CREATE USER
On this page
The CREATE USER command creates a new user account.
Note
Refer to Manage Organizations, Manage Organization Users, and Manage Database Users for more information about managing users and groups.
Syntax
CREATE USER [IF NOT EXISTS] user[@host][IDENTIFIED BY 'password'][WITH {DEFAULT RESOURCE POOL = poolname} |{FAILED_LOGIN_ATTEMPTS = integer PASSWORD_LOCK_TIME = integer} |{DEFAULT RESOURCE POOL = poolname FAILED_LOGIN_ATTEMPTS = integer PASSWORD_LOCK_TIME = integer}][REQUIRE {SSL | X509 | SUBJECT | NONE}][ATTRIBUTE <valid json>][COMMENT <comment string>]
Arguments
-
user: Username of the SingleStore database user.
-
Non-JWT users: Maximum length of 32 characters.
-
JWT users: Maximum length of 320 characters.
-
-
host: The host that the user can connect from.
For example, specifying localhostmeans the user account can be used only when connecting from the local host.If no host is explicitly specified, the %wildcard is used, which allows the user to connect from any host. -
password: An optional database connection password for the user.
-
poolname: The default resource pool for the user.
FAILED_
FAILED_PASSWORD_, specifies the failed login attempt lockout behavior.FAILED_ is the number of failed attempts allowed after which the account is locked out.3 means that the account will be locked after three failed attempts.0, which means there is no restriction.1, PASSWORD_ must also be specified.
PASSWORD_FAILED_, specifies the failed login attempt lockout behavior.PASSWORD_ is the number of seconds a locked out account must wait before reattempting to log in.
Note
You must set both FAILED_ and PASSWORD_ to enable the lockout feature.
To modify the FAILED_ and PASSWORD_ for a user, or to unlock a locked user, use ALTER USER.
If an account is locked either manually using the ALTER USER … ACCOUNT LOCK command or automatically as a result of exceeding the values specified for FAILED_ and PASSWORD_ arguments, then restarting the workspace removes the lock and returns the account’s status to ONLINE.ACCOUNT_ column in the information_ view.
REQUIRE
REQUIRE supports the following options:
-
REQUIRE SSL: Ensures that the user connects via SSL. -
REQUIRE NONE: Specifies that SSL is not required for the connection. -
REQUIRE X509: Enables mutual authentication between the client and SingleStore.The user can connect only if the client presents a valid TLS client certificate that is not expired and chains to the CA bundle configured on the server. Connections that do not provide a valid certificate are rejected. Example: CREATE USER 's2user'@'%' REQUIRE X509; -
REQUIRE SUBJECT '<subject-dn-string>': In addition to extendingREQUIRE X509,REQUIRE SUBJECTchecks the subject in the client certificate provided during mTLS connection and enforces that theSubject DNin the client certificate must exactly match the configured value.This verifies both trust (via certificate chaining to the CA) and identity (via the Subject DNstring).For example: CREATE USER 's2user'@'%' REQUIRE SUBJECT '/CN=s2user/O=example/C=US';When running
CREATE USERorALTER USER, specify theSUBJECTin OpenSSL “oneline” format.Separate fields, such as CN,O,C,ST, andL, with a/.To generate the Subject DNstring in OpenSSL "oneline" format, run the following command:openssl x509 -in client-cert.pem -noout -subject -nameopt compatIf the
openssloutput escapes characters inside a DN value, escape each backslash (\) in the output because the value is entered as a SQL string literal.For example, if the Subjectcontains\+, replace it with\\+in theCREATE USERorALTER USERstatement.For example: CREATE USER 's2user'@'%' REQUIRE SUBJECT '/O=example/CN=Js3g\\+AF\\+/C=US';A
Subjectmismatch can return the same generic certificate verification error as CA-chain issues.To troubleshoot, first verify that the client certificate chains to the CA bundle configured on the server ( REQUIRE X509), and then verify that theSubject DNin the certificate exactly matches the configuredREQUIRE SUBJECTvalue.
ATTRIBUTE and COMMENT
Optional arguments used to provide additional information about a user.ATTRIBUTE must come first.ATTRIBUTE, the value must be a valid JSON object.
Remarks
-
The
CREATE USERcommand must be run by a user with administrative privileges on the database.Also, the new user does not have any privileges granted by default. Use GRANT to specify privileges for the new user. -
Other
CREATE USERcommand options aren’t applied in case the user exists andIF NOT EXISTSis specified; you must use theGRANTcommand to assign privileges or theALTER USERcommand to change user properties. -
The
WITHkeyword must be used with the following options and specified only once:-
DEFAULT RESOURCE POOL = <poolname> -
FAILED_LOGIN_ ATTEMPTS = integer PASSWORD_ LOCK_ TIME = <integer>
For example:
-
WITH DEFAULT RESOURCE POOL = pool1 FAILED_LOGIN_ ATTEMPTS = 10 PASSWORD_ LOCK_ TIME = 20 -
WITH FAILED_LOGIN_ ATTEMPTS = 10 PASSWORD_ LOCK_ TIME = 20 -
WITH DEFAULT RESOURCE POOL = pool1
-
-
This command causes implicit commits.
Refer to COMMIT for more information. -
In SingleStore Helios, you do not have the privileges to create your own resource pool.
Raise a ticket with SingleStore Support to create it. Once the resource pool is created, you can assign it to users. -
The
CREATE USERcommand only applies to the current node unless thesync_engine variable is set topermissions ON. -
The
CREATE USERcommand holds a global lock on the workspace until the processing of the command is completed.Refer to Workspace Level Locks for more information. -
Refer to the Permissions Matrix for the required permissions.
-
Refer to Configuring a Password Policy for information on how to configure a robust password policy.
Examples
-
The following example demonstrates how to add a new user and grant the
SELECTprivilege on all tables in themydbdatabase to the user:CREATE USER joe;GRANT SELECT ON mydb.* TO 'joe'@'%'; -
The following example demonstrates how to create a resource pool and assign it to a new user in addition to controlling the login attempts:
CREATE RESOURCE POOL test_pool WITH QUERY_TIMEOUT = 20;CREATE USER user1 IDENTIFIED BY 'User123' WITH DEFAULT RESOURCE POOL = test_pool FAILED_LOGIN_ATTEMPTS = 3 PASSWORD_LOCK_TIME = 14400; -
The following example demonstrates the use of the
default_variable and therequire_ ssl REQUIREoption:CREATE USER `alice`@`%`; -- uses default_require_ssl var (off by default)CREATE USER `alice`@`%` REQUIRE NONE; -- does not require SSLCREATE USER `alice`@`%` REQUIRE SSL; -- requires SSL -
The following examples demonstrate the use of
ATTRIBUTEandCOMMENT:CREATE USER 'user1'@'svchost-xxxx' ATTRIBUTE '{"phone": "1234567890"}';CREATE USER 'user1'@'svchost-xxxx' COMMENT 'Some information about user1'; -
The following example demonstrates how to retrieve the
ATTRIBUTEandCOMMENTvalues from theinformation_view:schema. USERS CREATE USER singlestore@svchost-xxxx ATTRIBUTE '{"a": 1, "b": 2}' COMMENT 'Some information about the SingleStore user.';SELECT USER, ATTRIBUTE, COMMENT from INFORMATION_SCHEMA.USERS WHERE user='singlestore';+-------------+---------------+----------------------------------------------+ | USER | ATTRIBUTE | COMMENT | +-------------+---------------+----------------------------------------------+ | singlestore | {"a":1,"b":2} | Some information about the SingleStore user. | +-------------+---------------+----------------------------------------------+SELECT USER, ATTRIBUTE, COMMENT, ATTRIBUTE::a + ATTRIBUTE::b AS c FROM INFORMATION_SCHEMA.USERS WHERE user='singlestore';+-------------+---------------+----------------------------------------------+------+ | USER | ATTRIBUTE | COMMENT | c | +-------------+---------------+----------------------------------------------+------+ | singlestore | {"a":1,"b":2} | Some information about the SingleStore user. | 3 | +-------------+---------------+----------------------------------------------+------+
Last modified: