Version: release-0.9

Manage user accounts

KubeBlocks offers a variety of services to enhance the usability, availability, and observability of database clusters. Different components require user accounts with different permissions to create connections.

Note

Currently, KubeBlocks only supports managing user accounts for ApeCloud MySQL, MySQL Community version, PostgreSQL, and Redis.

Steps

  • Create a user account

    kbcli cluster create-account <clustername> --name <username> --password <pwd> 
  • Grant a role to a user

    kbcli cluster grant-role <clustername> --name <username> --role <rolename>

    KubeBlocks provides three role levels of permission.

    • Superuser: with all permissions.
    • ReadWrite: read and write.
    • ReadOnly: read only.

    The detailed permissions vary by database engine. Check the table below.

    Role | MySQL | PostgreSQL | Redis
    ---- | ----- | ---------- | -----
    Superuser | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON * a user | ALTER USER WITH SUPERUSER | +@ALL allkeys
    ReadWrite | GRANT SELECT, INSERT, DELETE ON * TO a user | GRANT pg_write_all_data TO a user | -@ALL +@Write +@READ allkeys
    ReadOnly | GRANT SELECT, SHOW VIEW ON * TO a user | GRANT pg_read_all_data TO a user | -@ALL +@READ allkeys

  • Check the role level of a user account

    kbcli cluster describe-account <clustername> --name <username>
  • Revoke role from a user account

    kbcli cluster revoke-role <clustername> --name <name> --role <rolename> 
  • List all user accounts

    kbcli cluster list-accounts <clustername>

    Note

    For security reasons, the list-accounts command does not show all accounts. High-privilege accounts, such as operational accounts and superuser accounts, that meet certain rules are hidden. Refer to the table below to view the hidden accounts.

    Database | Hidden Accounts
    -------- | ---------------
    MySQL | root; kb*; Localhost = ''
    PostgreSQL | Postgres; kb*

  • Delete a user account

    kbcli cluster delete-account <clustername> --name <username>
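
A defender-side check built on the role table above, added here as an example (it is not KubeBlocks code): it compares the MySQL SHOW GRANTS output for an account with the MySQL privileges this page lists for a role and returns anything beyond them. The function name, the account app_ro and the sample output are constructed for illustration.

```python
import re

# MySQL privilege sets per role, copied from the role table on this page.
ROLE_PRIVS = {
    "ReadOnly": {"SELECT", "SHOW VIEW"},
    "ReadWrite": {"SELECT", "INSERT", "DELETE"},
    "Superuser": set(
        "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, "
        "PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, "
        "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, "
        "REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, "
        "ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, "
        "CREATE ROLE, DROP ROLE".split(", ")
    ),
}
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.+)$", re.I)


def excess_privileges(show_grants_output, role):
    """Return, sorted, every granted privilege the table does not list for role."""
    allowed = ROLE_PRIVS[role]
    excess = set()
    for line in show_grants_output.splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        m = GRANT_RE.match(line)
        if not m:
            # e.g. a MySQL 8 role grant (no ON clause): report it, never skip it.
            excess.add("UNPARSED: " + line)
            continue
        privs = re.sub(r"\([^)]*\)", "", m.group(1))  # drop column lists
        for p in privs.split(","):
            p = " ".join(p.upper().split())
            if p and p != "USAGE" and p not in allowed:
                excess.add(p)  # ALL PRIVILEGES lands here too
        if m.group(3).upper().endswith("WITH GRANT OPTION"):
            excess.add("GRANT OPTION")  # lets the account pass privileges on
    return sorted(excess)


# Constructed SHOW GRANTS output for a hypothetical account `app_ro`.
SAMPLE = """\
GRANT USAGE ON *.* TO `app_ro`@`%`
GRANT SELECT, SHOW VIEW, FILE ON *.* TO `app_ro`@`%`
GRANT SELECT (id), UPDATE (name) ON `shop`.`users` TO `app_ro`@`%` WITH GRANT OPTION
"""
if __name__ == "__main__":
    print(excess_privileges(SAMPLE, "ReadOnly"))
```

An empty result means the account holds nothing beyond the role's listed privileges; any entry is a reason to revoke the role and re-grant it, or to investigate who changed the account outside kbcli.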