docs: add user permission docs (#2147)

Signed-off-by: Dennis Zhuang <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: killme2008

docs/user-guide/deployments-administration/authentication/static.md

@@ -9,24 +9,79 @@ GreptimeDB offers a simple built-in mechanism for authentication, allowing users
 
 ## Standalone Mode
 
-GreptimeDB reads the user and password on each line using `=` as a separator, just like a command-line config.
-For example, create a file with the following content:
+GreptimeDB reads the user configuration from a file where each line defines a user with their password and optional permission mode.
+
+### Basic Configuration
+
+The basic format uses `=` as a separator between username and password:
 
 ```
 greptime_user=greptime_pwd
 alice=aaa
 bob=bbb
 ```
 
-then start server with `--user-provider` parameter:
+Users configured this way have full read-write access by default.
+
+### Permission Modes
+
+You can optionally specify permission modes to control user access levels. The format is:
+
+```
+username:permission_mode=password
+```
+
+Available permission modes:
+- `rw` or `readwrite` - Full read and write access (default when not specified)
+- `ro` or `readonly` - Read-only access
+- `wo` or `writeonly` - Write-only access
+
+Example configuration with mixed permission modes:
+
+```
+admin=admin_pwd
+alice:readonly=aaa
+bob:writeonly=bbb
+viewer:ro=viewer_pwd
+editor:rw=editor_pwd
+```
+
+In this configuration:
+- `admin` has full read-write access (default)
+- `alice` has read-only access
+- `bob` has write-only access
+- `viewer` has read-only access
+- `editor` has explicitly set read-write access
+
+### Starting the Server
+
+Start the server with the `--user-provider` parameter and set it to `static_user_provider:file:<path_to_file>` (replace `<path_to_file>` with the path to your user configuration file):
 
 ```shell
 ./greptime standalone start --user-provider=static_user_provider:file:<path_to_file>
 ```
 
-Now, user `alice` with password `aaa` and user `bob` with password `bbb` are loaded into GreptimeDB's memory. You can create a connection to GreptimeDB using these user accounts.
+The users and their permissions will be loaded into GreptimeDB's memory. You can create connections to GreptimeDB using these user accounts with their respective access levels enforced.
+
+:::tip Note
+When using `static_user_provider:file`, the file’s contents are loaded at startup. Changes or additions to the file have no effect while the database is running.
+:::
+
+### Dynamic File Reloading
+
+If you need to update user credentials without restarting the server, you can use the `watch_file_user_provider` instead of `static_user_provider:file`. This provider monitors the credential file for changes and automatically reloads it:
+
+```shell
+./greptime standalone start --user-provider=watch_file_user_provider:<path_to_file>
+```
+
+The watch file provider:
+- Uses the same file format as the static file provider
+- Automatically detects file modifications and reloads credentials
+- Allows adding, removing, or modifying users without server restart
+- If the file is temporarily unavailable or invalid, it keeps the last valid configuration
 
-Note: The content of the file is loaded into the database while starting up. Modifying or appending the file won't take effect while the database is up and running.
+This is particularly useful in production environments where you need to manage user access dynamically.
 
 ## Kubernetes Cluster
 

i18n/zh/docusaurus-plugin-content-docs/current/user-guide/deployments-administration/authentication/static.md

@@ -9,27 +9,80 @@ GreptimeDB 提供了简单的内置身份验证机制，允许你配置一个固
 
 ## 单机模式
 
-GreptimeDB 使用 `=` 作为分隔符，读取文件内每行中的用户和密码。
-例如在文件中添加以下内容：
+GreptimeDB 从配置文件中读取用户配置，每行定义一个用户及其密码和可选的权限模式。
+
+### 基本配置
+
+基本格式使用 `=` 作为用户名和密码之间的分隔符：
 
 ```
 greptime_user=greptime_pwd
 alice=aaa
 bob=bbb
 ```
 
-接下来在启动服务端时添加 `--user-provider` 参数：
+以这种方式配置的用户默认拥有完整的读写权限。
+
+### 权限模式
+
+你可以选择性地指定权限模式来控制用户的访问级别。格式为：
+
+```
+username:permission_mode=password
+```
+
+可用的权限模式：
+- `rw` 或 `readwrite` - 完整的读写权限（未指定时的默认值）
+- `ro` 或 `readonly` - 只读权限
+- `wo` 或 `writeonly` - 只写权限
+
+混合权限模式的配置示例：
+
+```
+admin=admin_pwd
+alice:readonly=aaa
+bob:writeonly=bbb
+viewer:ro=viewer_pwd
+editor:rw=editor_pwd
+```
+
+在此配置中：
+- `admin` 拥有完整的读写权限（默认）
+- `alice` 拥有只读权限
+- `bob` 拥有只写权限
+- `viewer` 拥有只读权限
+- `editor` 明确设置了读写权限
+
+### 启动服务器
+
+在启动服务端时，需添加 `--user-provider` 参数，并将其设置为 `static_user_provider:file:<path_to_file>`（请将 `<path_to_file>` 替换为你的用户配置文件路径）：
 
 ```shell
 ./greptime standalone start --user-provider=static_user_provider:file:<path_to_file>
 ```
 
-这样，用户 `alice` 和 `bob` 的账户信息就会被加载到 GreptimeDB 中。你可以使用这些用户连接 GreptimeDB。
+用户及其权限将被载入 GreptimeDB 的内存。使用这些用户账户连接至 GreptimeDB 时，系统会严格执行相应的访问权限控制。
 
 :::tip 注意
-文件的内容只会在启动时被加载到数据库中，在数据库运行时修改或追加的内容不会生效。
+`static_user_provider:file` 模式下，文件的内容只会在启动时被加载到数据库中，在数据库运行时修改或追加的内容不会生效。
 :::
 
+### 动态文件重载
+
+如果你需要在不重启服务器的情况下更新用户凭证，可以使用 `watch_file_user_provider` 替代 `static_user_provider:file`。该 provider 会监控凭证文件的变化并自动重新加载：
+
+```shell
+./greptime standalone start --user-provider=watch_file_user_provider:<path_to_file>
+```
+
+`watch_file_user_provider`的特点：
+- 使用与 `static_user_provider:file` 相同的文件格式
+- 自动检测文件修改并重新加载凭证
+- 允许在不重启服务器的情况下添加、删除或修改用户
+- 如果文件临时不可用或无效，会保持上次有效的配置
+
+这在需要动态管理用户访问的生产环境中特别有用。
+
 ## Kubernetes 集群
 
 你可以在 `values.yaml` 文件中配置鉴权用户。