Authority management #
Authority for cluster eco-tools #
Authority for SphereEx-Boot #
No authority control for SphereEx-Boot.
Authority for SphereEx-Console #
Role Authority Description
Role | Permission | Scope | Operation | Description |
---|---|---|---|---|
Super Administrator | All Permissions | System administrators, users, clusters | Console User Management | User name: admin; built into the console; change the password after logging in |
System Administrator | All Permissions | Users, Clusters | Console User Management | Created by super admin |
General User | Specify cluster permissions | Clusters | Console User Management | Created by super administrator or system administrator |
SphereEx-Console permissions to access components
Components / Resources | Description |
---|---|
Host | ssh login privileges and read/write privileges on the installation directory |
Database | To monitor a database in SphereEx-Console through the monitoring center, the monitoring plugin must be installed on the host where the database runs. The plugin needs a dedicated database user; create it as follows: `create user '[mysql_monitor_user_name]'@'[IP of monitoring plugin deployment]' identified by '[password]' [with max_user_connections N]; grant process, replication client, select on *.* to '[mysql_monitor_user_name]'@'[IP of monitoring plugin deployment]'; flush privileges;` |
Governance Center | None |
Monitoring Center | None |
Log Center | None |
Function List
Function | Description |
---|---|
New User | Add users to the SphereEx-Console platform |
Change password | Modify the password of a SphereEx-Console user |
Permission Management | Adjust the cluster permissions of a SphereEx-Console user |
Delete | Delete users from the SphereEx-Console platform |
- New User
Applicable scenarios
Create a SphereEx-Console administrative user.
Precautions
You must have Super Administrator or System Administrator privileges.
Procedure
- Log in to SphereEx-Console.
- Click Avatar->User Management at the top right corner of the home page to enter the user list.
- Click Add User in the upper right corner to enter the Add User page.
- Fill in the information, see the following table for the specific parameters.
Fields | Data source | Optional / Required | Data Storage | Length Limit | Description |
---|---|---|---|---|---|
User | User input | Required | console mysql storage | 32 | Uniqueness is verified against the user list |
Password | User input | Required | console mysql storage | 6-16 characters | Numbers, letters and underscores |
Confirm Password | User input | Required | console mysql storage | Consistent with password | |
Roles | Dropdown selection | Required | console mysql storage | System Administrator / General Administrator | |
Cluster Permissions | Dropdown selection | Optional | console mysql storage | | Appears when [Role] is [General Administrator] |
Optional Cluster | List of clusters without permissions | Optional | console mysql storage | | |
Selected Cluster | List of clusters that have permission | Optional | console mysql storage | | |
- Click OK to finish adding users.
- Change password
Applicable scenarios
Modify the user password of SphereEx-Console.
Caution
The range of passwords that each role can modify is as follows.
Role | Modifiable range |
---|---|
Super Administrator | Self, system administrator, general administrator |
System Administrator | Self, General Administrator |
General Administrator | Self |
Operation steps
- Log in to SphereEx-Console.
- Click Avatar->User Management at the top right corner of the home page to enter the user list.
- Click the Modify Password button to enter the Modify Password page.
- Fill in the information, see the following table for specific parameters.
Field | Data source | Optional / Required | Data Storage | Length Limit | Components | Description |
---|---|---|---|---|---|---|
User | Automatic filling | Required | console mysql storage | 32 | Text box | Non-editable |
New Password | User input | Required | console mysql storage | 6-16 characters | Text box | Numbers, letters and underscores |
Confirm Password | User input | Required | console mysql storage | | Text box | Consistent with new password |
- Click OK to finish changing the password.
- Permission Management
Applicable Scenarios
Adjust the cluster permissions of a SphereEx-Console user.
Caution
Cluster permissions can be modified only for general users, not for administrator accounts. After a user's permissions are modified, that user must log in again for the new permissions to take effect.
Operation steps
- Log in to SphereEx-Console.
- Click Avatar->User Management at the top right corner of the home page to enter the user list.
- Click the Permissions Management button to enter the Permissions Management page.
- Fill in the information, see the following table for the specific parameters.
Fields | Data source | Optional / Required | Length Limit | Description |
---|---|---|---|---|
User | User input | Required | 32 | Uniqueness is verified against the user list |
Cluster Permissions | Dropdown selection | Optional | | Appears when [Role] is [General Administrator] |
Optional clusters | List of clusters without permissions | Optional | | |
Selected clusters | List of clusters that have permission | Optional | | |
- Click OK to complete the permission adjustment.
- Delete
Applicable scenarios
Delete a system administrator or general administrator account.
Caution
The range of users that each role can delete is as follows.
Role | Range of users that can be deleted |
---|---|
Super Administrator | System Administrator, General Administrator |
System Administrator | General Administrator |
Operation steps
- Log in to SphereEx-Console.
- Click Avatar->User Management at the top right corner of the home page to enter the user list.
- Click the Delete button in the Action column.
- Click OK in the prompt box to complete the user deletion.
Permissions for clustered components #
Permissions to access components.
Component Name | Permissions of the component itself | Permissions for cluster access to use components | SphereEx-Console access to components | Monitoring plugin access components |
---|---|---|---|---|
Host | None | None | ssh login privileges, read/write privileges for the installer | ssh login privileges, read/write privileges for the installer |
Database | None | Depends on the user's access to the underlying database | Depends on the user's access to the underlying database | Create a dedicated user: `create user '[mysql_monitor_user_name]'@'[IP of monitoring plugin deployment]' identified by '[password]' [with max_user_connections N]; grant process, replication client, select on *.* to '[mysql_monitor_user_name]'@'[IP of monitoring plugin deployment]'; flush privileges;` |
Governance Center | None | None | None | None |
Monitoring Center | None | None | None | None |
Log Center | None | None | None | None |
Cluster Permissions #
Cluster rights management, i.e., rights management of computing nodes.
Roles | Functions | Scope | Operation | Description |
---|---|---|---|---|
Super User (root) | Top privileges | Cluster | DistSQL | Cannot be deleted; the password can be changed. After a change the password is written to the governance center and is not written back to the local file. The local file is used only for the first startup, and keeping the password there in plain text is a risk. |
General user/role | Object-level permissions | Logic Database | DistSQL | Restrict the permission to add, delete, and change objects in the logical library |
Permissions Grading #
DBPlusEngine-Proxy privilege hierarchy is similar to the standard database privileges, with global privileges, library-level object privileges, table-level object privileges, and column-level object privileges.
DBPlusEngine-Proxy permissions consist of operation + operation object, which are combined in the following way.
Authorized Items | SELECT | INSERT | UPDATE | DELETE | CREATE | DROP | ALTER | INDEX | CREATE_USER | SUPER |
---|---|---|---|---|---|---|---|---|---|---|
Global Permissions | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Object permissions/library | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | / | / |
Object permissions/table | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | / | / |
Object permissions/columns | ✔️ | ✔️ | ✔️ | / | / | / | / | / | / | / |
Authorized Items | CREATE | ALTER | DROP | SHOW |
---|---|---|---|---|
RESOURCE | ✔️ | ✔️ | ✔️ | ✔️ |
SHARDING | ✔️ | ✔️ | ✔️ | ✔️ |
READWRITE_SPLITTING | ✔️ | ✔️ | ✔️ | ✔️ |
ENCRYPT | ✔️ | ✔️ | ✔️ | ✔️ |
DB_DISCOVERY | ✔️ | ✔️ | ✔️ | ✔️ |
SHADOW | ✔️ | ✔️ | ✔️ | ✔️ |
SINGLE_TABLE | ✔️ | ✔️ | ✔️ | ✔️ |
- Global privileges
Global privilege means that the authorization granted to the user does not distinguish the target object, and the user can perform corresponding operations on any logical library or logical table.
For example, the following command gives the global INSERT, SELECT, UPDATE and DELETE privileges to user 'sharding'@'%', enabling the user to perform DML operations on any table in any logical library.
```sql
-- The following two statements are equivalent
GRANT DIST INSERT,SELECT,UPDATE,DELETE TO 'sharding'@'%';
GRANT DIST INSERT,SELECT,UPDATE,DELETE TO sharding;
```
For example, the following command gives the global SHOW SHARDING permission to user 'sharding'@'%', enabling the user to perform SHOW operations on sharding rules in any logical library.
```sql
GRANT DIST SHOW SHARDING TO 'sharding'@'%';
```
Also, because DistSQL has a large number of authorization items, a syntax type can be used as the authorization item to grant several items at once. For example, the following command grants global SHOW privileges for all operation objects to user 'sharding'@'%', after which the user can perform SHOW operations on any operation object in any logical library.
```sql
GRANT DIST RQL SHARDING TO 'sharding'@'%';
```
Note that the global privileges include two special privileges: CREATE_USER and SUPER.
In particular, users who have been granted the CREATE_USER authorization can perform the following actions.
Operation | Description |
---|---|
CREATE USER | Create User |
ALTER USER | Modify user |
DROP USER | Delete User |
CREATE ROLE | Create role |
DROP ROLE | Delete Role |
REVOKE ALL PRIVILEGES | Revoke all authorizations for a user or role |
SUPER represents the highest privilege of the database system. By default, the initial user configured before the start of ShardingSphere has the SUPER authorization.
- Object privileges
Object privileges are privileges that are restricted in scope and do not allow the user to perform operations outside the scope of the privilege.
The scope of object privileges can be all logical libraries, or it can specify single or multiple logical libraries and the tables and columns in the libraries.
For example, the following command grants all permissions on the t_order table in the logical library sharding_db to the user 'sharding'@'%', after which the user can operate on the sharding_db.t_order table. However, this user cannot operate on other tables in sharding_db without additional authorization.
```sql
GRANT DIST ALL ON sharding_db.t_order TO sharding;
```
For example, the following command grants the user 'sharding'@'%' permission to create and modify the sharding rule t_order in the logical library sharding_db, after which the user can create and modify the sharding_db.t_order rule. However, this user cannot manipulate other rules in sharding_db without additional authorization.
```sql
GRANT DIST CREATE SHARDING, ALTER SHARDING ON sharding_db.t_order TO 'sharding'@'%';
```
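As an added example (not SphereEx code), the following Python models the privilege grading of the global and object privilege sections above: the authorization matrix decides which privileges are legal at each scope level, and a grant covers a target when the grant's scope is a prefix of the target. The matrix, the privilege names and the ALL shorthand are taken from this page; the helper names (Grant, expand, allows) are this example's own.

```python
# Constructed model of the DBPlusEngine-Proxy privilege grading (not SphereEx code).
# Scope levels: global > library > table > column; a grant at a wider level
# covers every object beneath it.
from dataclasses import dataclass

DML_DDL = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER", "INDEX"}
# Privileges the authorization matrix allows at each scope level.
ALLOWED = {
    "global": DML_DDL | {"CREATE_USER", "SUPER"},
    "library": DML_DDL,
    "table": DML_DDL,
    "column": {"SELECT", "INSERT", "UPDATE"},
}
LEVELS = ("global", "library", "table", "column")


@dataclass(frozen=True)
class Grant:
    privilege: str      # e.g. "SELECT", or the shorthand "ALL"
    scope: tuple = ()   # () = global, (db,), (db, table) or (db, table, column)


def parse_target(text: str) -> tuple:
    """'sharding_db.t_order' -> ('sharding_db', 't_order'); '' -> () (global)."""
    return tuple(text.split(".")) if text else ()


def level(scope: tuple) -> str:
    return LEVELS[len(scope)]


def expand(grant: Grant) -> set:
    """Privileges a grant actually confers; ALL means everything legal at its level.
    A grant the matrix forbids (DELETE on a column, CREATE_USER on a library) confers nothing."""
    legal = ALLOWED[level(grant.scope)]
    if grant.privilege == "ALL":
        return set(legal)
    return {grant.privilege} & legal


def allows(grants, privilege: str, target: str) -> bool:
    """True if some grant confers `privilege` on `target`: the grant's scope must be a
    prefix of the target, so a library grant covers its tables and a table grant its columns."""
    t = parse_target(target)
    return any(privilege in expand(g) and t[: len(g.scope)] == g.scope for g in grants)
```

Run it with the page's own grants to see why `GRANT DIST ALL ON sharding_db.t_order` leaves other tables in sharding_db inaccessible while the global DML grant reaches every table.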
DistSQL List #
Refer to DistSQL User Management.