User Accounts for MariaDB Xpand

MariaDB Xpand creates different default user accounts than MariaDB Enterprise Server. When using the Xpand Storage Engine topology, the user account details described here only apply when you connect to the Xpand nodes.

Default User Accounts

As part of the installation process, by default Xpand creates the following user accounts:

| User | Privileges |
|---|---|
| 'root'@'127.0.0.1' | |
| 'xpand'@'localhost' | Runs the database process and is configurable as part of the installation. This user will not be created if Xpand is configured to run as root. |
| 'xpandm'@'localhost' | Used to manage the database and is configurable as part of the installation. Created with fewer privileges than xpand. This user will not be created if Xpand is configured to run as root. |
| 'mysql_slave' | Used by the Replication slave process. Login is not possible for this user regardless of whether a password is set. |
| 'clx_maint'@'127.0.0.1' | Used by Support and internal processes. |
| 'clx_view_definer'@'127.0.0.1' | Used by Support and internal processes. |

These users must not be removed.

Securing Initial Xpand Accounts

Xpand creates an initial 'root'@'127.0.0.1' account. This account is a superuser, and if it has no password, any user can connect without a password and perform all operations. Xpand strongly recommends setting a root password.

To see which users may not have passwords:

SELECT username, host, HEX(password) FROM system.users;

Caveats for Managing Users

  • Xpand does not support:

  • Xpand allows usernames and hostnames to be up to 256 characters long and will truncate names longer than the permitted length. Xpand recommends that usernames be 16 characters or shorter and hostnames be 60 characters or shorter.
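The password query under "Securing Initial Xpand Accounts" and the length recommendation above can be checked together. The following is an added example, not part of the Xpand documentation or tooling: it audits the query's output, assuming it was captured from the mariadb client in batch mode without column names (-B -N) and that an unset password appears as an empty string or NULL. The function name and sample rows are hypothetical.

```python
# Lengths recommended on this page for usernames and hostnames.
MAX_USER_LEN, MAX_HOST_LEN = 16, 60
# Per this page, login is not possible for this user regardless of password.
NO_LOGIN_USERS = {"mysql_slave"}


def audit_users(batch_output):
    """Return (account, finding) pairs from tab-separated query output.

    Each row is: username <TAB> host <TAB> HEX(password).
    """
    findings = []
    for line in batch_output.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        user, host, pw_hex = fields[0], fields[1], fields[2].strip()
        account = f"'{user}'@'{host}'"
        # Assumption: an unset password shows as an empty string or NULL.
        if pw_hex in ("", "NULL") and user not in NO_LOGIN_USERS:
            findings.append((account, "no password set"))
        if len(user) > MAX_USER_LEN:
            findings.append((account, "username longer than 16 characters"))
        if len(host) > MAX_HOST_LEN:
            findings.append((account, "hostname longer than 60 characters"))
    return findings


# Constructed sample rows (not taken from a real cluster).
CONSTRUCTED_HASH = "2A" + "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = "\n".join([
    "root\t127.0.0.1\t",
    "mysql_slave\t\t",
    "clx_maint\t127.0.0.1\t" + CONSTRUCTED_HASH,
    "reporting_service_account\t%\t" + CONSTRUCTED_HASH,
])

if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE):
        print(f"{account}: {finding}")
```
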

Exporting and Importing User Accounts

Migration of user accounts and permissions from MariaDB or MySQL is a separate step from data load. Running mariadb-dump --all-databases dumps the mysql database, but Xpand cannot use this data to instantiate users. Instead, use the clustrix_clone_users script, available at /opt/clustrix/bin/. The tool queries a MariaDB Server or Xpand and generates a set of GRANT statements, which can be run to reproduce the set of user accounts and permissions on another cluster (or MariaDB Enterprise Server).

$ /opt/clustrix/bin/clustrix_clone_users \
      -H xpandhost -u root > user_dump.sql

$ mariadb -u root -h clx < user_dump.sql

Note that GRANT and CREATE USER statements are the only way to create users; it is not possible to write to the users table in the system database directly.