Credentials
Tarantool enables flexible management of access to various database resources by providing specific privileges to users. You can read more about the main concepts of Tarantool access control system in the authentication section.
This topic describes how to create users and grant them the specified
privileges in the credentials
section of a YAML configuration. For example, you can define users with
the replication and sharding roles to maintain
replication and
sharding in a Tarantool cluster.
You can create new or configure credentials of the existing users in the credentials.users section.
In the example below, a dbadmin user without a password is created:
credentials:users:dbadmin: {}
To set a password, use the credentials.users. option:
credentials:users:dbadmin:password: 'T0p_Secret_P@$$w0rd'
To assign a role to a user, use the
credentials.users. option. In this example, the
dbadmin user gets privileges granted to the super built-in role:
credentials:users:dbadmin:password: 'T0p_Secret_P@$$w0rd'roles: [ super ]
To create a new role, define it in the
credentials.roles.*
section. In the example below, the writers_space_reader role gets
privileges to select data in the writers space:
roles:writers_space_reader:privileges:- permissions: [ read ]spaces: [ writers ]
Then, you can assign this role to a user using
credentials.users. (sampleuser in the example
below):
sampleuser:password: '123456'roles: [ writers_space_reader ]
You can grant specific privileges directly using
credentials.users.. In this example,
sampleuser gets privileges to select and modify data in the books
space:
sampleuser:password: '123456'roles: [ writers_space_reader ]privileges:- permissions: [ read, write ]spaces: [ books ]
You can find the full example here: credentials.
Revoking privileges from a user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To revoke a previously granted privilege, remove it from the configuration.
For example, here is how to grant privileges to a space and how to revoke one of the privileges:
# grant privileges:
If you want to revoke the remaining privilege to from a space, you can
remove it, too, thus making permissions an empty array:
# empty permissions array:privileges:- permissions: [] # !! read permission revoked !!spaces: [books]
You can revoke all privileges by making the privileges an empty array:
# empty privileges array:
Tarantool enables you to load secrets from safe storage such as external
files or environment variables. To do this, you need to define
corresponding options in the
config.context
section. In the examples below, context.dbadmin_password and
context.sampleuser_password define how to load user passwords from
*.txt files or environment variables:
- This example shows how to load passwords from
*.txtfiles:
config:context:dbadmin_password:from: filefile: secrets/dbadmin_password.txtrstrip: truesampleuser_password:from: filefile: secrets/sampleuser_password.txtrstrip: true
- This example shows how to load passwords from environment variables:
config:context:dbadmin_password:from: envenv: DBADMIN_PASSWORDsampleuser_password:from: envenv: SAMPLEUSER_PASSWORD
These environment variables should be set before starting instances.
After configuring how to load passwords, you can set password values using credentials.users. as follows:
credentials:users:dbadmin:password: '{{ context.dbadmin_password }}'sampleuser:password: '{{ context.sampleuser_password }}'
You can find the full examples here: credentials_context_file, credentials_context_env.