ScalarDB Auth with ScalarDB SQL
ScalarDB Auth is an authentication and authorization mechanism for ScalarDB.
This document describes how to use ScalarDB Auth with ScalarDB SQL.
ScalarDB Auth Overview
By using ScalarDB Auth, you can create users and grant or revoke their privileges. You can create a user by using the CREATE USER command, and you can grant or revoke one's privileges on a table or a namespace by using the GRANT or REVOKE command, respectively. For details about such data control language (DCL) commands, see DCL.
Users can log in to ScalarDB Cluster with a username and a password and execute SQL statements if they have the required privileges.
ScalarDB Auth supports two types of users:
- Superusers: This type of user has all privileges. Only superusers can create or drop other users and namespaces.
- Normal users: This type of user initially doesn't have any privileges, so they need to be granted privileges by a superuser or another user who has the
GRANTprivilege.
In ScalarDB Auth, the following privileges are available:
SELECTINSERTUPDATEDELETECREATEDROPTRUNCATEALTERGRANT
For details about privileges, see Which privileges are required for each type of operation.
Configurations
This section describes the available configurations in ScalarDB Cluster.
ScalarDB Cluster node configurations
To enable ScalarDB Auth, you need to set scalar.db.cluster.auth.enabled to true.
| Name | Description | Default |
|---|---|---|
scalar.db.cluster.auth.enabled | Whether ScalarDB Auth is enabled. | false |
You can also set the following configurations:
| Name | Description | Default |
|---|---|---|
scalar.db.cluster.auth.cache_expiration_time_millis | Cache expiration time for auth information in milliseconds. | 60000 (1 minute) |
scalar.db.cluster.auth.auth_token_expiration_time_minutes | Auth token expiration time in minutes. | 1440 (1 day) |
scalar.db.cluster.auth.auth_token_gc_thread_interval_minutes | Auth token garbage collection (GC) thread interval in minutes. | 360 (6 hours) |
scalar.db.cluster.auth.pepper | A secret value added to a password before hashing. If not specified, A password is hashed without pepper. |
If you enable ScalarDB Auth, you will also need to set scalar.db.cross_partition_scan.enabled to true for the system namespace (scalardb by default) because ScalarDB Auth performs cross-partition scans internally.
ScalarDB Cluster Java client SDK configurations
To enable ScalarDB Auth on the client side, you need to set scalar.db.cluster.auth.enabled to true.
| Name | Description | Default |
|---|---|---|
scalar.db.cluster.auth.enabled | Whether ScalarDB Auth is enabled. | false |
In addition to the configuration in the ScalarDB Cluster SQL client configurations section, you also need to set scalar.db.sql.cluster_mode.username and scalar.db.sql.cluster_mode.password to specify the username and password of the client.
| Name | Description | Default |
|---|---|---|
scalar.db.sql.cluster_mode.username | The username of the client. | |
scalar.db.sql.cluster_mode.password | The password of the client. |
Initial user
When you enable ScalarDB Auth, the initial user admin is created and the initial password of that user is admin. This user is a superuser and has all privileges. You can log in with this user and create other users if necessary.
For security purposes, be sure to change the password of the initial user, especially before deploying to a production environment.
Which privileges are required for each type of operation
The following tables show which privileges are required for each type of operation:
DDL
| Command | Superuser required | Required privileges |
|---|---|---|
CREATE NAMESPACE | true | |
DROP NAMESPACE | true | |
CREATE TABLE | CREATE | |
DROP TABLE | DROP | |
CREATE INDEX | CREATE | |
DROP INDEX | DROP | |
TRUNCATE TABLE | TRUNCATE | |
ALTER TABLE | ALTER | |
CREATE COORDINATOR TABLES | true | |
DROP COORDINATOR TABLES | true | |
TRUNCATE COORDINATOR TABLES | true |
DML
| Command | Superuser required | Required privileges |
|---|---|---|
SELECT | SELECT | |
INSERT | INSERT | |
UPSERT | INSERT | |
UPDATE | SELECT and UPDATE | |
DELETE | SELECT and DELETE |
DCL
| Command | Superuser required | Required privileges |
|---|---|---|
CREATE USER | true | |
ALTER USER | true (Users can change their own password.) | |
DROP USER | true | |
GRANT | GRANT (Users can grant only the privileges that they have.) | |
REVOKE | GRANT (Users can revoke only the privileges that they have.) |