v2.23 Preview Preview release - not for production v2024.1 STS Stable release with standard-term support v2.20 LTS Stable release with long-term support v2.18 STS Stable release with standard-term support v2.14 LTS Stable release with long-term support Unsupported versions

Database authorization

When you deploy a universe, you can set up the database admin credentials for YSQL and YCQL, which you use to access the YugabyteDB database installed on your universe. Use this account to:

  • add more database users
  • assign privileges to users
  • change your password, or the passwords of other users

YugabyteDB uses role-based access control (RBAC) to manage database authorization. A database user's access is determined by the roles they are assigned. You should grant database users only the privileges that they require.

(For information on managing access to your YugabyteDB Anywhere instance, refer to Manage account users.)

Enable database authorization

You enable the YSQL and YCQL endpoints and database authentication when deploying a universe.

On the Create Universe > Primary Cluster page, under Security Configurations > Authentication Settings, enable the endpoints and authorization for the APIs you want to use, as shown in the following illustration.

Enable YSQL and YCQL endpoints

Enter the password to use for the default database admin superuser (yugabyte for YSQL, and cassandra for YCQL).

You can also enable and disable the endpoints and authorization after deployment. Navigate to your universe, click Actions, and choose Edit YSQL Configuration or Edit YCQL Configuration.

Note that for universes deployed using YugabyteDB Anywhere, you can't exclusively enable authentication using flags. You must enable and disable authentication using the YugabyteDB Anywhere UI.

Default roles and users

The YugabyteDB database on your universe includes a set of default users and roles in YSQL and YCQL.

YSQL default roles and users

To view the YSQL roles in your universe, enter the following command:

yugabyte=> \du

                                     List of roles
  Role name   |                         Attributes                         | Member of 
--------------+------------------------------------------------------------+-----------
 postgres     | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 yb_db_admin  | No inheritance, Cannot login                               | {}
 yb_extension | Cannot login                                               | {}
 yb_fdw       | Cannot login                                               | {}
 yugabyte     | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

For more information, see YSQL roles.

YCQL default roles and users

In YCQL, there is a single superuser called cassandra used during database creation. For more information, see YCQL roles.

Create and manage database users and roles

To manage database users, first connect to your universe.

To create and manage database roles and users (users are roles with login privileges), use the following statements:

I want to YSQL Statement YCQL Statement
Create a user or role. CREATE ROLE CREATE ROLE
Delete a user or role. DROP ROLE DROP ROLE
Assign privileges to a user or role. GRANT GRANT ROLE
Remove privileges from a user or role. REVOKE REVOKE ROLE
Change your own or another user's password. ALTER ROLE ALTER ROLE

Learn more