Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cloud: support managing SQL users using the console #14578

Merged
merged 12 commits into from
Dec 20, 2023
Merged

cloud: support managing SQL users using the console #14578

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
8cf0659
Create configure-sql-users.md
qiancai Aug 22, 2023
3653d0f
add TOC changes
qiancai Aug 22, 2023
196754e
fix a typo
qiancai Aug 22, 2023
281c8c4
Update configure-sql-users.md
qiancai Aug 22, 2023
c7d1169
Merge branch 'cloud/manage-sql-users' of https://github.com/qiancai/d…
qiancai Aug 22, 2023
9fd984a
Update tidb-cloud/configure-sql-users.md
qiancai Dec 20, 2023
8b052c2
Update TOC-tidb-cloud.md
qiancai Dec 20, 2023
af0bae1
Merge branch 'release-7.1' into cloud/manage-sql-users
qiancai Dec 20, 2023
af90c17
add a note to indicate the feature status
qiancai Dec 20, 2023
0e205bd
Apply suggestions from code review
qiancai Dec 20, 2023
3294c93
Update tidb-cloud/configure-sql-users.md
qiancai Dec 20, 2023
3ccc607
Send -> Submit
qiancai Dec 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions TOC-tidb-cloud.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,7 @@
- Data Access Control
- [Encryption at Rest Using Customer-Managed Encryption Keys](/tidb-cloud/tidb-cloud-encrypt-cmek.md)
- Database Access Control
- [Manage Database Users and Roles](/tidb-cloud/configure-sql-users.md)
qiancai marked this conversation as resolved.
Show resolved Hide resolved
- [Configure Cluster Security Settings](/tidb-cloud/configure-security-settings.md)
- Audit Management
- [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md)
Expand Down
117 changes: 117 additions & 0 deletions tidb-cloud/configure-sql-users.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
---
title: Manage Database Users and Roles
summary: Learn how to manage database users and roles in the TiDB Cloud console.
---

# Manage Database Users and Roles

This document describes how to manage database users and roles using the **SQL Users** page in the [TiDB Cloud console](https://tidbcloud.com/).

> **Note:**
>
> - Database users and roles are independent of [organization and project users and roles](/tidb-cloud/manage-user-access.md). Database users are used to access databases in a TiDB cluster, while organization and project users are used to access organizations and projects in the [TiDB Cloud console](https://tidbcloud.com/).
> - In addition to the **SQL Users** page, you can also manage database users and roles by connecting to your cluster with a SQL client and writing SQL statements. For more information, see [TiDB User Account Management](https://docs.pingcap.com/tidb/dev/user-account-management).

## Roles of database users

In TiDB Cloud, you can grant both a built-in role and multiple custom roles (if available) to a SQL user for role-based access control.

- Built-in roles

TiDB Cloud provides the following built-in roles to help you control the database access of SQL users. You can grant one of the built-in roles to a SQL user.

- `Database Admin`
- `Database Read-Write`
- `Database Read-Only`

- Custom roles

In addition to a built-in role, if your cluster has custom roles that are created using the [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md) statement, you can also grant custom roles to a SQL user when you create or edit SQL users in the TiDB Cloud console.

After a SQL user is granted both a built-in role and multiple custom roles, the user's permissions will be the union of all the permissions from these roles.
qiancai marked this conversation as resolved.
Show resolved Hide resolved

## Prerequisites

- To manage database users and roles using the **SQL Users** page, you must be in the `Organization Owner` role of your organization or the `Project Owner` role of your project.
- If you are in the `Project Data Access Read-Write` or `Project Data Access Read-Only` role of a project, you can only view database users on the **SQL Users** page of that project.

## Create a SQL user

To create a SQL user, take the following steps:

1. In the [TiDB Cloud console](https://tidbcloud.com/), go to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.

> **Tip:**
>
> If you have multiple projects, you can click <MDSvgIcon name="icon-left-projects" /> in the lower-left corner and switch to another project.

2. Click your cluster name, and then click **SQL users** in the left navigation pane.
qiancai marked this conversation as resolved.
Show resolved Hide resolved
3. Click **Create SQL User** in the upper-right corner.

A dialog for the SQL user configuration is displayed.

4. In the dialog, provide the information of the SQL user as follows:

1. Enter the name of the SQL user.
2. Either enter a password for the SQL users or let TiDB Cloud automatically generate a password for the user.
qiancai marked this conversation as resolved.
Show resolved Hide resolved
3. Grant roles to the SQL user.

- **Built-in Role**: you need to select a built-in role for the SQL user in the **Built-in Role** drop-down list.

- **Custom Role**: if your cluster has custom roles that are created using the [`CREATE ROLE`](/sql-statements/sql-statement-create-role.md) statement), you can grant custom roles to the SQL user by selecting the roles from the **Custom Role** drop-down list. Otherwise, the **Custom Roles** drop-down list is invisible here.
qiancai marked this conversation as resolved.
Show resolved Hide resolved

For each SQL user, you can grant a built-in role and multiple custom roles (if any).

5. Click **Create**.

## View SQL users

To view SQL users of a cluster, take the following steps:

1. In the [TiDB Cloud console](https://tidbcloud.com/), go to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.

> **Tip:**
>
> If you have multiple projects, you can click <MDSvgIcon name="icon-left-projects" /> in the lower-left corner and switch to another project.

2. Click your cluster name, and then click **SQL users** in the left navigation pane.
qiancai marked this conversation as resolved.
Show resolved Hide resolved

## Edit a SQL user

To edit the password or roles of a SQL user, take the following steps:

1. In the [TiDB Cloud console](https://tidbcloud.com/), go to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.

> **Tip:**
>
> If you have multiple projects, you can click <MDSvgIcon name="icon-left-projects" /> in the lower-left corner and switch to another project.

2. Click your cluster name, and then click **SQL users** in the left navigation pane.
qiancai marked this conversation as resolved.
Show resolved Hide resolved
3. In the row of the SQL user to be edited, click **...** in the **Action** column, and then click **Edit**.

A dialog for the SQL user configuration is displayed.

4. In the dialog, you can edit the user password and roles as needed.
qiancai marked this conversation as resolved.
Show resolved Hide resolved

> **Note:**
>
> The roles of the default `<prefix>.root` user does not support modification.
qiancai marked this conversation as resolved.
Show resolved Hide resolved

## Delete a SQL user

To delete a SQL user, take the following steps:

1. In the [TiDB Cloud console](https://tidbcloud.com/), go to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.

> **Tip:**
>
> If you have multiple projects, you can click <MDSvgIcon name="icon-left-projects" /> in the lower-left corner and switch to another project.

2. Click your cluster name, and then click **SQL users** in the left navigation pane.
qiancai marked this conversation as resolved.
Show resolved Hide resolved
3. In the row of the SQL user to be edited, click **...** in the **Action** column, and then click **Delete**.

> **Note:**
>
> The default `<prefix>.root` user does not support deletion.

4. Confirm the deletion.