security_config

The security_config section defines authentication modes, the initial configuration of local users and groups, and their access rights.

security_config:
  # authentication mode configuration
  enforce_user_token_requirement: false
  enforce_user_token_check_requirement: false
  default_user_sids: <authentication token for anonymous requests>
  all_authenticated_users: <group name for all authenticated users>
  all_users_group: <group name for all users>

  # initial security configuration
  default_users: <default user list>
  default_groups: <default group list>
  default_access: <default access rights on the cluster scheme root>

  # access list configuration
  database_allowed_sids: <list of SIDs that are allowed to view database state>
  viewer_allowed_sids: <list of SIDs that are allowed to view the cluster state>
  monitoring_allowed_sids: <list of SIDs that are allowed to monitor and change the cluster state>
  administration_allowed_sids: <list of SIDs that are allowed cluster administration>
  bootstrap_allowed_sids: <list of SIDs allowed to bootstrap the cluster>
  register_dynamic_node_allowed_sids: <list of SIDs that are allowed to register database nodes in the cluster>

  # built-in security configuration
  disable_builtin_security: false
  disable_builtin_groups: false
  disable_builtin_access: false

Configuring Authentication Mode

Parameter

Description

enforce_user_token_requirement

Selects user authentication mode.

  • enforce_user_token_requirement: true — User authentication is mandatory. Requests to YDB must include an auth token.

    Requests to YDB undergo authentication and authorization.

  • enforce_user_token_requirement: false — User authentication is optional. Requests to YDB are not required to include an auth token.

    Requests without an auth token are processed in anonymous mode without authorization.

    Requests with an auth token undergo authentication and authorization. However, requests are still processed in anonymous mode if an authentication error occurs.

    When enforce_user_token_check_requirement: true, requests with authentication errors are blocked.

If the default_user_sids parameter is defined and not empty (see the description below), its value is used instead of the missing auth token. In this case, authentication and authorization are performed for the access subject defined in default_user_sids.

Default value: false.

enforce_user_token_check_requirement

Forbids ignoring authentication errors in the enforce_user_token_requirement: false mode.

Default value: false.

default_user_sids

Specifies a list of SIDs for authenticating incoming requests without an auth token.

default_user_sids acts as an auth token for anonymous requests. The first element in the list must be a user SID. The following elements must be the SIDs of groups to which the user belongs.

If the default_user_sids list is not empty, mandatory authentication mode (enforce_user_token_requirement: true) can be used for anonymous requests. This mode can be used in some YDB testing scenarios or for educational purposes in local YDB installations.

Default value: empty.

all_authenticated_users

Specifies the name of the virtual group that includes all authenticated users.

This virtual group is created automatically by YDB. You cannot delete this virtual group, list its members, or modify them.
You can use this group to grant access rights on scheme objects.

Tip

You can get information about access rights on scheme objects in the system views. For more information see, {#T}.

Default value: all-users@well-known.

all_users_group

Specifies the name of the group that includes all local users.

If all_users_group is not empty, all local users will be added to the group with this name upon creation. The group specified in this parameter must exist when new users are added.

The all_users_group parameter is used during the initialization of built-in security.

Default value: empty.

The following diagram displays the relationship between authentication mode parameters described above:

Bootstrapping Security

The default_users, default_groups, and default_access parameters affect the initial YDB cluster configuration that occurs when YDB starts for the first time. During subsequent runs, the initial configuration is not repeated, and these parameters are ignored.

See Initial cluster security configuration and the related domains_config parameters.

Parameter

Description

default_users

The list of users to be created when the YDB cluster starts for the first time.

The list consists of login-password pairs. The first user in the list is a superuser.

Warning

Passwords are specified in plain text, so it is unsafe to use them for an extended period. You must change these passwords in YDB after the first start. For example, use the ALTER USER statement.

Example:

default_users:
- name: root
  password: <...>
- name: user1
  password: <...>

Errors in the default_users list, such as duplicate logins, are logged but do not affect YDB cluster startup.

default_groups

The list of groups to be created when the YDB cluster starts for the first time.

The list includes groups and their members.

Warning

These groups are created for the entire YDB cluster.

Example:

default_groups:
- name: ADMINS
  members: root
- name: USERS
  members:
  - ADMINS
  - root
  - user1

The order of groups in this list matters: groups are created in the order in which they appear in the default_groups parameter. Group members must exist before the group is created. Nonexistent users will not be added to the group.

Failures to add users to groups are logged but do not affect the YDB cluster startup.

default_access

The list of access rights to be granted on the cluster scheme root.

Access rights are specified using the short access control notation.

Example:

default_access:
- +(CDB|DDB|GAR):ADMINS
- +(ConnDB):USERS

Errors in access right entries are logged but do not affect YDB cluster startup. Access rights with errors will not be granted.

Configuring Administrative and Other Privileges

Access level lists are configured in the security_config section. For detailed information about access level lists, their hierarchy, and how they work, see Access level lists in the Authorization documentation.

Parameter

Description

database_allowed_sids

The list of SIDs with the database access level.

This level is less privileged than viewer. Subjects can only operate within a database scope — backend calls without a specified database are forbidden. Cluster-level requests (e.g., listing cluster nodes) return 403. Database-scoped requests (e.g., database pages in Embedded UI) work normally.

Intended for applications or users restricted to a single database.

viewer_allowed_sids

The list of SIDs with the viewer access level.

This level allows viewing the cluster state, which is not publicly accessible (including most pages in the Embedded UI). No changes are allowed.

monitoring_allowed_sids

The list of SIDs with the monitoring access level.

This level grants additional privileges to monitor and modify the cluster state. For example, it allows performing a backup, restoring a database, or executing YQL statements in the Embedded UI.

administration_allowed_sids

The list of SIDs with the administration access level.

This level grants privileges to administer the YDB cluster and its databases.

Also used for config changes, scheme operations requiring admin privileges, and other administrative checks.

An empty list means any user is treated as an administrator.

bootstrap_allowed_sids

The list of SIDs that are allowed to perform cluster bootstrap.

Used to initially bootstrap the cluster from an uninitialized state (when the auth subsystem is not yet functional). Bootstrap is allowed if the subject is in bootstrap_allowed_sids or administration_allowed_sids.

bootstrap_allowed_sids allows specific identities to bootstrap the cluster without granting full administration privileges.

register_dynamic_node_allowed_sids

The list of SIDs that are allowed to register database nodes.

For technical reasons, this list must include root@builtin.

Warning

The access level lists are empty by default.

An empty list means "allow any user" — any SID is acceptable (or no SID at all if anonymous access is allowed). Empty administration_allowed_sids grants any user administrator privileges; empty viewer_allowed_sids (with other UI lists empty) allows any user viewer-level access to Embedded UI. If all four hierarchical lists are empty, any user has full administrative access.

For a secure YDB deployment, plan the access model beforehand and define the group lists before starting the cluster for the first time.

Access level lists can contain user or group SIDs. A subject matches a list if it contains their user SID or any of their group SIDs (including nested groups) — a single match is sufficient.

It is recommended to add user groups and separate service accounts to the *_allowed_sids access level lists. This way, granting access levels to individual users does not require changing the YDB cluster configuration.

Where the lists are used:

  • database_allowed_sids, viewer_allowed_sids, monitoring_allowed_sids, administration_allowed_sids
    To access Embedded UI and viewer HTTP endpoints.

  • administration_allowed_sids
    For all administrative checks.

  • bootstrap_allowed_sids
    Only for cluster bootstrap operation.

  • register_dynamic_node_allowed_sids
    For registering nodes in a cluster (discovery service and cms subsystem).

Note

Access level lists represent layers of additional privileges:

  • An access subject that is not included in any access level list can view only publicly available information about the cluster (for example, a list of databases on the cluster or a list of cluster nodes).
  • The database_allowed_sids list defines the "database" role: these users are less privileged than viewers and cannot issue any backend call without specifying a database; cluster-wide requests are not allowed.
  • The viewer_allowed_sids, monitoring_allowed_sids, and administration_allowed_sids lists form a hierarchy: administration implies monitoring and viewer; monitoring implies viewer. A subject only needs to be in the one list that matches their role — inclusion in a higher list automatically grants all lower privileges.

For example:

  • A user of a database (e.g. an application that must stay database-scoped) should be added only to database_allowed_sids.
  • A viewer should be added only to viewer_allowed_sids.
  • A monitoring user should be added only to monitoring_allowed_sids (they automatically get viewer privileges).
  • An administrator should be added only to administration_allowed_sids (they automatically get monitoring and viewer privileges).

Built-in Security Configuration

The disable_builtin_security, disable_builtin_groups, and disable_builtin_access flags affect the built-in security configuration that occurs when YDB starts for the first time.

Parameter

Description

disable_builtin_security

Disable the built-in security configuration.
Built-in security configuration automatically creates a root superuser, a set of built-in user groups, and grants access rights to these groups at the root of the cluster.

This flag is not saved in the cluster configuration.

Default value: false.

disable_builtin_groups

Do not create built-in user groups even if the default user groups are not specified in the security_config.default_groups parameter.

Default value: false

disable_builtin_access

Do not add access rights at the root of the cluster scheme for the built-in user groups even if the default access rights are not specified in the security_config.default_access parameter.

Default value: false
Previous
resource_broker_config
Next
tls