• Data Warehouse Service

dws
  1. Help Center
  2. Data Warehouse Service
  3. User Guide
  4. Managing Clusters
  5. Configuring Cluster Security Settings
  6. Separating Rights of Roles

Separating Rights of Roles

Scenario

By default, the administrator user created during data warehouse cluster creation is a database system administrator, who can create other users and view the audit logs of the database. The rights separation mode is disabled.

To protect cluster data, DWS supports separation of rights of roles so that different roles have different rights.

For details about the default permission model and the permission model with rights separation enabled, download the Data Warehouse Service Database Developer Guide and refer to section Separation of Rights.

Impact on the System

After you have modified the security parameters and the modifications take effect, the cluster may be restarted, which makes the cluster unavailable temporarily.

Prerequisites

To modify the cluster's security configuration, ensure that the following conditions are met:

  • The Cluster Status is Available or Low performance.
  • The Task Information cannot be Creating snapshot, Scaling out, Configuring, or Restarting.

Procedure

  1. Log in to the management console at https://console.otc.t-systems.com/dws/.
  2. In the navigation tree on the left, click Cluster Management.
  3. In the cluster list, click the name of a cluster. On the page that is displayed, click Security Settings.

    By default, Configuration Status is Synchronized, which indicates that the latest database result is displayed.

  4. On the Security Settings page, specify Security.

    Figure 1 Security configuration
    Table 1 Security parameters

    Parameter

    Description

    Example Value

    Rights Separation

    indicates that Rights Separation is enabled. After Rights Separation is enabled, set the usernames and passwords of the Security Administrator and Audit Administrator. The system automatically creates the two users. You can use the two users to connect to the databases and perform database-related operations.

    indicates that Rights Separation is disabled. By default, Rights Separation is disabled.

    -

    Security Administrator

    The administrator username must:

    • Consist of lowercase letters, digits, or underscores.
    • Start with a lowercase letter or an underscore.
    • Contain 1 to 63 characters.
    • Cannot be a keyword of the DWS database. For details about the keywords of the DWS database, see section Keyword in the Data Warehouse Service Database Developer Guide.

    security_admin

    Password

    The password complexity requirements are as follows:
    • Consists of 8 to 32 characters.
    • Cannot be the same as the username or the username written in reverse order.
    • Must contain at least 3 of the following character types: uppercase letters, lowercase letters, digits, and special characters ~!@#%^&*()-_=+|[{}];:,<.>/?
    • Passes the weak password check.

    Dws_2018!

    Confirm Password

    Enter the password of the security administrator again.

    -

    Audit Administrator

    The administrator username must:

    • Consist of lowercase letters, digits, or underscores.
    • Start with a lowercase letter or an underscore.
    • Contain 1 to 63 characters.
    • Cannot be a keyword of the DWS database. For details about the keywords of the DWS database, see section Keyword in the Data Warehouse Service Database Developer Guide.

    audit_admin

    Password

    The password complexity requirements are as follows:
    • Consists of 8 to 32 characters.
    • Cannot be the same as the username or the username written in reverse order.
    • Must contain at least 3 of the following character types: uppercase letters, lowercase letters, digits, and special characters ~!@#%^&*()-_=+|[{}];:,<.>/?
    • Passes the weak password check.

    Dws_2018!

    Confirm Password

    Enter the password of the audit administrator again.

    -

  5. Click Apply.
  6. In the displayed Save Configuration dialog box, select or deselect Restart the cluster and click OK.

    • If you select Restart the cluster, the system saves the settings on the Security Settings page and restarts the cluster immediately. After the cluster is restarted, the security settings take effect immediately.
    • If you do not select Restart the cluster, the system only saves the settings on the Security Settings page. Later, you need to manually restart the cluster for the security settings to take effect.

    After the security settings are complete, Configuration Status can be one of the following on the Security Settings page:

    • Applying: The system is saving the settings.
    • Synchronized: The settings have been saved and taken effect.
    • Take effect after restart: The settings have been saved but have not taken effect. Restart the cluster for the settings to take effect.