Authentication
The discovery whoami information command lets you check the account on behalf of which the server actually accepts requests:
ydb [connection options] discovery whoami [-g|--groups] [-l|--access-list] [-a|--all]
where [connection options] are the database connection options.
The response includes the account name (User SID). Additional information can be requested using the following options:
- -g, --groups — Show the groups to which the account belongs
- -l, --access-list — Show the access levels granted to the account (administration, monitoring, viewer, database, register node, bootstrap)
- -a, --all — Show all additional information (equivalent to specifying both -g and -l)
The access levels displayed with the -l or -a option reflect the hierarchical access control configuration. For detailed information about access level lists and their hierarchy, see Access level lists in the Authorization documentation.
Only access levels that are granted to the user are listed:
- Database (presence in database_allowed_sids) — Grants the right to access the Embedded UI only as "database users": they can open the UI and see database-scoped data, but not cluster-wide data or cluster-level operations.
- Viewer (presence in viewer_allowed_sids) — Grants the right to access the Embedded UI, without the ability to make changes.
- Monitoring (presence in monitoring_allowed_sids) — Grants the right to perform actions in the Embedded UI that change the system state.
- Administration (presence in administration_allowed_sids) — Grants the right to perform administrative actions on databases or the cluster.
- Register node (presence in register_dynamic_node_allowed_sids) — Grants the right to register dynamic nodes with the cluster.
- Bootstrap (presence in bootstrap_allowed_sids) — Grants the right to perform bootstrap operations.
If authentication is not enabled on the YDB server (for example, in the case of an independent local deployment), the command will fail with an error.
Support for the -g option depends on the server configuration. If disabled, you'll receive User has no groups in response, regardless of the actual inclusion of your account in any groups.
Examples
Basic usage
$ ydb -p quickstart discovery whoami
User SID: aje5kkjdgs0puc18976co@as
With groups
$ ydb -p quickstart discovery whoami -g
User SID: aje5kkjdgs0puc18976co@as
User has no groups
With access list
$ ydb -p quickstart discovery whoami -l
User SID: user1@builtin
Access levels:
Database
Viewer
With all information
$ ydb -p quickstart discovery whoami -a
User SID: admin@builtin
Group SIDs:
all-users@well-known
ADMINS
Access levels:
Database
Viewer
Monitoring
Administration
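An added example, not part of the YDB documentation or tooling: a shell helper that reads discovery whoami -l or -a output and reports any access level outside an expected allow-list, to confirm that an account holds only the grants it needs. The function names whoami_levels and audit_whoami are hypothetical, the sample inputs are built from the example outputs above, and the parser assumes one level per line under "Access levels:" as shown there.

```shell
# Added example (not YDB code): least-privilege check on whoami output.
# Print the entries under "Access levels:", one per line, whitespace trimmed.
whoami_levels() {
    awk '
        /^[ \t]*Access levels:/ { in_levels = 1; next }
        in_levels && /:/        { in_levels = 0 }   # next "Header:" ends the list
        in_levels { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }
    '
}

# audit_whoami "Level1,Level2" < whoami-output
# Returns 0 if every granted level is in the allow-list, 1 (printing the extra
# levels) if not, 2 if the input has no "User SID:" line, e.g. the command failed.
audit_whoami() {
    allowed=$1
    output=$(cat)
    case $output in
        *"User SID:"*) ;;
        *) echo "audit_whoami: no User SID in input" >&2; return 2 ;;
    esac
    extra=$(printf '%s\n' "$output" | whoami_levels | while IFS= read -r level; do
        case ",$allowed," in
            *",$level,"*) ;;                 # expected grant
            *) printf '%s\n' "$level" ;;     # grant beyond the allow-list
        esac
    done)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"; return 1
}

# Sample inputs (constructed from the example outputs on this page).
SAMPLE_USER='User SID: user1@builtin
Access levels:
Database
Viewer'
SAMPLE_ADMIN='User SID: admin@builtin
Group SIDs:
all-users@well-known
ADMINS
Access levels:
Database
Viewer
Monitoring
Administration'

# Live use: ydb -p quickstart discovery whoami -a | audit_whoami "Database,Viewer"
```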