Initial cluster security configuration
Initial security is configured automatically when the YDB cluster starts for the first time.
During this process, YDB creates a superuser and a set of roles for managing user access.
Note
For information about overriding and skipping the initial security configuration, see the sections "Overriding initial security configuration" and "Skipping initial security configuration" below.
Roles
| Role | Description |
|---|---|
| ADMINS | Provides unlimited access rights for the entire YDB cluster scheme. |
| DATABASE-ADMINS | Provides access rights to manage databases, their scheme, and scheme access rights. No data access. |
| ACCESS-ADMINS | Provides access rights to manage scheme access rights. No data access. |
| DDL-ADMINS | Provides access rights to manage the scheme. No data access. |
| DATA-WRITERS | Provides access rights for scheme objects, including reading and modifying data. |
| DATA-READERS | Provides access rights for scheme objects and reading data. |
| METADATA-READERS | Provides access rights for scheme objects. No data access. |
| USERS | Provides access rights for databases. This is a common group for all users. |
Groups
Roles in YDB are implemented as a hierarchy of user groups and a set of access rights for these groups. Access rights for the groups are granted on the cluster scheme root.
Groups can be nested, and a child group inherits the access rights of its parent group.
For example, users in the DATA-WRITERS group are allowed to:
- View the scheme (inherited from METADATA-READERS)
- Read data (inherited from DATA-READERS)
- Change data (granted to DATA-WRITERS)
Users in the DDL-ADMINS group are allowed to:
- View the scheme (inherited from METADATA-READERS)
- Change the scheme (granted to DDL-ADMINS)
Users in the ADMINS group are allowed to perform all operations on the scheme and data.
Superuser
The superuser belongs to the ADMINS and USERS groups and has full access rights to the cluster scheme.
By default, the superuser is the root user, created with an empty password.
A group for all users
The USERS group is a common group for all local users. When you add new users, they are automatically added to the USERS group.
For more information about managing groups and users, see Authorization.
Overriding initial security configuration
You can override the initial security configuration with a custom set of users, groups, and access rights.
To specify the custom users, groups, and access rights to be created during the initial security configuration, define the default_users, default_groups, and/or default_access parameters in the security_config section of the cluster configuration file.
Skipping initial security configuration
You can skip initial security configuration by setting the security_config.disable_builtin_security parameter to true.
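The following security_config fragment is an added example and is not taken from the YDB documentation. It shows the override described above (a superuser created with a non-empty password, plus the ADMINS and USERS groups and their rights on the scheme root) next to the disable_builtin_security switch. The nested keys name, password and members, and the access-rights string notation in default_access, are assumptions about the configuration schema that this page does not show; the password value is a placeholder.

```yaml
# security_config section of the YDB cluster configuration file (added example).
# Key names below default_users / default_groups / default_access are assumed,
# not taken from this page.
security_config:
  # Override the built-in superuser: same name, but no empty password.
  default_users:
    - name: root
      password: "<PLACEHOLDER: supply from a secret store, never commit>"

  # Recreate the two groups the superuser must belong to.
  default_groups:
    - name: ADMINS
      members:
        - root
    - name: USERS
      members:
        - root

  # Rights granted on the cluster scheme root. The "+(RIGHTS):GROUP" notation
  # is an assumption about YDB's ACL syntax; adjust to the documented format.
  default_access:
    - "+(CDB|DDB|GAR):ADMINS"
    - "+(ConnDB):USERS"

  # Alternative: skip initial security configuration entirely. When this is
  # true, none of the users, groups, or rights above are created, so users and
  # rights must be provisioned by another means before the cluster is exposed.
  # disable_builtin_security: true
```

Only one of the two approaches applies at a time: setting disable_builtin_security to true makes the default_* overrides irrelevant.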