LindormTSDB protects your data through multilayer access control. At the engine level, access control is enforced by user authentication and permission verification — this feature is disabled by default. This document explains how to enable authentication, add credentials to client connections, and understand the permission model.
Access control in LindormTSDB
LindormTSDB enforces access control at three layers:
RAM — Resource Access Management (RAM) provided by Alibaba Cloud, governing which Alibaba Cloud accounts can access the instance.
Physical layer — Instance-level IP whitelists. For details, see Configure whitelists.
Logical layer — Engine-level user authentication and permission verification, covered in this document.
Before you enable authentication
Enabling authentication causes any existing service connections that omit credentials to fail. Before enabling, complete the following steps:
Verify the initial user credentials. A Lindorm instance ships with an initial user. For instances running LindormTSDB 3.4.30 or earlier, the default username and password are both
root. For later versions, both areroot_tsdb. Change the password immediately after the instance is created.Update all application connection strings to include credentials.
Plan for service restarts. After authentication is enabled, any running service that does not include credentials in its connection will fail. Schedule maintenance windows accordingly.
Enable authentication
Run the following SQL statement to enable authentication:
ALTER SYSTEM SET USER_AUTH=TRUE;To verify that authentication is enabled:
SHOW PARAMETER USER_AUTH;To disable authentication, run ALTER SYSTEM SET USER_AUTH=FALSE;. Disabling authentication removes all access controls and exposes the instance to security risks. Keep authentication enabled in production environments.
Connect with credentials
After authentication is enabled, all client connections must include a username and password. The connecting user must also have the appropriate permissions on the target database or table.
lindorm-cli
lindorm-cli -url <Endpoint for LindormTSDB SQL> -username <Username> -password <Password> -database <Database name>For details, see Use Lindorm-cli to connect to and use LindormTSDB.
JDBC
String url = "<Endpoint for LindormTSDB SQL>";
String username = "<Username>";
String password = "<Password>";
Connection conn = null;
try {
conn = DriverManager.getConnection(url, username, password);
// Perform operations after the client is connected to LindormTSDB.
} catch (SQLException e) {
e.printStackTrace();
}For details, see Tutorial: Use the JDBC driver for Lindorm to connect to and use LindormTSDB.
Druid connection pool
dataSource.setDriver(DriverManager.getDriver("<Endpoint for LindormTSDB SQL>"))
dataSource.setUrl("<Endpoint for LindormTSDB SQL>")
dataSource.setUsername("<Username>")
dataSource.setPassword("<Password>")For details, see Tutorial: Use the Druid connection pool to connect to LindormTSDB.
HTTP API
Applications that use OpenTSDB-compatible HTTP API operations must include credentials in the Authorization header as a Base64-encoded string.
The following example constructs the authorization header and sends a SQL request:
import base64
import requests
url = "<HTTP Endpoint for LindormTSDB>/api/v2/sql"
username = "<Username>"
password = "<Password>"
# Encode credentials as Base64
credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
headers = {
"Content-Type": "text/plain",
"Authorization": f"Basic {credentials}"
}
response = requests.post(url, headers=headers, data="SELECT * FROM my_table LIMIT 10")
print(response.json())For applications using TSDB SDKs, pass credentials via the basicAuth method when creating a TSDBConfig object.
For the full authentication specification, see Specify user credentials for authentication. For request format details, see Request content.
Permission model
Permission types
LindormTSDB defines four permission types:
| Permission | Description |
|---|---|
| READ | Required to query data from tables. |
| WRITE | Required to write data to tables. |
| ADMIN | Required to manage data objects (create, alter, or drop databases and tables). |
| SYSTEM | Required for instance-level operations that affect the entire instance. |
A user's effective permissions are the union of all granted permissions. For example, a user with GLOBAL READ and DATABASE READ on DB1 can query data across all databases.
Permission scopes
Permissions are granted at one of two scopes:
GLOBAL — Applies to all databases and tables in the instance. A user with GLOBAL READ can query any time series table in any database.
DATABASE — Applies to all tables within a specific database. A user with READ on
DB1can query any time series table inDB1.
Authorization rules
The SYSTEM permission scope is always GLOBAL. It cannot be scoped to a single database.
Only users with GLOBAL ADMIN or SYSTEM permissions can create, delete, modify, or authorize users.
Manage users and permissions
Use SQL
Use the following SQL statements to manage users and permissions:
| Task | SQL reference |
|---|---|
| Create a user | CREATE USER |
| Delete a user | DROP USER |
| Change a user's password | ALTER USER |
| List all users | SHOW |
| Grant permissions | GRANT |
| Revoke permissions | REVOKE |
Use the cluster management system
User and permission data are shared between LindormTSDB and LindormTable. If LindormTable is activated, log on to the LindormTable cluster management system to manage users and permissions. For details, see Log on to the cluster management system.
The cluster management system supports the TRASH permission, which is not used in LindormTSDB.
If a namespace in LindormTable has the same name as a database in LindormTSDB, any user granted permissions on that namespace automatically has access to the same-named database in LindormTSDB.
Permission reference
Permissions required for SQL statements
The following table lists the permissions required to run common SQL statements. To find the permissions needed for a specific statement, locate the statement row and check which columns are marked ○.
○ = required, × = not required.
| SQL statement | GLOBAL READ | GLOBAL WRITE | GLOBAL ADMIN | GLOBAL SYSTEM | DATABASE READ | DATABASE WRITE | DATABASE ADMIN |
|---|---|---|---|---|---|---|---|
SELECT...FROM... | ○ | × | × | × | ○ | × | × |
INSERT INTO...VALUES... | × | ○ | × | × | × | ○ | × |
INSERT INTO...SELECT... | ○ | ○ | × | × | ○ | ○ | × |
DESCRIBE DATABASE | × | × | ○ | × | × | × | ○ |
CREATE DATABASE | × | × | ○ | × | × | × | × |
ALTER DATABASE | × | × | ○ | × | × | × | ○ |
DROP DATABASE | × | × | ○ | × | × | × | ○ |
SHOW DATABASES | × | × | ○ | × | × | × | × |
DESCRIBE TABLE | ○ | × | × | × | ○ | × | × |
CREATE TABLE | × | × | ○ | × | × | × | ○ |
DROP TABLE | × | × | ○ | × | × | × | ○ |
CREATE USER | × | × | ○ | ○ | × | × | × |
ALTER USER | × | × | ○ | ○ | × | × | × |
DROP USER | × | × | ○ | ○ | × | × | × |
SHOW USERS | × | × | ○ | ○ | × | × | × |
GRANT | × | × | ○ | ○ | × | × | × |
REVOKE | × | × | ○ | ○ | × | × | × |
SHOW PRIVILEGES | × | × | ○ | ○ | × | × | × |
ALTER SYSTEM | × | × | × | ○ | × | × | × |
SHOW PARAMETER | × | × | × | ○ | × | × | × |
INSERT INTO...SELECT... requires WRITE on the destination table and READ on the source table.
Permissions required for OpenTSDB-compatible HTTP API operations
All OpenTSDB-compatible HTTP API operations require GLOBAL-scope permissions. ○ = required, × = not required.
| API operation | GLOBAL WRITE | GLOBAL READ | GLOBAL ADMIN |
|---|---|---|---|
/api/put | ○ | × | × |
/api/query | × | ○ | × |
/api/query/last | × | ○ | × |
/api/mput | ○ | × | × |
/api/mquery | × | ○ | × |
/api/query/mlast | × | ○ | × |
/api/suggest | × | ○ | × |
/api/dump_meta | × | ○ | × |
/api/search/lookup | × | ○ | × |
/api/ttl | × | × | ○ |
/api/truncate | × | × | ○ |