You can add and remove users, assign roles, and grant permissions for a Hologres instance from the User Management page in the console.
Account types and roles
Hologres supports three account types:
| Account type | System identifier | Authentication | Scope |
|---|---|---|---|
| Alibaba Cloud account (ALIYUN) | 11822780xxx | AccessKey pair (automatic) | All Alibaba Cloud services |
| RAM user (RAM) | p4_269499383xxxx | AccessKey pair (automatic) | All Alibaba Cloud services (within granted permissions) |
| Custom account (BASIC) | BASIC$xxx | Password | Hologres only |
Each user has one of two roles:
Superuser: Has all permissions on the instance. No additional authorization required.
Normal: Has no permissions after creation. You must grant permissions before this user can access databases, schemas, or tables.
The Alibaba Cloud account that purchased the instance is the default superuser and has all permissions on that instance. Before you add other users, the User Management page displays only this account.
Prerequisites
| Operation | Required account |
|---|---|
| Add a user | Alibaba Cloud account, or a RAM user with the Superuser role and the AliyunRAMReadOnlyAccess policy attached |
| Create a custom user | Superuser account |
| Delete a user or reset a password | Superuser account |
Add a user
Add an existing RAM user to a Hologres instance.
On the User Management page, select the target instance and click Add User in the upper-right corner.
In the Add User dialog box, select a RAM user associated with the current Alibaba Cloud account.
Select a role: Superuser or Regular User.
Click OK.
AliyunRAMReadOnlyAccess permission. For more information, see Grant permissions to a RAM user.
Grant permissions to a normal user
After you add a normal user, grant permissions so the user can access databases and objects:
Go to the DB Management page to grant permissions through the console.
Grant permissions with SQL statements. For more information, see Quick Start for RAM user authorization.
Create a custom user
Custom users authenticate with a username and password instead of an AccessKey pair and are valid only within Hologres.
Custom users cannot access other Alibaba Cloud services directly. To allow a custom user to query MaxCompute foreign tables, create a user mapping. See Create a user mapping for MaxCompute access.
Console
On the User Management page, select the target instance and click Create Custom User in the upper-right corner.
In the Create Custom User dialog box, configure the following parameters:
| Parameter | Description |
|---|---|
| Account Name | Enter a username. Up to 57 characters. Only lowercase letters, digits, and underscores (_) are allowed. The username cannot end with admin, developer, writer, viewer, or all_users. |
| Select Member Role | Select Superuser or Regular User. |
| Password | 8 to 32 characters. Must contain at least three of these character types: uppercase letters, lowercase letters, digits, and special characters (!@#$%^&*()_+-=). |
| Confirm Password | Re-enter the password. |
Click OK.
SQL
CREATE USER "BASIC$<user_name>" WITH PASSWORD '<password>';
user_name: the custom username.
password: the password for the custom user.
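The naming and password rules listed under Create a custom user can be checked before the CREATE USER statement is issued. The following Python code is an added example, not Alibaba Cloud code; the function names are hypothetical, and it assumes that the 57-character limit applies to the name without the BASIC$ prefix and that characters outside the four listed classes count toward no class.

```python
import re

# Rules taken from the Create Custom User parameters on this page.
RESERVED_SUFFIXES = ("admin", "developer", "writer", "viewer", "all_users")
SPECIALS = set("!@#$%^&*()_+-=")


def check_username(name):
    """Return rule violations for a custom account name (without BASIC$)."""
    problems = []
    if not 1 <= len(name) <= 57:  # assumption: limit excludes the BASIC$ prefix
        problems.append("length must be 1 to 57 characters")
    if not re.fullmatch(r"[a-z0-9_]*", name):
        problems.append("only lowercase letters, digits and underscores allowed")
    if name.endswith(RESERVED_SUFFIXES):
        problems.append("must not end with a reserved suffix")
    return problems


def check_password(pw):
    """Return rule violations for a custom account password."""
    problems = []
    if not 8 <= len(pw) <= 32:
        problems.append("length must be 8 to 32 characters")
    classes = [
        any(c.isascii() and c.isupper() for c in pw),
        any(c.isascii() and c.islower() for c in pw),
        any(c.isascii() and c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs three of: uppercase, lowercase, digit, special")
    return problems


def create_user_sql(name, pw):
    """Validate both values, then build the CREATE USER statement from this page."""
    problems = check_username(name) + check_password(pw)
    if problems:
        raise ValueError("; ".join(problems))
    # The username charset excludes quote characters. The password is not
    # restricted to SPECIALS here, so double any single quote in the literal.
    literal = pw.replace("'", "''")
    return f"CREATE USER \"BASIC${name}\" WITH PASSWORD '{literal}';"
```

The returned statement contains the password in clear text, so pass it straight to the database session rather than writing it to logs or shell history.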
Reset a custom user password
Only custom user passwords can be reset. Alibaba Cloud accounts and RAM users authenticate with automatically generated AccessKey pairs.
Console
On the User Management page, find the target custom user in the User Account Authorization list.
Click Reset Password in the Actions column.
In the Reset Password dialog box, enter and confirm the new password.
Click OK.
SQL
ALTER USER "BASIC$<user_name>" WITH PASSWORD '<password>';
user_name: the custom username.
password: the new password.
Delete a user
Deleting a user removes the user from the instance and revokes all access permissions.
Delete a RAM user or Alibaba Cloud account
On the User Management page, select the target instance, find the user in the list, and click Delete in the Actions column.
Delete a custom user
Console
On the User Management page, find the target custom user in the User Account Authorization list.
Click Delete in the Actions column.
In the Remove User dialog box, click OK.
SQL
DROP USER "BASIC$<user_name>";
user_name: the custom username.
Create a user mapping for MaxCompute access
Custom accounts exist only within Hologres and cannot query MaxCompute foreign tables by default. If a custom account attempts to query a MaxCompute foreign table, the following error occurs:
ERROR: Query:[xxxxxx] Build desc failed: failed to check permission: Authorization Failed [4002], You don't exist in project hologres_test. Context ID:xxxxxx-xxxx-xxxx-xxxx-xxxxxxx. --->Tips: Pricipal:INVALID$BASIC$xxx; You don't exist in project xxx
To resolve this, create a USER MAPPING that attaches the custom account to a RAM user with the required permissions on the MaxCompute project and the Hologres database.
Syntax
CREATE USER MAPPING
FOR "<user_name>"
SERVER odps_server
OPTIONS
(
access_id '<Access_id>',
access_key '<Access_key>'
);
Parameters
| Parameter | Description |
|---|---|
| user_name | The username of the custom account. |
| access_id | The AccessKey ID of an account that has logon permissions for the current database. Obtain this from AccessKey Management. |
| access_key | The AccessKey secret of an account that has logon permissions for the current database. Obtain this from AccessKey Management. |
Examples
Create a USER MAPPING for a specific custom user:
CREATE USER MAPPING
FOR "BASIC$test"
SERVER odps_server
OPTIONS (
access_id 'LTxxxxxxxxxx',
access_key 'y8xxxxxxxxxxxxx');
Create a USER MAPPING for the current user:
CREATE USER MAPPING
FOR CURRENT_USER
SERVER odps_server
OPTIONS (
access_id 'LTxxxxxxxxxx',
access_key 'y8xxxxxxxxxxxxx');
User Management page columns
The User Management page displays the following columns:
| Column | Description |
|---|---|
| Account Name | The username in the current instance. Includes Alibaba Cloud accounts, Resource Access Management (RAM) users, and custom accounts. |
| Account ID | The account ID. For example: Alibaba Cloud account 11822780xxx, RAM user p4_269499383xxxx, or custom account BASIC$xxx. |
| Account Type | One of: Alibaba Cloud Account (ALIYUN), RAM User (RAM), or Basic User (BASIC). |
| Role Type | Superuser or Normal. |
| Actions | Operations available for the user, such as Delete, Reset Password, or Change Role. |
References
For more information about deleting an account (DROP USER) in Hologres and troubleshooting related errors, see Delete an account.