Skip to main content

Create a superadmin User


The privilege level of the Operator's admin user is designed to prohibit specific operations from being performed that could interfere with Operator automation.

As the superadmin user does not have these restrictions, it should only be used for specific operations, such as initiating disaster recovery (DR) replication or creating a database with unlimited storage. Using the superadmin user to perform unprescribed operations (such as adding and removing leaves and/or changing engine variables, etc.) can trigger unexpected Pod cycling by the Operator and/or adversely impact the Operator's state.

In addition, as the Operator uses the root user to manage the cluster and the root user’s password, the Operator's root password must never be changed. Changing the root user’s password will decouple the Operator from the SingleStoreDB cluster and neither the Operator nor the cluster will continue to function as intended.

Obtain the Root Password

The root user has all privileges, including those to create users and manage the cluster. This user is assigned a password when the SingleStoreDBcluster is first created. The Operator creates a corresponding secret with the same name as the SingleStoreDBcluster which is used to store the root user’s password.

To obtain this secret, run the following command.

kubectl get secrets

Note that, in this secret, the password is Base64-encoded. To decode the password from the secret, run the following command.

echo <ENCODED-VALUE> | base64 -D

Create the superadmin User

As noted earlier, while the root user’s password can be viewed, it must never be changed.

Should you need to use the root user, SingleStore recommends that you:

  1. As the root user, create a superadmin user via the following SQL command.

    CREATE USER 'superadmin'@'%' IDENTIFIED BY '<secure-password>'
  2. Grant the superadmin user root privileges via the following SQL command.

    GRANT ALL ON *.* TO 'superadmin'@'%' WITH GRANT OPTION;

Once this superadmin user has been created, obtaining the root user’s password is no longer necessary.