v2.25 Preview Preview release - not for production v2024.2 LTS Stable release with long-term support v2024.1 STS Stable release with standard-term support v2.20 LTS Stable release with long-term support Unsupported versions

Database authorization

When you deploy a universe, you can set up the database admin credentials for YSQL and YCQL. You use the admin user to access the YugabyteDB database installed on your universe.

  • On YSQL, this user is named yugabyte and has superuser privileges.
  • On YCQL, this user is named cassandra.

Use this user to administer your database, including:

  • add more database users
  • assign privileges to database users
  • change database user passwords

YugabyteDB uses role-based access control (RBAC) to manage database authorization. A database user's access is determined by the roles they are assigned. You should grant database users only the privileges that they require.

(For information on managing access to your YugabyteDB Anywhere instance, refer to Manage account users.)

Enable database authorization

You enable the YSQL and YCQL endpoints and database authentication when deploying a universe.

On the Create Universe > Primary Cluster page, under Security Configurations > Authentication Settings, enable the endpoints and authorization for the APIs you want to use, as shown in the following illustration.

Enable YSQL and YCQL endpoints

Enter a password for the default database admin user (yugabyte for YSQL, and cassandra for YCQL).

Important

Save your password in a secure location. Your password is not stored in YugabyteDB Anywhere, and if you lose it, you won't be able to access the database.

You can also enable and disable the endpoints and authorization, as well as rotate your admin user password, after deployment. Navigate to your universe, click Actions, and choose Edit YSQL Configuration or Edit YCQL Configuration.

To disable YSQL or YCQL authorization or rotate the password, you will need your yugabyte or cassandra database user password.

For YCQL, you can modify the YCQL API and admin UI endpoint ports by selecting the Override YCQL Default Ports option.

Note that for universes deployed using YugabyteDB Anywhere, you can't exclusively enable authentication using flags. You must enable and disable authentication using the YugabyteDB Anywhere UI.

Default roles and users

The YugabyteDB database on your universe includes a set of default users and roles in YSQL and YCQL.

YSQL default roles and users

To view the YSQL roles in your universe, enter the following command:

yugabyte=> \du

                                     List of roles
  Role name   |                         Attributes                         | Member of 
--------------+------------------------------------------------------------+-----------
 postgres     | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 yb_db_admin  | No inheritance, Cannot login                               | {}
 yb_extension | Cannot login                                               | {}
 yb_fdw       | Cannot login                                               | {}
 yugabyte     | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

For more information, see YSQL roles.

YCQL default roles and users

In YCQL, there is a single superuser called cassandra used during database creation. For more information, see YCQL roles.

Create and manage database users and roles

To manage database users, first connect to your universe.

To create and manage database roles and users (users are roles with login privileges), use the following statements:

I want to YSQL Statement YCQL Statement
Create a user or role. CREATE ROLE CREATE ROLE
Delete a user or role. DROP ROLE DROP ROLE
Assign privileges to a user or role. GRANT GRANT ROLE
Remove privileges from a user or role. REVOKE REVOKE ROLE
Change your own or another user's password. ALTER ROLE ALTER ROLE

Learn more