Changes

1,284 bytes added, 09:30, 3 February 2021
db:create → user:create
This article is part of the [[Advanced_Usage|Advanced User's Guide]]. The user management defines which permissions are required by a user to perform a database command or XQuery expression.

Permissions are mostly relevant in the client/server architecture, as the [[GUI]] and the [[Command-Line Client]] are run with admin permissions. There are a few exceptions such as the [[XQuery Module#xquery:eval|xquery:eval]] function: Its execution scope can also be limited by specifying a permission.

Please take care of usual security measures: ensure that your password will not end up in your bash history, avoid sending passwords via ordinary REST requests, etc.

==Rules==
In the permission hierarchy below, the existing permissions are illustrated.
A higher permission includes all lower permissions.
For example, all users who have the <code>write</code> permission assigned will also be able to execute commands requiring <code>read</code> permission.

Local permissions are applied to databases. They have a higher precedence and override global permissions.

[[File:perms.png|Permissions hierarchy]]

User names must follow the [[Valid Names|valid names constraints]], and the database patterns must follow the [[Commands#Glob_Syntax|Glob Syntax]].

==Operations==

For all operations, admin permissions are required:

===Commands===

'''Create user 'test' (password will be entered on command line). By default, the user will have no permissions ('none'):'''

<code>&gt; CREATE USER test</code>

'''Change password of user 'test' to '71x343sd#':'''

<code>&gt; ALTER PASSWORD test 71x343sd#</code>

As global permissions, you can set 'none', 'read', 'write', 'create' and 'admin'.

'''Revoke all global permissions from user 'test':'''

<code>&gt; GRANT none TO test</code>

Valid local permissions are 'none', 'read' and 'write'.

'''Grant local write permissions to user 'test':'''

<code>&gt; GRANT write ON unit* TO test</code>

Note: Local permissions overwrite global permissions.
As a consequence, the 'test' user will only be allowed to access (i.e., read and write) databases starting with the letters 'unit'. If no local permissions are set, the global rights are inherited.
'''Show global permissions:'''

<code>&gt; SHOW USERS</code>

'''Show local permissions on database 'factbook':'''

<code>&gt; SHOW USERS ON factbook</code>
===XQuery===

The available user functions are listed in the [[User Module]]:

'''Create user 'test' with no permissions:'''

<code>user:create('test', 'top-secret')</code>

'''Show detailed information about user 'test':'''

<code>user:list-details()[@name = 'test']</code>

'''Drop user 'test':'''

<code>user:drop('test')</code>

==Storage==

The permission file {{Code|users.xml}} is stored in the database directory. This file can be manually edited; it will be parsed once when BaseX is started.

Salted SHA256 hashes are used for authentication (the current timestamp will be used as salt). Additionally, digest hashes are used in the client/server architecture and the [[Clients|Language Bindings]], and in the [[Web Application|HTTP Context]] if {{Option|AUTHMETHOD}} is set to {{Code|Digest}}.

==Changelog==

Revised in Version 8.0.

[[Category:Server]]