mirrors/scylladb
1
0
Fork 0
mirror of https://github.com/scylladb/scylladb.git synced 2026-05-23 00:02:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b7fc661fa983f754ed25cd94de5dd8dd1bc9a98c
scylladb/docs/operating-scylla/security/create-superuser.rst
Dario Mirovic 6e83fb5029 docs: auth: do not specify password with -p option 
Specifying password with -p option is considered unsafe.
The password will be saved in bash history.
The preferred approach is to enter the password when prompted.
Any approach that passes the password via command line arguments
makes that password visible in process options (ps command), no matter
if the password is passed directly or as an environment variable.

Refs SCYLLADB-409
2026-03-04 00:01:07 +01:00

101 lines
2.9 KiB
ReStructuredText
Raw Blame History

================================
Creating a Superuser
================================
There is no default superuser role in ScyllaDB.
Users with a superuser role have full access to the database and can run
any CQL command on the database resources.
There are two ways you can create a superuser in ScyllaDB:
- :ref:`Using the ScyllaDB Maintenance Socket to create a superuser role <create-superuser-using-maintenance-socket>`
- :ref:`Using an existing superuser account to create a new superuser role <create-superuser-using-existing-superuser>`
When setting up a new cluster, use the maintenance socket approach to create the first superuser.
.. _create-superuser-using-maintenance-socket:
Setting Up a Superuser Using the Maintenance Socket
------------------------------------------------------
If no superuser account exists in the cluster, which is the case for new clusters, you can create a superuser using the ScyllaDB Maintenance Socket.
In order to do that, the node must have the maintenance socket enabled.
See :doc:`Admin Tools: Maintenance Socket </operating-scylla/admin-tools/maintenance-socket/>`.
To create a superuser using the maintenance socket, you should:
1. Connect to the node using ``cqlsh`` over the maintenance socket.
.. code-block:: shell
cqlsh <maintenance_socket_path>
Replace ``<maintenance_socket_path>`` with the socket path configured in ``scylla.yaml``.
2. Create new superuser role using ``CREATE ROLE`` command.
.. code-block:: cql
CREATE ROLE <new_superuser> WITH SUPERUSER = true AND LOGIN = true and PASSWORD = '<new_superuser_password>';
3. Verify that you can log in to your node using ``cqlsh`` command with the new password.
.. code-block:: shell
cqlsh -u <new_superuser>
Password:
.. note::
Enter the value of `<new_superuser_password>` password when prompted. The input is not displayed.
4. Show all the roles to verify that the new superuser was created:
.. code-block:: cql
LIST ROLES;
.. _create-superuser-using-existing-superuser:
Setting Up a Superuser Using an Existing Superuser Account
-------------------------------------------------------------
To create a superuser using an existing superuser account, you should:
1. Log in to cqlsh using an existing superuser account.
.. code-block:: shell
cqlsh -u <existing_superuser>
Password:
.. note::
Enter the value of `<existing_superuser_password>` password when prompted. The input is not displayed.
2. Create a new superuser.
.. code-block:: cql
CREATE ROLE <new_superuser> WITH SUPERUSER = true AND LOGIN = true and PASSWORD = '<new_superuser_password>';
3. Verify that you can log in to your node using ``cqlsh`` command with the new password.
.. code-block:: shell
cqlsh -u <new_superuser>
Password:
.. note::
Enter the value of `<new_superuser_password>` password when prompted. The input is not displayed.
4. Show all the roles to verify that the new superuser was created:
.. code-block:: cql
LIST ROLES;
Reference in New Issue View Git Blame Copy Permalink