This topic describes how to create a user.
Privilege to create a user
You may need to create users and grant them privileges in OceanBase Database as needed. To create a user, you must have the CREATE USER privilege.
By default, only cluster and tenant administrators have the CREATE USER privilege. Other users can create a user only after they are granted the CREATE USER privilege. For more information, see Modify user privileges.
Naming rules for usernames
When you specify a name for a user, take note of the following items:
The username must be unique in a tenant.
Users in the same tenant must have unique names. However, users in different tenants can have the same name. You can globally and uniquely identify a tenant user by specifying the username in the
username@tenant nameformat.The sys tenant uses the MySQL mode. To distinguish users in the sys tenant from those in a user tenant in MySQL mode, we recommend that you use a specific prefix for the name of a sys tenant user.
Naming rules:
When you create a user by using an OBClient or OceanBase Developer Center (ODC), the username cannot exceed 64 bytes in length.
When you create a user in the OceanBase Cloud Platform (OCP) console, the username must be 2 to 64 characters in length and start with a letter, and can contain letters, digits, and underscores (_).
Create a user with the minimum database privileges by using an SQL statement
You can use the CREATE USER statement to create a user. To create a user, you must have the CREATE USER privilege. When you create a user, we recommend that you grant the user the minimum database privileges.
Execute the following statement to create a user:
CREATE USER [IF NOT EXISTS] user_specification_list
[REQUIRE {NONE | SSL | X509 | tls_option}];
user_specification_list:
user_specification [, user_specification ...]
user_specification:
user IDENTIFIED BY 'authstring'
| user IDENTIFIED BY PASSWORD 'hashstring'
tls_option:
| CIPHER 'cipher'
| ISSUER 'issuer'
| SUBJECT 'subject'
Notes:
IF NOT EXISTS: If the username already exists and you do not specify theIF NOT EXISTSclause, an error is reported.IDENTIFIED BY: You can use theIDENTIFIED BYclause to specify a password for the user.Parameters:
The password in the
user IDENTIFIED BY 'authstring'clause is in plaintext. However, after the password is saved to themysql.usertable, the server stores the password in ciphertext.The password in the
user IDENTIFIED BY PASSWORD 'authstring'clause is in ciphertext.
REQUIRE: specifies an encryption protocol for the user. Valid values:NONE,SSL,X509, andtls_option.
The following example shows how to create the test2 user that has the minimum database privileges:
Log on to a MySQL tenant as the
rootuser.Execute the following statement to create a user named
test2:obclient> CREATE USER 'test2' IDENTIFIED BY '******';Execute the following statement to grant the
test2user the privilege to access all tables in thedb1database.obclient> GRANT SELECT ON db1.* TO test2;