Account Management Statements

IoTDB provides users with account priviledge management operations, so as to ensure data security.

We will show you basic user priviledge management operations through the following specific examples. Detailed SQL syntax and usage details can be found in SQL Documentation. At the same time, in the JAVA programming environment, you can use the Java JDBC to execute priviledge management statements in a single or batch mode.

Basic Concepts

User

The user is the legal user of the database. A user corresponds to a unique username and has a password as a means of authentication. Before using a database, a person must first provide a legitimate username and password to make himself/herself a user.

Priviledge

The database provides a variety of operations, and not all users can perform all operations. If a user can perform an operation, the user is said to have the priviledge to perform the operation. Priviledges can be divided into data management priviledge (such as adding, deleting and modifying data) and authority management priviledge (such as creation and deletion of users and roles, granting and revoking of priviledges, etc.). Data management priviledge often needs a path to limit its effective range, which is a subtree rooted at the path’s corresponding node.

Role

A role is a set of priviledges and has a unique role name as an identifier. A user usually corresponds to a real identity (such as a traffic dispatcher), while a real identity may correspond to multiple users. These users with the same real identity tend to have the same priviledges. Roles are abstractions that can unify the management of such priviledges.

Default User

There is a default user in IoTDB after the initial installation: root, and the default password is root. This user is an administrator user, who cannot be deleted and has all the priviledges. Neither can new priviledges be granted to the root user nor can priviledges owned by the root user be deleted.

Priviledge Management Operation Examples

According to the sample dataAccount Management Statements - 图1, the sample data of IoTDB may belong to different power generation groups such as ln, sgcc, etc. Different power generation groups do not want others to obtain their own database data, so we need to have data priviledge isolated at the group layer.

Create User

We can create two users for ln and sgcc groups, named ln_write_user and sgcc_write_user, with both passwords being write_pwd. The SQL statement is:

  1. CREATE USER ln_write_user write_pwd
  2. CREATE USER sgcc_write_user write_pwd

Then use the following SQL statement to show the user:

  1. LIST USER

As can be seen from the result shown below, the two users have been created:

Account Management Statements - 图2

Grant User Priviledge

At this point, although two users have been created, they do not have any priviledges, so they can not operate on the database. For example, we use ln_write_user to write data in the database, the SQL statement is:

  1. INSERT INTO root.ln.wf01.wt01(timestamp,status) values(1509465600000,true)

The SQL statement will not be executed and the corresponding error prompt is given as follows:

Account Management Statements - 图3

Now, we grant the two users write priviledges to the corresponding storage groups, and try to write data again. The SQL statement is:

  1. GRANT USER ln_write_user PRIVILEGES 'INSERT_TIMESERIES' on root.ln
  2. GRANT USER sgcc_write_user PRIVILEGES 'INSERT_TIMESERIES' on root.sgcc
  3. INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)

The execution result is as follows:

Account Management Statements - 图4

Other Instructions

The Relationship among Users, Priviledges and Roles

A Role is a set of priviledges, and priviledges and roles are both attributes of users. That is, a role can have several priviledges and a user can have several roles and priviledges (called the user’s own priviledges).

At present, there is no conflicting priviledge in IoTDB, so the real priviledges of a user is the union of the user’s own priviledges and the priviledges of the user’s roles. That is to say, to determine whether a user can perform an operation, it depends on whether one of the user’s own priviledges or the priviledges of the user’s roles permits the operation. The user’s own priviledges and priviledges of the user’s roles may overlap, but it does not matter.

It should be noted that if users have a priviledge (corresponding to operation A) themselves and their roles contain the same priviledge, then revoking the priviledge from the users themselves alone can not prohibit the users from performing operation A, since it is necessary to revoke the priviledge from the role, or revoke the role from the user. Similarly, revoking the priviledge from the users’s roles alone can not prohibit the users from performing operation A.

At the same time, changes to roles are immediately reflected on all users who own the roles. For example, adding certain priviledges to roles will immediately give all users who own the roles corresponding priviledges, and deleting certain priviledges will also deprive the corresponding users of the priviledges (unless the users themselves have the priviledges).

List of Priviledges Included in the System

List of Priviledges Included in the System

Priviledge NameInterpretation
SET_STORAGE_GROUPcreate timeseries; set storage groups; path dependent
INSERT_TIMESERIESinsert data; path dependent
UPDATE_TIMESERIESupdate data; path dependent
READ_TIMESERIESquery data; path dependent
DELETE_TIMESERIESdelete data or timeseries; path dependent
CREATE_USERcreate users; path independent
DELETE_USERdelete users; path independent
MODIFY_PASSWORDmodify passwords for all users; path independent; (Those who do not have this priviledge can still change their own asswords. )
LIST_USERlist all users; list a user’s priviledges; list a user’s roles with three kinds of operation priviledges; path independent
GRANT_USER_PRIVILEGEgrant user priviledges; path independent
REVOKE_USER_PRIVILEGErevoke user priviledges; path independent
GRANT_USER_ROLEgrant user roles; path independent
REVOKE_USER_ROLErevoke user roles; path independent
CREATE_ROLEcreate roles; path independent
DELETE_ROLEdelete roles; path independent
LIST_ROLElist all roles; list the priviledges of a role; list the three kinds of operation priviledges of all users owning a role; path independent
GRANT_ROLE_PRIVILEGEgrant role priviledges; path independent
REVOKE_ROLE_PRIVILEGErevoke role priviledges; path independent

Username Restrictions

IoTDB specifies that the character length of a username should not be less than 4, and the username cannot contain spaces.

Password Restrictions

IoTDB specifies that the character length of a password should not be less than 4, and the password cannot contain spaces. The password is encrypted with MD5.

Role Name Restrictions

IoTDB specifies that the character length of a role name should not be less than 4, and the role name cannot contain spaces.