Add database users
A user account stored in the Hyper-Converged Database (HCD) database is a role that has a login and password or hashed password.
Enable the By default, authentication is disabled in HCD.
You must enable it by setting |
Create a role
- Create a role with login enabled and an internally stored password:
  CREATE ROLE <role_name> WITH LOGIN = true AND PASSWORD = '<password_string>';
  where:
  - <role_name>: The user name for authentication. Enclose role names that include uppercase or special characters in double quotes.
  - LOGIN = true: Allows the role to access the database.
  - PASSWORD = '<default_password>': Stored internally for database-managed accounts.
  - (Optional) superuser = true: Gives the user full access to all database objects. See Add a superuser login.
  This command can also be modified to use a hashed password:
  CREATE ROLE <role_name> WITH LOGIN = true AND HASHED PASSWORD = '<hashed_password_string>';
  using bcrypt hashing with a log2 factor of 10.
  HCD uses the bcrypt library, Blowfish, and a log2 factor of 10 to generate a random salt added to the password hash.
  To allow the role to be used for authentication when scheme permissions are enabled, bind the role to an authentication scheme:
  GRANT EXECUTE ON INTERNAL SCHEME TO <role_name>;
- To allow another role to manage the new role:
  GRANT AUTHORIZE FOR ALTER, DROP ON <new_role_name> TO <management_role>;
  All superusers have authorize permissions on all roles. The role that created the role is granted all permissions on it.
- Each user can change their own password with the ALTER ROLE command.
  - User logs in with their role name:
    cqlsh -u <role_name> -p <default_password>
  - Changes the password:
    ALTER ROLE <role_name> WITH password = '<newpassword>';
    or if using a hashed password:
    ALTER ROLE <role_name> WITH HASHED PASSWORD = '<Hashed_newpassword>';
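As an added example (not HCD or DataStax code), the following Python helper checks that a value has the shape of a bcrypt hash with the log2 factor of 10 described above before placing it in the HASHED PASSWORD form of CREATE ROLE or ALTER ROLE, and applies the double-quote rule for role names. The function names, the accepted 2a/2b/2y prefixes, and the sample hash are assumptions constructed for illustration.

```python
import re

# bcrypt modular-crypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
# Accepting the 2a/2b/2y variants is an assumption; the page does not list them.
BCRYPT_RE = re.compile(r"\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
EXPECTED_COST = 10  # log2 factor stated on the page


def check_bcrypt_hash(value: str) -> str:
    """Return value unchanged if it is a well-formed bcrypt hash with cost 10."""
    m = BCRYPT_RE.fullmatch(value)
    if m is None:
        raise ValueError("not a bcrypt hash (cleartext or truncated value?)")
    cost = int(m.group(2))
    if cost != EXPECTED_COST:
        raise ValueError(f"bcrypt log2 factor is {cost}, expected {EXPECTED_COST}")
    return value


def quote_role(name: str) -> str:
    """Double-quote role names that contain uppercase or special characters."""
    if re.fullmatch(r"[a-z][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def hashed_role_statement(role: str, bcrypt_hash: str, create: bool = True) -> str:
    """Build CREATE ROLE or ALTER ROLE using the hashed-password form from the page."""
    # The bcrypt alphabet contains no quote characters, so a validated hash
    # cannot break out of the single-quoted CQL string literal.
    check_bcrypt_hash(bcrypt_hash)
    if create:
        return (f"CREATE ROLE {quote_role(role)} WITH LOGIN = true "
                f"AND HASHED PASSWORD = '{bcrypt_hash}';")
    return f"ALTER ROLE {quote_role(role)} WITH HASHED PASSWORD = '{bcrypt_hash}';"


# Constructed sample value with the right shape; it is not the hash of any real password.
SAMPLE_HASH = "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    print(hashed_role_statement("Alice.Ops", SAMPLE_HASH))
    print(hashed_role_statement("reporting_ro", SAMPLE_HASH, create=False))
```

Rejecting anything that is not hash-shaped catches the case where a cleartext password is pasted into the HASHED PASSWORD clause, which would otherwise leave the account with a credential nobody can log in with.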
Next steps
To assign permissions to the role, see Assign permissions.