Secure the Initial SingleStoreDB User Accounts
On this page
When SingleStoreDB is installed, the
root user is created on each SingleStoreDB node.
Once your cluster is deployed, you can also change the password for the
root user with the sdb-admin change-root-password command.
root password for a single SingleStoreDB node.
sdb-admin change-root-password --all --yes --password <secure_password>
root password is an online operation for both aggregators and leaves and you do not have to perform any additional operations; however, you must ensure your nodes are running before calling the
root password via a command-line argument is often not secure and SingleStore recommends safer, alternative methods to configure passwords.
While it is convenient to set the
root password using a command-line argument, it is often recommended against this practice for security reasons.
root password supplied as a command-line argument is displayed on-screen and is visible to anyone who is reading the user’s screen.
Some of the more secure, alternative methods to set SingleStoreDB
root password are as follows.
rootpassword using the
PASSWORD This option is best suited for automated applications.
As of SingleStoreDB Toolbox 1.
6. 4, Toolbox commands can solicit the
rootpassword interactively from users.
The passwords entered in an interactive prompt are not displayed on-screen and are effectively secured from anyone reading the user’s screen. The interactive prompt is invoked if neither the
--passwordflag nor the
MEMSQL_environment variable has been used to set the
In MemSQL 6.
'root'@'%' user, which should be configured as described in the previous section.
In MemSQL 5.
To delete these users, use the
DROP USER command.
root user or another user with sufficient permissions, and run:
DROP USER ''@'localhost';DROP USER ''@'127.0.0.1';DROP USER 'root'@'localhost';DROP USER 'dashboard'@'%';DROP USER 'dashboard'@'localhost';
These additional default users are created in MemSQL installations of 5.
Note that since user accounts are configured independently on each node, whenever you add a new SingleStoreDB node, you should also delete any unnecessary default users on it.
The users ''@'localhost' and ''@'127.
For example, a login as user ‘alice’ from localhost matches 'alice'@'localhost', ''@'localhost', and 'alice'@'%' in that order of precedence.
For this reason, the
'root'@'localhost' account is necessary only when the anonymous user accounts for localhost are present.
root user from localhost matches
'root'@'%' in that order of precedence.
'root'@'localhost' account can be removed, leaving only the
'root'@'localhost' account in addition to the anonymous user accounts to avoid the possibility of misconfiguring the
'root'@'%' accounts differently (for example, misconfiguring them with different passwords).
'dashboard'@'localhost' accounts were used by MemSQL Ops versions prior to 4.
Last modified: October 31, 2023