You must create an account in the RDS instance before you can use the database. RDS supports two account modes: the classic mode and the master mode. The classic mode is an earlier management mode in which you cannot use SQL to manage databases and accounts. Master mode is a later management mode in which you can use SQL to manage databases and accounts. In addition, you have more permissions available in this mode. In the long run, master mode is recommended if you need personalized and fine-grained control over database permissions.
This document describes the features available for accounts in classic and master modes, and how to create accounts in different modes.
In the classic mode, all accounts are created through the RDS console or API, instead of SQL. All accounts are created equal. The RDS console is used to create and manage all accounts and databases.
In the master mode, you must create and manage your first or initial account by using the RDS console or API. Then you can log on to a database using your initial account. When you are logged on, you can create and manage additional accounts using SQL commands or Alibaba Cloud’s Data Management System (DMS). However, you cannot use your initial account to change the password for the additional accounts you have created. Instead, you have to delete those accounts and create new accounts. In the following example, the initial account is used as root to log on to the database. After that, an additional account “jeffrey” is created:
mysql -hxxxxxxxxx.mysql.rds.aliyuncs.com -uroot -pxxxxxx -e "
CREATE USER 'jeffrey'@'%' IDENTIFIED BY 'password';
CREATE DATABASE DB001;
In master mode, the database management page is unavailable on the RDS console for now. APIs such as CreateDatabase cannot be used to manage databases. Instead, you must use SQL commands or DMS to create and manage databases.
The following figure shows how to create and manage databases or accounts in classic and master modes:
The account modes available for various database engines are shown as follows:
|Database engine||Account mode|
|MySQL 5.5/5.6||Classic mode/Master mode
Note: Upgrade from classic to master mode is supported only. You cannot roll back after the upgrade.
|MySQL 5.7||Master mode|
|SQL Server 2008 R2||Classic mode|
|SQLServer 2012/2016||Master mode|
The following table lists the differences between classic and master modes in accounts and permissions:
|Item||Classic mode||Master mode|
|Account limit||Up to 500.||No limit.|
|RDS console used to create and manage databases and accounts||Yes||
|SQL used to manage databases and accounts||No||Yes|
|Permission management||Simple: Choose from Read/Write or Read-Only permissions for each account.||Fine-grained control. You can take full advantage of the database engine’s permission management capabilities. For example, you can assign the query permissions for different tables to different users.|
|Permissions for an account (applicable to MySQL only)||SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, PROCESS, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER||CREATE USER, RELOAD, and REFERENCES are supported in addition to the 20 permissions supported in classic mode.|
There are no differences in product features in both classic and master modes, including read-only instances, read/write splitting, configuration upgrade, network management, IP address whitelisting, and monitoring and alarms.
When assigning database account permissions, follow the minimum permissions principle and service roles to create accounts and assign reasonable Read-Only and Read/Write permissions. When necessary, you may split database accounts and databases into smaller units so that each database account only has access to its own service data. If you do not must write data to a database, please assign Read-Only permission.
Use strong passwords for database accounts and change the passwords on a regular basis.
See the following documents for more information about how to create an account in classic mode:
See the following documents for more information about how to create an account in master mode: