User management

The Raijin user management system allows administrators to implement role-based access control (RBAC).

Creating users

Raijin supports two authentication methods: certificate-based authentication using TLS/SSL certificates and password-based authentication. Both methods require a username.

The two authentication methods are mutually exclusive. You can only use one of them at any given time.

Example 1. Creating a user with password-based authentication

In this example, user foo is created with the password 1234_Raijin.

CREATE USER 'foo' IDENTIFIED WITH PASSWORD '1234_Raijin';

Once you create a user, they can log in to the Raijin UI with the username and password you specified.

The password must contain at least one uppercase letter, a lowercase letter, a number, and a symbol.

Example 2. Creating a user with certificate-based authentication

In this example, user foo is created and identified by the common name (CN) of their SSL certificate, ssl-certificate-common-name-string.

CREATE USER 'foo' IDENTIFIED WITH SSL_CERTIFICATE CN 'ssl-certificate-common-name-string';

To use certificate-based authentication, you must configure TLS/SSL settings in raijin.conf. Uncomment and modify the following parameters according to your environment:

  • CertFile

  • CertKeyFile

  • CAFile

A new user does not have any privileges by default. You can only use such a user to perform actions that do not require any privileges.

Authenticating using cURL

The easiest way to authenticate with cURL is to obtain a JSON Web Token (JWT).

Example 3. Using cURL to authenticate to Raijin Database Engine

The following command requests a JWT and saves it in the cookie file /tmp/raijin_cookies.txt. Replace admin, password, and the Raijin URL to match your environment.

$ curl -c /tmp/raijin_cookies.txt -X POST -d '{"username":"admin", "password":"password"}' http://localhost:2500/api/v1.1/authentications

Once you create the token, specify the -b option with the path to the cookies file in your subsequent cURL requests.

$ curl -b /tmp/raijin_cookies.txt ...
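
A hardened variant of the login flow above, as an added example that is not part of the Raijin documentation: it keeps the token in a private, unpredictably named cookie jar instead of a fixed path under /tmp, and passes the password to curl on stdin rather than on the command line. The function names and the RAIJIN_URL variable are assumptions; only the /api/v1.1/authentications endpoint and the -c/-b cookie options come from the page.

```shell
#!/bin/sh
# Added example, not Raijin tooling. RAIJIN_URL and all function names
# are assumptions made for this sketch.
RAIJIN_URL="${RAIJIN_URL:-http://localhost:2500}"

# Create the cookie jar with an unpredictable name and owner-only access,
# so other local users cannot pre-create the file or read the JWT from /tmp.
make_cookie_jar() {
    (umask 077 && mktemp "${TMPDIR:-/tmp}/raijin_cookies.XXXXXX")
}

# Escape backslashes and double quotes so the value is a valid JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body expected by the authentications endpoint.
login_body() {
    printf '{"username":"%s", "password":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# Log in as user $2 and store the token in cookie jar $1.
# The password is read from stdin and the body is piped to curl, so it
# never appears in curl's argument list, which other users can see via ps.
raijin_login() {
    jar=$1 user=$2
    IFS= read -r password || [ -n "$password" ] || return 1
    login_body "$user" "$password" |
        curl -sS --fail -c "$jar" -X POST --data @- \
            "$RAIJIN_URL/api/v1.1/authentications"
}

# Usage (needs a running Raijin instance):
#   jar=$(make_cookie_jar)
#   trap 'rm -f "$jar"' EXIT
#   raijin_login "$jar" admin < /path/to/password-file
#   curl -b "$jar" ...
```

The credentials and the returned token still cross the network in clear text while the URL uses http://, so this protects them only from other users on the local host.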

Granting privileges

Privileges are granted per user using the GRANT command.

Raijin supports the following privileges:

  • ALL PRIVILEGES

  • CREATE

  • SELECT

  • INSERT

  • DROP

  • ALTER

  • MAINTENANCE

  • METADATA

Example 4. Assigning Raijin privileges

This example assigns the user foo the CREATE privilege on a database named db.

GRANT create ON db.* TO 'foo';

The following command assigns the user foo the CREATE and SELECT privileges on a database named db.

GRANT create, select ON db.* TO 'foo';

The following command assigns the user foo the CREATE and SELECT privileges on the tbl table in the database named db.

GRANT create, select ON db.tbl TO 'foo';

Privilege mapping

The table below lists SQL statements and the minimum privileges they require.

| SQL statement | Required minimum privilege |
|---|---|
| COPY FROM | INSERT privilege on the table |
| COPY TO | SELECT privilege on the table |
| CREATE DATABASE | CREATE privilege |
| DROP DATABASE | DROP privilege on the database |
| ALTER DATABASE RENAME | ALTER and DROP privileges on the database, CREATE and INSERT privileges on the table |
| CREATE TABLE | CREATE privilege on the table |
| DROP TABLE | DROP privilege on the table |
| ALTER TABLE RENAME | ALTER and DROP privileges on the table, CREATE and INSERT privileges on the table |
| ALTER TABLE PARTITION BY | ALTER privilege on the table |
| ALTER TABLE DETACH PARTITION | ALTER privilege on the table |
| ALTER TABLE DROP PARTITION | ALTER privilege on the table |
| CREATE VIEW AS <query> | CREATE privilege on the table and the required privileges for the specified query |
| ALTER VIEW RENAME | ALTER and DROP on the table, CREATE on the table |
| DROP VIEW | DROP privilege on the table |
| SELECT FROM | SELECT privilege on the table |
| SELECT FIELDS FROM | SELECT privilege on the table |
| INSERT INTO | INSERT privilege on the table and the required privileges to access the data |
| CREATE USER | ALL PRIVILEGES on the database and its tables |
| GRANT | ALL PRIVILEGES on the database and its tables |
| GRANT ALL PRIVILEGES | ALL PRIVILEGES on the database and its tables |
| USE | This statement requires granting privileges to access the database and tables within it. |
| SHOW DATABASES | The user only sees the databases they have the privilege to access. |
| SHOW TABLES | Any privilege to a table |
| DESCRIBE | SELECT privilege on the table |
| FLUSH TABLES | MAINTENANCE privilege on the table |
| FLUSH TABLES WITH READ LOCK | MAINTENANCE privilege on all tables |
| UNLOCK TABLES | MAINTENANCE privilege on all tables |
| SHOW PARTITIONS IN | METADATA privilege on the table |
| SET <configuration_option> TO | none |
| SHOW <configuration_option> | none |

Creating a superuser

In Raijin Database Engine, a superuser is a special role assigned the highest privileges for all databases and tables. Additionally, it can create other users and assign privileges, including the superuser role.

Example 5. Creating a superuser

This SQL command makes user foo a superuser.

GRANT ALL PRIVILEGES ON *.* TO 'foo';