Creating a Database User
Multiple users with different permissions can be created to access a DB instance or database, but the permissions of these users cannot exceed the operation permissions of the account.
Hidden Accounts
DAS can hide your RDS for MySQL instance accounts in Table 1 to ensure that your database runs normally and to prevent your account details from being deleted by mistake.
Account |
Description |
---|---|
mysql.session@localhost |
Internal database account configured in MySQL 5.7 or later. |
mysql.sys@localhost |
Internal database account configured in MySQL 5.7 or later. |
mysql.infoschema@localhost |
Internal database account. |
root@% |
Account configured when you create a MySQL instance. |
rdsAdmin@localhost |
Management account, which has the highest permission and is used to query and modify instance information, rectify faults, as well as migrate and restore data. |
rdsBackup@localhost |
Backup account, which is used for backend backup. |
rdsMetric |
Metering account, which is used by watchdog to collect database status data. |
rdsRepl |
Replication account, which is used to synchronize data from primary instances to standby instances or read replicas. |
rdsProxy |
Proxy account, which is used for authentication when a database is connected using a read/write splitting address. This account is automatically created when read/write splitting is enabled. |
drsFull |
Account added to the destination database when you start a full migration task on DRS. |
drsIncremental |
Account added to the destination database when you start an incremental migration task on DRS. |
Precautions
For details about differences between IAM permissions and database permissions, see Differences Between IAM Permissions and Database Permissions.
Creating a User
- Log in to the DAS console.
- Click in the upper left corner and select a region and project.
- Click in the upper left corner, and under Databases, click Data Admin Service.
- In the navigation pane on the left, choose Development Tool.
You can also click Go to Development Tool on the overview page.
- Locate the DB instance that you want to log in to and click Log In in the Operation column.
- On the top menu bar, choose Account Management > User Management.
- Click Create User.
Figure 1 Creating a user
Configure required details, such as basic information, advanced settings, global permissions, object permissions, and roles by referring to Table 2.
Table 2 Parameter description Type
Parameter
Configuration Description
Basic Information
Username
Name of the new user.
Host
Whitelisted IP addresses allowed to access the database server.
- If you leave this parameter blank or enter %, the user can access all IP addresses.
- If you enter multiple IP addresses, separate them with commas (,).
For example, if you enter 192.%,193.% for Host, two users with host addresses of 192.% and 193.% will be created, respectively.
- You can click Add DAS IP Address to add a DAS server IP address to the user host.
Password
Password of the user. The password:
- Can include 8 to 32 characters.
- Must contain at least three of the following character types: letters, digits, and special characters ~!@#$%^*-_=+?,()&
- Cannot be the username or the username spelled backwards.
- Cannot be a weak password.
Confirm Password
The value must be the same as the user password you set.
Advanced Settings
Max. Queries Per Hour
Maximum queries that this user can execute within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum queries.
Max. Updates Per Hour
Maximum updates that this user can execute within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum updates.
Max. Connections Per Hour
Maximum connections (of this user) to the DAS server within an hour. If this parameter is left empty or set to 0, there is no limit on the maximum connections.
Max. User Connections
Maximum concurrent connections to the server. If this parameter is left empty or set to 0, there is no limit on the maximum concurrent connections.
SSL Type
Type of certificates for authenticating user requests sent to the server.
Issuer
Authority that issues X.509 certificates for connecting the user to the server.
Subject
Subject of the X.509 certificates for connecting the user to the server.
Algorithm
Method of encrypting connections between the user and the server.
Global Permissions
Permissions granted to the user to perform operations on all databases in the current instance.
For details about the global permissions that can be configured, see Table 3. For details about permission usages and explanations, visit the official website.
Object Permissions
Permissions granted to the user on specific objects.
For details about the object permissions that can be configured, see Table 3. For details about permission usages and explanations, visit the official website.
Example:
The following settings grant the user the permission to query the ID of table user_test in database db_test.
Figure 2 Adding an object permission
On the Object Permissions tab, you can add or delete object permissions and click Save. In the displayed dialog box, click OK.
Role
Role of the user. Roles are only supported for MySQL 8.0.
- Role Name: You can select an existing username in this instance.
- Grant Role: Whether the new user can grant permissions of the selected role to another user.
- Default Role: Whether the new user can inherit permissions of the selected role.
NOTE:To manage roles, the current account must have the ROLE_ADMIN permission. You can manually assign the permission. For example, you can run the GRANT ROLE_ADMIN on *.* TO 'root'@' %' command to assign the ROLE_ADMIN permission to user root.
Example:
The following settings indicate that user_2 can inherit permissions of user@ and can grant permissions of user@ to another user.
Figure 3 Granting permissions
Table 3 Permission description Permission
Description
SELECT
Permission to query a specified object, for example, a global or single database.
INSERT
Permission to insert data into a specified object.
UPDATE
Permission to update data of a specified object.
DELETE
Permission to delete data from a specified object.
CREATE
Permission to create databases and tables for a specified object.
DROP
Permission to delete databases, tables, and views from a specified object.
RELOAD
Permission to execute FLUSH.
PROCESS
Permission to execute SHOW PROCESSLIST to view all the processes.
GRANT
Permission to grant a specified object the permissions of another account or reclaim permissions from other accounts.
REFERENCES
Permission to create foreign keys for a specified object.
INDEX
Permission to create or delete an index for a specified object.
ALTER
Permission to execute ALTER TABLE for a specified object.
SHOW DATABASES
Permission to run SHOW DATABASES to show all databases.
CREATE TEMPORARY TABLES
Permission to execute CREATE TEMPORARY TABLE for a specified object.
LOCK TABLES
Permission to execute LOCK TABLES on the tables with the SELECT permission for a specified object.
EXECUTE
Permission to execute a stored procedure for a specified object.
REPLICATION SLAVE
Permission to allow the replica server to read binary log events from the source server.
REPLICATION CLIENT
Permission to query locations of the source server or replica server.
CREATE VIEW
Permission to create or alter a view for a specified object.
SHOW VIEW
Permission to execute SHOW CREATE VIEW for a specified object.
CREATE ROUTINE
Permission to create a stored procedure for a specified object.
ALTER ROUTINE
Permission to alter or delete a stored procedure for a specified object.
CREATE USER
Permission to execute CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES for a specified object.
EVENT
Permission to create, modify, delete, or display the event scheduler for a specified object.
TRIGGER
Permission to execute a trigger for a specified object. Only users with this permission can create, delete, execute, or display triggers of a table.
- After configuring required parameters, click Save. In the preview dialog box, click OK.
- After the user is created, check whether the user is displayed in the user list.
Figure 4 Viewing user information
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot