Hologres: User management

Last Updated: Feb 04, 2026

You can use the user management module in the Hologres console to add or delete users and grant permissions. This module provides a visual interface to help you manage users in an instance in detail.

The Alibaba Cloud account that is used to purchase the instance is the default super administrator (Superuser) and has all permissions for that instance. Before you add other users, the user management page shows only information about the current Alibaba Cloud account. The following table describes the items on the user management page.

| Item | Description |
| --- | --- |
| Member | The username in the current instance. This includes Alibaba Cloud accounts, Resource Access Management (RAM) users, and custom accounts. |
| Alibaba Cloud account | The Alibaba Cloud account ID of the user in the current instance. Examples: Alibaba Cloud account: 11822780xxx; RAM user: p4_269499383xxxx; custom account: BASIC$xxx. |
| Account type | The account type of the user in the current instance: Alibaba Cloud account (ALIYUN), RAM user (RAM), or BASIC account (BASIC). |
| Role type | The permission type of the user in the current instance: Superuser or Normal. |
| Operation | In the Actions column for the target member, click Delete to remove the user from the instance. After deletion, the user has no access permissions for the instance. |

Limits

By default, custom accounts cannot query MaxCompute foreign tables. To enable this capability, you must configure USER MAPPING. For more information, see FAQ.

Add a user

You can add users to an instance on the user management page.

  1. On the Users page, select the target instance name and click Add User in the upper-right corner.

  2. In the Add User dialog box, select an existing RAM user that is associated with the current Alibaba Cloud account, and then select a user type: Superuser or Normal User.

    Note
    • If the current Alibaba Cloud account does not have any RAM users, you must first create one. For more information, see Quick Start for RAM user authorization.

    • You can add users if you are using an Alibaba Cloud account or a RAM user that is set as a Superuser. The RAM user must be granted the AliyunRAMReadOnlyAccess permission. For more information, see Grant permissions to a RAM user.

    • Superuser: A superuser has all permissions for the instance. If you grant Superuser permissions to a RAM user, no other authorization is required.

    • Normal User: A normal user is created only in the instance and has no permissions to view or perform operations on any objects, such as databases, schemas, or tables. You must grant permissions to a normal user before the user can view or perform operations on the instance.

      You can go to the DB Management page to grant permissions using the visual interface. You can also grant permissions using SQL statements. For more information, see Quick Start for RAM user authorization.

Delete a user

On the Users page, select the target instance name. In the user list, find the user that you want to delete and click Delete in the Actions column. This action removes the user from the instance and revokes all access permissions.

Create a custom user

Important

Custom users are valid only within Hologres. To allow custom users to access other Alibaba Cloud products, such as MaxCompute foreign tables, you must use User Mapping to attach the user's account. For more information, see FAQ.

Console operations

You can create custom users for an instance on the user management page.

  1. On the Users page, select the target instance name and click Create Custom User in the upper-right corner.

  2. In the Create Custom User dialog box, configure the following parameters.

    | Parameter | Description |
    | --- | --- |
    | Custom account | Enter a custom account name. The name can be up to 57 characters long and can contain only lowercase letters, digits, and underscores (_). |
    | Select member role | Select a user type. Superuser: Has all permissions for the instance. If a RAM user is granted Superuser permissions, no other authorization is needed. Normal User: Is only created in the instance and has no permissions to view or operate on any objects, such as databases, schemas, and tables. You must grant permissions to a normal user before they can view or operate on the instance. |
    | Password | Set a password that meets the following requirements: it must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters; it must be 8 to 32 characters in length; supported special characters include !@#$%^&*()_+-=. |
    | Confirm password | Enter the password again. |

  3. Click OK to create the custom user.

SQL operations

create user "BASIC$<user_name>" with password '<password>';

user_name specifies the custom username. password specifies the password for the custom user.
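
A pre-flight check for the SQL path, as an added example that is not part of the Hologres documentation: it applies the account-name and password rules listed for the console dialog before building the create user statement. Assumptions: applying the console rules to the SQL path is this example's choice, characters outside the listed special set are rejected, and the function names and sample values are hypothetical.

```python
import re
import string

# Rules taken from the Create Custom User dialog described above.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,57}")
SPECIALS = set("!@#$%^&*()_+-=")


def password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digit, special")
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    bad = sorted(set(password) - allowed)
    if bad:
        # Assumption: anything outside the listed set is rejected. This also
        # keeps quotes and backslashes out of the SQL string literal below.
        problems.append("unsupported characters: " + "".join(bad))
    return problems


def create_user_sql(user_name, password):
    """Build the CREATE USER statement only if both inputs pass the checks."""
    if not USERNAME_RE.fullmatch(user_name):
        raise ValueError("user name: up to 57 lowercase letters, digits, underscores")
    problems = password_problems(password)
    if problems:
        raise ValueError("password: " + "; ".join(problems))
    # Safe to interpolate: both values are restricted to the allowlists above.
    return f'create user "BASIC${user_name}" with password \'{password}\';'


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(create_user_sql("etl_reader", "Str0ng_pass"))
    print(password_problems("Ab1'; drop"))
```

Because the password is restricted to the allowlist before interpolation, a value containing a quote character is rejected instead of being escaped into the statement.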

Other related operations

  • Modify the password for a custom user.

    Note

    You can modify the passwords of only custom users. Alibaba Cloud accounts and RAM users use automatically generated AccessKey pairs for authentication instead of passwords.

    You can use one of the following methods to modify the password of a custom user:

    • Console operations.

      1. On the Users page, find the target custom user in the User Account Authorization list and click Reset Password in the Actions column.

      2. In the Reset Password dialog box, enter and confirm the new password, and then click OK.

    • SQL operations.

      alter user "BASIC$<user_name>" with password '<password>';

      user_name specifies the custom username. password specifies the new password for the custom user.

  • Delete a custom user.

    You can use one of the following methods to delete a custom user:

    • Console operations.

      1. On the Users page, find the target custom user in the User Account Authorization list and click Delete in the Actions column.

      2. In the Remove User dialog box, click OK.

    • SQL operations.

      drop user "BASIC$<user_name>";

      user_name specifies the custom username.

FAQ

  • Symptom: The following error occurs when a custom account tries to access a MaxCompute foreign table.

    ERROR:  Query:[xxxxxx] Build desc failed: failed to check permission: Authorization Failed [4002], You don't exist in project hologres_test. Context ID:xxxxxx-xxxx-xxxx-xxxx-xxxxxxx.    --->Tips: Pricipal:INVALID$BASIC$xxx; You don't exist in project xxx
  • Cause: Custom accounts exist only within Hologres and cannot access MaxCompute foreign tables by default.

  • Solution: You can create a User Mapping in Hologres. This action attaches a custom account to an Alibaba Cloud RAM user who has the required database permissions for the corresponding MaxCompute project and Hologres internal tables.

    • Syntax example

      CREATE USER MAPPING
      FOR "<user_name>"
      SERVER odps_server
      OPTIONS
      (
          access_id '<Access_id>',
          access_key '<Access_key>'
      );
    • Parameter description

      | Parameter | Description |
      | --- | --- |
      | user_name | The username of the custom account. |
      | Access_id | The AccessKey ID of an account that has logon permissions for the current database. Click AccessKey Management to obtain the AccessKey ID. |
      | Access_key | The AccessKey secret of an account that has logon permissions for the current database. Click AccessKey Management to obtain the AccessKey secret. |

    • Usage example

      -- Create a USER MAPPING for the user BASIC$test
      CREATE USER MAPPING
      FOR "BASIC$test"
      SERVER odps_server
      OPTIONS (
        access_id 'LTxxxxxxxxxx',
        access_key 'y8xxxxxxxxxxxxx');
      
      -- Create a USER MAPPING for the current user
      CREATE USER MAPPING
      FOR CURRENT_USER
      SERVER odps_server
      OPTIONS (
        access_id 'LTxxxxxxxxxx',
        access_key 'y8xxxxxxxxxxxxx');

References

For more information about how to delete an account (DROP USER) in Hologres and troubleshoot related errors, see Delete an account.