Manage Users

To create, manage, and remove your cluster's users (which lets you control SQL-level privileges), use the cockroach user command with appropriate flags.

Tip:
You can also use the CREATE USER and DROP USER statements to create and remove users.

Considerations

Subcommands

Subcommand  Usage
get         Retrieve a table containing a user and their hashed password.
ls          List all users.
rm          Remove a user.
set         Create or update a user.

Synopsis

  # Create a user:
  $ cockroach user set <username> <flags>
  # List all users:
  $ cockroach user ls <flags>
  # Display a specific user:
  $ cockroach user get <username> <flags>
  # View help:
  $ cockroach user --help
  $ cockroach user get --help
  $ cockroach user ls --help
  $ cockroach user rm --help
  $ cockroach user set --help

Flags

The user command and subcommands support the following general-use and logging flags.

General

Flag        Description
--password  Enable password authentication for the user; you will be prompted to enter the password on the command line. Password creation is supported only in secure clusters for non-root users. The root user must authenticate with a client certificate and key.
--echo-sql  Reveal the SQL statements sent implicitly by the command-line utility. For a demonstration, see the example below.
--format    How to display table rows printed to the standard output. Possible values: tsv, csv, table, raw, records, sql, html. Default: table for sessions that output on a terminal; tsv otherwise.

Client connection

Flag         Description
--host       The server host and port number to connect to. This can be the address of any node in the cluster. Env Variable: COCKROACH_HOST. Default: localhost:26257
--port, -p   The server port to connect to. Note: The port number can also be specified via --host. Env Variable: COCKROACH_PORT. Default: 26257
--user, -u   The SQL user that will own the client session. Env Variable: COCKROACH_USER. Default: root
--insecure   Use an insecure connection. Env Variable: COCKROACH_INSECURE. Default: false
--certs-dir  The path to the certificate directory containing the CA and client certificates and client key. Env Variable: COCKROACH_CERTS_DIR. Default: ${HOME}/.cockroach-certs/
--url        A connection URL to use instead of the other arguments. Env Variable: COCKROACH_URL. Default: no URL

See Client Connection Parameters for more details.

Currently, only members of the admin role can create users. By default, the root user belongs to the admin role.

Note:

Password creation is supported only in secure clusters for non-root users. The root user must authenticate with a client certificate and key.

Logging

By default, the user command logs errors to stderr.

If you need to troubleshoot this command's behavior, you can change its logging behavior.

Examples

Create a user

Usernames are case-insensitive; must start with either a letter or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters.

  $ cockroach user set jpointsman --certs-dir=certs

Tip:
If you want to allow password authentication for the user, include the --password flag and then enter and confirm the password at the command prompt.

After creating users, you must:

  $ cockroach user set jpointsman --insecure

After creating users, you must grant them privileges to databases.

Log in as a specific user

Secure clusters with client certificates

All users can authenticate their access to a secure cluster using a client certificate issued to their username.

  $ cockroach sql --certs-dir=certs --user=jpointsman

Secure clusters with passwords

Users with passwords can authenticate their access by entering their password at the command prompt instead of using their client certificate and key.

If we cannot find client certificate and key files matching the user, we fall back on password authentication.

  $ cockroach sql --certs-dir=certs --user=jpointsman
  $ cockroach sql --insecure --user=jpointsman

Update a user's password

  $ cockroach user set jpointsman --certs-dir=certs --password

After issuing this command, enter and confirm the user's new password at the command prompt.

Password creation is supported only in secure clusters for non-root users. The root user must authenticate with a client certificate and key.

List all users

  $ cockroach user ls --insecure
  +------------+
  |  username  |
  +------------+
  | jpointsman |
  +------------+

Find a specific user

  $ cockroach user get jpointsman --insecure
  +------------+--------------------------------------------------------------+
  |  username  |                        hashedPassword                        |
  +------------+--------------------------------------------------------------+
  | jpointsman | $2a$108tm5lYjES9RSXSKtQFLhNO.e/ysTXCBIRe7XeTgBrR6ubXfp6dDczS |
  +------------+--------------------------------------------------------------+

Remove a user

Warning:
Removing a user does not remove that user's privileges. Therefore, to prevent a future user with an identical username from inheriting an old user's privileges, it's important to revoke a user's privileges before or after removing the user.

  $ cockroach user rm jpointsman --insecure

Tip:
You can also use the DROP USER SQL statement to remove users.
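
A pre-removal step for the warning above, as an added example that is not part of the CockroachDB documentation: it checks the username against the rules listed under "Create a user" and prints REVOKE statements to run before cockroach user rm. The function names, the bank database, and the ASCII-only reading of "letters" are assumptions; the operator supplies the list of databases to cover.

```shell
#!/bin/sh
# Added example, not CockroachDB code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep [A-Za-z] ranges ASCII-only (assumption)

# valid_username NAME: succeed only if NAME follows the rules on this page:
# starts with a letter or underscore; letters, numbers, underscores only;
# between 1 and 63 characters.
valid_username() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
    case "$1" in
        [!A-Za-z_]*) return 1 ;;       # bad first character
        *[!A-Za-z0-9_]*) return 1 ;;   # bad character anywhere
    esac
    return 0
}

# revoke_plan USER DB...: print REVOKE statements that strip USER's
# privileges on each listed database and on all of its tables.
# Every name is checked before anything is printed, so a rejected name
# yields no partial SQL and nothing unvalidated is interpolated.
revoke_plan() {
    user=$1; shift
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    # Usernames are case-insensitive, so work with the lowercase form.
    user=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    for db in "$@"; do
        # Conservative assumption: apply the same character rules to
        # database names; anything else must be handled by hand.
        valid_username "$db" || { echo "refusing database name: $db" >&2; return 1; }
    done
    for db in "$@"; do
        printf 'REVOKE ALL ON DATABASE %s FROM %s;\n' "$db" "$user"
        printf 'REVOKE ALL ON TABLE %s.* FROM %s;\n' "$db" "$user"
    done
}

# Usage, with the connection flags used on this page ("bank" is a
# constructed database name):
#   revoke_plan jpointsman bank | cockroach sql --certs-dir=certs
#   cockroach user rm jpointsman --certs-dir=certs
```

Review the printed statements before piping them to cockroach sql; the plan covers only the databases named on the command line.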

Reveal the SQL statements sent implicitly by the command-line utility

In this example, we use the --echo-sql flag to reveal the SQL statement sent implicitly by the command-line utility:

  $ cockroach user rm jpointsman --insecure --echo-sql
  > DELETE FROM system.users WHERE username=$1
  DELETE 1

See also
