Remove mention of cockroach user
It's deprecated, so reference USER sql statements instead
and remove the cockroach user cli page.

Fixes #5305.
jseldess committed Aug 27, 2019
1 parent c3d0064 commit aaa555f
Showing 31 changed files with 256 additions and 437 deletions.
36 changes: 0 additions & 36 deletions _includes/v19.2/app/common-steps.md

This file was deleted.

2 changes: 1 addition & 1 deletion _includes/v19.2/prod-deployment/use-cluster.md
@@ -1,7 +1,7 @@
Now that your deployment is working, you can:

1. [Implement your data model](sql-statements.html).
2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the load balancer, not to a CockroachDB node.

You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see [Configure Replication Zones](configure-replication-zones.html).
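Review bot: the link text "Create users" in step 2 now points at `create-user.html`, which documents only the `CREATE USER` statement, while this list is the post-deployment checklist for a production cluster, where a newly created user also needs a client certificate or a password (`ALTER USER`, which this commit leaves as the documented way to set one) before it can connect. The `#create-and-manage-users` section of `authorization.md` that this commit rewrites names `CREATE USER`, `ALTER USER`, `DROP USER` and `SHOW USERS` together; consider linking there instead, e.g. `2. [Create users](authorization.html#create-and-manage-users) and [grant them privileges](grant.html).`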
2 changes: 1 addition & 1 deletion _includes/v19.2/sql/connection-parameters.md
@@ -2,7 +2,7 @@ Flag | Description
-----|------------
`--host` | The server host and port number to connect to. This can be the address of any node in the cluster. <br><br>**Env Variable:** `COCKROACH_HOST`<br>**Default:** `localhost:26257`
`--port`<br>`-p` | The server port to connect to. Note: The port number can also be specified via `--host`. <br><br>**Env Variable:** `COCKROACH_PORT`<br>**Default:** `26257`
`--user`<br>`-u` | The [SQL user](create-and-manage-users.html) that will own the client session.<br><br>**Env Variable:** `COCKROACH_USER`<br>**Default:** `root`
`--user`<br>`-u` | The [SQL user](create-user.html) that will own the client session.<br><br>**Env Variable:** `COCKROACH_USER`<br>**Default:** `root`
`--insecure` | Use an insecure connection.<br><br>**Env Variable:** `COCKROACH_INSECURE`<br>**Default:** `false`
`--certs-dir` | The path to the [certificate directory](create-security-certificates.html) containing the CA and client certificates and client key.<br><br>**Env Variable:** `COCKROACH_CERTS_DIR`<br>**Default:** `${HOME}/.cockroach-certs/`
<a name="sql-flag-url"></a> `--url` | A [connection URL](connection-parameters.html#connect-using-a-url) to use instead of the other arguments.<br><br>**Env Variable:** `COCKROACH_URL`<br>**Default:** no URL
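Review bot: the `--user` row keeps "Default: `root`", and with `create-and-manage-users.html` deleted nothing in this flag table explains that the default session user is a superuser; the terminology table this commit edits in `authorization.md` does (`root` is a member of the `admin` role, which cannot be dropped). Linking the row to `authorization.html` rather than to the single-statement `create-user.html` page keeps that security implication of the default one click away from the flag reference.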
8 changes: 1 addition & 7 deletions v19.2/alter-user.md
@@ -4,12 +4,7 @@ summary: The ALTER USER statement can be used to add or change a user's password
toc: true
---

The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-and-manage-users.html) password.

{{site.data.alerts.callout_success}}
You can also use the [`cockroach user`](create-and-manage-users.html#update-a-users-password) command to add or change a user's password.
{{site.data.alerts.end}}

The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-user.html) password.

## Considerations

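Review bot: the deleted callout linked to the fragment `create-and-manage-users.html#update-a-users-password`. The `redirect_from: create-and-manage-users.html` that this commit adds to `authorization.md` serves the page URL, but any link to that fragment that survives elsewhere will land at the top of `authorization.md`, which has no password section. Worth a `grep -r 'create-and-manage-users.html#' v19.2 _includes/v19.2` before merging, since a file-level redirect cannot cover fragment links.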
@@ -75,7 +70,6 @@ To preserve case in a password specified using identifier syntax, use double quo

## See also

- [`cockroach user` command](create-and-manage-users.html)
- [`DROP USER`](drop-user.html)
- [`SHOW USERS`](show-users.html)
- [`GRANT <privileges>`](grant.html)
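Review bot: dropping the `cockroach user` entry leaves this See also without a pointer to the page that now owns the user-management overview; add `- [Authorization](authorization.html)` (the new target of the `create-and-manage-users.html` redirect) so readers of `ALTER USER` still reach the overview the removed link provided. If `CREATE USER` is not among the hidden lines above this hunk, add it here as well, since `DROP USER` and `SHOW USERS` are listed.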
176 changes: 97 additions & 79 deletions v19.2/authorization.md
@@ -2,26 +2,28 @@
title: Authorization
summary: Learn about the authorization features for secure CockroachDB clusters.
toc: true
redirect_from: create-and-manage-users.html
---

User authorization is the act of defining access policies for authenticated CockroachDB users. CockroachDB allows you to create, manage, and remove your cluster's [users](#create-and-manage-users) and assign SQL-level [privileges](#assign-privileges) to the users. Additionally, if you have an [Enterprise license](get-started-with-enterprise-trial.html), you can use [role-based access management (RBAC)](#create-and-manage-roles) for simplified user management.

## Create and manage users

You can use either of the following methods to create and manage users:

- Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users.
- Use the [`cockroach user` command](create-and-manage-users.html) with appropriate flags.
Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users, the [`ALTER USER`](alter-user.html) statement to add or change a user's password, and the [`SHOW USERS`](show-users.html) statement to list users.

## Create and manage roles

{{site.data.alerts.callout_info}}
Role-based access management is an enterprise feature. To request a 30-day trial license, see [Get CockroachDB](https://www.cockroachlabs.com/get-cockroachdb/).
{{site.data.alerts.end}}

Roles are SQL groups that contain any number of users and roles as members.

### Terminology

Term | Description
-----|------------
Role | A group containing any number of [users](create-and-manage-users.html) or other roles.<br><br>Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
Role | A group containing any number of [users](create-user.html) or other roles.<br><br>Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
Role admin | A member of the role that's allowed to modify role membership. To create a role admin, use [`WITH ADMIN OPTION`](grant-roles.html#grant-the-admin-option).
Superuser / Admin | A member of the `admin` role. Only superusers can [`CREATE ROLE`](create-role.html) or [`DROP ROLE`](drop-role.html). The `admin` role is created by default and cannot be dropped.
`root` | A user that exists by default as a member of the `admin` role. The `root` user must always be a member of the `admin` role.
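Review bot: the single sentence that replaces the two bullets packs four statements into one line; the roles section immediately below introduces its statements with "To create and manage your cluster's roles, use the following statements:" followed by a list, and a matching list here (`CREATE USER`, `ALTER USER`, `DROP USER`, `SHOW USERS`, each with its one-clause purpose) would read consistently and be easier to extend. The `redirect_from` front-matter entry is the right way to keep the old `create-and-manage-users.html` URL resolving.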
@@ -42,7 +44,7 @@ To create and manage your cluster's roles, use the following statements:

## Assign privileges

In CockroachDB, privileges are granted to [users](create-and-manage-users.html) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows.
In CockroachDB, privileges are granted to [users](#create-and-manage-users) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows.

When a user connects to a database, either via the [built-in SQL client](use-the-built-in-sql-client.html) or a [client driver](install-client-drivers.html), CockroachDB checks the user and role's privileges for each statement executed. If the user does not have sufficient privileges for a statement, CockroachDB gives an error.

@@ -81,21 +83,17 @@ To revoke privileges from roles or users, use the [`REVOKE`](revoke.html) statem

## Example

For the purpose of this example, you need an [enterprise license](enterprise-licensing.html) and one CockroachDB node running in insecure mode:

{% include copy-clipboard.html %}
~~~ shell
$ cockroach start \
--insecure \
--store=roles \
--listen-addr=localhost:26257
~~~
This example demonstrates user- and role-based access management. Role-based access management is an enterprise feature, so before you begin, [request a trial enterprise license](https://www.cockroachlabs.com/get-cockroachdb/).

1. As the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`:
1. Start a single-node, insecure cluster:

{% include copy-clipboard.html %}
~~~ shell
$ cockroach user set maxroach --insecure
$ cockroach start-single-node \
--insecure \
--store=roles \
--listen-addr=localhost:26257 \
--background
~~~

2. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html):
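Review bot: `--background` is new in this hunk and detaches the node, so unlike the old foreground `cockroach start`, closing the terminal no longer stops it. If the example does not already end with a teardown step, add `cockroach quit --insecure --host=localhost:26257` after the final `DROP ROLE` so readers do not leave an insecure listener running on `localhost:26257` after the walkthrough. A minor point: `--store=roles` creates a data directory named `roles` in the current working directory, which is easy to mistake for something unrelated; a name such as `--store=authz-example` would be clearer.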
@@ -105,7 +103,26 @@ $ cockroach start \
$ cockroach sql --insecure
~~~

3. Create a database and set it as the default:
3. Run the following commands in your SQL shell to enable enterprise features using your trial license:

{% include copy-clipboard.html %}
~~~ sql
> SET CLUSTER SETTING cluster.organization = '<your organization>';
~~~

{% include copy-clipboard.html %}
~~~ sql
> SET CLUSTER SETTING enterprise.license = '<your license key>';
~~~

4. [Create a user](create-user.html), `maxroach`:

{% include copy-clipboard.html %}
~~~ sql
> CREATE USER maxroach;
~~~

5. [Create a database](create-database.html) and [set it as the default](set-database.html):

{% include copy-clipboard.html %}
~~~ sql
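Review bot: step 4 creates `maxroach` with no password, which works only because the cluster was started with `--insecure`. Since this page is the authorization reference, a one-line callout after step 4 saying that on a secure cluster the user additionally needs a password (`CREATE USER maxroach WITH PASSWORD '...'` or `ALTER USER`) or a client certificate before the later `cockroach sql --user=maxroach` step can succeed would head off the most common failure when readers adapt the example to a real deployment.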
@@ -117,7 +134,7 @@ $ cockroach start \
> SET DATABASE = test_roles;
~~~

4. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database:
6. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database:

{% include copy-clipboard.html %}
~~~ sql
@@ -130,15 +147,14 @@ $ cockroach start \
~~~

~~~
role_name
+------------+
| rolename |
+------------+
| admin |
| system_ops |
+------------+
admin
system_ops
(2 rows)
~~~

5. Grant privileges to the `system_ops` role you created:
7. [Grant privileges](grant.html) to the `system_ops` role you created:

{% include copy-clipboard.html %}
~~~ sql
@@ -151,43 +167,42 @@ $ cockroach start \
~~~

~~~
+------------+--------------------+------------+------------+
| Database | Schema | User | Privileges |
+------------+--------------------+------------+------------+
| test_roles | crdb_internal | admin | ALL |
| test_roles | crdb_internal | root | ALL |
| test_roles | crdb_internal | system_ops | CREATE |
| test_roles | crdb_internal | system_ops | SELECT |
| test_roles | information_schema | admin | ALL |
| test_roles | information_schema | root | ALL |
| test_roles | information_schema | system_ops | CREATE |
| test_roles | information_schema | system_ops | SELECT |
| test_roles | pg_catalog | admin | ALL |
| test_roles | pg_catalog | root | ALL |
| test_roles | pg_catalog | system_ops | CREATE |
| test_roles | pg_catalog | system_ops | SELECT |
| test_roles | public | admin | ALL |
| test_roles | public | root | ALL |
| test_roles | public | system_ops | CREATE |
| test_roles | public | system_ops | SELECT |
+------------+--------------------+------------+------------+
database_name | schema_name | grantee | privilege_type
+---------------+--------------------+------------+----------------+
test_roles | crdb_internal | admin | ALL
test_roles | crdb_internal | root | ALL
test_roles | crdb_internal | system_ops | CREATE
test_roles | crdb_internal | system_ops | SELECT
test_roles | information_schema | admin | ALL
test_roles | information_schema | root | ALL
test_roles | information_schema | system_ops | CREATE
test_roles | information_schema | system_ops | SELECT
test_roles | pg_catalog | admin | ALL
test_roles | pg_catalog | root | ALL
test_roles | pg_catalog | system_ops | CREATE
test_roles | pg_catalog | system_ops | SELECT
test_roles | public | admin | ALL
test_roles | public | root | ALL
test_roles | public | system_ops | CREATE
test_roles | public | system_ops | SELECT
(16 rows)
~~~

6. Add the `maxroach` user to the `system_ops` role:
8. Add the `maxroach` user to the `system_ops` role:

{% include copy-clipboard.html %}
~~~ sql
> GRANT system_ops TO maxroach;
~~~

7. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role):
9. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role):

{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --user=maxroach --database=test_roles --insecure
~~~

8. As the `maxroach` user, create a table:
10. As the `maxroach` user, create a table:

{% include copy-clipboard.html %}
~~~ sql
@@ -199,7 +214,7 @@ $ cockroach start \

We were able to create the table because `maxroach` has `CREATE` privileges.

9. As the `maxroach` user, try to drop the table:
11. As the `maxroach` user, try to drop the table:

{% include copy-clipboard.html %}
~~~ sql
@@ -212,32 +227,31 @@ $ cockroach start \

You cannot drop the table because your current user (`maxroach`) is a member of the `system_ops` role, which doesn't have `DROP` privileges.
10. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement:
12. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement:
{% include copy-clipboard.html %}
~~~ sql
> SHOW GRANTS ON TABLE employees;
~~~
~~~
+------------+--------+-----------+------------+------------+
| Database | Schema | Table | User | Privileges |
+------------+--------+-----------+------------+------------+
| test_roles | public | employees | admin | ALL |
| test_roles | public | employees | root | ALL |
| test_roles | public | employees | system_ops | CREATE |
| test_roles | public | employees | system_ops | SELECT |
+------------+--------+-----------+------------+------------+
database_name | schema_name | table_name | grantee | privilege_type
+---------------+-------------+------------+------------+----------------+
test_roles | public | employees | admin | ALL
test_roles | public | employees | root | ALL
test_roles | public | employees | system_ops | CREATE
test_roles | public | employees | system_ops | SELECT
(4 rows)
~~~
11. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user:
12. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user:
{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --insecure
~~~
12. As the `root` user, revoke privileges and then drop the `system_ops` role:
13. As the `root` user, revoke privileges and then drop the `system_ops` role:
{% include copy-clipboard.html %}
~~~ sql
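Review bot: the renumbering in this hunk yields two steps numbered `12.` (the `SHOW GRANTS ON TABLE employees` step and the "switch back to the `root` user" step) and ends at `13.`, while the previous hunk ends at `11.`; the sequence should be `12.`, `13.`, `14.`, and the `DROP ROLE` hunk that follows should be checked for the same off-by-one. Rendered HTML numbers the `<ol>` sequentially regardless, so this is invisible on the site, but the Markdown source should carry the intended `1.` to `14.` numbering.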
@@ -249,18 +263,17 @@ $ cockroach start \
> SHOW GRANTS ON DATABASE test_roles;
~~~
~~~
+------------+--------------------+-------+------------+
| Database | Schema | User | Privileges |
+------------+--------------------+-------+------------+
| test_roles | crdb_internal | admin | ALL |
| test_roles | crdb_internal | root | ALL |
| test_roles | information_schema | admin | ALL |
| test_roles | information_schema | root | ALL |
| test_roles | pg_catalog | admin | ALL |
| test_roles | pg_catalog | root | ALL |
| test_roles | public | admin | ALL |
| test_roles | public | root | ALL |
+------------+--------------------+-------+------------+
database_name | schema_name | grantee | privilege_type
+---------------+--------------------+---------+----------------+
test_roles | crdb_internal | admin | ALL
test_roles | crdb_internal | root | ALL
test_roles | information_schema | admin | ALL
test_roles | information_schema | root | ALL
test_roles | pg_catalog | admin | ALL
test_roles | pg_catalog | root | ALL
test_roles | public | admin | ALL
test_roles | public | root | ALL
(8 rows)
~~~
{% include copy-clipboard.html %}
@@ -273,15 +286,16 @@ $ cockroach start \
> SHOW GRANTS ON TABLE test_roles.*;
~~~
~~~
+------------+--------+-----------+-------+------------+
| Database | Schema | Table | User | Privileges |
+------------+--------+-----------+-------+------------+
| test_roles | public | employees | admin | ALL |
| test_roles | public | employees | root | ALL |
+------------+--------+-----------+-------+------------+
database_name | schema_name | table_name | grantee | privilege_type
+---------------+-------------+------------+---------+----------------+
test_roles | public | employees | admin | ALL
test_roles | public | employees | root | ALL
(2 rows)
~~~
{{site.data.alerts.callout_info}}All of a role or user's privileges must be revoked before it can be dropped.{{site.data.alerts.end}}
{{site.data.alerts.callout_info}}
All of a role or user's privileges must be revoked before it can be dropped.
{{site.data.alerts.end}}

{% include copy-clipboard.html %}
~~~ sql
@@ -292,6 +306,10 @@ $ cockroach start \

- [Client Connection Parameters](connection-parameters.html)
- [SQL Statements](sql-statements.html)
- [`CREATE USER`](create-user.html)
- [`ALTER USER`](alter-user.html)
- [`DROP USER`](drop-user.html)
- [`SHOW USERS`](show-users.html)
- [`CREATE ROLE`](create-role.html)
- [`DROP ROLE`](drop-role.html)
- [`SHOW ROLES`](show-roles.html)
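Review bot: the four new See also entries match the user-statement sentence added earlier in this file. The example body relies on `GRANT` and `REVOKE` as much as on the role statements; the lines after this hunk are hidden, so confirm `GRANT` and `REVOKE` are already listed there before merging.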
0 comments on commit aaa555f