Access Rights

    Users are recorded in the users section. Here is a fragment of the users.xml file:

    You can see a declaration for two users: default and web. We added the web user separately.

    The default user is chosen in cases when the username is not passed. The default user is also used for distributed query processing, if the configuration of the server or cluster doesn’t specify the user and password (see the section on the Distributed engine).

    The user that is used for exchanging information between servers combined in a cluster must not have substantial restrictions or quotas – otherwise, distributed queries will fail.

    Next, the list of networks from which access is allowed is specified. In this example, the list of networks for both users is loaded from a separate file (/etc/metrika.xml) containing the substitution. Here is a fragment of it:

    <yandex>
        ...
        <networks>
            <ip>::/64</ip>
            <ip>203.0.113.0/24</ip>
            ...
        </networks>
    </yandex>

    You could define this list of networks directly in users.xml, or in a file in the directory (for more information, see the section ““).

    The config includes comments explaining how to open access from everywhere.

    For use in production, only specify ip elements (IP addresses and their masks), since using host and host_regexp might cause extra latency.

    In the optional <allow_databases> section, you can also specify a list of databases that the user can access. By default, all databases are available to the user. You can specify the default database. In this case, the user will receive access to the database by default.

    In the optional <allow_dictionaries> section, you can also specify a list of dictionaries that the user can access. By default, all dictionaries are available to the user.

    Access to the system database is always allowed (since this database is used for processing queries).

    The user can get a list of all databases and tables in them by using queries or system tables, even if access to individual databases isn’t allowed.
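
An added example, not part of the original documentation: a Python check that reads a users.xml-style file and flags users whose network list is open to every address, who use host or host_regexp instead of ip, or who have no allow_databases restriction. The sample XML, the host name and the function name audit_users are constructed for illustration, and the incl attribute is assumed to be how the networks substitution is referenced.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): element names follow users.xml,
# user settings and host name are made up for the demonstration.
SAMPLE_USERS_XML = """
<yandex>
  <users>
    <default>
      <networks><ip>::/0</ip></networks>
    </default>
    <web>
      <networks>
        <ip>203.0.113.0/24</ip>
        <host>web01.example.com</host>
      </networks>
      <allow_databases><database>test</database></allow_databases>
    </web>
  </users>
</yandex>
"""

def audit_users(xml_text):
    """Return {user_name: [findings]} for each user under <users>."""
    report = {}
    for user in ET.fromstring(xml_text).find("users"):
        findings = []
        nets = user.find("networks")
        if nets is None:
            findings.append("no <networks> element")
        elif nets.get("incl"):
            # List lives in another file (substitution); audit that file too.
            findings.append(f"networks loaded via incl={nets.get('incl')}")
        for entry in (nets if nets is not None else []):
            value = (entry.text or "").strip()
            if entry.tag == "ip":
                # prefix length 0 (::/0 or 0.0.0.0/0) matches every address
                if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                    findings.append(f"open to everyone: {value}")
            elif entry.tag in ("host", "host_regexp"):
                findings.append(f"{entry.tag} used instead of ip: {value}")
        if user.find("allow_databases") is None:
            findings.append("all databases accessible")
        report[user.tag] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS_XML).items():
        print(name, findings or ["ok"])
```

When the network list is loaded through a substitution, run the same check against the file that holds the list, since the user entry itself then contains no ip elements.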