This topic describes how to create databases and accounts for an ApsaraDB RDS for MySQL instance.

For more information about creating databases and accounts in other database engines, see the following topics:

Account types

ApsaraDB RDS for MySQL supports two types of database accounts: privileged and standard. You can manage all your accounts and databases in the ApsaraDB for RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.
Note: The type of an account cannot be changed. To use a different type, delete the account and then create a new one with the same account name. For more information, see Delete an account for an RDS MySQL instance.
Account type Description
Privileged account
  • You can create and manage privileged accounts by using the ApsaraDB for RDS console or API operations.
  • You can create only one privileged account per instance and then use the privileged account to manage all standard accounts and databases on that instance.
  • A privileged account enables you to manage permissions at a finer level. For example, you can grant query permissions on specific tables to standard accounts.
  • A privileged account has all permissions on all the databases of the instance on which it is created.
  • A privileged account has permissions to disconnect all standard accounts on the instance on which it is created.
Standard account
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, API operations, or SQL statements.
  • You can create more than one standard account per instance. The maximum number of standard accounts allowed varies based on the database engine kernel you use.
  • You must manually grant permissions on specific databases to standard accounts.
  • A standard account does not have permissions to create, manage, or disconnect other accounts on the instance on which it is created.
Account type | Number of databases | Number of tables | Number of accounts
--- | --- | --- | ---
Privileged account | Unlimited | < 200,000 | Varies based on the kernel parameter settings of the instance
Standard account | 500 | < 200,000 | Varies based on the kernel parameter settings of the instance

Comparison between privileged and superuser accounts

To reduce unintended operations that may affect your business, ApsaraDB RDS for MySQL does not provide a superuser account. Only a privileged account is provided for you to manage all of the databases and standard accounts that are created on your RDS instance.

Privileged account

  • The privileged account is granted the highest permissions. For more information, see Permissions of various accounts.
  • The privileged account has the permissions to disconnect all standard accounts.

Superuser account

  • The superuser account has the permissions to terminate the connections for all queries.
  • The superuser account has the permissions to modify global variables by executing the SET statement.
  • The superuser account has the permissions to execute the CHANGE MASTER and PURGE MASTER LOGS statements.
  • The superuser account has the permissions to edit the files on the physical server that hosts your RDS instance.

Create a privileged account

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. On the Accounts tab, click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username must meet the following requirements:
    • The username must be 2 to 16 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type: Specify the type of the account. Select Privileged Account.
    Password: Enter the password of the account. The password must meet the following requirements:
    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Re-enter Password: Enter the password of the account again.
    Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click Create.

Create a standard account

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. On the Accounts tab, click Create Account.
  6. Configure the following parameters.
    Database Account: Enter the username of the account. The username must meet the following requirements:
    • The username must be 2 to 16 characters in length.
    • The username must start with a lowercase letter and end with a lowercase letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type: Specify the type of the account. Select Standard Account.
    Authorized Databases: Select one or more databases on which you want to grant permissions to the account. You can choose not to specify this parameter, because you can grant the account the permissions on specific databases after the account is created.
    1. Select one or more databases from the Unauthorized Databases list and click Add to add them to the Authorized Databases list.
    2. In the Authorized Databases list, select the Read/Write, Read-only, DDL Only, or DML Only permissions on each authorized database.

      If you want to grant the same permissions on more than one authorized database at a time, select the authorized databases and click the button in the upper-right corner. For example, click Set All to Read/Write.

      Note: The button in the upper-right corner changes as you click it. For example, after you click Set All to Read/Write, the button changes to Set All to Read-only.
    Password: Enter the password of the account. The password must meet the following requirements:
    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Re-enter Password: Enter the password of the account again.
    Description: Optional. Enter a description that helps identify the account. The description can be up to 256 characters in length.
  7. Click Create.

Create a database

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Databases.
  5. Click Create Database.
  6. Configure the following parameters.
    Database Name:
    • The name of the database must be 2 to 64 characters in length.
    • The name of the database must start with a lowercase letter and end with a lowercase letter or digit.
    • The name of the database can contain lowercase letters, digits, underscores (_), and hyphens (-).
    • The name of the database must be unique within the RDS instance.
    Supported Character Sets: Select the character set used by the database. You can select utf8, gbk, latin1, or utf8mb4. You can also select all and then select another character set from the all drop-down list.
    Authorized Account: Select one or more accounts that require access to the database. You can choose not to specify this parameter, because you can bind accounts to the database after the database is created.
    Note: Only the created standard accounts are displayed. The privileged account has all the permissions on all the databases and does not need authorization on databases.
    Account Type: Select the permissions that you want to grant to the selected accounts. You can select Read/Write, Read-only, DDL Only, or DML Only.
    Description: Optional. Enter a description that helps identify the database. The description can be up to 256 characters in length.
  7. Click Create.
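
The account-name, password and database-name rules from the three procedures above, written as a pre-submission check for scripts that create accounts or databases. This is an added example, not Alibaba Cloud code; the function names are hypothetical, and rejecting password characters outside the four listed character types is an assumption.

```python
import re
import string

# Rules transcribed from this page; all function names are hypothetical.
ACCOUNT_RE = re.compile(r"[a-z][a-z0-9_]{0,14}[a-z0-9]")    # 2 to 16 chars
DATABASE_RE = re.compile(r"[a-z][a-z0-9_-]{0,62}[a-z0-9]")  # 2 to 64 chars
SPECIALS = set("!@#$%^&*()_+-=")


def check_account_name(name):
    """Starts with a-z, ends with a-z or 0-9, body limited to a-z 0-9 _."""
    return ACCOUNT_RE.fullmatch(name) is not None


def check_database_name(name):
    """Same shape as an account name, but longer and hyphens are allowed."""
    return DATABASE_RE.fullmatch(name) is not None


def check_password(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    classes = {
        "uppercase": set(string.ascii_uppercase),
        "lowercase": set(string.ascii_lowercase),
        "digit": set(string.digits),
        "special": SPECIALS,
    }
    present = [n for n, chars in classes.items() if chars & set(password)]
    if len(present) < 3:
        problems.append("needs 3 of 4 character types, found: " + ", ".join(present))
    # Assumption: characters outside the four listed types are rejected.
    allowed = set().union(*classes.values())
    stray = sorted(set(password) - allowed)
    if stray:
        problems.append("characters outside the listed types: " + "".join(stray))
    return problems
```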

Permissions of various accounts

Account type | Permission | Operation
--- | --- | ---
Privileged account | - | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
Standard account | Read-only | SELECT, LOCK TABLES, SHOW VIEW, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | Read/Write | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | DDL Only | CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
Standard account | DML Only | SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT
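
To check that an existing standard account holds exactly the privileges the table above lists for its permission level, the following added example (not part of the original documentation) compares SHOW GRANTS output with those sets and also reports data privileges granted instance-wide. The `audit` helper and the sample grant lines are constructed for illustration.

```python
import re

# Hypothetical helper; privilege sets transcribed from the table above.
GLOBAL = {"PROCESS", "REPLICATION SLAVE", "REPLICATION CLIENT"}
DML = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE TEMPORARY TABLES",
       "LOCK TABLES", "EXECUTE", "SHOW VIEW", "EVENT", "TRIGGER"}
DDL = {"CREATE", "DROP", "INDEX", "ALTER", "CREATE TEMPORARY TABLES",
       "LOCK TABLES", "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE",
       "ALTER ROUTINE"}
PROFILES = {
    "Read-only": GLOBAL | {"SELECT", "LOCK TABLES", "SHOW VIEW"},
    "DML Only": GLOBAL | DML,
    "DDL Only": GLOBAL | DDL,
    "Read/Write": GLOBAL | DML | DDL | {"REFERENCES"},
}
GRANT_RE = re.compile(r"GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)


def audit(grant_lines, database, expected):
    """Compare SHOW GRANTS text with the documented set for `expected`.
    Considers *.* and `database`.* grants only; table-level grants are skipped."""
    held, instance_wide = set(), set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        scope = m.group(2).replace("`", "")
        if scope not in ("*.*", database + ".*"):
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        privs.discard("USAGE")  # USAGE is MySQL's "no privileges" marker
        held |= privs
        if scope == "*.*":
            # Data privileges granted on *.* reach every database.
            instance_wide |= privs - GLOBAL
    profile = PROFILES[expected]
    return {"extra": sorted(held - profile),
            "missing": sorted(profile - held),
            "instance_wide": sorted(instance_wide)}


# Constructed sample: SHOW GRANTS output for an account meant to be Read-only.
SAMPLE = [
    "GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'report'@'%'",
    "GRANT SELECT, DELETE, LOCK TABLES, SHOW VIEW ON `sales`.* TO 'report'@'%'",
    "GRANT SELECT ON `hr`.`staff` TO 'report'@'%'",
]
print(audit(SAMPLE, "sales", "Read-only"))
```

A non-empty `extra` or `instance_wide` list means the account can do more than its permission level implies and should be reviewed.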

FAQ

  • Can I manage accounts on read-only instances?

    No. Although all of the accounts that are created on your primary instance are replicated to its read-only instances, you cannot manage the accounts on the read-only instances. The accounts have only the permissions to read data from the read-only instances.

  • Can I manage accounts at fine-grained levels, such as the source IP address and table levels?

    Yes, you can use commands to manage the accounts at fine-grained levels, such as the IP address and table levels, after you connect to your RDS instance.

  • Does ApsaraDB for RDS provide a superuser account such as the root user?

    No, ApsaraDB for RDS does not provide a superuser account such as the root user. This protects your RDS instance from damage, such as data loss and leakage, caused by unintended operations.

Related operations

API | Description
--- | ---
CreateAccount | Creates an account for an ApsaraDB for RDS instance.
CreateDatabase | Creates a database for an ApsaraDB for RDS instance.