This topic describes how to create databases and accounts for an ApsaraDB RDS MySQL instance.

For information about how to create databases and accounts in other database engines, see the following topics:

Account types

ApsaraDB RDS MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all your accounts and databases by using the ApsaraDB for RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.

Account type Description
Privileged accounts
  • You can only create and manage privileged accounts by using the ApsaraDB for RDS console or APIs.
  • You can only create one privileged account for an RDS instance. This privileged account has permissions to manage all standard accounts and databases in the RDS instance.
  • You can use the privileged account of your RDS instance for fine-grained permission management suited for your business needs. For example, you can grant each standard account the permissions to query specific tables.
  • You can use the privileged account to disconnect any accounts from their authorized databases in your RDS instance.
Standard accounts
  • You can create and manage standard accounts by using the ApsaraDB for RDS console, APIs, or SQL statements.
  • You can create up to 200 standard accounts for an RDS instance.
  • You must manually grant each standard account the permissions to manage specific databases.
  • You cannot use a standard account to create or manage other accounts in your RDS instance, nor can you use a standard account to disconnect other accounts from their authorized databases.
Account type Number of databases Number of tables Number of users
Privileged accounts Unlimited < 200,000 Varies depending on the kernel parameter settings.
Standard accounts 500 < 200,000 Varies depending on the kernel parameter settings.

Comparison between privileged and superuser accounts

To mitigate the impacts of misoperations on your business, ApsaraDB RDS MySQL does not provide the superuser account. You can only use the privileged account to manage standard accounts and databases in your RDS instance.

Privileged account

  • For more information, see Account permissions.
  • The privileged account has permissions to disconnect all standard accounts.

Superuser account

  • Has permissions to terminate all query connections.
  • Has permissions to modify global variables by executing the SET statement.
  • Has permissions to execute CHANGE MASTER and PURGE MASTER LOGS statements.
  • Has permissions to edit files in the host where your RDS instance resides.

Create a privileged account

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.Select a region
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. On the Accounts tab, click Create Account.Create a privileged account
  6. Configure the following parameters.
    Parameter Description
    Database Account

    Enter the username of the privileged account. Make sure that the username meets the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a letter and end with a letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type Select Privileged Account.
    Password

    Enter the password of the privileged account. Make sure that the password meets the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Re-enter Password Enter the password of the privileged account again.
    Description Enter information that helps identify the privileged account. The description can contain up to 256 characters.
  7. Click Create.

Create a standard account

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.Select a region
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Accounts.
  5. Click Create Account.Create a standard account
  6. Configure the following parameters.
    Parameter Description
    Database Account

    Enter the username of the standard account. Make sure that the username meets the following requirements:

    • The username must be 2 to 16 characters in length.
    • The username must start with a letter and end with a letter or digit.
    • The username can contain lowercase letters, digits, and underscores (_).
    Account Type Select Standard Account.
    Authorized Databases Select one or more databases you want to authorize for the standard account. You can choose not to specify this parameter, and grant database permissions to the standard account after the standard account is created.
    1. Select one or more databases from the Unauthorized Databases list and click Add to add them to the Authorized Databases list.
    2. In the Authorized Databases list, select the Read/Write, Read-only, DDL Only, or DML Only permission on each authorized database.

      If you want to specify the same permission on more than one authorized database simultaneously, select the authorized databases and click the button in the upper-right corner. For example, click Full Control Read/Write.

      Note The button in the upper-right corner changes as you click it. For example, the button changes to Full Control Read-only after you click Full Control Read/Write.
    Password

    Enter the password of the standard account. Make sure that the password meets the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • Special characters include ! @ # $ % ^ & * ( ) _ + - =
    Re-enter Password Enter the password of the standard account again.
    Description Optional. Enter information that helps identify the standard account. The description can contain up to 256 characters.
  7. Click Create.

Create a database

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.Select a region
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Databases.
  5. Click Create Database.Create a database
  6. Configure the following parameters.
    Parameter Description
    Database Name
    • The name of the database must be 2 to 64 characters in length.
    • The name of the database must start with a letter and end with a letter or digit.
    • The name of the database can contain lowercase letters, digits, underscores (_), and hyphens (-).
    • The name of the database must be unique in the RDS instance.
    Supported Character Set Select utf8, gbk, latin1, or utf8mb4.

    If you do not want to use utf8, gbk, latin1, or utf8mb4, select all and then select a character set from the all drop-down list.

    Authorized Account Select one or more accounts that require access to the database. You can choose not to specify this parameter, and bind accounts to the database after the database is created.
    Note Only standard accounts are displayed. The privileged account has all permissions on all databases. You do not need to authorize the privileged account to access the database you want to create.
    Account Type Select the permissions that you want to grant to the selected accounts. You can select Read/Write, Read-only, DDL Only, or DML Only.
    Description Optional. Enter information that helps identify the database. The description can contain up to 256 characters.
  7. Click Create.

Account permissions

Account type Permission Operation
Privileged accounts N/A SELECT INSERT UPDATE DELETE CREATE
DROP RELOAD PROCESS REFERENCES INDEX
ALTER CREATE TEMPORARY TABLES LOCK TABLES EXECUTE REPLICATION SLAVE
REPLICATION CLIENT CREATE VIEW SHOW VIEW CREATE ROUTINE ALTER ROUTINE
CREATE USER EVENT TRIGGER
Standard accounts Read-only SELECT LOCK TABLES SHOW VIEW PROCESS REPLICATION SLAVE
REPLICATION CLIENT
Read/Write SELECT INSERT UPDATE DELETE CREATE
DROP REFERENCES INDEX ALTER CREATE TEMPORARY TABLES
LOCK TABLES EXECUTE CREATE VIEW SHOW VIEW CREATE ROUTINE
ALTER ROUTINE EVENT TRIGGER PROCESS REPLICATION SLAVE
REPLICATION CLIENT
DDL Only CREATE DROP INDEX ALTER CREATE TEMPORARY TABLES
LOCK TABLES CREATE VIEW SHOW VIEW CREATE ROUTINE ALTER ROUTINE
PROCESS REPLICATION SLAVE REPLICATION CLIENT
DML Only SELECT INSERT UPDATE DELETE CREATE TEMPORARY TABLES
LOCK TABLES EXECUTE SHOW VIEW EVENT TRIGGER
PROCESS REPLICATION SLAVE REPLICATION CLIENT

FAQ

  • Can I manage accounts in read-only instances?

    All accounts created in a primary instance are replicated to its read-only instances. However, you cannot manage the accounts in read-only instances. The accounts only have permissions to read data from read-only instances.

  • Can I manage accounts at fine-grained levels such as IP address and table levels?

    Connect to the RDS instance whose accounts you want to manage. Then, use commands to grant the accounts permissions to manage specific IP addresses or tables. For more information, see Connect to an RDS MySQL instance.

  • Does ApsaraDB for RDS provide the root user or any other superuser account?

    To avoid impacts of misoperations on your business, ApsaraDB for RDS does not provide the root user or any other superuser account.

Related operations

Operation Description
CreateAccount Creates an account for an ApsaraDB for RDS instance.
CreateDatabase Creates a database for an ApsaraDB for RDS instance.