diff --git a/docs/user-guide/deployments-administration/authentication/static.md b/docs/user-guide/deployments-administration/authentication/static.md index e861015ff..15e77061c 100644 --- a/docs/user-guide/deployments-administration/authentication/static.md +++ b/docs/user-guide/deployments-administration/authentication/static.md @@ -9,8 +9,11 @@ GreptimeDB offers a simple built-in mechanism for authentication, allowing users ## Standalone Mode -GreptimeDB reads the user and password on each line using `=` as a separator, just like a command-line config. -For example, create a file with the following content: +GreptimeDB reads the user configuration from a file where each line defines a user with their password and optional permission mode. + +### Basic Configuration + +The basic format uses `=` as a separator between username and password: ``` greptime_user=greptime_pwd 
@@ -18,15 +21,67 @@ alice=aaa bob=bbb ``` -then start server with `--user-provider` parameter: +Users configured this way have full read-write access by default. + +### Permission Modes + +You can optionally specify permission modes to control user access levels. The format is: + +``` +username:permission_mode=password +``` + +Available permission modes: +- `rw` or `readwrite` - Full read and write access (default when not specified) +- `ro` or `readonly` - Read-only access +- `wo` or `writeonly` - Write-only access + +Example configuration with mixed permission modes: + +``` +admin=admin_pwd +alice:readonly=aaa +bob:writeonly=bbb +viewer:ro=viewer_pwd +editor:rw=editor_pwd +``` + +In this configuration: +- `admin` has full read-write access (default) +- `alice` has read-only access +- `bob` has write-only access +- `viewer` has read-only access +- `editor` has explicitly set read-write access + +### Starting the Server + +Start the server with the `--user-provider` parameter and set it to `static_user_provider:file:` (replace `` with the path to your user configuration file): ```shell ./greptime standalone start --user-provider=static_user_provider:file: ``` -Now, user `alice` with password `aaa` and user `bob` with password `bbb` are loaded into GreptimeDB's memory. You can create a connection to GreptimeDB using these user accounts. +The users and their permissions will be loaded into GreptimeDB's memory. You can create connections to GreptimeDB using these user accounts with their respective access levels enforced. + +:::tip Note +When using `static_user_provider:file`, the file’s contents are loaded at startup. Changes or additions to the file have no effect while the database is running. +::: + +### Dynamic File Reloading + +If you need to update user credentials without restarting the server, you can use the `watch_file_user_provider` instead of `static_user_provider:file`. 
This provider monitors the credential file for changes and automatically reloads it: + +```shell +./greptime standalone start --user-provider=watch_file_user_provider: +``` + +The watch file provider: +- Uses the same file format as the static file provider +- Automatically detects file modifications and reloads credentials +- Allows adding, removing, or modifying users without server restart +- If the file is temporarily unavailable or invalid, it keeps the last valid configuration -Note: The content of the file is loaded into the database while starting up. Modifying or appending the file won't take effect while the database is up and running. +This is particularly useful in production environments where you need to manage user access dynamically. ## Kubernetes Cluster diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/user-guide/deployments-administration/authentication/static.md b/i18n/zh/docusaurus-plugin-content-docs/current/user-guide/deployments-administration/authentication/static.md index 2802161cd..9427d1d85 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/user-guide/deployments-administration/authentication/static.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/user-guide/deployments-administration/authentication/static.md @@ -9,8 +9,11 @@ GreptimeDB 提供了简单的内置身份验证机制,允许你配置一个固 ## 单机模式 -GreptimeDB 使用 `=` 作为分隔符,读取文件内每行中的用户和密码。 -例如在文件中添加以下内容: +GreptimeDB 从配置文件中读取用户配置,每行定义一个用户及其密码和可选的权限模式。 + +### 基本配置 + +基本格式使用 `=` 作为用户名和密码之间的分隔符: ``` greptime_user=greptime_pwd 
@@ -18,18 +21,68 @@ alice=aaa bob=bbb ``` -接下来在启动服务端时添加 `--user-provider` 参数: +以这种方式配置的用户默认拥有完整的读写权限。 + +### 权限模式 + +你可以选择性地指定权限模式来控制用户的访问级别。格式为: + +``` +username:permission_mode=password +``` + +可用的权限模式: +- `rw` 或 `readwrite` - 完整的读写权限(未指定时的默认值) +- `ro` 或 `readonly` - 只读权限 +- `wo` 或 `writeonly` - 只写权限 + +混合权限模式的配置示例: + +``` +admin=admin_pwd +alice:readonly=aaa +bob:writeonly=bbb +viewer:ro=viewer_pwd +editor:rw=editor_pwd +``` + +在此配置中: +- `admin` 拥有完整的读写权限(默认) +- `alice` 拥有只读权限 +- `bob` 拥有只写权限 +- `viewer` 拥有只读权限 +- `editor` 明确设置了读写权限 + +### 启动服务器 + +在启动服务端时,需添加 `--user-provider` 参数,并将其设置为 `static_user_provider:file:`(请将 `` 替换为你的用户配置文件路径): ```shell ./greptime standalone start --user-provider=static_user_provider:file: ``` -这样,用户 `alice` 和 `bob` 的账户信息就会被加载到 GreptimeDB 中。你可以使用这些用户连接 GreptimeDB。 +用户及其权限将被载入 GreptimeDB 的内存。使用这些用户账户连接至 GreptimeDB 时,系统会严格执行相应的访问权限控制。 :::tip 注意 -文件的内容只会在启动时被加载到数据库中,在数据库运行时修改或追加的内容不会生效。 +`static_user_provider:file` 模式下,文件的内容只会在启动时被加载到数据库中,在数据库运行时修改或追加的内容不会生效。 ::: +### 动态文件重载 + +如果你需要在不重启服务器的情况下更新用户凭证,可以使用 `watch_file_user_provider` 替代 `static_user_provider:file`。该 provider 会监控凭证文件的变化并自动重新加载: + +```shell +./greptime standalone start --user-provider=watch_file_user_provider: +``` + +`watch_file_user_provider`的特点: +- 使用与 `static_user_provider:file` 相同的文件格式 +- 自动检测文件修改并重新加载凭证 +- 允许在不重启服务器的情况下添加、删除或修改用户 +- 如果文件临时不可用或无效,会保持上次有效的配置 + +这在需要动态管理用户访问的生产环境中特别有用。 + ## Kubernetes 集群 你可以在 `values.yaml` 文件中配置鉴权用户。
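Review bot: The new intro line in the first hunk of `docs/.../authentication/static.md` ("each line defines a user with their password and optional permission mode") leaves unsaid what the example right below it makes visible: `greptime_user=greptime_pwd` is a plaintext credential, and the file is read by the server at startup. Add one sentence in the "Basic Configuration" subsection telling operators to keep the file readable only by the account that runs `greptime`, since the whole authentication mechanism rests on that file's contents.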
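Review bot: In the second hunk of the English file, the path placeholder after `static_user_provider:file:` is empty both in the prose ("replace `` with the path to your user configuration file") and in the command `./greptime standalone start --user-provider=static_user_provider:file:`, and the same is true of the `watch_file_user_provider:` command further down; use a visible placeholder such as `<path_to_file>` in all three places so the reader has something to replace. Two documentation gaps in the same hunk: the "Permission Modes" list does not say what `ro` and `wo` actually gate (for example whether DDL counts as a write), and the "Dynamic File Reloading" bullet "If the file is temporarily unavailable or invalid, it keeps the last valid configuration" should say whether a rejected reload is logged and whether an already-connected user who was removed from the file keeps their session, because an operator who edits the file to revoke access needs to know when the revocation is actually in effect.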
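Review bot: The first hunk of the `i18n/zh/...` file mirrors the English wording exactly, including the sentence "GreptimeDB 从配置文件中读取用户配置，每行定义一个用户及其密码和可选的权限模式。"; if a sentence about restricting read access to the plaintext credential file is added to the English "Basic Configuration" subsection, add the same sentence here so the two locales stay in sync.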
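Review bot: In the second hunk of the Chinese file, "`watch_file_user_provider`的特点:" is missing the space between the inline code and the following character that the rest of the file uses ("使用与 `static_user_provider:file` 相同的文件格式", "使用 `=` 作为"); change it to "`watch_file_user_provider` 的特点:". The empty path placeholder appears here too, in "(请将 `` 替换为你的用户配置文件路径)" and in both `./greptime standalone start --user-provider=...:` commands; use a visible placeholder such as `<path_to_file>` as in the English file.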