Authenticate and Authorize Users
ScalarDB Cluster has a mechanism to authenticate and authorize users.
This guide describes how to use authentication and authorization in ScalarDB Cluster.
Overview
By using authentication and authorization, you can create users and grant or revoke their privileges. You can create a user by using the CREATE USER
command, and you can grant or revoke one's privileges on a table or a namespace by using the GRANT
or REVOKE
command, respectively. For details about such data control language (DCL) commands, see DCL.
Users can log in to ScalarDB Cluster with a username and a password and execute SQL statements if they have the required privileges.
Authentication and authorization support two types of users:
- Superusers: This type of user has all privileges. Only superusers can create or drop other users and namespaces.
- Normal users: This type of user initially doesn't have any privileges, so they need to be granted privileges by a superuser or another user who has the
GRANT
privilege.
The following privileges are available when using authentication and authorization:
SELECT
INSERT
UPDATE
DELETE
CREATE
DROP
TRUNCATE
ALTER
GRANT
For details about privileges, see Which privileges are required for each type of operation.
Configurations
This section describes the available configurations for authentication and authorization.
ScalarDB Cluster node configurations
To enable authentication and authorization, you need to set scalar.db.cluster.auth.enabled
to true
.
Name | Description | Default |
---|---|---|
scalar.db.cluster.auth.enabled | Whether authentication and authorization are enabled. | false |
You can also set the following configurations:
Name | Description | Default |
---|---|---|
scalar.db.cluster.auth.cache_expiration_time_millis | Cache expiration time for authentication and authorization information in milliseconds. | 60000 (1 minute) |
scalar.db.cluster.auth.auth_token_expiration_time_minutes | Authentication and authorization token expiration time in minutes. | 1440 (1 day) |
scalar.db.cluster.auth.auth_token_gc_thread_interval_minutes | Authentication and authorization token garbage collection (GC) thread interval in minutes. | 360 (6 hours) |
scalar.db.cluster.auth.pepper | A secret value added to a password before hashing. If not specified, the password is hashed without pepper. |
If you enable authentication and authorization, you will also need to set scalar.db.cross_partition_scan.enabled
to true
for the system namespace (scalardb
by default) because authentication and authorization perform cross-partition scans internally.
ScalarDB Cluster Java client SDK configurations
To enable authentication and authorization on the client side, you need to set scalar.db.cluster.auth.enabled
to true
.
Name | Description | Default |
---|---|---|
scalar.db.cluster.auth.enabled | Whether authentication and authorization are enabled. | false |
In addition to the configuration in the ScalarDB Cluster SQL client configurations section, you also need to set scalar.db.sql.cluster_mode.username
and scalar.db.sql.cluster_mode.password
to specify the username and password of the client.
Name | Description | Default |
---|---|---|
scalar.db.sql.cluster_mode.username | The username of the client. | |
scalar.db.sql.cluster_mode.password | The password of the client. |
Initial user
When you enable authentication and authorization, the initial user admin
is created and the initial password of that user is admin
. This user is a superuser and has all privileges. You can log in with this user and create other users if necessary.
For security purposes, be sure to change the password of the initial user, especially before deploying to a production environment.