Table of Contents
Authentication means verifying the identity of someone (a user, server, or other entity) who wants to use data, resources, or applications. Validating that identity establishes a trust relationship for further interactions. Authentication also enables accountability by making it possible to link access and actions to specific identities.
Within a secure Oracle NoSQL Database, access to the database and internal APIs is generally limited to authenticated users. When a secure Oracle NoSQL Database is first started, there are no users defined, and login to the administrative interface is allowed without authentication. However, no data access operations can be performed without user authentication.
Users can be created, modified or removed in the Oracle NoSQL Database through the admin CLI. The administrative commands of manipulating users are exposed in SQL format via DDL API. Information about a specific user account as well as a summary listing of registered users can also be displayed. For more information, see the next sections describing each user management operation.
To create a user, use the following command:
CREATE USER user_name IDENTIFIED BY password [ACCOUNT LOCK|UNLOCK] [ADMIN] [PASSWORD EXPIRE] [PASSWORD LIFETIME duration]
where:
user_name
The name of the user
IDENTIFIED Clause
Indicate how ONDB authenticates the users (currently by password).
BY password
Create an ONDB local user and indicates that the user must specify password to log on to the ONDB.
The password must be quoted by double-quotation marks, for example, "123@abc".
ACCOUNT Clause
Specify ACCOUNT LOCK to lock the user's account and disable access.
ADMIN Clause
Specify ADMIN to make the user granted with "sysadmin" role by default.
PASSWORD EXPIRE
Specify PASSWORD EXPIRE if you want the user's password to expire immediately on first login. This setting forces the user or the user having sysadmin role to change the password before the user can log in to the database.
PASSWORD LIFETIME duration
Specify the duration that current password can be used for authentication.
duration: [0-9]+ unit unit: S | M | H | SECONDS | MINUTES | HOURS | DAYS
A simple example to create an admin user Kate with password of "123":
Kv-> execute 'CREATE USER Kate IDENTIFIED BY \”123\” ADMIN'
To create the first user in an Oracle NoSQL Database instance, you need to log in to the Admin CLI as an anonymous user and use the “plan create-user” command. To do this, see, Performing a Secure Oracle NoSQL Database Installation.
To alter a user, use the following command:
ALTER USER user_name [IDENTIFIED BY password [RETAIN CURRENT PASSWORD]] [CLEAR RETAINED PASSWORD] [PASSWORD EXPIRE] [PASSWORD LIFETIME duration] [ACCOUNT UNLOCK|LOCK]
where:
user_name
Name of user to alter.
IDENTIFIED Clause
Specify BY password to specify a new password for the user.
RETAIN CURRENT PASSWORD
Used with BY password clause. If
specified, causes the current password defined for the user to
be remembered as a valid alternate password for a limited duration
(24 hours by default), or until the password is explicitly cleared.
Only one alternate password may be retained at a time. This option
allows a password to be changed while an application is still running
without affecting its operation.
CLEAR RETAINED PASSWORD Clause
Erases the current alternate retained password.
PASSWORD EXPIRE
Causes the user's password to expire immediately, then the user or the user having sysadmin role must change the password before attempting to log in to the database following the expiration.
PASSWORD LIFETIME duration
Specify the duration that current password can be used for authentication.
duration: [0-9]+ unit unit: S | M | H | SECONDS | MINUTES | HOURS | DAYS
ACCOUNT Clause
Specify ACCOUNT LOCK to lock the user's account and disable access.
DROP USER user_name
Use the DROP USER user_name command to
remove the specified user account (users cannot remove
themselves):
where, user_name is the name of user to drop.
For example:
kv->execute 'DROP USER Kate'
SHOW [AS JSON] USERS| USER user_name
Use the SHOW USERS command to list all existing users
in the system.
where, user_name is the name of the registered user.
For example, we have created 3 users in the system:
kv-> execute 'SHOW USERS' user: id=u1 name=Ken user: id=u2 name=Kate user: id=u3 name=Alice
These IDs are an internal mechanism for ensuring uniqueness, which will be increased sequentially.
If a user name is specified, view the detailed information of a user
using the SHOW USER user_name command. For example:
kv->execute 'SHOW USER Kate' id=u2 name=kate enabled=true type=LOCAL retain-passwd=inactive granted-role=[public]
You can use either the -username <user> or
the -security <path to security file> runadmin
argument to login to the admin CLI:
-username <user>
Specifies the username to log in as. This option is used in conjunction with security properties like oracle.kv.transport.
-security <path-to-security-file>
Specifies the security file that contains
property settings for the login. Relative filename
references within the security file are interpreted relative to
the location of the security properties file. For example, if a
security properties file contains the setting
oracle.kv.ssl.truststore=client.trust then,
the client.trust file should be in the same directory as the security
properties file. If the file is named with an absolute path then it
can be anywhere in the file system.
The following properties can be set in the file in addition to any of the SSL communication properties documented in the previous chapter:
oracle.kv.auth.username oracle.kv.auth.wallet.dir oracle.kv.auth.pwdfile.file
where the the oracle.kv.auth.wallet.dir and oracle.kv.auth.pwdfile.file properties in this file indicate the location of an EE wallet directory or CE password store file, respectively.
The oracle.kv.security Java system property can be used
as an alternative mechanism for providing
a security file path. Setting this system property is
equivalent to adding the -security
option to the command line. This property is supported by
all tools as well as by the KVStore client library.
The user can configure the lifetime of users’ passwords, or make them expire immediately. When a password expires, the user needs to renew it to log in Oracle NoSQL Database successfully. The two ways to manage passwords from expiring are as follows:
Explicit Expiration
It makes current password expire immediately as well as retained password if it exists. For this user, the password must be changed before attempting to log in the database.
For example:
kv->execute 'CREATE USER John IDENTIFIED BY \”123\” PASSWORD EXPIRE'
Password Lifetime Configuration
If a user logs into the database with John’s account, the user must input the new password for John.
Logged in admin as John The password of John has expired, it is required to change the password. Enter the new password: Re-enter the new password:
Password lifetime limits the duration that current password can be used for authentication.
This configuration only works for current password but not the retained one.
For example:
kv->execute 'ALTER USER John PASSWORD LIFETIME 15 days'
In the example above, the current password for the user John will expire after 15 days. After expiration, if the user attempts to log into the database, the user will be prompted with a notification to change the password.
A retained password is used to allow a password to be changed while an application is still running without affecting its operation. It is only remembered by the system for a limited duration (24 hours) and there is no way to specify individual duration for each user. For retained password, only explicit expiration is supported using the following command:
kv->execute 'ALTER USER John CLEAR RETAINED PASSWORD'