Creating a Database User

Multiple users with different permissions can be created to access a DB instance or database, but the permissions of these users cannot exceed the operation permissions of the account.

Hidden Accounts

DAS can hide your RDS for MySQL instance accounts in Table 1 to ensure that your database runs normally and to prevent your account details from being deleted by mistake.

Table 1 Accounts that DAS can hide

Account

Description

mysql.session@localhost

Internal database account configured in MySQL 5.7 or later.

mysql.sys@localhost

Internal database account configured in MySQL 5.7 or later.

mysql.infoschema@localhost

Internal database account.

root@%

Account configured when you create a MySQL instance.

rdsAdmin@localhost

Management account, which has the highest permission and is used to query and modify instance information, rectify faults, as well as migrate and restore data.

rdsBackup@localhost

Backup account, which is used for backend backup.

rdsMetric

Metering account, which is used by watchdog to collect database status data.

rdsRepl

Replication account, which is used to synchronize data from primary instances to standby instances or read replicas.

rdsProxy

Proxy account, which is used for authentication when a database is connected using a read/write splitting address. This account is automatically created when read/write splitting is enabled.

drsFull

Account added to the destination database when you start a full migration task on DRS.

drsIncremental

Account added to the destination database when you start an incremental migration task on DRS.

Precautions

For details about differences between IAM permissions and database permissions, see Differences Between IAM Permissions and Database Permissions.

Creating a User

  1. Log in to the DAS console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner, and under Databases, click Data Admin Service.
  4. In the navigation pane on the left, choose Development Tool.

    You can also click Go to Development Tool on the overview page.

  5. Locate the DB instance that you want to log in to and click Log In in the Operation column.
  6. On the top menu bar, choose Account Management > User Management.
  7. Click Create User.

    Figure 1 Creating a user

    Configure required details, such as basic information, advanced settings, global permissions, object permissions, and roles by referring to Table 2.

    Table 2 Parameter description

    Type

    Parameter

    Configuration Description

    Basic Information

    Username

    Name of the new user.

    Host

    Whitelisted IP addresses allowed to access the database server.

    • If you leave this parameter blank or enter %, the user can access all IP addresses.
    • If you enter multiple IP addresses, separate them with commas (,).

      For example, if you enter 192.%,193.% for Host, two users with host addresses of 192.% and 193.% will be created, respectively.

    • You can click Add DAS IP Address to add a DAS server IP address to the user host.

    Password

    Password of the user. The password:

    • Can include 8 to 32 characters.
    • Must contain at least three of the following character types: letters, digits, and special characters ~!@#$%^*-_=+?,()&
    • Cannot be the username or the username spelled backwards.
    • Cannot be a weak password.

    Confirm Password

    The value must be the same as the user password you set.

    Advanced Settings

    Max. Queries Per Hour

    Maximum queries that this user can execute within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum queries.

    Max. Updates Per Hour

    Maximum updates that this user can execute within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum updates.

    Max. Connections Per Hour

    Maximum connections (of this user) to the DAS server within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum connections.

    Max. User Connections

    Maximum concurrent connections to the server. If this parameter is left empty or set to 0, there is no limit on the maximum concurrent connections.

    SSL Type

    Type of certificates for authenticating user requests sent to the server.

    Issuer

    Authority that issues X.509 certificates for connecting the user to the server.

    Subject

    Subject of the X.509 certificates for connecting the user to the server.

    Algorithm

    Method of encrypting connections between the user and the server.

    Global Permissions

    Permissions granted to the user to perform operations on all databases in the current instance.

    For details about the global permissions that can be configured, see Table 3. For details about permission usages and explanations, visit the official website.

    Object Permissions

    Permissions granted to the user on specific objects.

    For details about the object permissions that can be configured, see Table 3. For details about permission usages and explanations, visit the official website.

    Example:

    The following settings grant the user the permission to query the ID of table user_test in database db_test.

    Figure 2 Adding an object permission

    On the Object Permissions tab, you can add or delete object permissions and click Save. In the displayed dialog box, click OK.

    Role

    Role of the user. Roles are only supported for MySQL 8.0.

    • Role Name: You can select an existing username in this instance.
    • Grant Role: Whether the new user can grant permissions of the selected role to another user.
    • Default Role: Whether the new user can inherit permissions of the selected role.
    NOTE:

    To manage roles, the current account must have the ROLE_ADMIN permission. You can manually assign the permission. For example, you can run the GRANT ROLE_ADMIN on *.* TO 'root'@' %' command to assign the ROLE_ADMIN permission to user root.

    Example:

    The following settings indicate that user_2 can inherit permissions of user@ and can grant permissions of user@ to another user.

    Figure 3 Granting permissions
    Table 3 Permission description

    Permission

    Description

    SELECT

    Permission to query a specified object, for example, a global or single database.

    INSERT

    Permission to insert data into a specified object.

    UPDATE

    Permission to update data of a specified object.

    DELETE

    Permission to delete data from a specified object.

    CREATE

    Permission to create databases and tables for a specified object.

    DROP

    Permission to delete databases, tables, and views from a specified object.

    RELOAD

    Permission to execute FLUSH.

    PROCESS

    Permission to execute SHOW PROCESSLIST to view all the processes.

    GRANT

    Permission to grant a specified object the permissions of another account or reclaim permissions from other accounts.

    REFERENCES

    Permission to create foreign keys for a specified object.

    INDEX

    Permission to create or delete an index for a specified object.

    ALTER

    Permission to execute ALTER TABLE for a specified object.

    SHOW DATABASES

    Permission to run SHOW DATABASES to show all databases.

    CREATE TEMPORARY TABLES

    Permission to execute CREATE TEMPORARY TABLE for a specified object.

    LOCK TABLES

    Permission to execute LOCK TABLES on the tables with the SELECT permission for a specified object.

    EXECUTE

    Permission to execute a stored procedure for a specified object.

    REPLICATION SLAVE

    Permission to allow the replica server to read binary log events from the source server.

    REPLICATION CLIENT

    Permission to query locations of the source server or replica server.

    CREATE VIEW

    Permission to create or alter a view for a specified object.

    SHOW VIEW

    Permission to execute SHOW CREATE VIEW for a specified object.

    CREATE ROUTINE

    Permission to create a stored procedure for a specified object.

    ALTER ROUTINE

    Permission to alter or delete a stored procedure for a specified object.

    CREATE USER

    Permission to execute CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES for a specified object.

    EVENT

    Permission to create, modify, delete, or display the event scheduler for a specified object.

    TRIGGER

    Permission to execute a trigger for a specified object. Only users with this permission can create, delete, execute, or display triggers of a table.

  8. After configuring required parameters, click Save. In the preview dialog box, click OK.
  9. After the user is created, check whether the user is displayed in the user list.

    Figure 4 Viewing user information