IBM Cloud Docs
Creating and managing users, roles, and privileges

IBM Cloud® Databases for DataStax is deprecated and no longer supported as of 30 June 2024. For more information, see the deprecation details.

IBM Cloud® Databases for DataStax uses a system of roles to manage database permissions. Roles are used to give a single user or a group of users a set of privileges.

When you provision a new deployment in IBM Cloud, you are automatically given an admin user to access and manage Databases for DataStax.

User management is described in more detail in the DataStax public documentation.

The admin user

When you provision a new deployment in IBM Cloud, you are automatically given an admin user to access and manage Databases for DataStax. Once you set the admin password, you can use it to connect to your Databases for DataStax deployment.

The ibm User

If you use the shell to list the users on your deployment, you might notice a user that is named ibm. The ibm account is the only superuser on your deployment. A superuser account is not available for you to use. This user is an internal administrative account that manages replication, metrics, and other functions to ensure the stability of your deployment. Changing or deleting the ibm user is not advised because it disrupts the stability of your deployment.

Users who are created through the CLI and the API

Users that you create through the Cloud Databases API and the Cloud Databases CLI are able to log in, create users, and create databases.

Any user who is created by using the Service Credentials UI, API, or CLI has the same privileges as the admin user. When a user creates a resource in a database, like a table, all users that are in the same group have access to that resource. Resources that are created by any of the users are accessible to other users in the group, including the admin user.

By creating users and roles with the database's own functions, you can build more granular access. This procedure is outlined in the DataStax Database roles documentation.

Users that are created directly from the API and CLI do not appear in Service Credentials, but you can add them if you choose.

More Users and Connection Strings

Access to your Databases for DataStax deployment is not limited to the admin user. You can create users by using the Service Credentials pane, the IBM CLI, or through the IBM Cloud Databases API.

All users on your deployment can use the connection strings, including connection strings for either public or private endpoints.

When you create a user, it is assigned certain database roles and privileges. These privileges include the ability to log in, create databases, and create other users. For more information, see the Managing Users, Roles, and Privileges page.

Creating Users in Service Credentials

  1. Navigate to the service dashboard for your service.
  2. Click Service Credentials to open the Service Credentials pane.
  3. Click New Credential.
  4. Choose a descriptive name for your new credential.
  5. (Optional) Specify whether the new credentials use a public or private endpoint. Use either { "service-endpoints": "public" } or { "service-endpoints": "private" } in the Add Inline Configuration Parameters field to generate connection strings that use the specified endpoint. Use of the endpoint is not enforced; the setting only controls which hostnames are in the connection strings. Public endpoints are generated by default.
  6. Click Add to provision the new credentials. A username and password, and an associated database user in the Databases for DataStax database are auto-generated.

The new credentials appear in the table, and the connection strings are available as JSON in a click-to-copy field under View Credentials.

Service credentials example

{
  "connection": {
    "secure": {
      "authentication": {
        "method": "direct",
        "password": "03ba3aed7559482de785ff6b4cf3728f207402e81d3ac116fae01fa98bea7c83",
        "username": "ibm_cloud_389ef649_ebeb_46cb_b7d9_7cdea4934058"
      },
      "bundle": {
        "bundle_base64": "UEsDBBQAAAAIAKeA51CHsQ5LTBUAAEcVAAAIAAAAY2VydC5wZngBRxW46jCCFUMCAQMwghUPBgkqh
        kiG9w0BBwGgghUABIIU/DCCFPgwgg+vBgkqhkiG9w0BBwaggg+gMIIPnAIBADCCD5UGCSqGSIb3DQEHATAcBgoqhkiG9w0B
        DAEGMA4ECDiG6o//9YQIAgIIAICCD2j6zdZ9p8Z0EEKu/ZYI62WGsc2L5KNnJoNOm2eRm0icibFcpj2VebqaPp4bwj+OatU
        pvP3dy+aw54AccLktzUttN2w7bCGv8iUpD3hWYuTjSAsPcJ/U...
                /*** [Redacted] ***/
        ...+8GE6Mf57Xilyczv35uMxQZ2MNaoIGMWJnq4s9l2VBglF5zvonq9m4lCI4FGsrBMn5yhWKgTezXzBBebSPH2hIW5dDUg
        O0eBlxs75NWt+P9tITfGwBhYVtOyXcebcP2dplkFgGyYadIBWdL8X6c7zPpiqLVr6DyQ6IahycxTBVUrJa2bkgL4IAABUD
        wAABwAAAAAAAAABAAAApIFnOAAAY2EuY2VydFBLAQI0AxQAAAAIAKeA51BG87H8vggAAFQPAAAGAAAAAAAAAAEAAACkgUpB
        AABjYS5jcnRQSwECNAMUAAAACACngOdQmBQflKMGAAChCQAABAAAAAAAAAABAAAApIEsSgAAY2VydFBLBQYAAAAACAAIALE
        BAADxUAAAAAA=",
        "name": "bundle.zip"
      },
      "hosts": [
        {
          "hostname": "fd21c05e-28db-4858-9d8f-66651da81d74.bktg0ujl08k42osvn5ig.databases.appdomain.cloud",
          "port": 31868
        }
      ]
    }
  },
  "instance_administration_api": {
    "deployment_id": "crn:v1:staging:public:databases-for-cassandra-development:eu-gb:a/b9552134280015ebfde430a819fa4bb3:fd21c05e-28db-4858-9d8f-66651da81d74::",
    "instance_id": "crn:v1:staging:public:databases-for-cassandra-development:eu-gb:a/b9552134280015ebfde430a819fa4bb3:fd21c05e-28db-4858-9d8f-66651da81d74::",
    "root": "https://api.dev.eu-gb.databases.cloud.ibm.com/v4/ibm"
  }
}

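Command to decode the bundle_base64 value into a .zip file (base64 -D is the macOS form; with GNU coreutils, use base64 -d):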

echo 'pasted bundle contents' | base64 -D > formation_id_endpoint_type.zip
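
A portable way to do the same decode, as an added example that is not part of the original documentation: it reads connection.secure.bundle from a service credential shaped like the JSON above, tolerates line-wrapped base64, verifies the result is a ZIP, and writes it readable by the owner only. The function name write_secure_bundle and the sample credential in the demo are assumptions made for illustration.

```python
import base64
import io
import os
import zipfile


def write_secure_bundle(credentials, dest_dir):
    """Decode connection.secure.bundle into dest_dir; return (path, entries)."""
    try:
        bundle = credentials["connection"]["secure"]["bundle"]
        encoded, name = bundle["bundle_base64"], bundle["name"]
    except (KeyError, TypeError) as exc:
        raise ValueError("credential has no connection.secure.bundle") from exc
    # The value is often pasted with line wraps: drop all whitespace, then
    # decode strictly so stray characters fail instead of being ignored.
    try:
        raw = base64.b64decode("".join(encoded.split()), validate=True)
    except ValueError as exc:
        raise ValueError("bundle_base64 is not valid base64") from exc
    # Confirm the payload is a readable ZIP before it touches disk.
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as archive:
            entries = archive.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("decoded bundle is not a ZIP archive") from exc
    # Keep only the file-name component so "name" cannot redirect the write.
    safe_name = os.path.basename(name.replace("\\", "/"))
    if safe_name in ("", ".", ".."):
        raise ValueError("bundle name is not a usable file name")
    path = os.path.join(dest_dir, safe_name)
    # O_EXCL refuses to overwrite; 0o600 keeps the bundle owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(raw)
    return path, entries


if __name__ == "__main__":
    import tempfile
    buf = io.BytesIO()  # constructed sample bundle, not a real credential
    with zipfile.ZipFile(buf, "w") as sample:
        sample.writestr("ca.crt", "constructed")
    cred = {"connection": {"secure": {"bundle": {
        "bundle_base64": base64.b64encode(buf.getvalue()).decode(),
        "name": "bundle.zip"}}}}
    print(write_secure_bundle(cred, tempfile.mkdtemp()))
```

Loading the credential from a file with json.load keeps the bundle and password out of shell history, which pasting into echo does not.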

Creating Users from the IBM Cloud CLI

To manage your service through the IBM Cloud CLI and the Cloud Databases plug-in, create a new user with cdb user-create. For example, to create a new user for an "example-deployment", use the following command.

ibmcloud cdb user-create example-deployment <newusername> <newpassword>

Once the task finishes, you can retrieve the new user's connection strings with the ibmcloud cdb deployment-connections command.

Creating Users from the API

The Foundation Endpoint that is shown on the Overview pane of your service provides the base URL to access this deployment through the API. To create and manage users, use the base URL with the /users endpoint.

curl -X POST 'https://api.{region}.databases.cloud.ibm.com/v4/ibm/deployments/{id}/users' \
-H "Authorization: Bearer $APIKEY" \
-H "Content-Type: application/json" \
-d '{"username":"jane_smith", "password":"newsupersecurepassword"}'

Once the task finishes, you can retrieve the new user's connection strings from the /users/{userid}/connections endpoint.

Adding users to Service Credentials

Creating a new user from the CLI doesn't automatically populate that user's connection strings into Service Credentials. To add them there, create a new credential with the existing user information.

Enter the username and password in the JSON field Add Inline Configuration Parameters, or specify a file where the JSON information is stored. For example, putting {"existing_credentials":{"username":"Robert","password":"supersecure"}} in the field generates Service Credentials with the username "Robert" and password "supersecure" filled into connection strings.

Generating credentials from an existing user does not check for or create that user.

The CLI Section

CQLSH example

Specify the local file path to the <formation_id>_<endpoint_type>.zip file that you downloaded from your Databases for DataStax Connections pane. For more information, see Getting Connection Strings.

./bin/cqlsh -u username -p password -b /path/to/secure-connect-database_name.zip

More details on connecting with CQLSH are in the DataStax documentation.

Java example

Specify the local file path to the <formation_id>_<endpoint_type>.zip file that you downloaded from your Databases for DataStax Connections pane. For more information, see Getting Connection Strings.

.withCloudSecureConnectBundle(Paths.get(getSecureConnectionBundlePath()))

Set the username and password for your Databases for DataStax database:

.withAuthCredentials(getUserName(),getPassword())

For more information, see the DataStax documentation.