6. User management#

This page describes the query‑language commands that create, inspect, modify, and delete QuasarDB users, as well as the GRANT statement for table‑level privileges. Everything shown here runs in qdbsh while the cluster is online; no knowledge of configuration files is required.

6.1. Overview#

  • Users are identified by a unique UID and a unique username.

  • Each account stores a public key on the server. The user holds the matching private key locally.

  • Privileges are additive—you can add or drop rights at any time. Default privileges apply to objects that do not have explicit grants.

  • USER_SECURITY_FILE is a path on the server that contains the user’s public key.

6.2. Syntax summary#

CREATE USER '<name>' UID=<int> USER_SECURITY_FILE='<path>'
             [PRIVILEGES={ <list> | ALL | DENIED }]
             [SUPERUSER] [DISABLED]

ALTER USER '<name>'
             [SET PRIVILEGES={ <list> | ALL | DENIED }]
             [ADD PRIVILEGES=<list>]
             [DROP PRIVILEGES=<list>]
             [SET SUPERUSER=<bool>]
             [SET DISABLED=<bool>]

DROP USER '<name>' [, '<name2>' …]

SHOW USER '<name>' [, '<name2>' …]
SHOW USERS

RELOAD USER CONFIG      -- re‑reads the on‑disk user list

GRANT <privileges>
  ON { <entries> | <find_expression> }
  TO <grantees>

find_expression ::=
  FIND ( { <type_expression> | <tag_expression> | NOT <tag_expression> } [ AND … ] )

tag_expression  ::= TAG  = 'tag_name'
type_expression ::= TYPE = { BLOB | DEQUE | HSET | INT | INTEGER | STREAM | TAG | TS }

6.3. Commands#

6.3.1. CREATE USER#

Adds a new account.

Parameters
UID

Positive integer, unique in the cluster.

USER_SECURITY_FILE

Absolute or relative path on the server containing the public key.

PRIVILEGES

Initial default privileges: comma‑separated list, ALL, or DENIED.

SUPERUSER

Grants full system privileges.

DISABLED

Creates the user but prevents login until re‑enabled.

Example
CREATE USER 'analyst' UID=2
  USER_SECURITY_FILE='/etc/qdb/analyst.pub'
  PRIVILEGES=SELECT;

6.3.2. ALTER USER#

Changes flags or privileges of an existing account.

Operations

  • SET PRIVILEGES=… — overwrite the default set.

  • ADD PRIVILEGES=… — merge additional rights.

  • DROP PRIVILEGES=… — remove specific rights.

  • SET SUPERUSER=<bool>

  • SET DISABLED=<bool>

Example
ALTER USER 'analyst' ADD PRIVILEGES=SET_TRANSACTION;
ALTER USER 'analyst' SET DISABLED=false;

6.3.3. DROP USER#

Removes one or more accounts and all explicit grants they hold.

DROP USER 'analyst', 'intern';

6.3.4. SHOW USER(S)#

Displays the attributes of one account or all accounts.

SHOW USER 'analyst';
SHOW USERS;

6.3.5. RELOAD USER CONFIG#

Forces the server to reload the user list from disk. Use this after you edit the file outside of SQL commands.

6.3.6. GRANT#

Grants table‑level privileges to specific users, overriding their defaults.

Synopsis
GRANT <privileges>
  ON { <entries> | <find_expression> }
  TO <grantees>
Parameters
privileges

Comma‑separated list such as SELECT,INSERT. The set merges with any existing grant on the same entry.

entries

Explicit table names.

find_expression

Tag‑based selection; see find_expression syntax above.

grantees

One or more usernames.

Examples
-- Bob gains INSERT on two tables
GRANT INSERT ON trades, orders TO 'Bob';

-- Grant SELECT on all time‑series tagged "stocks"
GRANT SELECT ON FIND(tag='stocks' AND type=ts) TO 'Alice';

6.4. End‑to‑end sample#

The snippet below runs top‑to‑bottom without modification.

-- Bootstrap a superuser
CREATE USER 'admin' UID=1 USER_SECURITY_FILE='/etc/qdb/admin.pub' SUPERUSER;

-- Read‑only analyst
CREATE USER 'analyst' UID=2 USER_SECURITY_FILE='/etc/qdb/analyst.pub' PRIVILEGES=SELECT;

-- Fine‑grained privilege on one table
GRANT INSERT ON trades TO 'analyst';

-- Analyst needs transactional control later
ALTER USER 'analyst' ADD PRIVILEGES=SET_TRANSACTION;

-- Review current accounts
SHOW USERS;

-- Analyst leaves the company
DROP USER 'analyst';