
ApsaraDB for ClickHouse: Manage database accounts of an ApsaraDB for ClickHouse cluster

Last Updated: May 25, 2023

This topic describes how to create, delete, and manage database accounts of an ApsaraDB for ClickHouse cluster. You can modify permissions and change the passwords of the database accounts.

Precautions

  • You can view the configuration methods of database accounts only for ApsaraDB for ClickHouse clusters.

  • You can use the following methods to configure database accounts for an ApsaraDB for ClickHouse cluster of V20.8 or later that is created after December 1, 2021.

    • You can use XML configuration files to configure database accounts that were created before December 27, 2022.

    • You can execute SQL statements to configure database accounts that are created after December 27, 2022.

  • For an ApsaraDB for ClickHouse cluster of V20.3 or earlier or an ApsaraDB for ClickHouse cluster of V20.8 that was created before December 1, 2021, you can use only XML configuration files to configure database accounts.

Account configuration methods

Configuration method: XML configuration file

  Account type: Standard account

    • You can create and manage standard accounts by using the ApsaraDB for ClickHouse console or calling an API operation.

    • A maximum of 500 standard accounts can be created for a cluster.

    • You can grant standard accounts the DML and DDL permissions and specify resources that can be accessed by the standard accounts.

Configuration method: SQL statement

  Account type: Privileged account

    • You can create and manage privileged accounts by using the ApsaraDB for ClickHouse console or calling an API operation.

    • You can create only one privileged account for each cluster and use the privileged account to manage all standard accounts and databases in the corresponding cluster.

    • A privileged account allows you to manage more permissions at fine-grained levels based on your business requirements. For example, you can grant each standard account the permissions to query specific tables.

  Account type: Standard account

    • You can create and manage standard accounts by using the ApsaraDB for ClickHouse console, calling an API operation, or executing SQL statements. For more information about how to use a privileged account to create a standard account by executing a SQL statement, see CREATE USER.

    • A maximum of 500 standard accounts can be created for a cluster.

    • By default, a standard account can be used only to connect to databases. For more information about how to use a privileged account to grant other permissions to a standard account, see GRANT.

    • You are not allowed to create or manage other accounts by using a standard account.
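The privileged/standard split described above, worked through in ClickHouse SQL as an added example (not part of the original documentation): the privileged account creates a standard account, grants it read access to specific tables and columns only, and then verifies the result. The account name, database, table and column names, and the password are constructed for illustration.

```sql
-- Run while connected as the privileged account.
-- report_reader, sales.orders, sales.customers and the password are constructed.

-- 1. Create the standard account. At this point it can only connect.
CREATE USER IF NOT EXISTS report_reader
    IDENTIFIED WITH sha256_password BY 'Example_Passw0rd!';  -- replace before use

-- 2. Grant read access to one table, not to the whole database.
GRANT SELECT ON sales.orders TO report_reader;

-- 3. Where only part of a table is needed, grant individual columns
--    so the remaining columns stay unreadable to this account.
GRANT SELECT(customer_id, region) ON sales.customers TO report_reader;

-- 4. Verify that the account holds exactly the grants issued above.
SHOW GRANTS FOR report_reader;

-- 5. Audit view of the same data: one row per privilege. A NULL database
--    or table means the privilege applies to all databases or all tables,
--    which is the pattern to look for when reviewing standard accounts.
SELECT user_name, access_type, database, table, column, grant_option
FROM system.grants
WHERE user_name = 'report_reader'
ORDER BY database, table, column;

-- 6. Withdraw access that is no longer required.
REVOKE SELECT ON sales.orders FROM report_reader;
```

Because no statement uses WITH GRANT OPTION, report_reader cannot pass its privileges to another account, which matches the rule that standard accounts do not manage other accounts.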

Create a database account

  1. Log on to the ApsaraDB for ClickHouse console.

  2. In the top navigation bar, select the region where the cluster that you want to manage is deployed.

  3. On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.

  4. In the left-side navigation pane, click Account Management.

  5. In the upper-right corner of the Account Management page, click Create Account.

  6. In the Create Account panel, set the following parameters as prompted.

    The following table describes the parameters for creating an account for an ApsaraDB for ClickHouse cluster of V20.8 or later:

    Parameter

    Description

    Database Account

    The name of the database account. The account name must meet the following requirements:

    • The name must be unique in the cluster.

    • The name can contain lowercase letters, digits, or underscores (_).

    • The name must start with a lowercase letter and end with a lowercase letter or a digit.

    • The name must be 2 to 64 characters in length.

    Account Type

    The type of the database account. Valid values:

    • Privileged Account

    • Standard Account

    Note

    By default, a standard account can be used only to connect to databases. A privileged account can be used to grant permissions to standard accounts by using SQL statements. For more information, see GRANT.

    Password

    The password of the database account. The password must meet the following requirements:

    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

    • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    • The password must be 8 to 32 characters in length.

    Confirm Password

    The same password that you entered in the Password field.

    Description

    The description of the database account. The description must meet the following requirements:

    • The description can be up to 256 characters in length or be an empty string.

    • The description cannot start with http:// or https://.

    The following table describes the parameters for creating an account for an ApsaraDB for ClickHouse cluster of V20.3:

    Parameter

    Description

    Database Account

    The name of the database account. The account name must meet the following requirements:

    • The name must be unique in the cluster.

    • The name can contain lowercase letters, digits, or underscores (_).

    • The name must start with a lowercase letter and end with a lowercase letter or a digit.

    • The name must be 2 to 64 characters in length.

    Authorized Access Scope

    The resources that can be accessed by the database account. Valid values:

    • All Databases and Dictionaries

    • Partial Databases and Dictionaries

      After you select required databases or dictionaries, click Add Authorized Databases or Dictionaries or Remove Authorized Databases or Dictionaries to add or remove authorized databases or dictionaries.

    DML Permission

    Specifies whether to grant write permissions. Valid values:

    • Read, Write, and Set Permissions: You can perform read, write, and set operations on the authorized databases and dictionaries.

    • Read and Set Permissions: You can perform only read and set operations on the authorized databases and dictionaries. You cannot write data to the authorized databases or dictionaries.

    DDL Permission

    Specifies whether to grant DDL permissions. Valid values:

    • Enable DDL

    • Disable DDL

    Password

    The password of the database account. The password must meet the following requirements:

    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

    • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    • The password must be 8 to 32 characters in length.

    Confirm Password

    The same password that you entered in the Password field.

    Description

    The description of the database account. The description must meet the following requirements:

    • The description can be up to 256 characters in length or be an empty string.

    • The description cannot start with http:// or https://.

  7. Click OK.

Modify permissions

Note

This operation is only applicable to accounts that are created by using XML configuration files.

  1. Log on to the ApsaraDB for ClickHouse console.

  2. In the top navigation bar, select the region where the cluster that you want to manage is deployed.

  3. On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.

  4. In the left-side navigation pane, click Account Management.

  5. Find the database account that you want to manage, and click Modify Permission in the Actions column.

  6. In the Modify Permissions panel, set the Authorized Access Scope, DML Permissions, and DDL Permissions fields of the database account based on your business requirements.

  7. Click OK.

Change the password

  1. Log on to the ApsaraDB for ClickHouse console.

  2. In the top navigation bar, select the region where the cluster that you want to manage is deployed.

  3. On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.

  4. In the left-side navigation pane, click Account Management.

  5. Find the database account that you want to manage, and click Change Password in the Actions column.

  6. In the Change Password panel, enter the new password twice.

  7. Click OK.

Delete a database account

  1. Log on to the ApsaraDB for ClickHouse console.

  2. In the top navigation bar, select the region where the cluster that you want to manage is deployed.

  3. On the Clusters page, click the Default Instances tab, find the cluster that you want to manage, and then click the ID of the cluster.

  4. In the left-side navigation pane, click Account Management.

  5. Find the database account that you want to manage, and click Delete in the Actions column.

  6. In the Delete Account message that appears, click OK.

    Warning

    Exercise caution when you delete an account. You cannot restore an account after it is deleted.