diff --git a/_includes/v19.2/app/common-steps.md b/_includes/v19.2/app/common-steps.md
deleted file mode 100644
index b2d6e4deed2..00000000000
--- a/_includes/v19.2/app/common-steps.md
+++ /dev/null
@@ -1,36 +0,0 @@
-## Step 2. Start a single-node cluster
-
-For the purpose of this tutorial, you need only one CockroachDB node running in insecure mode:
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach start \
---insecure \
---store=hello-1 \
---listen-addr=localhost
-~~~
-
-## Step 3. Create a user
-
-In a new terminal, as the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`.
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user set maxroach --insecure
-~~~
-
-## Step 4. Create a database and grant privileges
-
-As the `root` user, use the [built-in SQL client](use-the-built-in-sql-client.html) to create a `bank` database.
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach sql --insecure -e 'CREATE DATABASE bank'
-~~~
-
-Then [grant privileges](grant.html) to the `maxroach` user.
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach sql --insecure -e 'GRANT ALL ON DATABASE bank TO maxroach'
-~~~
diff --git a/_includes/v19.2/prod-deployment/use-cluster.md b/_includes/v19.2/prod-deployment/use-cluster.md
index 134f9fc6912..e513a09f046 100644
--- a/_includes/v19.2/prod-deployment/use-cluster.md
+++ b/_includes/v19.2/prod-deployment/use-cluster.md
@@ -1,7 +1,7 @@
Now that your deployment is working, you can:
1. [Implement your data model](sql-statements.html).
-2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
+2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the load balancer, not to a CockroachDB node.
You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see [Configure Replication Zones](configure-replication-zones.html).
diff --git a/_includes/v19.2/sql/connection-parameters.md b/_includes/v19.2/sql/connection-parameters.md
index 0a0ad048ead..14ad2576a42 100644
--- a/_includes/v19.2/sql/connection-parameters.md
+++ b/_includes/v19.2/sql/connection-parameters.md
@@ -2,7 +2,7 @@ Flag | Description
-----|------------
`--host` | The server host and port number to connect to. This can be the address of any node in the cluster.
**Env Variable:** `COCKROACH_HOST` **Default:** `localhost:26257`
`--port` `-p` | The server port to connect to. Note: The port number can also be specified via `--host`.
**Env Variable:** `COCKROACH_PORT` **Default:** `26257`
-`--user` `-u` | The [SQL user](create-and-manage-users.html) that will own the client session.
**Env Variable:** `COCKROACH_USER` **Default:** `root`
+`--user` `-u` | The [SQL user](create-user.html) that will own the client session.
**Env Variable:** `COCKROACH_USER` **Default:** `root`
`--insecure` | Use an insecure connection.
**Env Variable:** `COCKROACH_INSECURE` **Default:** `false`
`--certs-dir` | The path to the [certificate directory](create-security-certificates.html) containing the CA and client certificates and client key.
**Env Variable:** `COCKROACH_CERTS_DIR` **Default:** `${HOME}/.cockroach-certs/`
`--url` | A [connection URL](connection-parameters.html#connect-using-a-url) to use instead of the other arguments.
**Env Variable:** `COCKROACH_URL` **Default:** no URL
diff --git a/v19.2/alter-user.md b/v19.2/alter-user.md
index db54cbb9b7f..781a003ee3a 100644
--- a/v19.2/alter-user.md
+++ b/v19.2/alter-user.md
@@ -4,12 +4,7 @@ summary: The ALTER USER statement can be used to add or change a user's password
toc: true
---
-The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-and-manage-users.html) password.
-
-{{site.data.alerts.callout_success}}
-You can also use the [`cockroach user`](create-and-manage-users.html#update-a-users-password) command to add or change a user's password.
-{{site.data.alerts.end}}
-
+The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-user.html) password.
## Considerations
@@ -75,7 +70,6 @@ To preserve case in a password specified using identifier syntax, use double quo
## See also
-- [`cockroach user` command](create-and-manage-users.html)
- [`DROP USER`](drop-user.html)
- [`SHOW USERS`](show-users.html)
- [`GRANT `](grant.html)
diff --git a/v19.2/authorization.md b/v19.2/authorization.md
index 4fb29d625f5..eb12290ace5 100644
--- a/v19.2/authorization.md
+++ b/v19.2/authorization.md
@@ -2,26 +2,28 @@
title: Authorization
summary: Learn about the authorization features for secure CockroachDB clusters.
toc: true
+redirect_from: create-and-manage-users.html
---
User authorization is the act of defining access policies for authenticated CockroachDB users. CockroachDB allows you to create, manage, and remove your cluster's [users](#create-and-manage-users) and assign SQL-level [privileges](#assign-privileges) to the users. Additionally, if you have an [Enterprise license](get-started-with-enterprise-trial.html), you can use [role-based access management (RBAC)](#create-and-manage-roles) for simplified user management.
## Create and manage users
-You can use either of the following methods to create and manage users:
-
-- Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users.
-- Use the [`cockroach user` command](create-and-manage-users.html) with appropriate flags.
+Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users, the [`ALTER USER`](alter-user.html) statement to add or change a user's password, and the [`SHOW USERS`](show-users.html) statement to list users.
## Create and manage roles
+{{site.data.alerts.callout_info}}
+Role-based access management is an enterprise feature. To request a 30-day trial license, see [Get CockroachDB](https://www.cockroachlabs.com/get-cockroachdb/).
+{{site.data.alerts.end}}
+
Roles are SQL groups that contain any number of users and roles as members.
### Terminology
Term | Description
-----|------------
-Role | A group containing any number of [users](create-and-manage-users.html) or other roles.
Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
+Role | A group containing any number of [users](create-user.html) or other roles.
Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
Role admin | A member of the role that's allowed to modify role membership. To create a role admin, use [`WITH ADMIN OPTION`](grant-roles.html#grant-the-admin-option).
Superuser / Admin | A member of the `admin` role. Only superusers can [`CREATE ROLE`](create-role.html) or [`DROP ROLE`](drop-role.html). The `admin` role is created by default and cannot be dropped.
`root` | A user that exists by default as a member of the `admin` role. The `root` user must always be a member of the `admin` role.
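Review bot: the new callout under "Create and manage roles" sends readers to `https://www.cockroachlabs.com/get-cockroachdb/` for a trial license, while the intro paragraph a few lines up still links "Enterprise license" to `get-started-with-enterprise-trial.html`. Point both at the same target so there is one documented path to a license. Separately, `redirect_from: create-and-manage-users.html` lands old bookmarks at the top of this page; if the redirect mechanism supports it, target `#create-and-manage-users` instead.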
@@ -42,7 +44,7 @@ To create and manage your cluster's roles, use the following statements:
## Assign privileges
-In CockroachDB, privileges are granted to [users](create-and-manage-users.html) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows.
+In CockroachDB, privileges are granted to [users](#create-and-manage-users) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows.
When a user connects to a database, either via the [built-in SQL client](use-the-built-in-sql-client.html) or a [client driver](install-client-drivers.html), CockroachDB checks the user and role's privileges for each statement executed. If the user does not have sufficient privileges for a statement, CockroachDB gives an error.
@@ -81,21 +83,17 @@ To revoke privileges from roles or users, use the [`REVOKE`](revoke.html) statem
## Example
-For the purpose of this example, you need an [enterprise license](enterprise-licensing.html) and one CockroachDB node running in insecure mode:
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach start \
---insecure \
---store=roles \
---listen-addr=localhost:26257
-~~~
+This example demonstrates user- and role-based access management. Role-based access management is an enterprise feature, so before you begin, [request a trial enterprise license](https://www.cockroachlabs.com/get-cockroachdb/).
-1. As the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`:
+1. Start a single-node, insecure cluster:
{% include copy-clipboard.html %}
~~~ shell
- $ cockroach user set maxroach --insecure
+ $ cockroach start-single-node \
+ --insecure \
+ --store=roles \
+ --listen-addr=localhost:26257 \
+ --background
~~~
2. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html):
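Review bot: `--background` in the new step 1 leaves the node running after the walkthrough, and none of the later steps visible in this diff stop it or remove the `roles` store, so add a closing cleanup step. The page summary also describes these as features "for secure CockroachDB clusters" while the example runs entirely with `--insecure`; either state that insecure mode is for local testing only, or use `--certs-dir=certs` as the secure path of the Rust tutorial does in this same change.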
@@ -105,7 +103,26 @@ $ cockroach start \
$ cockroach sql --insecure
~~~
-3. Create a database and set it as the default:
+3. Run the following commands in your SQL shell to enable enterprise features using your trial license:
+
+ {% include copy-clipboard.html %}
+ ~~~ sql
+ > SET CLUSTER SETTING cluster.organization = '';
+ ~~~
+
+ {% include copy-clipboard.html %}
+ ~~~ sql
+ > SET CLUSTER SETTING enterprise.license = '';
+ ~~~
+
+4. [Create a user](create-user.html), `maxroach`:
+
+ {% include copy-clipboard.html %}
+ ~~~ sql
+ > CREATE USER maxroach;
+ ~~~
+
+5. [Create a database](create-database.html) and [set it as the default](set-database.html):
{% include copy-clipboard.html %}
~~~ sql
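Review bot: in step 3 both statements assign an empty string (`cluster.organization = ''` and `enterprise.license = ''`), so a reader who uses the copy button sets blank values rather than their trial license. Put a visible placeholder inside the quotes and add a sentence telling the reader to substitute the organization name and license key they received. Also, step 4 uses `CREATE USER maxroach;` while the Rust tutorial in this change uses `CREATE USER IF NOT EXISTS maxroach;`; pick one form so a re-run of the example behaves the same way in both places.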
@@ -117,7 +134,7 @@ $ cockroach start \
> SET DATABASE = test_roles;
~~~
-4. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database:
+6. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database:
{% include copy-clipboard.html %}
~~~ sql
@@ -130,15 +147,14 @@ $ cockroach start \
~~~
~~~
+ role_name
+------------+
- | rolename |
- +------------+
- | admin |
- | system_ops |
- +------------+
+ admin
+ system_ops
+ (2 rows)
~~~
-5. Grant privileges to the `system_ops` role you created:
+7. [Grant privileges](grant.html) to the `system_ops` role you created:
{% include copy-clipboard.html %}
~~~ sql
@@ -151,43 +167,42 @@ $ cockroach start \
~~~
~~~
- +------------+--------------------+------------+------------+
- | Database | Schema | User | Privileges |
- +------------+--------------------+------------+------------+
- | test_roles | crdb_internal | admin | ALL |
- | test_roles | crdb_internal | root | ALL |
- | test_roles | crdb_internal | system_ops | CREATE |
- | test_roles | crdb_internal | system_ops | SELECT |
- | test_roles | information_schema | admin | ALL |
- | test_roles | information_schema | root | ALL |
- | test_roles | information_schema | system_ops | CREATE |
- | test_roles | information_schema | system_ops | SELECT |
- | test_roles | pg_catalog | admin | ALL |
- | test_roles | pg_catalog | root | ALL |
- | test_roles | pg_catalog | system_ops | CREATE |
- | test_roles | pg_catalog | system_ops | SELECT |
- | test_roles | public | admin | ALL |
- | test_roles | public | root | ALL |
- | test_roles | public | system_ops | CREATE |
- | test_roles | public | system_ops | SELECT |
- +------------+--------------------+------------+------------+
+ database_name | schema_name | grantee | privilege_type
+ +---------------+--------------------+------------+----------------+
+ test_roles | crdb_internal | admin | ALL
+ test_roles | crdb_internal | root | ALL
+ test_roles | crdb_internal | system_ops | CREATE
+ test_roles | crdb_internal | system_ops | SELECT
+ test_roles | information_schema | admin | ALL
+ test_roles | information_schema | root | ALL
+ test_roles | information_schema | system_ops | CREATE
+ test_roles | information_schema | system_ops | SELECT
+ test_roles | pg_catalog | admin | ALL
+ test_roles | pg_catalog | root | ALL
+ test_roles | pg_catalog | system_ops | CREATE
+ test_roles | pg_catalog | system_ops | SELECT
+ test_roles | public | admin | ALL
+ test_roles | public | root | ALL
+ test_roles | public | system_ops | CREATE
+ test_roles | public | system_ops | SELECT
+ (16 rows)
~~~
-6. Add the `maxroach` user to the `system_ops` role:
+8. Add the `maxroach` user to the `system_ops` role:
{% include copy-clipboard.html %}
~~~ sql
> GRANT system_ops TO maxroach;
~~~
-7. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role):
+9. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role):
{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --user=maxroach --database=test_roles --insecure
~~~
-8. As the `maxroach` user, create a table:
+10. As the `maxroach` user, create a table:
{% include copy-clipboard.html %}
~~~ sql
@@ -199,7 +214,7 @@ $ cockroach start \
We were able to create the table because `maxroach` has `CREATE` privileges.
-9. As the `maxroach` user, try to drop the table:
+11. As the `maxroach` user, try to drop the table:
{% include copy-clipboard.html %}
~~~ sql
@@ -212,7 +227,7 @@ $ cockroach start \
You cannot drop the table because your current user (`maxroach`) is a member of the `system_ops` role, which doesn't have `DROP` privileges.
-10. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement:
+12. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement:
{% include copy-clipboard.html %}
~~~ sql
@@ -220,24 +235,23 @@ $ cockroach start \
~~~
~~~
- +------------+--------+-----------+------------+------------+
- | Database | Schema | Table | User | Privileges |
- +------------+--------+-----------+------------+------------+
- | test_roles | public | employees | admin | ALL |
- | test_roles | public | employees | root | ALL |
- | test_roles | public | employees | system_ops | CREATE |
- | test_roles | public | employees | system_ops | SELECT |
- +------------+--------+-----------+------------+------------+
+ database_name | schema_name | table_name | grantee | privilege_type
+ +---------------+-------------+------------+------------+----------------+
+ test_roles | public | employees | admin | ALL
+ test_roles | public | employees | root | ALL
+ test_roles | public | employees | system_ops | CREATE
+ test_roles | public | employees | system_ops | SELECT
+ (4 rows)
~~~
-11. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user:
+12. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user:
{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql --insecure
~~~
-12. As the `root` user, revoke privileges and then drop the `system_ops` role:
+13. As the `root` user, revoke privileges and then drop the `system_ops` role:
{% include copy-clipboard.html %}
~~~ sql
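Review bot: step numbering is off by one from "Now switch back to the `root` user" onward. The previous hunk already renumbers the `SHOW` step to 12, and this hunk renumbers the switch-back step to 12 as well, so the list has two step 12s. The switch-back step should be 13 and "As the `root` user, revoke privileges and then drop the `system_ops` role" should be 14.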
@@ -249,18 +263,17 @@ $ cockroach start \
> SHOW GRANTS ON DATABASE test_roles;
~~~
~~~
- +------------+--------------------+-------+------------+
- | Database | Schema | User | Privileges |
- +------------+--------------------+-------+------------+
- | test_roles | crdb_internal | admin | ALL |
- | test_roles | crdb_internal | root | ALL |
- | test_roles | information_schema | admin | ALL |
- | test_roles | information_schema | root | ALL |
- | test_roles | pg_catalog | admin | ALL |
- | test_roles | pg_catalog | root | ALL |
- | test_roles | public | admin | ALL |
- | test_roles | public | root | ALL |
- +------------+--------------------+-------+------------+
+ database_name | schema_name | grantee | privilege_type
+ +---------------+--------------------+---------+----------------+
+ test_roles | crdb_internal | admin | ALL
+ test_roles | crdb_internal | root | ALL
+ test_roles | information_schema | admin | ALL
+ test_roles | information_schema | root | ALL
+ test_roles | pg_catalog | admin | ALL
+ test_roles | pg_catalog | root | ALL
+ test_roles | public | admin | ALL
+ test_roles | public | root | ALL
+ (8 rows)
~~~
{% include copy-clipboard.html %}
@@ -273,15 +286,16 @@ $ cockroach start \
> SHOW GRANTS ON TABLE test_roles.*;
~~~
~~~
- +------------+--------+-----------+-------+------------+
- | Database | Schema | Table | User | Privileges |
- +------------+--------+-----------+-------+------------+
- | test_roles | public | employees | admin | ALL |
- | test_roles | public | employees | root | ALL |
- +------------+--------+-----------+-------+------------+
+ database_name | schema_name | table_name | grantee | privilege_type
+ +---------------+-------------+------------+---------+----------------+
+ test_roles | public | employees | admin | ALL
+ test_roles | public | employees | root | ALL
+ (2 rows)
~~~
- {{site.data.alerts.callout_info}}All of a role or user's privileges must be revoked before it can be dropped.{{site.data.alerts.end}}
+ {{site.data.alerts.callout_info}}
+ All of a role or user's privileges must be revoked before it can be dropped.
+ {{site.data.alerts.end}}
{% include copy-clipboard.html %}
~~~ sql
@@ -292,6 +306,10 @@ $ cockroach start \
- [Client Connection Parameters](connection-parameters.html)
- [SQL Statements](sql-statements.html)
+- [`CREATE USER`](create-user.html)
+- [`ALTER USER`](alter-user.html)
+- [`DROP USER`](drop-user.html)
+- [`SHOW USERS`](show-users.html)
- [`CREATE ROLE`](create-role.html)
- [`DROP ROLE`](drop-role.html)
- [`SHOW ROLES`](show-roles.html)
diff --git a/v19.2/build-a-rust-app-with-cockroachdb.md b/v19.2/build-a-rust-app-with-cockroachdb.md
index 5bae65f83db..c5718843103 100644
--- a/v19.2/build-a-rust-app-with-cockroachdb.md
+++ b/v19.2/build-a-rust-app-with-cockroachdb.md
@@ -19,7 +19,49 @@ We have tested the official documentation.
-{% include {{ page.version.version }}/app/common-steps.md %}
+## Step 2. Create the `maxroach` users and `bank` database
+
+Start the [built-in SQL client](use-the-built-in-sql-client.html):
+
+{% include copy-clipboard.html %}
+~~~ shell
+$ cockroach sql --certs-dir=certs
+~~~
+
+In the SQL shell, issue the following statements to create the `maxroach` user and `bank` database:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> CREATE USER IF NOT EXISTS maxroach;
+~~~
+
+{% include copy-clipboard.html %}
+~~~ sql
+> CREATE DATABASE bank;
+~~~
+
+Give the `maxroach` user the necessary permissions:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> GRANT ALL ON DATABASE bank TO maxroach;
+~~~
+
+Exit the SQL shell:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> \q
+~~~
+
+## Step 4. Generate a certificate for the `maxroach` user
+
+Create a certificate and key for the `maxroach` user by running the following command. The code samples will run as this user.
+
+{% include copy-clipboard.html %}
+~~~ shell
+$ cockroach cert create-client maxroach --certs-dir=certs --ca-key=my-safe-directory/ca.key
+~~~
## Step 5. Create a table in the new database
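Review bot: the secure path now jumps from "Step 2" to "Step 4", with no Step 3, and the Step 2 heading says "`maxroach` users" where a single user is created. More importantly, the removed include contained the only "Start a single-node cluster" step, and nothing here replaces it: `cockroach sql --certs-dir=certs` assumes a running secure cluster, an existing `certs` directory, and a CA key at `my-safe-directory/ca.key`. Add a step (or a link to the secure-cluster setup) that creates those before Step 2, and renumber the headings consecutively.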
@@ -27,7 +69,7 @@ As the `maxroach` user, use the [built-in SQL client](use-the-built-in-sql-clien
{% include copy-clipboard.html %}
~~~ shell
-$ cockroach sql --insecure \
+$ cockroach sql --certs-dir=certs \
--database=bank \
--user=maxroach \
-e 'CREATE TABLE accounts (id INT PRIMARY KEY, balance INT)'
@@ -67,7 +109,7 @@ After running the code, use the [built-in SQL client](use-the-built-in-sql-clien
{% include copy-clipboard.html %}
~~~ shell
-$ cockroach sql --insecure -e 'SELECT id, balance FROM accounts' --database=bank
+$ cockroach sql --certs-dir=certs -e 'SELECT id, balance FROM accounts' --database=bank
~~~
~~~
@@ -88,9 +130,42 @@ $ cockroach sql --insecure -e 'SELECT id, balance FROM accounts' --database=bank
Install the Rust Postgres driver as described in the official documentation.
-{% include {{ page.version.version }}/app/common-steps.md %}
+## Step 2. Create the `maxroach` users and `bank` database
-## Step 5. Create a table in the new database
+Start the [built-in SQL client](use-the-built-in-sql-client.html):
+
+{% include copy-clipboard.html %}
+~~~ shell
+$ cockroach sql --insecure
+~~~
+
+In the SQL shell, issue the following statements to create the `maxroach` user and `bank` database:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> CREATE USER IF NOT EXISTS maxroach;
+~~~
+
+{% include copy-clipboard.html %}
+~~~ sql
+> CREATE DATABASE bank;
+~~~
+
+Give the `maxroach` user the necessary permissions:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> GRANT ALL ON DATABASE bank TO maxroach;
+~~~
+
+Exit the SQL shell:
+
+{% include copy-clipboard.html %}
+~~~ sql
+> \q
+~~~
+
+## Step 3. Create a table in the new database
As the `maxroach` user, use the [built-in SQL client](use-the-built-in-sql-client.html) to create an `accounts` table in the new database.
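Review bot: the insecure path has the same gap as the secure one. The old include's "Start a single-node cluster" step is dropped, and the new Step 2 opens with `cockroach sql --insecure` without telling the reader to start a node first. Restore a start step ahead of it. The heading also says "`maxroach` users" (singular intended), and this section numbers its steps 2, 3, 4 while the secure section above uses 2, 4, 5; align the two so cross-references between the tabs match.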
@@ -102,7 +177,7 @@ $ cockroach sql --insecure \
-e 'CREATE TABLE accounts (id INT PRIMARY KEY, balance INT)'
~~~
-## Step 6. Run the Rust code
+## Step 4. Run the Rust code
Now that you have a database and a user, you'll run code to create a table and insert some rows, and then you'll run code to read and update values as an atomic [transaction](transactions.html).
diff --git a/v19.2/changefeed-for.md b/v19.2/changefeed-for.md
index 0cd2f402681..4b6cd8ffdbe 100644
--- a/v19.2/changefeed-for.md
+++ b/v19.2/changefeed-for.md
@@ -18,7 +18,7 @@ For more information, see [Change Data Capture](change-data-capture.html).
## Required privileges
-Changefeeds can only be created by superusers, i.e., [members of the `admin` role](create-and-manage-users.html). The admin role exists by default with `root` as the member.
+Changefeeds can only be created by superusers, i.e., [members of the `admin` role](authorization.html#create-and-manage-roles). The admin role exists by default with `root` as the member.
## Synopsis
diff --git a/v19.2/cockroach-commands.md b/v19.2/cockroach-commands.md
index a94649e06ba..09c8fc9f61d 100644
--- a/v19.2/cockroach-commands.md
+++ b/v19.2/cockroach-commands.md
@@ -19,7 +19,7 @@ Command | Usage
[`cockroach quit`](stop-a-node.html) | Temporarily stop a node or permanently remove a node.
[`cockroach sql`](use-the-built-in-sql-client.html) | Use the built-in SQL client.
[`cockroach sqlfmt`](use-the-query-formatter.html) | Reformat SQL queries for enhanced clarity.
-[`cockroach user`](create-and-manage-users.html) | Get, set, list, and remove users.
+`cockroach user` | **Deprecated.** To create and manage users and roles, use [`CREATE USER`](create-user.html), [`ALTER USER`](alter-user.html), [`DROP USER`](drop-user.html), [`SHOW USERS`](show-users.html), [`CREATE ROLE`](create-role.html), [`DROP ROLE`](drop-role.html), and [`SHOW ROLES`](show-roles.html).
[`cockroach node`](view-node-details.html) | List node IDs, show their status, decommission nodes for removal, or recommission nodes.
[`cockroach dump`](sql-dump.html) | Back up a table by outputting the SQL statements required to recreate the table and all its rows.
[`cockroach demo`](cockroach-demo.html) | Start a temporary, in-memory, single-node CockroachDB cluster, and open an interactive SQL shell to it.
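Review bot: the `cockroach user` row now says only "**Deprecated.**" and no longer links anywhere. State whether the command still works in v19.2 or has been removed, since scripts calling `cockroach user set` need to know whether they break on upgrade. The old usage text was "Get, set, list, and remove users", so listing `CREATE ROLE`, `DROP ROLE` and `SHOW ROLES` as replacements overstates what the command did; consider limiting the row to the four user statements and linking to `authorization.html` for roles.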
diff --git a/v19.2/connection-parameters.md b/v19.2/connection-parameters.md
index 6b34d07ff91..8cdbb8119f4 100644
--- a/v19.2/connection-parameters.md
+++ b/v19.2/connection-parameters.md
@@ -45,7 +45,7 @@ postgres://:@:/?
Component | Description | Required
----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------
- `` | The [SQL user](create-and-manage-users.html) that will own the client session. | ✗
+ `` | The [SQL user](create-user.html) that will own the client session. | ✗
`` | The user's password. It is not recommended to pass the password in the URL directly.
[Find more detail about how CockroachDB handles passwords](authentication.html#client-authentication). | ✗
`` | The host name or address of a CockroachDB node or load balancer. | Required by most client drivers.
`` | The port number of the SQL interface of the CockroachDB node or load balancer. The default port number for CockroachDB is 26257. Use this value when in doubt. | Required by most client drivers.
@@ -222,4 +222,4 @@ cockroach sql --url "postgres://root@servername:26257/mydb?sslmode=disable"
- [`cockroach` commands](cockroach-commands.html)
- [Create Security Certificates](create-security-certificates.html)
- [Secure a Cluster](secure-a-cluster.html)
-- [Create and Manage Users](create-and-manage-users.html)
+- [Create and Manage Users](authorization.html#create-and-manage-users)
diff --git a/v19.2/create-and-manage-users.md b/v19.2/create-and-manage-users.md
deleted file mode 100644
index 39a5e48e6f8..00000000000
--- a/v19.2/create-and-manage-users.md
+++ /dev/null
@@ -1,234 +0,0 @@
----
-title: Manage Users
-summary: To create and manage your cluster's users (which lets you control SQL-level privileges), use the cockroach user command with appropriate flags.
-toc: true
----
-
-To create, manage, and remove your cluster's users (which lets you control SQL-level [privileges](authorization.html#assign-privileges), use the `cockroach user` [command](cockroach-commands.html) with appropriate flags.
-
-{{site.data.alerts.callout_success}}You can also use the CREATE USER and DROP USER statements to create and remove users.{{site.data.alerts.end}}
-
-
-## Considerations
-
-- Usernames are case-insensitive; must start with either a letter or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters.
-- After creating users, you must [grant them privileges to databases and tables](grant.html).
-- All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
-- On secure clusters, you must [create client certificates for users](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client) and users must [authenticate their access to the cluster](authentication.html#client-authentication).
-- {% include {{ page.version.version }}/misc/remove-user-callout.html %}
-
-## Subcommands
-
-Subcommand | Usage
------------|------
-`get` | Retrieve a table containing a user and their hashed password.
-`ls` | List all users.
-`rm` | Remove a user.
-`set` | Create or update a user.
-
-## Synopsis
-
-~~~ shell
-# Create a user:
-$ cockroach user set
-
-# List all users:
-$ cockroach user ls
-
-# Display a specific user:
-$ cockroach user get
-
-# View help:
-$ cockroach user --help
-$ cockroach user get --help
-$ cockroach user ls --help
-$ cockroach user rm --help
-$ cockroach user set --help
-~~~
-
-## Flags
-
-The `user` command and subcommands support the following [general-use](#general) and [logging](#logging) flags.
-
-### General
-
-Flag | Description
------|------------
-`--password` | Enable password authentication for the user; you will be prompted to enter the password on the command line.
Password creation is supported only in secure clusters for non-`root` users. The `root` user must authenticate with a client certificate and key.
-`--echo-sql` | Reveal the SQL statements sent implicitly by the command-line utility. For a demonstration, see the [example](#reveal-the-sql-statements-sent-implicitly-by-the-command-line-utility) below.
-`--format` | How to display table rows printed to the standard output. Possible values: `tsv`, `csv`, `table`, `raw`, `records`, `sql`, `html`.
**Default:** `table` for sessions that [output on a terminal](use-the-built-in-sql-client.html#session-and-output-types); `tsv` otherwise.
-
-### Client connection
-
-{% include {{ page.version.version }}/sql/connection-parameters.md %}
-
-See [Client Connection Parameters](connection-parameters.html) for more details.
-
-Currently, only members of the `admin` role can create users. By default, the `root` user belongs to the `admin` role.
-
-{{site.data.alerts.callout_info}}
-Password creation is supported only in secure clusters for non-root users. The root user must authenticate with a client certificate and key.
-{{site.data.alerts.end}}
-
-### Logging
-
-By default, the `user` command logs errors to `stderr`.
-
-If you need to troubleshoot this command's behavior, you can change its [logging behavior](debug-and-error-logs.html).
-
-## Examples
-
-### Create a user
-
-
-
-
-
-
-
-Usernames are case-insensitive; must start with either a letter or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters.
-
-
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user set jpointsman --certs-dir=certs
-~~~
-
-{{site.data.alerts.callout_success}}If you want to allow password authentication for the user, include the --password flag and then enter and confirm the password at the command prompt.{{site.data.alerts.end}}
-
-After creating users, you must:
-
-- [Create their client certificates](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client).
-- [Grant them privileges to databases](grant.html).
-
-
-
-
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user set jpointsman --insecure
-~~~
-
-After creating users, you must [grant them privileges to databases](grant.html).
-
-
-
-### Log in as a specific user
-
-
-
-
-
-
-
-
-
-#### Secure clusters with client certificates
-
-All users can authenticate their access to a secure cluster using [a client certificate](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client) issued to their username.
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach sql --certs-dir=certs --user=jpointsman
-~~~
-
-#### Secure clusters with passwords
-
-Users with passwords can authenticate their access by entering their password at the command prompt instead of using their client certificate and key.
-
-If we cannot find client certificate and key files matching the user, we fall back on password authentication.
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach sql --certs-dir=certs --user=jpointsman
-~~~
-
-
-
-### Update a user's password
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user set jpointsman --certs-dir=certs --password
-~~~
-
-After issuing this command, enter and confirm the user's new password at the command prompt.
-
-Password creation is supported only in secure clusters for non-`root` users. The `root` user must authenticate with a client certificate and key.
-
-### List all users
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user ls --insecure
-~~~
-
-~~~
-+------------+
-| username |
-+------------+
-| jpointsman |
-+------------+
-~~~
-
-### Find a specific user
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user get jpointsman --insecure
-~~~
-
-~~~
-+------------+--------------------------------------------------------------+
-| username | hashedPassword |
-+------------+--------------------------------------------------------------+
-| jpointsman | $2a$108tm5lYjES9RSXSKtQFLhNO.e/ysTXCBIRe7XeTgBrR6ubXfp6dDczS |
-+------------+--------------------------------------------------------------+
-~~~
-
-### Remove a user
-
-{{site.data.alerts.callout_danger}}{% include {{ page.version.version }}/misc/remove-user-callout.html %}{{site.data.alerts.end}}
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user rm jpointsman --insecure
-~~~
-
-{{site.data.alerts.callout_success}}You can also use the DROP USER SQL statement to remove users.{{site.data.alerts.end}}
-
-### Reveal the SQL statements sent implicitly by the command-line utility
-
-In this example, we use the `--echo-sql` flag to reveal the SQL statement sent implicitly by the command-line utility:
-
-{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach user rm jpointsman --insecure --echo-sql
-~~~
-
-~~~
-> DELETE FROM system.users WHERE username=$1
-DELETE 1
-~~~
-
-## See also
-
-- [Authorization](authorization.html)
-- [`CREATE USER`](create-user.html)
-- [`DROP USER`](drop-user.html)
-- [`SHOW USERS`](show-users.html)
-- [`GRANT`](grant.html)
-- [`SHOW GRANTS`](show-grants.html)
-- [Create Security Certificates](create-security-certificates.html)
-- [Other Cockroach Commands](cockroach-commands.html)
diff --git a/v19.2/create-changefeed.md b/v19.2/create-changefeed.md
index f7d312786c5..38f58cb92fa 100644
--- a/v19.2/create-changefeed.md
+++ b/v19.2/create-changefeed.md
@@ -16,7 +16,7 @@ For more information, see [Change Data Capture](change-data-capture.html).
## Required privileges
-Changefeeds can only be created by superusers, i.e., [members of the `admin` role](create-and-manage-users.html). The admin role exists by default with `root` as the member.
+Changefeeds can only be created by superusers, i.e., [members of the `admin` role](authorization.html#create-and-manage-roles). The admin role exists by default with `root` as the member.
## Synopsis
diff --git a/v19.2/create-security-certificates.md b/v19.2/create-security-certificates.md
index 8b82aacf50f..9e7537a56e0 100644
--- a/v19.2/create-security-certificates.md
+++ b/v19.2/create-security-certificates.md
@@ -34,7 +34,7 @@ Subcommand | Usage
-----------|------
`create-ca` | Create the self-signed certificate authority (CA), which you'll use to create and authenticate certificates for your entire cluster.
`create-node` | Create a certificate and key for a specific node in the cluster. You specify all addresses at which the node can be reached and pass appropriate flags.
-`create-client` | Create a certificate and key for a [specific user](create-and-manage-users.html) accessing the cluster from a client. You specify the username of the user who will use the certificate and pass appropriate flags.
+`create-client` | Create a certificate and key for a [specific user](create-user.html) accessing the cluster from a client. You specify the username of the user who will use the certificate and pass appropriate flags.
`list` | List certificates and keys found in the certificate directory.
## Certificate directory
diff --git a/v19.2/create-user.md b/v19.2/create-user.md
index 2e4fdbe5a0a..4294e510318 100644
--- a/v19.2/create-user.md
+++ b/v19.2/create-user.md
@@ -6,10 +6,6 @@ toc: true
The `CREATE USER` [statement](sql-statements.html) creates SQL users, which let you control [privileges](authorization.html#assign-privileges) on your databases and tables.
-{{site.data.alerts.callout_success}}
-You can also use the [`cockroach user set`](create-and-manage-users.html) command to create and manage users.
-{{site.data.alerts.end}}
-
## Considerations
- Usernames:
@@ -48,7 +44,7 @@ Secure clusters require users to authenticate their access to databases and tabl
- [Client certificate and key authentication](#secure-clusters-with-client-certificates), which is available to all users. To ensure the highest level of security, we recommend only using client certificate and key authentication.
-- [Password authentication](#secure-clusters-with-passwords), which is available to non-`root` users who you've created passwords for. To create a user with a password, use the `WITH PASSWORD` clause of `CREATE USER`. To add a password to an existing user, use the [`cockroach user`](create-and-manage-users.html#update-a-users-password) command.
+- [Password authentication](#secure-clusters-with-passwords), which is available to non-`root` users who you've created passwords for. To create a user with a password, use the `WITH PASSWORD` clause of `CREATE USER`. To add a password to an existing user, use the [`ALTER USER`](alter-user.html) statement.
Users can use passwords to authenticate without supplying client certificates and keys; however, we recommend using certificate-based authentication whenever possible.
@@ -81,7 +77,7 @@ Password creation is supported only in secure clusters for non-`root` users. The
### Manage users
-After creating users, you can manage them using the [`cockroach user`](create-and-manage-users.html) command.
+After creating a user, you can use the [`ALTER USER`](alter-user.html) statement to add or change the user's password and the [`DROP USER`](drop-user.html) statement to the remove users.
### Authenticate as a specific user
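Review bot: The added "Manage users" sentence ends with "statement to the remove users", which is ungrammatical. Suggest "and the `DROP USER` statement to remove the user", singular to match "After creating a user" at the start of the same sentence.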
@@ -127,7 +123,7 @@ $ cockroach sql --insecure --user=jpointsman
## See also
- [Authorization](authorization.html)
-- [`cockroach user` command](create-and-manage-users.html)
+- [`ALTER USER`](alter-user.html)
- [`DROP USER`](drop-user.html)
- [`SHOW USERS`](show-users.html)
- [`GRANT`](grant.html)
diff --git a/v19.2/demo-json-support.md b/v19.2/demo-json-support.md
index 256d8fed2e5..b3ba3b70efb 100644
--- a/v19.2/demo-json-support.md
+++ b/v19.2/demo-json-support.md
@@ -41,22 +41,20 @@ $ cockroach start \
## Step 3. Create a user
-In a new terminal, as the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`.
+In a new terminal, open the [built-in SQL client](use-the-built-in-sql-client.html) as the `root` user and create a new user, `maxroach`:
{% include copy-clipboard.html %}
~~~ shell
-$ cockroach user set maxroach --insecure --host=localhost:26257
+$ cockroach sql --insecure --host=localhost:26257
~~~
-## Step 4. Create a database and grant privileges
-
-As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html):
-
{% include copy-clipboard.html %}
-~~~ shell
-$ cockroach sql --insecure --host=localhost:26257
+~~~ sql
+> CREATE USER maxroach
~~~
+## Step 4. Create a database and grant privileges
+
Next, create a database called `jsonb_test`:
{% include copy-clipboard.html %}
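Review bot: The added `> CREATE USER maxroach` in Step 3 has no terminating semicolon, so when pasted into the interactive SQL shell opened by the preceding command it will sit waiting for more input instead of executing. roles.md in this same patch uses `> CREATE USER maxroach;`, so add the semicolon here for consistency and so the copied line runs as is. Step 4 now also depends on the shell from Step 3 still being open, since its "open the built-in SQL client" instruction was removed; a short "in the same SQL shell" in the Step 4 lead-in would make that explicit.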
diff --git a/v19.2/deploy-cockroachdb-on-aws-insecure.md b/v19.2/deploy-cockroachdb-on-aws-insecure.md
index e3d67e74ebb..a1de866b6b0 100644
--- a/v19.2/deploy-cockroachdb-on-aws-insecure.md
+++ b/v19.2/deploy-cockroachdb-on-aws-insecure.md
@@ -123,7 +123,7 @@ AWS offers fully-managed load balancing to distribute traffic between instances.
Now that your deployment is working, you can:
1. [Implement your data model](sql-statements.html).
-2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
+2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the AWS load balancer, not to a CockroachDB node.
## See also
diff --git a/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md b/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md
index 1de235383fb..05fd07986d5 100644
--- a/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md
+++ b/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md
@@ -100,7 +100,7 @@ For guidance, you can use Digital Ocean's guide to configuring firewalls based o
Now that your deployment is working, you can:
1. [Implement your data model](sql-statements.html).
-2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
+2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the Digital Ocean Load Balancer, not to a CockroachDB node.
## See also
diff --git a/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md b/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md
index 566c91e3f09..a7a0d3a6deb 100644
--- a/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md
+++ b/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md
@@ -123,7 +123,7 @@ To use GCE's TCP Proxy Load Balancing service:
Now that your deployment is working, you can:
1. [Implement your data model](sql-statements.html).
-2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
+2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the GCE load balancer, not to a CockroachDB node.
## See also
diff --git a/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md b/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md
index 4f003afa46a..2361eb78c9e 100644
--- a/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md
+++ b/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md
@@ -134,7 +134,7 @@ Microsoft Azure offers fully-managed load balancing to distribute traffic betwee
Now that your deployment is working, you can:
1. [Implement your data model](sql-statements.html).
-2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html).
+2. [Create users](create-user.html) and [grant them privileges](grant.html).
3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the Azure load balancer, not to a CockroachDB node.
## See also
diff --git a/v19.2/drop-user.md b/v19.2/drop-user.md
index 1165e5f4da6..46080eaa5be 100644
--- a/v19.2/drop-user.md
+++ b/v19.2/drop-user.md
@@ -6,9 +6,6 @@ toc: true
The `DROP USER` [statement](sql-statements.html) removes one or more SQL users.
-{{site.data.alerts.callout_success}}You can also use the cockroach user rm command to remove users.{{site.data.alerts.end}}
-
-
## Required privileges
The user must have the `DELETE` [privilege](authorization.html#assign-privileges) on the `system.users` table.
@@ -57,8 +54,8 @@ In this example, first check a user's privileges. Then, revoke the user's privil
## See also
-- [`cockroach user` command](create-and-manage-users.html)
- [`CREATE USER`](create-user.html)
+- [`ALTER USER`](alter-user.html)
- [`SHOW USERS`](show-users.html)
- [`GRANT`](grant.html)
- [`SHOW GRANTS`](show-grants.html)
diff --git a/v19.2/grant-roles.md b/v19.2/grant-roles.md
index a225ccab7bb..19d22997001 100644
--- a/v19.2/grant-roles.md
+++ b/v19.2/grant-roles.md
@@ -4,7 +4,7 @@ summary: The GRANT statement grants user privileges for interacting with
toc: true
---
-The `GRANT ` [statement](sql-statements.html) lets you add a [role](authorization.html#create-and-manage-roles) or [user](create-and-manage-users.html) as a member to a role.
+The `GRANT ` [statement](sql-statements.html) lets you add a [role](authorization.html#create-and-manage-roles) or [user](authorization.html#create-and-manage-users) as a member to a role.
{{site.data.alerts.callout_info}}GRANT <roles> is an enterprise-only feature.{{site.data.alerts.end}}
@@ -29,7 +29,7 @@ The user granting role membership must be a role admin (i.e., members with the `
Parameter | Description
----------|------------
`role_name` | The name of the role to which you want to add members. To add members to multiple roles, use a comma-separated list of role names.
-`user_name` | The name of the [user](create-and-manage-users.html) or [role](authorization.html#create-and-manage-roles) to whom you want to grant membership. To add multiple members, use a comma-separated list of user and/or role names.
+`user_name` | The name of the [user](authorization.html#create-and-manage-users) or [role](authorization.html#create-and-manage-roles) to whom you want to grant membership. To add multiple members, use a comma-separated list of user and/or role names.
`WITH ADMIN OPTION` | Designate the user as an role admin. Role admins can grant or revoke membership for the specified role.
## Examples
@@ -85,4 +85,4 @@ Parameter | Description
- [`REVOKE `](revoke.html)
- [`SHOW GRANTS`](show-grants.html)
- [`SHOW ROLES`](show-roles.html)
-- [Manage Users](create-and-manage-users.html)
+- [Manage Users](authorization.html#create-and-manage-users)
diff --git a/v19.2/grant.md b/v19.2/grant.md
index cc586327092..26143e36447 100644
--- a/v19.2/grant.md
+++ b/v19.2/grant.md
@@ -4,11 +4,10 @@ summary: The GRANT statement grants user privileges for interacting with specifi
toc: true
---
-The `GRANT ` [statement](sql-statements.html) lets you control each [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) SQL [privileges](authorization.html#assign-privileges) for interacting with specific databases and tables.
+The `GRANT ` [statement](sql-statements.html) lets you control each [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) SQL [privileges](authorization.html#assign-privileges) for interacting with specific databases and tables.
For privileges required by specific statements, see the documentation for the respective [SQL statement](sql-statements.html).
-
## Synopsis
{% include {{ page.version.version }}/sql/diagrams/grant_privileges.html %}
@@ -43,7 +42,7 @@ Parameter | Description
----------|------------
`table_name` | A comma-separated list of table names. Alternately, to grant privileges to all tables, use `*`. `ON TABLE table.*` grants apply to all existing tables in a database but will not affect tables created after the grant.
`database_name` | A comma-separated list of database names.
Privileges granted on databases will be inherited by any new tables created in the databases, but do not affect existing tables in the database.
-`user_name` | A comma-separated list of [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles) to whom you want to grant privileges.
+`user_name` | A comma-separated list of [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles) to whom you want to grant privileges.
## Examples
@@ -151,4 +150,4 @@ Parameter | Description
- [`REVOKE `](revoke.html)
- [`SHOW GRANTS`](show-grants.html)
- [`SHOW ROLES`](show-roles.html)
-- [Manage Users](create-and-manage-users.html)
+- [Manage Users](authorization.html#create-and-manage-users)
diff --git a/v19.2/revoke-roles.md b/v19.2/revoke-roles.md
index 1cb3d92c087..9bea393c591 100644
--- a/v19.2/revoke-roles.md
+++ b/v19.2/revoke-roles.md
@@ -4,7 +4,7 @@ summary: The REVOKE statement revokes privileges from users and/or roles
toc: true
---
-The `REVOKE ` [statement](sql-statements.html) lets you revoke a [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) membership to a role.
+The `REVOKE ` [statement](sql-statements.html) lets you revoke a [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) membership to a role.
{{site.data.alerts.callout_info}}REVOKE <roles> is an enterprise-only feature.{{site.data.alerts.end}}
@@ -29,7 +29,7 @@ Parameter | Description
----------|------------
`ADMIN OPTION` | Revoke the user's role admin status.
`role_name` | The name of the role from which you want to remove members. To revoke members from multiple roles, use a comma-separated list of role names.
-`user_name` | The name of the [user](create-and-manage-users.html) or [role](authorization.html#create-and-manage-roles) from whom you want to revoke membership. To revoke multiple members, use a comma-separated list of user and/or role names.
+`user_name` | The name of the [user](authorization.html#create-and-manage-users) or [role](authorization.html#create-and-manage-roles) from whom you want to revoke membership. To revoke multiple members, use a comma-separated list of user and/or role names.
## Examples
diff --git a/v19.2/revoke.md b/v19.2/revoke.md
index dfd275265ba..84502d25ba3 100644
--- a/v19.2/revoke.md
+++ b/v19.2/revoke.md
@@ -4,7 +4,7 @@ summary: The REVOKE statement revokes privileges from users and/or roles.
toc: true
---
-The `REVOKE ` [statement](sql-statements.html) revokes [privileges](authorization.html#assign-privileges) from [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles).
+The `REVOKE ` [statement](sql-statements.html) revokes [privileges](authorization.html#assign-privileges) from [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles).
For the list of privileges that can be granted to and revoked from users and roles, see [`GRANT`](grant.html).
@@ -25,7 +25,7 @@ Parameter | Description
----------|------------
`table_name` | The name of the table for which you want to revoke privileges. To revoke privileges for multiple tables, use a comma-separated list of table names. To revoke privileges for all tables, use `*`.
`database_name` | The name of the database for which you want to revoke privileges. To revoke privileges for multiple databases, use a comma-separated list of database names.
Privileges revoked for databases will be revoked for any new tables created in the databases.
-`user_name` | A comma-separated list of [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles) from whom you want to revoke privileges.
+`user_name` | A comma-separated list of [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles) from whom you want to revoke privileges.
## Examples
diff --git a/v19.2/roles.md b/v19.2/roles.md
index ce06f39d89d..18b9f146e7d 100644
--- a/v19.2/roles.md
+++ b/v19.2/roles.md
@@ -22,7 +22,7 @@ To get started, basic role terminology is outlined below:
Term | Description
-----|------------
-Role | A group containing any number of [users](create-and-manage-users.html) or other roles.
Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
+Role | A group containing any number of [users](create-user.html) or other roles.
Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges.
Role admin | A member of the role that's allowed to modify role membership. To create a role admin, use [`WITH ADMIN OPTION`](grant-roles.html#grant-the-admin-option).
Superuser / Admin | A member of the `admin` role. Only superusers can [`CREATE ROLE`](create-role.html) or [`DROP ROLE`](drop-role.html). The `admin` role is created by default and cannot be dropped.
`root` | A user that exists by default as a member of the `admin` role. The `root` user must always be a member of the `admin` role.
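Review bot: The `users` link in the Role row is repointed to `create-user.html`, while the See also entry of this same file and the equivalent links in grant.md, revoke.md, grant-roles.md and revoke-roles.md in this patch go to `authorization.html#create-and-manage-users`. Pick one target for the generic "users" link so readers land on the same overview from every page; `authorization.html#create-and-manage-users` looks like the intended replacement for the removed page.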
@@ -42,21 +42,21 @@ $ cockroach start \
--listen-addr=localhost:26257
~~~
-1. As the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`:
+1. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html):
{% include copy-clipboard.html %}
~~~ shell
- $ cockroach user set maxroach --insecure
+ $ cockroach sql --insecure
~~~
-2. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html):
+2. [Create a user](create-user.html), `maxroach`:
{% include copy-clipboard.html %}
- ~~~ shell
- $ cockroach sql --insecure
+ ~~~ sql
+ > CREATE USER maxroach;
~~~
-3. Create a database and set it as the default:
+3. [Create a database](create-database.html) and [set it as the default](set-database.html):
{% include copy-clipboard.html %}
~~~ sql
@@ -249,6 +249,6 @@ $ cockroach start \
- [`REVOKE `](revoke.html)
- [`REVOKE ` (Enterprise)](revoke-roles.html)
- [`SHOW GRANTS`](show-grants.html)
-- [Manage Users](create-and-manage-users.html)
+- [Manage Users](authorization.html#create-and-manage-users)
- [Privileges](authorization.html#assign-privileges)
- [Other Cockroach Commands](cockroach-commands.html)
diff --git a/v19.2/show-grants.md b/v19.2/show-grants.md
index bb2f2ac3880..792dd23b3fc 100644
--- a/v19.2/show-grants.md
+++ b/v19.2/show-grants.md
@@ -254,6 +254,6 @@ SHOW GRANTS ON ROLE FOR carl;
- [`REVOKE `](revoke.html)
- [`REVOKE ` (Enterprise)](revoke-roles.html)
- [`SHOW GRANTS`](show-grants.html)
-- [Manage Users](create-and-manage-users.html)
+- [Manage Users](authorization.html#create-and-manage-users)
- [Other Cockroach Commands](cockroach-commands.html)
- [Information Schema](information-schema.html)
diff --git a/v19.2/show-roles.md b/v19.2/show-roles.md
index be3dca1be1c..95ecddc27f4 100644
--- a/v19.2/show-roles.md
+++ b/v19.2/show-roles.md
@@ -41,4 +41,4 @@ The user must have the [`SELECT`](select-clause.html) [privilege](authorization.
- [`REVOKE ` (Enterprise)](grant-roles.html)
- [`REVOKE `](grant.html) | Grant privileges to [users](create-and-manage-users.html) or [roles](authorization.html#create-and-manage-roles).
-[`GRANT `](grant-roles.html) | Add a [role](authorization.html#create-and-manage-roles) or [user](create-and-manage-users.html) as a member to a role.
-[`REVOKE `](revoke.html) | Revoke privileges from [users](create-and-manage-users.html) or [roles](authorization.html#create-and-manage-roles).
-[`REVOKE `](revoke-roles.html) | Revoke a [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) membership to a role.
+[`GRANT `](grant.html) | Grant privileges to [users](authorization.html#create-and-manage-users) or [roles](authorization.html#create-and-manage-roles).
+[`GRANT `](grant-roles.html) | Add a [role](authorization.html#create-and-manage-roles) or [user](authorization.html#create-and-manage-users) as a member to a role.
+[`REVOKE `](revoke.html) | Revoke privileges from [users](authorization.html#create-and-manage-users) or [roles](authorization.html#create-and-manage-roles).
+[`REVOKE `](revoke-roles.html) | Revoke a [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) membership to a role.
[`SHOW GRANTS`](show-grants.html) | View privileges granted to users.
[`SHOW ROLES`](show-roles.html) | Lists the roles for all databases.
[`SHOW USERS`](show-users.html) | Lists the users for all databases.
diff --git a/v19.2/training/client-connection-troubleshooting.md b/v19.2/training/client-connection-troubleshooting.md
index f8f61493c48..fd2a1baed1c 100644
--- a/v19.2/training/client-connection-troubleshooting.md
+++ b/v19.2/training/client-connection-troubleshooting.md
@@ -25,11 +25,14 @@ In this scenario, you try to connect a user without providing a client certifica
### Step 1. Simulate the problem
-1. In a new terminal, as the `root` user, create a new user called `kirk`:
+1. In a new terminal, as the `root` users, create a new user called `kirk`:
{% include copy-clipboard.html %}
~~~ shell
- $ cockroach user set kirk --certs-dir=certs --host=localhost:26257
+ $ cockroach sql \
+ --certs-dir=certs \
+ --host=localhost:26257 \
+ --execute="CREATE USER kirk;"
~~~
2. As the `kirk` user, try to connect to the cluster:
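Review bot: The rewritten step 1 changes "as the `root` user" to "as the `root` users", which is a typo introduced by this hunk. Restore the singular; the command change underneath it is otherwise unaffected.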
diff --git a/v19.2/training/security.md b/v19.2/training/security.md
index e01846d4796..386d6306440 100644
--- a/v19.2/training/security.md
+++ b/v19.2/training/security.md
@@ -135,21 +135,14 @@ Restart the nodes using the same commands you used to start them initially, but
--host=localhost:26257
~~~
-2. Create a new user, `spock`:
-
- {% include copy-clipboard.html %}
- ~~~ shell
- $ cockroach user set spock --certs-dir=certs --host=localhost:26257
- ~~~
-
-3. As the root user, grant `spock` the `SELECT` privilege on the `startrek.quotes` table:
+2. Create a new user called `spock` and grant `spock` the `SELECT` privilege on the `startrek.quotes` table:
{% include copy-clipboard.html %}
~~~ shell
$ cockroach sql \
--certs-dir=certs \
--host=localhost:26257 \
- --execute="GRANT SELECT ON TABLE startrek.quotes TO spock;"
+ --execute="CREATE USER spock; GRANT SELECT ON TABLE startrek.quotes TO spock;"
~~~
## Step 4. Authenticate a user (via client cert)
@@ -181,17 +174,30 @@ Although we recommend always using TLS certificates to authenticate users, it's
For multiple users to access the Admin UI, the `root` user must [create users with passwords](../create-user.html#create-a-user-with-a-password).
{{site.data.alerts.end}}
-1. As the `root` user, create a new `kirk` user with the password `enterprise`. You'll have to type in the password twice at the prompt:
+1. As the `root` user, open the built-in SQL shell:
{% include copy-clipboard.html %}
~~~ shell
- $ cockroach user set kirk \
+ $ cockroach sql \
--certs-dir=certs \
- --host=localhost:26257 \
- --password
+ --host=localhost:26257
+ ~~~
+
+2. Create a new `kirk` user with the password `enterprise`. You'll have to type in the password twice at the prompt:
+
+ {% include copy-clipboard.html %}
+ ~~~ sql
+ > CREATE USER kirk WITH PASSWORD 'enterprise';
+ ~~~
+
+3. Exit the SQL shell:
+
+ {% include copy-clipboard.html %}
+ ~~~ sql
+ > \q
~~~
-2. As the `root` user, grant `kirk` the `SELECT` privilege on the tables in the `startrek` database:
+4. As the `root` user, grant `kirk` the `SELECT` privilege on the tables in the `startrek` database:
{% include copy-clipboard.html %}
~~~ shell
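Review bot: New step 2 keeps the sentence "You'll have to type in the password twice at the prompt", but the replacement is `> CREATE USER kirk WITH PASSWORD 'enterprise';`, which carries the password inline and produces no prompt. Drop that sentence. It is also worth one line in the step noting that the password now appears in cleartext in the statement, and so in anything that records the statement, which the removed `--password` prompt avoided; for a security training module that difference should be stated rather than left implicit.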
@@ -202,7 +208,7 @@ For multiple users to access the Admin UI, the `root` user must [create users wi
--execute="GRANT SELECT ON startrek.* TO kirk;"
~~~
-3. As the `kirk` user, read from the `startrek.quotes` table:
+5. As the `kirk` user, read from the `startrek.quotes` table:
{{site.data.alerts.callout_info}}
It's necessary to include the `--certs-dir` flag even though you haven't created a cert for this user. When the cluster does not find a suitable client cert, it falls back on password authentication.
diff --git a/v19.2/training/users-and-privileges.md b/v19.2/training/users-and-privileges.md
index 3ad5e34131c..c5dc97e3177 100644
--- a/v19.2/training/users-and-privileges.md
+++ b/v19.2/training/users-and-privileges.md
@@ -86,7 +86,10 @@ Initially, no users other than `root` have privileges, and root has `ALL` privil
{% include copy-clipboard.html %}
~~~ shell
- $ cockroach user set spock --insecure --host=localhost:26257
+ $ cockroach sql \
+ --certs-dir=certs \
+ --host=localhost:26257 \
+ --execute="CREATE USER spock;"
~~~
2. Try to read from a table in the `startrek` database as `spock`:
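Review bot: The replacement command connects with `--certs-dir=certs`, but the line it replaces used `--insecure --host=localhost:26257`, which indicates this module runs against an insecure cluster. If that is still the case the new command will fail to connect and the reader cannot create `spock`. Keep `--insecure` in the new `cockroach sql ... --execute="CREATE USER spock;"` invocation unless the earlier steps of this page were also moved to certificates.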