Purpose
You can use this statement to perform the following operations:
Change the password of a database user.
Change the profile used by a database user.
Change the encryption method of database user connections. For more information about how to change user passwords, see SET PASSWORD.
Change the default role of a database user.
Required privileges
To execute this statement to modify information of a user other than the current user, you must have the ALTER USER privilege. For more information about privileges in OceanBase Database, see Privilege types in Oracle mode.
Limitations
You can use a proxy user to connect to OceanBase Database on behalf of the target user through OceanBase Command-Line Client (OBClient). The version of OBClient must be 2.2.6 or later. At present, you cannot connect to OceanBase Database by using a Java driver or a C driver.
Syntax
ALTER USER user_name
{ IDENTIFIED BY password
| PROFILE {"profile_name" | DEFAULT}
| REQUIRE {NONE | SSL | x509 | tls_option_list}
| DEFAULT ROLE
{ role_name[,role_name...]
| ALL [EXCEPT role_name[,role_name...]]
| NONE
}
| GRANT CONNECT THROUGH proxy_user_name [with_clause]
};
tls_option_list:
tls_option
| tls_option_list tls_option
tls_option:
CIPHER str_value
| ISSUER str_value
| SUBJECT str_value
with_clause:
WITH ROLE {role_name[, role_name,...]}
| WITH NO ROLE
| WITH ROLE ALL EXCEPT {role_name[, role_name,...]}
Parameters
| Parameter | Description |
|---|---|
| user_name | The name of the login user or the name of the target user corresponding to the proxy user. |
| IDENTIFIED BY | The new password of the user. |
| PROFILE | The profile used by the user.
|
| REQUIRE | The encryption protocol for the user. Valid values: NONE, SSL, X509, and tls_option_list. |
| DEFAULT ROLE | The default role of the user during login.
|
| GRANT CONNECT THROUGH | Specifies to use a proxy user. For more information about how to use a proxy user, see Use a proxy user. |
| proxy_user_name | The name of the proxy user. After authorization, the proxy user can connect to OceanBase Database on behalf of the target user and perform database operations with the privileges of the target user. |
| with_clause | The roles of the target user that take effect when the proxy user connects to OceanBase Database on behalf of the target user. If this clause is not specified, all roles of the target user take effect when the proxy user connects to OceanBase Database on behalf of the target user. For more information, see with_clause. |
with_clause
Notice
If a role with a password is specified, you must execute the SET ROLE role_name IDENTIFIED BY role_password; statement to activate the role after you connect to OceanBase Database.
WITH ROLE {role_name[, role_name,...]}: specifies to automatically obtain and activate the specified roles of the target user when the proxy user connects to OceanBase Database on behalf of the target user. In this case, only the specified roles of the target user take effect.WITH NO ROLE: specifies not to automatically obtain any roles of the target user when the proxy user connects to OceanBase Database on behalf of the target user. In this case, none of roles of the target user takes effect.WITH ROLE ALL EXCEPT {role_name[ ,role_name,...]}: specifies to automatically obtain and activate all roles of the target user other than the specified roles when the proxy user connects to OceanBase Database on behalf of the target user.
Examples
Change the password of
user1.obclient> ALTER USER user1 IDENTIFIED BY ******; Query OK, 0 rows affectedChange the connection encryption protocol to
SSLforuser1.obclient> ALTER USER user1 REQUIRE SSL; Query OK, 0 rows affectedChange the profile used by
user1toprofile1.obclient> ALTER USER user1 PROFILE "profile1"; Query OK, 0 rows affectedSet the default roles of
user1.obclient> CREATE ROLE role1; Query OK, 0 rows affected obclient> CREATE ROLE role2 IDENTIFIED BY ******; Query OK, 0 rows affected obclient> CREATE ROLE role3 IDENTIFIED BY ******; Query OK, 0 rows affected obclient> GRANT role1,role2,role3 TO user1; Query OK, 0 rows affected obclient> ALTER USER user1 DEFAULT ROLE role1; Query OK, 0 rows affectedNote
user1can directly use the privileges ofrole1. To use the privileges ofrole2androle3,user1must first enablerole2androle3in the session.For more information about the statement for enabling roles, see SET ROLE.