Purpose
This statement is mainly used to perform the following operations:
Change the password of a database user.
Modify the profile used by a database user.
To modify the encryption method for database user connections, see SET PASSWORD for other methods of changing a user's password.
End the password rotation period early in a password rotation scenario.
Modify the default role of a database user's roles.
Privilege requirements
In addition to the modification commands that the current user can execute, other users must have the ALTER USER privilege to execute this command to modify the information of other users. For more information about OceanBase Database privileges, see Privilege types in Oracle-compatible mode.
Limitations
When connecting to a database on behalf of a target user using a proxy user, only OBClient is currently supported, and the OBClient version must be V2.2.6 or later. Connecting to the database using Java drivers or C drivers is not currently supported.
Syntax
ALTER USER user_name
{ IDENTIFIED BY password
| IDENTIFIED WITH auth_plugin [BY password]
| EXPIRE PASSWORD ROLLOVER PERIOD
| PROFILE {"profile_name" | DEFAULT}
| REQUIRE {NONE | SSL | x509 | tls_option_list}
| DEFAULT ROLE
{ role_name[,role_name...]
| ALL [EXCEPT role_name[,role_name...]]
| NONE
}
| GRANT CONNECT THROUGH proxy_user_name [with_clause]
};
tls_option_list:
tls_option
| tls_option_list tls_option
tls_option:
CIPHER str_value
| ISSUER str_value
| SUBJECT str_value
with_clause:
WITH ROLE {role_name[, role_name,...]}
| WITH NO ROLE
| WITH ROLE ALL EXCEPT {role_name[, role_name,...]}
Parameters
Parameter |
Description |
|---|---|
| user_name | Specifies the username or the target username of the proxy. |
| IDENTIFIED BY | Specify the new password for the user. |
| IDENTIFIED WITH | Specify the authentication plugin and its corresponding authentication information. Supported authentication plugins include:caching_sha2_password(The password authentication plugin based on SHA-256). BY password: specifies the plaintext password.
NoteThe |
| EXPIRE PASSWORD ROLLOVER PERIOD | In a password rotation scenario, you can use this parameter to end the rotation period early, causing old passwords to immediately become invalid and retaining only the current password.
NoteThis parameter is supported starting with V4.4.2 BP1. |
| PROFILE | Specifies the profile used by the user.
|
| REQUIRE | Specify the encryption protocol used by the user asNONE、SSL、X509andtls_option_listOne of the following. |
| DEFAULT ROLE | Specifies the default role for a user when logging in.
|
| GRANT CONNECT THROUGH | Specify to use a proxy user. For more examples of using proxy users, see Use a proxy user. |
| proxy_user_name | Proxy username. After authorization, this user can connect to the database on behalf of the target user and perform database operations using the target user's role permissions. |
| with_clause | Specifies the role privileges that take effect when the proxy user connects to the database on behalf of the target user. If this clause is not specified, all role privileges of the target user take effect by default when the proxy user connects to the database on their behalf. For more information, see with_clause. |
with_clause
Notice
When specifying the role privileges of a proxy user, for role privileges that require a password, you must manually activate the role by executing the SET ROLE role_name IDENTIFIED BY role_password; command after connecting to the database.
WITH ROLE {role_name[, role_name,...]}: Specifies that when the proxy user connects to the database on behalf of the target user, it automatically acquires and activates the specified role privileges. That is, only the role privileges specified for the target user take effect.WITH NO ROLE: When the proxy user connects to the database on behalf of the target user, it will not automatically acquire any role privileges of the target user. In other words, all role privileges of the target user will be ineffective.WITH ROLE ALL EXCEPT {role_name[ ,role_name,...]}: Specifies that when the proxy user connects to the database on behalf of the target user, it automatically acquires and activates all roles of the target user except for the specified role.
Examples
Change the password of user
user1.obclient> ALTER USER user1 IDENTIFIED BY ******; Query OK, 0 rows affectedChange the authentication plugin for user
user1tocaching_sha2_password.obclient> ALTER USER user1 IDENTIFIED WITH caching_sha2_password BY ******; Query OK, 0 rows affectedChange the connection encryption protocol for user
user1toSSL.obclient> ALTER USER user1 REQUIRE SSL; Query OK, 0 rows affectedChange the profile used by user
user1toprofile1.obclient> ALTER USER user1 PROFILE "profile1"; Query OK, 0 rows affectedEnd the password rotation cycle for user
user1early in a password rotation scenario.obclient> ALTER USER user1 EXPIRE PASSWORD ROLLOVER PERIOD; Query OK, 0 rows affectedSet the default role for user
user1.obclient> CREATE ROLE role1; Query OK, 0 rows affected obclient> CREATE ROLE role2 IDENTIFIED BY ******; Query OK, 0 rows affected obclient> CREATE ROLE role3 IDENTIFIED BY ******; Query OK, 0 rows affected obclient> GRANT role1,role2,role3 TO user1; Query OK, 0 rows affected obclient> ALTER USER user1 DEFAULT ROLE role1; Query OK, 0 rows affectedNote
User
user1can directly use the privileges ofrole1. To use the privileges ofrole2androle3, useruser1must enable these roles in the session.For more information about the SET ROLE command, see SET ROLE.
