Overview|V4.3.1| docs|Distributed Database

Overview

Last Updated：2024-10-08 03:12:18 Updated

Tenant

OceanBase Database's tenant is a logical concept that serves as a unit of resource allocation and the basis for managing database objects and resources. As a container for various database objects, tenants also serve as containers for resources such as CPU, memory, and I/O. Data is completely isolated between tenants, with each tenant being equivalent to an instance of a traditional database. Tenants are divided into system tenants and user tenants. The system tenant ("sys" tenant) is predefined for management purposes and compatible with MySQL. User tenants are further divided into Oracle mode tenants and MySQL mode tenants, commonly referred to as Oracle tenants and MySQL tenants respectively.

User

OceanBase Database users are classified into two categories: users in a system tenant and users in a user tenant. The built-in system administrator for a system tenant is the root user. The built-in tenant administrator for a MySQL tenant is the root user, and that for an Oracle tenant is the SYS user. When you create a user, if the current session is in a system tenant, the created user belongs to the system tenant. Otherwise, the user belongs to a user tenant. Users created by the tenant administrator can only log on to the current tenant, regardless of whether it is a system tenant or a user tenant. Usernames are unique within a tenant, but users in different tenants can have the same username. Therefore, a user is uniquely identified globally in the system in the username@tenant name format.

Administrators in Oracle mode

The Oracle mode of OceanBase Database uses a three-tier security management system for database administration. The MySQL mode currently does not support this management model.

In real life, the abuse of privileges may occur if all privileges are granted to the same person. Likewise, to protect the security of a large database, it is necessary to grant the privileges of the database system to different user roles that take different responsibilities. In this way, the user roles can restrict and supervise each other, thereby ensuring the overall security of the system.

In the three-tier security management system, administrators are classified into database administrator (DBA), system security officer (SSO), and auditor.

DBA

Each database is managed by at least one DBA. The DBA is responsible for installing and upgrading the database management system, configuring database parameters, creating database objects, granting access privileges, importing and exporting data, as well as backing up and restoring the database. In the Oracle mode of OceanBase Database, the SYS user serves as the DBA.
SSO

The SSO is responsible for configuring audit settings, defining new database auditors, viewing audit records, setting the system's security levels, scopes, and groups for the system, and defining security labels for subjects and objects, thereby improving the overall system security. In the Oracle mode of OceanBase Database, the LBACSYS user serves as the SSO.
Auditor

The auditor is responsible for enforcing mandatory access control over the system, setting objects and operations that need to be audited, defining new database auditors, viewing and analyzing audit records, and setting system policies and labels. By setting up auditing, almost any action performed by anyone in the system can be tracked, making it convenient for post-event investigation. In the Oracle mode of OceanBase Database, the ORAAUDITOR user serves as the auditor.

Privilege

In MySQL mode, roles are not supported and the privilege management model is simple. The privilege check logic is the same as that in Oracle mode.

Privilege types

The Oracle mode of OceanBase Database supports the following two types of privileges:
- Object privileges: the privileges to operate on specific objects, such as the ALTER, SELECT, and UPDATE privileges on a table.
- System privileges: the privileges that allow users to perform specific database operations on one or all schemas.
  
  System privileges provide much broader permissions than object privileges.
  
  For more information about the privileges in Oracle mode, see Privilege types.
The MySQL mode of OceanBase Database supports the following three levels of privileges:
- Global privileges: the privileges to manage a tenant, such as modifying system settings and accessing all tables in the tenant.
- Database privileges: the privileges to manage all objects in a database, such as creating or deleting tables in the database, and accessing those tables.
- Object privileges: the privileges to manage a specific object, such as accessing a specific table, view, or index.
  
  For more information about the privilege types in MySQL mode, see Privilege types.

Privilege delegation

Privilege delegation addresses the challenge of centralized authorization. By specifying with admin option or with grant option during the granting process, grantors allow users to delegate those same privileges to other users. When revoking object privileges, the corresponding privileges that the user has delegated to other users will also be revoked. For example, if user A grants privilege to user B and user B grants privilege to user C, when user A revokes privilege from user B, privilege of user C will also be revoked. Revoking system privileges does not revoke delegated privileges.

Role

In OceanBase Database, you can manage privileges by role. A role is a set of system and object privileges. A role can contain other roles. If you assign a role to a user, the user has all the privileges of the role.

In Oracle mode, when a new tenant is created, it has three built-in roles by default:

DBA role: This role has most system privileges.
RESOURCE role: Users with the RESOURCE role can only create database objects in their own schema.
CONNECT role: Users with the CONNECT role have the privilege to connect to databases.
PUBLIC role: This role applies to all users in a tenant. By default, no privilege is granted to the role.
STANDBY_REPLICATION: This role applies to network-based Physical Standby Database scenarios.

Applicability

Currently, only Oracle tenants of OceanBase Database support role management.

For more information about role management in Oracle mode, see Manage roles.

By default, OceanBase Database does not provide built-in system roles in MySQL mode. For more information about role management in MySQL mode, see Manage roles.

Indirect privileges

User privileges are divided into direct and indirect privileges. Direct privileges are the system or object privileges that are granted to a user. Indirect privileges are those that are granted to the roles of a user. Most operations can be performed with direct or indirect privileges. Direct privileges are required to perform the following operations:

When creating a view, the user needs privileges to access objects in a view.
Privileges are required to execute statements in a named PL block with the definers' rights.

Privilege check

The system parses all the privileges required to execute an SQL statement and checks whether you have the corresponding privileges. When you attempt to perform a system operation but you do not have sufficient privileges, an error is returned indicating that you have insufficient privileges. When you attempt to access an object on which you do not have any privilege, an error is returned indicating that the object does not exist. If you have privileges other than the required ones on the object that you want to access, an error is returned indicating that you have insufficient privileges.