12.3. Defining Users and Roles

Documentation

VoltDB Home » Documentation » Using VoltDB
< previoustable of contentsnext >

12.3. Defining Users and Roles

The key to security for VoltDB applications is the users and roles defined in the schema and configuration. You define users in the configuration file and roles in the schema.

This split is deliberate because it allows you to define the overall security structure globally in the schema, assigning permissions to generic roles (such as operator, dbuser, apps, and so on). You then define specific users and assign them to the generic roles as part of the database configuration. This way you can create one configuration (including cluster information and users) for development and testing, then move the database to a different configuration and a different set of users for production by changing only one file: the configuration file.

You define users within the <users> ... </users> tag set in the configuration file. The syntax for defining users is as follows.

<deployment>
   <users>
      <user name="user-name" 
            password="password-string" 
            roles="role-name[,...]"  />
        [ ... ]
   </users>
   ...
</deployment>

Note

If you do not want to distribute the account passwords in plain text, you can use the voltdb mask command to hash the passwords in the configuration file.

Include a <user> tag for every username/password pair you want to define. You specify which roles a user belongs to as part of the user definition in the configuration file using the roles attribute to the <user> tag. You can assign users built-in roles, user-defined roles, or both. For user-defined roles, you define the roles in the database schema using the CREATE ROLE statement.

CREATE ROLE role-name;

Note that at least one user must be assigned the built-in ADMINISTRATOR role. For example, the following code defines three users, assigning operator the built-in ADMINISTRATOR role and the user-defined OPS role, assigning developer the user-defined roles OPS and DBUSER, and assigning the user clientapp DBUSER. When a user is assigned more than one role, you specify the role names as a comma-delimited list.

<deployment>
   <users>
      <user name="operator" password="mech" roles="administrator, ops" />
      <user name="developer" password="tech" roles="ops,dbuser" />
      <user name="clientapp" password="xyzzy" roles="dbuser" />
   </users>

</deployment>

Three important notes concerning the assignment of users and roles:

  • Users must be assigned at least one role, or else they have no permissions. (Permissions are assigned by role.)

  • At least one user must be assigned the built-in ADMINISTRATOR role.

  • There must be a corresponding role defined in the schema for any user-defined roles listed in the configuration file.

< previoustable of contentsnext >