From aaa555f1ddd35ef1ec6d0431824c4288f9f2b5a6 Mon Sep 17 00:00:00 2001 From: Jesse Seldess Date: Mon, 26 Aug 2019 17:04:24 -0400 Subject: [PATCH] Remove mention of cockroach user It's deprecated, so reference USER sql statements instead and remove the cockroach user cli page. Fixes #5305. --- _includes/v19.2/app/common-steps.md | 36 --- .../v19.2/prod-deployment/use-cluster.md | 2 +- _includes/v19.2/sql/connection-parameters.md | 2 +- v19.2/alter-user.md | 8 +- v19.2/authorization.md | 176 +++++++------ v19.2/build-a-rust-app-with-cockroachdb.md | 87 ++++++- v19.2/changefeed-for.md | 2 +- v19.2/cockroach-commands.md | 2 +- v19.2/connection-parameters.md | 4 +- v19.2/create-and-manage-users.md | 234 ------------------ v19.2/create-changefeed.md | 2 +- v19.2/create-security-certificates.md | 2 +- v19.2/create-user.md | 10 +- v19.2/demo-json-support.md | 14 +- v19.2/deploy-cockroachdb-on-aws-insecure.md | 2 +- ...y-cockroachdb-on-digital-ocean-insecure.md | 2 +- ...achdb-on-google-cloud-platform-insecure.md | 2 +- ...cockroachdb-on-microsoft-azure-insecure.md | 2 +- v19.2/drop-user.md | 5 +- v19.2/grant-roles.md | 6 +- v19.2/grant.md | 7 +- v19.2/revoke-roles.md | 4 +- v19.2/revoke.md | 4 +- v19.2/roles.md | 16 +- v19.2/show-grants.md | 2 +- v19.2/show-roles.md | 2 +- v19.2/show-users.md | 2 +- v19.2/sql-statements.md | 8 +- .../client-connection-troubleshooting.md | 7 +- v19.2/training/security.md | 36 +-- v19.2/training/users-and-privileges.md | 5 +- 31 files changed, 256 insertions(+), 437 deletions(-) delete mode 100644 _includes/v19.2/app/common-steps.md delete mode 100644 v19.2/create-and-manage-users.md diff --git a/_includes/v19.2/app/common-steps.md b/_includes/v19.2/app/common-steps.md deleted file mode 100644 index b2d6e4deed2..00000000000 --- a/_includes/v19.2/app/common-steps.md +++ /dev/null @@ -1,36 +0,0 @@ -## Step 2. Start a single-node cluster - -For the purpose of this tutorial, you need only one CockroachDB node running in insecure mode: - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach start \ ---insecure \ ---store=hello-1 \ ---listen-addr=localhost -~~~ - -## Step 3. Create a user - -In a new terminal, as the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`. - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user set maxroach --insecure -~~~ - -## Step 4. Create a database and grant privileges - -As the `root` user, use the [built-in SQL client](use-the-built-in-sql-client.html) to create a `bank` database. - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --insecure -e 'CREATE DATABASE bank' -~~~ - -Then [grant privileges](grant.html) to the `maxroach` user. - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --insecure -e 'GRANT ALL ON DATABASE bank TO maxroach' -~~~ diff --git a/_includes/v19.2/prod-deployment/use-cluster.md b/_includes/v19.2/prod-deployment/use-cluster.md index 134f9fc6912..e513a09f046 100644 --- a/_includes/v19.2/prod-deployment/use-cluster.md +++ b/_includes/v19.2/prod-deployment/use-cluster.md @@ -1,7 +1,7 @@ Now that your deployment is working, you can: 1. [Implement your data model](sql-statements.html). -2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html). +2. [Create users](create-user.html) and [grant them privileges](grant.html). 3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the load balancer, not to a CockroachDB node. You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see [Configure Replication Zones](configure-replication-zones.html). diff --git a/_includes/v19.2/sql/connection-parameters.md b/_includes/v19.2/sql/connection-parameters.md index 0a0ad048ead..14ad2576a42 100644 --- a/_includes/v19.2/sql/connection-parameters.md +++ b/_includes/v19.2/sql/connection-parameters.md @@ -2,7 +2,7 @@ Flag | Description -----|------------ `--host` | The server host and port number to connect to. This can be the address of any node in the cluster.

**Env Variable:** `COCKROACH_HOST`
**Default:** `localhost:26257` `--port`
`-p` | The server port to connect to. Note: The port number can also be specified via `--host`.

**Env Variable:** `COCKROACH_PORT`
**Default:** `26257` -`--user`
`-u` | The [SQL user](create-and-manage-users.html) that will own the client session.

**Env Variable:** `COCKROACH_USER`
**Default:** `root` +`--user`
`-u` | The [SQL user](create-user.html) that will own the client session.

**Env Variable:** `COCKROACH_USER`
**Default:** `root` `--insecure` | Use an insecure connection.

**Env Variable:** `COCKROACH_INSECURE`
**Default:** `false` `--certs-dir` | The path to the [certificate directory](create-security-certificates.html) containing the CA and client certificates and client key.

**Env Variable:** `COCKROACH_CERTS_DIR`
**Default:** `${HOME}/.cockroach-certs/` `--url` | A [connection URL](connection-parameters.html#connect-using-a-url) to use instead of the other arguments.

**Env Variable:** `COCKROACH_URL`
**Default:** no URL diff --git a/v19.2/alter-user.md b/v19.2/alter-user.md index db54cbb9b7f..781a003ee3a 100644 --- a/v19.2/alter-user.md +++ b/v19.2/alter-user.md @@ -4,12 +4,7 @@ summary: The ALTER USER statement can be used to add or change a user's password toc: true --- -The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-and-manage-users.html) password. - -{{site.data.alerts.callout_success}} -You can also use the [`cockroach user`](create-and-manage-users.html#update-a-users-password) command to add or change a user's password. -{{site.data.alerts.end}} - +The `ALTER USER` [statement](sql-statements.html) can be used to add or change a [user's](create-user.html) password. ## Considerations @@ -75,7 +70,6 @@ To preserve case in a password specified using identifier syntax, use double quo ## See also -- [`cockroach user` command](create-and-manage-users.html) - [`DROP USER`](drop-user.html) - [`SHOW USERS`](show-users.html) - [`GRANT `](grant.html) diff --git a/v19.2/authorization.md b/v19.2/authorization.md index 4fb29d625f5..eb12290ace5 100644 --- a/v19.2/authorization.md +++ b/v19.2/authorization.md @@ -2,26 +2,28 @@ title: Authorization summary: Learn about the authorization features for secure CockroachDB clusters. toc: true +redirect_from: create-and-manage-users.html --- User authorization is the act of defining access policies for authenticated CockroachDB users. CockroachDB allows you to create, manage, and remove your cluster's [users](#create-and-manage-users) and assign SQL-level [privileges](#assign-privileges) to the users. Additionally, if you have an [Enterprise license](get-started-with-enterprise-trial.html), you can use [role-based access management (RBAC)](#create-and-manage-roles) for simplified user management. ## Create and manage users -You can use either of the following methods to create and manage users: - -- Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users. -- Use the [`cockroach user` command](create-and-manage-users.html) with appropriate flags. +Use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users, the [`ALTER USER`](alter-user.html) statement to add or change a user's password, and the [`SHOW USERS`](show-users.html) statement to list users. ## Create and manage roles +{{site.data.alerts.callout_info}} +Role-based access management is an enterprise feature. To request a 30-day trial license, see [Get CockroachDB](https://www.cockroachlabs.com/get-cockroachdb/). +{{site.data.alerts.end}} + Roles are SQL groups that contain any number of users and roles as members. ### Terminology Term | Description -----|------------ -Role | A group containing any number of [users](create-and-manage-users.html) or other roles.

Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges. +Role | A group containing any number of [users](create-user.html) or other roles.

Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges. Role admin | A member of the role that's allowed to modify role membership. To create a role admin, use [`WITH ADMIN OPTION`](grant-roles.html#grant-the-admin-option). Superuser / Admin | A member of the `admin` role. Only superusers can [`CREATE ROLE`](create-role.html) or [`DROP ROLE`](drop-role.html). The `admin` role is created by default and cannot be dropped. `root` | A user that exists by default as a member of the `admin` role. The `root` user must always be a member of the `admin` role. @@ -42,7 +44,7 @@ To create and manage your cluster's roles, use the following statements: ## Assign privileges -In CockroachDB, privileges are granted to [users](create-and-manage-users.html) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows. +In CockroachDB, privileges are granted to [users](#create-and-manage-users) and [roles](#create-and-manage-roles) at the database and table levels. They are not yet supported for other granularities such as columns or rows. When a user connects to a database, either via the [built-in SQL client](use-the-built-in-sql-client.html) or a [client driver](install-client-drivers.html), CockroachDB checks the user and role's privileges for each statement executed. If the user does not have sufficient privileges for a statement, CockroachDB gives an error. @@ -81,21 +83,17 @@ To revoke privileges from roles or users, use the [`REVOKE`](revoke.html) statem ## Example -For the purpose of this example, you need an [enterprise license](enterprise-licensing.html) and one CockroachDB node running in insecure mode: - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach start \ ---insecure \ ---store=roles \ ---listen-addr=localhost:26257 -~~~ +This example demonstrates user- and role-based access management. Role-based access management is an enterprise feature, so before you begin, [request a trial enterprise license](https://www.cockroachlabs.com/get-cockroachdb/). -1. As the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`: +1. Start a single-node, insecure cluster: {% include copy-clipboard.html %} ~~~ shell - $ cockroach user set maxroach --insecure + $ cockroach start-single-node \ + --insecure \ + --store=roles \ + --listen-addr=localhost:26257 \ + --background ~~~ 2. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html): @@ -105,7 +103,26 @@ $ cockroach start \ $ cockroach sql --insecure ~~~ -3. Create a database and set it as the default: +3. Run the following commands in your SQL shell to enable enterprise features using your trial license: + + {% include copy-clipboard.html %} + ~~~ sql + > SET CLUSTER SETTING cluster.organization = ''; + ~~~ + + {% include copy-clipboard.html %} + ~~~ sql + > SET CLUSTER SETTING enterprise.license = ''; + ~~~ + +4. [Create a user](create-user.html), `maxroach`: + + {% include copy-clipboard.html %} + ~~~ sql + > CREATE USER maxroach; + ~~~ + +5. [Create a database](create-database.html) and [set it as the default](set-database.html): {% include copy-clipboard.html %} ~~~ sql @@ -117,7 +134,7 @@ $ cockroach start \ > SET DATABASE = test_roles; ~~~ -4. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database: +6. [Create a role](create-role.html) and then [list all roles](show-roles.html) in your database: {% include copy-clipboard.html %} ~~~ sql @@ -130,15 +147,14 @@ $ cockroach start \ ~~~ ~~~ + role_name +------------+ - | rolename | - +------------+ - | admin | - | system_ops | - +------------+ + admin + system_ops + (2 rows) ~~~ -5. Grant privileges to the `system_ops` role you created: +7. [Grant privileges](grant.html) to the `system_ops` role you created: {% include copy-clipboard.html %} ~~~ sql @@ -151,43 +167,42 @@ $ cockroach start \ ~~~ ~~~ - +------------+--------------------+------------+------------+ - | Database | Schema | User | Privileges | - +------------+--------------------+------------+------------+ - | test_roles | crdb_internal | admin | ALL | - | test_roles | crdb_internal | root | ALL | - | test_roles | crdb_internal | system_ops | CREATE | - | test_roles | crdb_internal | system_ops | SELECT | - | test_roles | information_schema | admin | ALL | - | test_roles | information_schema | root | ALL | - | test_roles | information_schema | system_ops | CREATE | - | test_roles | information_schema | system_ops | SELECT | - | test_roles | pg_catalog | admin | ALL | - | test_roles | pg_catalog | root | ALL | - | test_roles | pg_catalog | system_ops | CREATE | - | test_roles | pg_catalog | system_ops | SELECT | - | test_roles | public | admin | ALL | - | test_roles | public | root | ALL | - | test_roles | public | system_ops | CREATE | - | test_roles | public | system_ops | SELECT | - +------------+--------------------+------------+------------+ + database_name | schema_name | grantee | privilege_type + +---------------+--------------------+------------+----------------+ + test_roles | crdb_internal | admin | ALL + test_roles | crdb_internal | root | ALL + test_roles | crdb_internal | system_ops | CREATE + test_roles | crdb_internal | system_ops | SELECT + test_roles | information_schema | admin | ALL + test_roles | information_schema | root | ALL + test_roles | information_schema | system_ops | CREATE + test_roles | information_schema | system_ops | SELECT + test_roles | pg_catalog | admin | ALL + test_roles | pg_catalog | root | ALL + test_roles | pg_catalog | system_ops | CREATE + test_roles | pg_catalog | system_ops | SELECT + test_roles | public | admin | ALL + test_roles | public | root | ALL + test_roles | public | system_ops | CREATE + test_roles | public | system_ops | SELECT + (16 rows) ~~~ -6. Add the `maxroach` user to the `system_ops` role: +8. Add the `maxroach` user to the `system_ops` role: {% include copy-clipboard.html %} ~~~ sql > GRANT system_ops TO maxroach; ~~~ -7. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role): +9. To test the privileges you just added to the `system_ops` role, use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `maxroach` user (who is a member of the `system_ops` role): {% include copy-clipboard.html %} ~~~ shell $ cockroach sql --user=maxroach --database=test_roles --insecure ~~~ -8. As the `maxroach` user, create a table: +10. As the `maxroach` user, create a table: {% include copy-clipboard.html %} ~~~ sql @@ -199,7 +214,7 @@ $ cockroach start \ We were able to create the table because `maxroach` has `CREATE` privileges. -9. As the `maxroach` user, try to drop the table: +11. As the `maxroach` user, try to drop the table: {% include copy-clipboard.html %} ~~~ sql @@ -212,7 +227,7 @@ $ cockroach start \ You cannot drop the table because your current user (`maxroach`) is a member of the `system_ops` role, which doesn't have `DROP` privileges. -10. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement: +12. `maxroach` has `CREATE` and `SELECT` privileges, so try a `SHOW` statement: {% include copy-clipboard.html %} ~~~ sql @@ -220,24 +235,23 @@ $ cockroach start \ ~~~ ~~~ - +------------+--------+-----------+------------+------------+ - | Database | Schema | Table | User | Privileges | - +------------+--------+-----------+------------+------------+ - | test_roles | public | employees | admin | ALL | - | test_roles | public | employees | root | ALL | - | test_roles | public | employees | system_ops | CREATE | - | test_roles | public | employees | system_ops | SELECT | - +------------+--------+-----------+------------+------------+ + database_name | schema_name | table_name | grantee | privilege_type + +---------------+-------------+------------+------------+----------------+ + test_roles | public | employees | admin | ALL + test_roles | public | employees | root | ALL + test_roles | public | employees | system_ops | CREATE + test_roles | public | employees | system_ops | SELECT + (4 rows) ~~~ -11. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user: +12. Now switch back to the `root` user to test more of the SQL statements related to roles. Use `\q` or `ctrl-d` to exit the interactive shell, and then open the shell again as the `root` user: {% include copy-clipboard.html %} ~~~ shell $ cockroach sql --insecure ~~~ -12. As the `root` user, revoke privileges and then drop the `system_ops` role: +13. As the `root` user, revoke privileges and then drop the `system_ops` role: {% include copy-clipboard.html %} ~~~ sql @@ -249,18 +263,17 @@ $ cockroach start \ > SHOW GRANTS ON DATABASE test_roles; ~~~ ~~~ - +------------+--------------------+-------+------------+ - | Database | Schema | User | Privileges | - +------------+--------------------+-------+------------+ - | test_roles | crdb_internal | admin | ALL | - | test_roles | crdb_internal | root | ALL | - | test_roles | information_schema | admin | ALL | - | test_roles | information_schema | root | ALL | - | test_roles | pg_catalog | admin | ALL | - | test_roles | pg_catalog | root | ALL | - | test_roles | public | admin | ALL | - | test_roles | public | root | ALL | - +------------+--------------------+-------+------------+ + database_name | schema_name | grantee | privilege_type + +---------------+--------------------+---------+----------------+ + test_roles | crdb_internal | admin | ALL + test_roles | crdb_internal | root | ALL + test_roles | information_schema | admin | ALL + test_roles | information_schema | root | ALL + test_roles | pg_catalog | admin | ALL + test_roles | pg_catalog | root | ALL + test_roles | public | admin | ALL + test_roles | public | root | ALL + (8 rows) ~~~ {% include copy-clipboard.html %} @@ -273,15 +286,16 @@ $ cockroach start \ > SHOW GRANTS ON TABLE test_roles.*; ~~~ ~~~ - +------------+--------+-----------+-------+------------+ - | Database | Schema | Table | User | Privileges | - +------------+--------+-----------+-------+------------+ - | test_roles | public | employees | admin | ALL | - | test_roles | public | employees | root | ALL | - +------------+--------+-----------+-------+------------+ + database_name | schema_name | table_name | grantee | privilege_type + +---------------+-------------+------------+---------+----------------+ + test_roles | public | employees | admin | ALL + test_roles | public | employees | root | ALL + (2 rows) ~~~ - {{site.data.alerts.callout_info}}All of a role or user's privileges must be revoked before it can be dropped.{{site.data.alerts.end}} + {{site.data.alerts.callout_info}} + All of a role or user's privileges must be revoked before it can be dropped. + {{site.data.alerts.end}} {% include copy-clipboard.html %} ~~~ sql @@ -292,6 +306,10 @@ $ cockroach start \ - [Client Connection Parameters](connection-parameters.html) - [SQL Statements](sql-statements.html) +- [`CREATE USER`](create-user.html) +- [`ALTER USER`](alter-user.html) +- [`DROP USER`](drop-user.html) +- [`SHOW USERS`](show-users.html) - [`CREATE ROLE`](create-role.html) - [`DROP ROLE`](drop-role.html) - [`SHOW ROLES`](show-roles.html) diff --git a/v19.2/build-a-rust-app-with-cockroachdb.md b/v19.2/build-a-rust-app-with-cockroachdb.md index 5bae65f83db..c5718843103 100644 --- a/v19.2/build-a-rust-app-with-cockroachdb.md +++ b/v19.2/build-a-rust-app-with-cockroachdb.md @@ -19,7 +19,49 @@ We have tested the official documentation. -{% include {{ page.version.version }}/app/common-steps.md %} +## Step 2. Create the `maxroach` users and `bank` database + +Start the [built-in SQL client](use-the-built-in-sql-client.html): + +{% include copy-clipboard.html %} +~~~ shell +$ cockroach sql --certs-dir=certs +~~~ + +In the SQL shell, issue the following statements to create the `maxroach` user and `bank` database: + +{% include copy-clipboard.html %} +~~~ sql +> CREATE USER IF NOT EXISTS maxroach; +~~~ + +{% include copy-clipboard.html %} +~~~ sql +> CREATE DATABASE bank; +~~~ + +Give the `maxroach` user the necessary permissions: + +{% include copy-clipboard.html %} +~~~ sql +> GRANT ALL ON DATABASE bank TO maxroach; +~~~ + +Exit the SQL shell: + +{% include copy-clipboard.html %} +~~~ sql +> \q +~~~ + +## Step 4. Generate a certificate for the `maxroach` user + +Create a certificate and key for the `maxroach` user by running the following command. The code samples will run as this user. + +{% include copy-clipboard.html %} +~~~ shell +$ cockroach cert create-client maxroach --certs-dir=certs --ca-key=my-safe-directory/ca.key +~~~ ## Step 5. Create a table in the new database @@ -27,7 +69,7 @@ As the `maxroach` user, use the [built-in SQL client](use-the-built-in-sql-clien {% include copy-clipboard.html %} ~~~ shell -$ cockroach sql --insecure \ +$ cockroach sql --certs-dir=certs \ --database=bank \ --user=maxroach \ -e 'CREATE TABLE accounts (id INT PRIMARY KEY, balance INT)' @@ -67,7 +109,7 @@ After running the code, use the [built-in SQL client](use-the-built-in-sql-clien {% include copy-clipboard.html %} ~~~ shell -$ cockroach sql --insecure -e 'SELECT id, balance FROM accounts' --database=bank +$ cockroach sql --certs-dir=certs -e 'SELECT id, balance FROM accounts' --database=bank ~~~ ~~~ @@ -88,9 +130,42 @@ $ cockroach sql --insecure -e 'SELECT id, balance FROM accounts' --database=bank Install the Rust Postgres driver as described in the official documentation. -{% include {{ page.version.version }}/app/common-steps.md %} +## Step 2. Create the `maxroach` users and `bank` database -## Step 5. Create a table in the new database +Start the [built-in SQL client](use-the-built-in-sql-client.html): + +{% include copy-clipboard.html %} +~~~ shell +$ cockroach sql --insecure +~~~ + +In the SQL shell, issue the following statements to create the `maxroach` user and `bank` database: + +{% include copy-clipboard.html %} +~~~ sql +> CREATE USER IF NOT EXISTS maxroach; +~~~ + +{% include copy-clipboard.html %} +~~~ sql +> CREATE DATABASE bank; +~~~ + +Give the `maxroach` user the necessary permissions: + +{% include copy-clipboard.html %} +~~~ sql +> GRANT ALL ON DATABASE bank TO maxroach; +~~~ + +Exit the SQL shell: + +{% include copy-clipboard.html %} +~~~ sql +> \q +~~~ + +## Step 3. Create a table in the new database As the `maxroach` user, use the [built-in SQL client](use-the-built-in-sql-client.html) to create an `accounts` table in the new database. @@ -102,7 +177,7 @@ $ cockroach sql --insecure \ -e 'CREATE TABLE accounts (id INT PRIMARY KEY, balance INT)' ~~~ -## Step 6. Run the Rust code +## Step 4. Run the Rust code Now that you have a database and a user, you'll run code to create a table and insert some rows, and then you'll run code to read and update values as an atomic [transaction](transactions.html). diff --git a/v19.2/changefeed-for.md b/v19.2/changefeed-for.md index 0cd2f402681..4b6cd8ffdbe 100644 --- a/v19.2/changefeed-for.md +++ b/v19.2/changefeed-for.md @@ -18,7 +18,7 @@ For more information, see [Change Data Capture](change-data-capture.html). ## Required privileges -Changefeeds can only be created by superusers, i.e., [members of the `admin` role](create-and-manage-users.html). The admin role exists by default with `root` as the member. +Changefeeds can only be created by superusers, i.e., [members of the `admin` role](authorization.html#create-and-manage-roles). The admin role exists by default with `root` as the member. ## Synopsis diff --git a/v19.2/cockroach-commands.md b/v19.2/cockroach-commands.md index a94649e06ba..09c8fc9f61d 100644 --- a/v19.2/cockroach-commands.md +++ b/v19.2/cockroach-commands.md @@ -19,7 +19,7 @@ Command | Usage [`cockroach quit`](stop-a-node.html) | Temporarily stop a node or permanently remove a node. [`cockroach sql`](use-the-built-in-sql-client.html) | Use the built-in SQL client. [`cockroach sqlfmt`](use-the-query-formatter.html) | Reformat SQL queries for enhanced clarity. -[`cockroach user`](create-and-manage-users.html) | Get, set, list, and remove users. +`cockroach user` | **Deprecated.** To create and manage users and roles, use [`CREATE USER`](create-user.html), [`ALTER USER`](alter-user.html), [`DROP USER`](drop-user.html), [`SHOW USERS`](show-users.html), [`CREATE ROLE`](create-role.html), [`DROP ROLE`](drop-role.html), and [`SHOW ROLES`](show-roles.html). [`cockroach node`](view-node-details.html) | List node IDs, show their status, decommission nodes for removal, or recommission nodes. [`cockroach dump`](sql-dump.html) | Back up a table by outputting the SQL statements required to recreate the table and all its rows. [`cockroach demo`](cockroach-demo.html) | Start a temporary, in-memory, single-node CockroachDB cluster, and open an interactive SQL shell to it. diff --git a/v19.2/connection-parameters.md b/v19.2/connection-parameters.md index 6b34d07ff91..8cdbb8119f4 100644 --- a/v19.2/connection-parameters.md +++ b/v19.2/connection-parameters.md @@ -45,7 +45,7 @@ postgres://:@:/? Component | Description | Required ----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------- - `` | The [SQL user](create-and-manage-users.html) that will own the client session. | ✗ + `` | The [SQL user](create-user.html) that will own the client session. | ✗ `` | The user's password. It is not recommended to pass the password in the URL directly.

[Find more detail about how CockroachDB handles passwords](authentication.html#client-authentication). | ✗ `` | The host name or address of a CockroachDB node or load balancer. | Required by most client drivers. `` | The port number of the SQL interface of the CockroachDB node or load balancer. The default port number for CockroachDB is 26257. Use this value when in doubt. | Required by most client drivers. @@ -222,4 +222,4 @@ cockroach sql --url "postgres://root@servername:26257/mydb?sslmode=disable" - [`cockroach` commands](cockroach-commands.html) - [Create Security Certificates](create-security-certificates.html) - [Secure a Cluster](secure-a-cluster.html) -- [Create and Manage Users](create-and-manage-users.html) +- [Create and Manage Users](authorization.html#create-and-manage-users) diff --git a/v19.2/create-and-manage-users.md b/v19.2/create-and-manage-users.md deleted file mode 100644 index 39a5e48e6f8..00000000000 --- a/v19.2/create-and-manage-users.md +++ /dev/null @@ -1,234 +0,0 @@ ---- -title: Manage Users -summary: To create and manage your cluster's users (which lets you control SQL-level privileges), use the cockroach user command with appropriate flags. -toc: true ---- - -To create, manage, and remove your cluster's users (which lets you control SQL-level [privileges](authorization.html#assign-privileges), use the `cockroach user` [command](cockroach-commands.html) with appropriate flags. - -{{site.data.alerts.callout_success}}You can also use the CREATE USER and DROP USER statements to create and remove users.{{site.data.alerts.end}} - - -## Considerations - -- Usernames are case-insensitive; must start with either a letter or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters. -- After creating users, you must [grant them privileges to databases and tables](grant.html). -- All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges. -- On secure clusters, you must [create client certificates for users](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client) and users must [authenticate their access to the cluster](authentication.html#client-authentication). -- {% include {{ page.version.version }}/misc/remove-user-callout.html %} - -## Subcommands - -Subcommand | Usage ------------|------ -`get` | Retrieve a table containing a user and their hashed password. -`ls` | List all users. -`rm` | Remove a user. -`set` | Create or update a user. - -## Synopsis - -~~~ shell -# Create a user: -$ cockroach user set - -# List all users: -$ cockroach user ls - -# Display a specific user: -$ cockroach user get - -# View help: -$ cockroach user --help -$ cockroach user get --help -$ cockroach user ls --help -$ cockroach user rm --help -$ cockroach user set --help -~~~ - -## Flags - -The `user` command and subcommands support the following [general-use](#general) and [logging](#logging) flags. - -### General - -Flag | Description ------|------------ -`--password` | Enable password authentication for the user; you will be prompted to enter the password on the command line.

Password creation is supported only in secure clusters for non-`root` users. The `root` user must authenticate with a client certificate and key. -`--echo-sql` | Reveal the SQL statements sent implicitly by the command-line utility. For a demonstration, see the [example](#reveal-the-sql-statements-sent-implicitly-by-the-command-line-utility) below. -`--format` | How to display table rows printed to the standard output. Possible values: `tsv`, `csv`, `table`, `raw`, `records`, `sql`, `html`.

**Default:** `table` for sessions that [output on a terminal](use-the-built-in-sql-client.html#session-and-output-types); `tsv` otherwise. - -### Client connection - -{% include {{ page.version.version }}/sql/connection-parameters.md %} - -See [Client Connection Parameters](connection-parameters.html) for more details. - -Currently, only members of the `admin` role can create users. By default, the `root` user belongs to the `admin` role. - -{{site.data.alerts.callout_info}} -Password creation is supported only in secure clusters for non-root users. The root user must authenticate with a client certificate and key. -{{site.data.alerts.end}} - -### Logging - -By default, the `user` command logs errors to `stderr`. - -If you need to troubleshoot this command's behavior, you can change its [logging behavior](debug-and-error-logs.html). - -## Examples - -### Create a user - -
- - -
-

- -Usernames are case-insensitive; must start with either a letter or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters. - -
- -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user set jpointsman --certs-dir=certs -~~~ - -{{site.data.alerts.callout_success}}If you want to allow password authentication for the user, include the --password flag and then enter and confirm the password at the command prompt.{{site.data.alerts.end}} - -After creating users, you must: - -- [Create their client certificates](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client). -- [Grant them privileges to databases](grant.html). - -
- -
- -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user set jpointsman --insecure -~~~ - -After creating users, you must [grant them privileges to databases](grant.html). - -
- -### Log in as a specific user - -
- - -
-

- -
- -#### Secure clusters with client certificates - -All users can authenticate their access to a secure cluster using [a client certificate](create-security-certificates.html#create-the-certificate-and-key-pair-for-a-client) issued to their username. - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --certs-dir=certs --user=jpointsman -~~~ - -#### Secure clusters with passwords - -Users with passwords can authenticate their access by entering their password at the command prompt instead of using their client certificate and key. - -If we cannot find client certificate and key files matching the user, we fall back on password authentication. - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --certs-dir=certs --user=jpointsman -~~~ - -
- -
- -{% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --insecure --user=jpointsman -~~~ - -
- -### Update a user's password - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user set jpointsman --certs-dir=certs --password -~~~ - -After issuing this command, enter and confirm the user's new password at the command prompt. - -Password creation is supported only in secure clusters for non-`root` users. The `root` user must authenticate with a client certificate and key. - -### List all users - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user ls --insecure -~~~ - -~~~ -+------------+ -| username | -+------------+ -| jpointsman | -+------------+ -~~~ - -### Find a specific user - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user get jpointsman --insecure -~~~ - -~~~ -+------------+--------------------------------------------------------------+ -| username | hashedPassword | -+------------+--------------------------------------------------------------+ -| jpointsman | $2a$108tm5lYjES9RSXSKtQFLhNO.e/ysTXCBIRe7XeTgBrR6ubXfp6dDczS | -+------------+--------------------------------------------------------------+ -~~~ - -### Remove a user - -{{site.data.alerts.callout_danger}}{% include {{ page.version.version }}/misc/remove-user-callout.html %}{{site.data.alerts.end}} - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user rm jpointsman --insecure -~~~ - -{{site.data.alerts.callout_success}}You can also use the DROP USER SQL statement to remove users.{{site.data.alerts.end}} - -### Reveal the SQL statements sent implicitly by the command-line utility - -In this example, we use the `--echo-sql` flag to reveal the SQL statement sent implicitly by the command-line utility: - -{% include copy-clipboard.html %} -~~~ shell -$ cockroach user rm jpointsman --insecure --echo-sql -~~~ - -~~~ -> DELETE FROM system.users WHERE username=$1 -DELETE 1 -~~~ - -## See also - -- [Authorization](authorization.html) -- [`CREATE USER`](create-user.html) -- [`DROP USER`](drop-user.html) -- [`SHOW USERS`](show-users.html) -- [`GRANT`](grant.html) -- [`SHOW GRANTS`](show-grants.html) -- [Create Security Certificates](create-security-certificates.html) -- [Other Cockroach Commands](cockroach-commands.html) diff --git a/v19.2/create-changefeed.md b/v19.2/create-changefeed.md index f7d312786c5..38f58cb92fa 100644 --- a/v19.2/create-changefeed.md +++ b/v19.2/create-changefeed.md @@ -16,7 +16,7 @@ For more information, see [Change Data Capture](change-data-capture.html). ## Required privileges -Changefeeds can only be created by superusers, i.e., [members of the `admin` role](create-and-manage-users.html). The admin role exists by default with `root` as the member. +Changefeeds can only be created by superusers, i.e., [members of the `admin` role](authorization.html#create-and-manage-roles). The admin role exists by default with `root` as the member. ## Synopsis diff --git a/v19.2/create-security-certificates.md b/v19.2/create-security-certificates.md index 8b82aacf50f..9e7537a56e0 100644 --- a/v19.2/create-security-certificates.md +++ b/v19.2/create-security-certificates.md @@ -34,7 +34,7 @@ Subcommand | Usage -----------|------ `create-ca` | Create the self-signed certificate authority (CA), which you'll use to create and authenticate certificates for your entire cluster. `create-node` | Create a certificate and key for a specific node in the cluster. You specify all addresses at which the node can be reached and pass appropriate flags. -`create-client` | Create a certificate and key for a [specific user](create-and-manage-users.html) accessing the cluster from a client. You specify the username of the user who will use the certificate and pass appropriate flags. +`create-client` | Create a certificate and key for a [specific user](create-user.html) accessing the cluster from a client. You specify the username of the user who will use the certificate and pass appropriate flags. `list` | List certificates and keys found in the certificate directory. ## Certificate directory diff --git a/v19.2/create-user.md b/v19.2/create-user.md index 2e4fdbe5a0a..4294e510318 100644 --- a/v19.2/create-user.md +++ b/v19.2/create-user.md @@ -6,10 +6,6 @@ toc: true The `CREATE USER` [statement](sql-statements.html) creates SQL users, which let you control [privileges](authorization.html#assign-privileges) on your databases and tables. -{{site.data.alerts.callout_success}} -You can also use the [`cockroach user set`](create-and-manage-users.html) command to create and manage users. -{{site.data.alerts.end}} - ## Considerations - Usernames: @@ -48,7 +44,7 @@ Secure clusters require users to authenticate their access to databases and tabl - [Client certificate and key authentication](#secure-clusters-with-client-certificates), which is available to all users. To ensure the highest level of security, we recommend only using client certificate and key authentication. -- [Password authentication](#secure-clusters-with-passwords), which is available to non-`root` users who you've created passwords for. To create a user with a password, use the `WITH PASSWORD` clause of `CREATE USER`. To add a password to an existing user, use the [`cockroach user`](create-and-manage-users.html#update-a-users-password) command. +- [Password authentication](#secure-clusters-with-passwords), which is available to non-`root` users who you've created passwords for. To create a user with a password, use the `WITH PASSWORD` clause of `CREATE USER`. To add a password to an existing user, use the [`ALTER USER`](alter-user.html) statement. Users can use passwords to authenticate without supplying client certificates and keys; however, we recommend using certificate-based authentication whenever possible. @@ -81,7 +77,7 @@ Password creation is supported only in secure clusters for non-`root` users. The ### Manage users -After creating users, you can manage them using the [`cockroach user`](create-and-manage-users.html) command. +After creating a user, you can use the [`ALTER USER`](alter-user.html) statement to add or change the user's password and the [`DROP USER`](drop-user.html) statement to the remove users. ### Authenticate as a specific user @@ -127,7 +123,7 @@ $ cockroach sql --insecure --user=jpointsman ## See also - [Authorization](authorization.html) -- [`cockroach user` command](create-and-manage-users.html) +- [`ALTER USER`](alter-user.html) - [`DROP USER`](drop-user.html) - [`SHOW USERS`](show-users.html) - [`GRANT`](grant.html) diff --git a/v19.2/demo-json-support.md b/v19.2/demo-json-support.md index 256d8fed2e5..b3ba3b70efb 100644 --- a/v19.2/demo-json-support.md +++ b/v19.2/demo-json-support.md @@ -41,22 +41,20 @@ $ cockroach start \ ## Step 3. Create a user -In a new terminal, as the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`. +In a new terminal, open the [built-in SQL client](use-the-built-in-sql-client.html) as the `root` user and create a new user, `maxroach`: {% include copy-clipboard.html %} ~~~ shell -$ cockroach user set maxroach --insecure --host=localhost:26257 +$ cockroach sql --insecure --host=localhost:26257 ~~~ -## Step 4. Create a database and grant privileges - -As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html): - {% include copy-clipboard.html %} -~~~ shell -$ cockroach sql --insecure --host=localhost:26257 +~~~ sql +> CREATE USER maxroach ~~~ +## Step 4. Create a database and grant privileges + Next, create a database called `jsonb_test`: {% include copy-clipboard.html %} diff --git a/v19.2/deploy-cockroachdb-on-aws-insecure.md b/v19.2/deploy-cockroachdb-on-aws-insecure.md index e3d67e74ebb..a1de866b6b0 100644 --- a/v19.2/deploy-cockroachdb-on-aws-insecure.md +++ b/v19.2/deploy-cockroachdb-on-aws-insecure.md @@ -123,7 +123,7 @@ AWS offers fully-managed load balancing to distribute traffic between instances. Now that your deployment is working, you can: 1. [Implement your data model](sql-statements.html). -2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html). +2. [Create users](create-user.html) and [grant them privileges](grant.html). 3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the AWS load balancer, not to a CockroachDB node. ## See also diff --git a/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md b/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md index 1de235383fb..05fd07986d5 100644 --- a/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md +++ b/v19.2/deploy-cockroachdb-on-digital-ocean-insecure.md @@ -100,7 +100,7 @@ For guidance, you can use Digital Ocean's guide to configuring firewalls based o Now that your deployment is working, you can: 1. [Implement your data model](sql-statements.html). -2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html). +2. [Create users](create-user.html) and [grant them privileges](grant.html). 3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the Digital Ocean Load Balancer, not to a CockroachDB node. ## See also diff --git a/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md b/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md index 566c91e3f09..a7a0d3a6deb 100644 --- a/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md +++ b/v19.2/deploy-cockroachdb-on-google-cloud-platform-insecure.md @@ -123,7 +123,7 @@ To use GCE's TCP Proxy Load Balancing service: Now that your deployment is working, you can: 1. [Implement your data model](sql-statements.html). -2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html). +2. [Create users](create-user.html) and [grant them privileges](grant.html). 3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the GCE load balancer, not to a CockroachDB node. ## See also diff --git a/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md b/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md index 4f003afa46a..2361eb78c9e 100644 --- a/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md +++ b/v19.2/deploy-cockroachdb-on-microsoft-azure-insecure.md @@ -134,7 +134,7 @@ Microsoft Azure offers fully-managed load balancing to distribute traffic betwee Now that your deployment is working, you can: 1. [Implement your data model](sql-statements.html). -2. [Create users](create-and-manage-users.html) and [grant them privileges](grant.html). +2. [Create users](create-user.html) and [grant them privileges](grant.html). 3. [Connect your application](install-client-drivers.html). Be sure to connect your application to the Azure load balancer, not to a CockroachDB node. ## See also diff --git a/v19.2/drop-user.md b/v19.2/drop-user.md index 1165e5f4da6..46080eaa5be 100644 --- a/v19.2/drop-user.md +++ b/v19.2/drop-user.md @@ -6,9 +6,6 @@ toc: true The `DROP USER` [statement](sql-statements.html) removes one or more SQL users. -{{site.data.alerts.callout_success}}You can also use the cockroach user rm command to remove users.{{site.data.alerts.end}} - - ## Required privileges The user must have the `DELETE` [privilege](authorization.html#assign-privileges) on the `system.users` table. @@ -57,8 +54,8 @@ In this example, first check a user's privileges. Then, revoke the user's privil ## See also -- [`cockroach user` command](create-and-manage-users.html) - [`CREATE USER`](create-user.html) +- [`ALTER USER`](alter-user.html) - [`SHOW USERS`](show-users.html) - [`GRANT`](grant.html) - [`SHOW GRANTS`](show-grants.html) diff --git a/v19.2/grant-roles.md b/v19.2/grant-roles.md index a225ccab7bb..19d22997001 100644 --- a/v19.2/grant-roles.md +++ b/v19.2/grant-roles.md @@ -4,7 +4,7 @@ summary: The GRANT statement grants user privileges for interacting with toc: true --- -The `GRANT ` [statement](sql-statements.html) lets you add a [role](authorization.html#create-and-manage-roles) or [user](create-and-manage-users.html) as a member to a role. +The `GRANT ` [statement](sql-statements.html) lets you add a [role](authorization.html#create-and-manage-roles) or [user](authorization.html#create-and-manage-users) as a member to a role. {{site.data.alerts.callout_info}}GRANT <roles> is an enterprise-only feature.{{site.data.alerts.end}} @@ -29,7 +29,7 @@ The user granting role membership must be a role admin (i.e., members with the ` Parameter | Description ----------|------------ `role_name` | The name of the role to which you want to add members. To add members to multiple roles, use a comma-separated list of role names. -`user_name` | The name of the [user](create-and-manage-users.html) or [role](authorization.html#create-and-manage-roles) to whom you want to grant membership. To add multiple members, use a comma-separated list of user and/or role names. +`user_name` | The name of the [user](authorization.html#create-and-manage-users) or [role](authorization.html#create-and-manage-roles) to whom you want to grant membership. To add multiple members, use a comma-separated list of user and/or role names. `WITH ADMIN OPTION` | Designate the user as an role admin. Role admins can grant or revoke membership for the specified role. ## Examples @@ -85,4 +85,4 @@ Parameter | Description - [`REVOKE `](revoke.html) - [`SHOW GRANTS`](show-grants.html) - [`SHOW ROLES`](show-roles.html) -- [Manage Users](create-and-manage-users.html) +- [Manage Users](authorization.html#create-and-manage-users) diff --git a/v19.2/grant.md b/v19.2/grant.md index cc586327092..26143e36447 100644 --- a/v19.2/grant.md +++ b/v19.2/grant.md @@ -4,11 +4,10 @@ summary: The GRANT statement grants user privileges for interacting with specifi toc: true --- -The `GRANT ` [statement](sql-statements.html) lets you control each [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) SQL [privileges](authorization.html#assign-privileges) for interacting with specific databases and tables. +The `GRANT ` [statement](sql-statements.html) lets you control each [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) SQL [privileges](authorization.html#assign-privileges) for interacting with specific databases and tables. For privileges required by specific statements, see the documentation for the respective [SQL statement](sql-statements.html). - ## Synopsis
{% include {{ page.version.version }}/sql/diagrams/grant_privileges.html %}
@@ -43,7 +42,7 @@ Parameter | Description ----------|------------ `table_name` | A comma-separated list of table names. Alternately, to grant privileges to all tables, use `*`. `ON TABLE table.*` grants apply to all existing tables in a database but will not affect tables created after the grant. `database_name` | A comma-separated list of database names.

Privileges granted on databases will be inherited by any new tables created in the databases, but do not affect existing tables in the database. -`user_name` | A comma-separated list of [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles) to whom you want to grant privileges. +`user_name` | A comma-separated list of [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles) to whom you want to grant privileges. ## Examples @@ -151,4 +150,4 @@ Parameter | Description - [`REVOKE `](revoke.html) - [`SHOW GRANTS`](show-grants.html) - [`SHOW ROLES`](show-roles.html) -- [Manage Users](create-and-manage-users.html) +- [Manage Users](authorization.html#create-and-manage-users) diff --git a/v19.2/revoke-roles.md b/v19.2/revoke-roles.md index 1cb3d92c087..9bea393c591 100644 --- a/v19.2/revoke-roles.md +++ b/v19.2/revoke-roles.md @@ -4,7 +4,7 @@ summary: The REVOKE statement revokes privileges from users and/or roles toc: true --- -The `REVOKE ` [statement](sql-statements.html) lets you revoke a [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) membership to a role. +The `REVOKE ` [statement](sql-statements.html) lets you revoke a [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) membership to a role. {{site.data.alerts.callout_info}}REVOKE <roles> is an enterprise-only feature.{{site.data.alerts.end}} @@ -29,7 +29,7 @@ Parameter | Description ----------|------------ `ADMIN OPTION` | Revoke the user's role admin status. `role_name` | The name of the role from which you want to remove members. To revoke members from multiple roles, use a comma-separated list of role names. -`user_name` | The name of the [user](create-and-manage-users.html) or [role](authorization.html#create-and-manage-roles) from whom you want to revoke membership. To revoke multiple members, use a comma-separated list of user and/or role names. +`user_name` | The name of the [user](authorization.html#create-and-manage-users) or [role](authorization.html#create-and-manage-roles) from whom you want to revoke membership. To revoke multiple members, use a comma-separated list of user and/or role names. ## Examples diff --git a/v19.2/revoke.md b/v19.2/revoke.md index dfd275265ba..84502d25ba3 100644 --- a/v19.2/revoke.md +++ b/v19.2/revoke.md @@ -4,7 +4,7 @@ summary: The REVOKE statement revokes privileges from users and/or roles. toc: true --- -The `REVOKE ` [statement](sql-statements.html) revokes [privileges](authorization.html#assign-privileges) from [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles). +The `REVOKE ` [statement](sql-statements.html) revokes [privileges](authorization.html#assign-privileges) from [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles). For the list of privileges that can be granted to and revoked from users and roles, see [`GRANT`](grant.html). @@ -25,7 +25,7 @@ Parameter | Description ----------|------------ `table_name` | The name of the table for which you want to revoke privileges. To revoke privileges for multiple tables, use a comma-separated list of table names. To revoke privileges for all tables, use `*`. `database_name` | The name of the database for which you want to revoke privileges. To revoke privileges for multiple databases, use a comma-separated list of database names.

Privileges revoked for databases will be revoked for any new tables created in the databases. -`user_name` | A comma-separated list of [users](create-and-manage-users.html) and/or [roles](authorization.html#create-and-manage-roles) from whom you want to revoke privileges. +`user_name` | A comma-separated list of [users](authorization.html#create-and-manage-users) and/or [roles](authorization.html#create-and-manage-roles) from whom you want to revoke privileges. ## Examples diff --git a/v19.2/roles.md b/v19.2/roles.md index ce06f39d89d..18b9f146e7d 100644 --- a/v19.2/roles.md +++ b/v19.2/roles.md @@ -22,7 +22,7 @@ To get started, basic role terminology is outlined below: Term | Description -----|------------ -Role | A group containing any number of [users](create-and-manage-users.html) or other roles.

Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges. +Role | A group containing any number of [users](create-user.html) or other roles.

Note: All users belong to the `public` role, to which you can [grant](grant.html) and [revoke](revoke.html) privileges. Role admin | A member of the role that's allowed to modify role membership. To create a role admin, use [`WITH ADMIN OPTION`](grant-roles.html#grant-the-admin-option). Superuser / Admin | A member of the `admin` role. Only superusers can [`CREATE ROLE`](create-role.html) or [`DROP ROLE`](drop-role.html). The `admin` role is created by default and cannot be dropped. `root` | A user that exists by default as a member of the `admin` role. The `root` user must always be a member of the `admin` role. @@ -42,21 +42,21 @@ $ cockroach start \ --listen-addr=localhost:26257 ~~~ -1. As the `root` user, use the [`cockroach user`](create-and-manage-users.html) command to create a new user, `maxroach`: +1. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html): {% include copy-clipboard.html %} ~~~ shell - $ cockroach user set maxroach --insecure + $ cockroach sql --insecure ~~~ -2. As the `root` user, open the [built-in SQL client](use-the-built-in-sql-client.html): +2. [Create a user](create-user.html), `maxroach`: {% include copy-clipboard.html %} - ~~~ shell - $ cockroach sql --insecure + ~~~ sql + > CREATE USER maxroach; ~~~ -3. Create a database and set it as the default: +3. [Create a database](create-database.html) and [set it as the default](set-database.html): {% include copy-clipboard.html %} ~~~ sql @@ -249,6 +249,6 @@ $ cockroach start \ - [`REVOKE `](revoke.html) - [`REVOKE ` (Enterprise)](revoke-roles.html) - [`SHOW GRANTS`](show-grants.html) -- [Manage Users](create-and-manage-users.html) +- [Manage Users](authorization.html#create-and-manage-users) - [Privileges](authorization.html#assign-privileges) - [Other Cockroach Commands](cockroach-commands.html) diff --git a/v19.2/show-grants.md b/v19.2/show-grants.md index bb2f2ac3880..792dd23b3fc 100644 --- a/v19.2/show-grants.md +++ b/v19.2/show-grants.md @@ -254,6 +254,6 @@ SHOW GRANTS ON ROLE FOR carl; - [`REVOKE `](revoke.html) - [`REVOKE ` (Enterprise)](revoke-roles.html) - [`SHOW GRANTS`](show-grants.html) -- [Manage Users](create-and-manage-users.html) +- [Manage Users](authorization.html#create-and-manage-users) - [Other Cockroach Commands](cockroach-commands.html) - [Information Schema](information-schema.html) diff --git a/v19.2/show-roles.md b/v19.2/show-roles.md index be3dca1be1c..95ecddc27f4 100644 --- a/v19.2/show-roles.md +++ b/v19.2/show-roles.md @@ -41,4 +41,4 @@ The user must have the [`SELECT`](select-clause.html) [privilege](authorization. - [`REVOKE ` (Enterprise)](grant-roles.html) - [`REVOKE `](grant.html) | Grant privileges to [users](create-and-manage-users.html) or [roles](authorization.html#create-and-manage-roles). -[`GRANT `](grant-roles.html) | Add a [role](authorization.html#create-and-manage-roles) or [user](create-and-manage-users.html) as a member to a role. -[`REVOKE `](revoke.html) | Revoke privileges from [users](create-and-manage-users.html) or [roles](authorization.html#create-and-manage-roles). -[`REVOKE `](revoke-roles.html) | Revoke a [role](authorization.html#create-and-manage-roles) or [user's](create-and-manage-users.html) membership to a role. +[`GRANT `](grant.html) | Grant privileges to [users](authorization.html#create-and-manage-users) or [roles](authorization.html#create-and-manage-roles). +[`GRANT `](grant-roles.html) | Add a [role](authorization.html#create-and-manage-roles) or [user](authorization.html#create-and-manage-users) as a member to a role. +[`REVOKE `](revoke.html) | Revoke privileges from [users](authorization.html#create-and-manage-users) or [roles](authorization.html#create-and-manage-roles). +[`REVOKE `](revoke-roles.html) | Revoke a [role](authorization.html#create-and-manage-roles) or [user's](authorization.html#create-and-manage-users) membership to a role. [`SHOW GRANTS`](show-grants.html) | View privileges granted to users. [`SHOW ROLES`](show-roles.html) | Lists the roles for all databases. [`SHOW USERS`](show-users.html) | Lists the users for all databases. diff --git a/v19.2/training/client-connection-troubleshooting.md b/v19.2/training/client-connection-troubleshooting.md index f8f61493c48..fd2a1baed1c 100644 --- a/v19.2/training/client-connection-troubleshooting.md +++ b/v19.2/training/client-connection-troubleshooting.md @@ -25,11 +25,14 @@ In this scenario, you try to connect a user without providing a client certifica ### Step 1. Simulate the problem -1. In a new terminal, as the `root` user, create a new user called `kirk`: +1. In a new terminal, as the `root` users, create a new user called `kirk`: {% include copy-clipboard.html %} ~~~ shell - $ cockroach user set kirk --certs-dir=certs --host=localhost:26257 + $ cockroach sql \ + --certs-dir=certs \ + --host=localhost:26257 \ + --execute="CREATE USER kirk;" ~~~ 2. As the `kirk` user, try to connect to the cluster: diff --git a/v19.2/training/security.md b/v19.2/training/security.md index e01846d4796..386d6306440 100644 --- a/v19.2/training/security.md +++ b/v19.2/training/security.md @@ -135,21 +135,14 @@ Restart the nodes using the same commands you used to start them initially, but --host=localhost:26257 ~~~ -2. Create a new user, `spock`: - - {% include copy-clipboard.html %} - ~~~ shell - $ cockroach user set spock --certs-dir=certs --host=localhost:26257 - ~~~ - -3. As the root user, grant `spock` the `SELECT` privilege on the `startrek.quotes` table: +2. Create a new user called `spock` and grant `spock` the `SELECT` privilege on the `startrek.quotes` table: {% include copy-clipboard.html %} ~~~ shell $ cockroach sql \ --certs-dir=certs \ --host=localhost:26257 \ - --execute="GRANT SELECT ON TABLE startrek.quotes TO spock;" + --execute="CREATE USER spock; GRANT SELECT ON TABLE startrek.quotes TO spock;" ~~~ ## Step 4. Authenticate a user (via client cert) @@ -181,17 +174,30 @@ Although we recommend always using TLS certificates to authenticate users, it's For multiple users to access the Admin UI, the `root` user must [create users with passwords](../create-user.html#create-a-user-with-a-password). {{site.data.alerts.end}} -1. As the `root` user, create a new `kirk` user with the password `enterprise`. You'll have to type in the password twice at the prompt: +1. As the `root` user, open the built-in SQL shell: {% include copy-clipboard.html %} ~~~ shell - $ cockroach user set kirk \ + $ cockroach sql \ --certs-dir=certs \ - --host=localhost:26257 \ - --password + --host=localhost:26257 + ~~~ + +2. Create a new `kirk` user with the password `enterprise`. You'll have to type in the password twice at the prompt: + + {% include copy-clipboard.html %} + ~~~ sql + > CREATE USER kirk WITH PASSWORD 'enterprise'; + ~~~ + +3. Exit the SQL shell: + + {% include copy-clipboard.html %} + ~~~ sql + > \q ~~~ -2. As the `root` user, grant `kirk` the `SELECT` privilege on the tables in the `startrek` database: +4. As the `root` user, grant `kirk` the `SELECT` privilege on the tables in the `startrek` database: {% include copy-clipboard.html %} ~~~ shell @@ -202,7 +208,7 @@ For multiple users to access the Admin UI, the `root` user must [create users wi --execute="GRANT SELECT ON startrek.* TO kirk;" ~~~ -3. As the `kirk` user, read from the `startrek.quotes` table: +5. As the `kirk` user, read from the `startrek.quotes` table: {{site.data.alerts.callout_info}} It's necessary to include the `--certs-dir` flag even though you haven't created a cert for this user. When the cluster does not find a suitable client cert, it falls back on password authentication. diff --git a/v19.2/training/users-and-privileges.md b/v19.2/training/users-and-privileges.md index 3ad5e34131c..c5dc97e3177 100644 --- a/v19.2/training/users-and-privileges.md +++ b/v19.2/training/users-and-privileges.md @@ -86,7 +86,10 @@ Initially, no users other than `root` have privileges, and root has `ALL` privil {% include copy-clipboard.html %} ~~~ shell - $ cockroach user set spock --insecure --host=localhost:26257 + $ cockroach sql \ + --certs-dir=certs \ + --host=localhost:26257 \ + --execute="CREATE USER spock;" ~~~ 2. Try to read from a table in the `startrek` database as `spock`: