change_user

The change_user operator changes a trait of a user account. Available only in the Enterprise Edition.

SciDB security mode must be correctly configured before this or any other security operator can be used. See the Security section of the SciDB Administration Guide.

Synopsis

change_user ( trait, userName, newValue )

Inputs

All input parameters are string literals.

  • trait: Must be the literal string 'password'.
  • userName: The name of the user whose trait will be modified.
  • newValue: The new value for the trait. (This is not the cleartext password; see Limitations below.)

Summary

Use this operator in namespaces mode to change a user's password.


  • Any user can use this operator to change their own password.  
  • Requires operator or admin privileges to change another user's password.


Invoking this operator directly is not recommended. Instead, change passwords by running the utility script described in User Accounts.

If your SciDB cluster is configured in security=pam mode, you should change passwords using the tools provided by the configured back-end authentication service.


Limitations

The only accepted value of trait is 'password' and the only accepted value of newValue is a base64-encoded SHA-512 digest of the new password.

Example

  1. Create a scidbadmin authentication file in the home directory by copying the following text to ~/admin.auth:

    [security_password]
    user-name      = scidbadmin
    user-password  = Paradigm4
  2. Change the permissions on the authentication file to 600, so that only its owner can read the cleartext password it contains.

    $ chmod 600 ~/admin.auth
  3. List the users to show that 'John' is not a SciDB user.

    $ iquery --auth-file ~/admin.auth -aq "project(list('users'), name);"

    On a system with no user accounts added so far, the output is:

    {No} name
    {0} 'scidbadmin'
  4. Choose 'John_Password' as the password and create the base64-encoded SHA-512 hash of the password.

    $ PWHASH=$(echo -n "John_Password" | openssl dgst -sha512 -binary | base64 --wrap 0)
  5. Create the user 'John' using the password hash previously created.

    $ iquery --auth-file ~/admin.auth -aq "create_user('John', '$PWHASH');"


    The output is:

    Query was executed successfully
  6. List the users to show that 'John' is a new SciDB user.

    $ iquery --auth-file ~/admin.auth -aq "project(list('users'), name);"


    The output is:

    {No} name
    {0} 'root'
    {1} 'John'
  7. Create an authentication file for 'John' in the home directory by copying the following text to ~/john.auth:

    [security_password]
    user-name      = John
    user-password  = John_Password
  8. Change the permissions on the 'John' authentication file to 600.

    $ chmod 600 ~/john.auth
  9. Log in using the 'John' authentication file and show that the user is currently 'John'.

    $ iquery --auth-file ~/john.auth -aq "show_user();"


    The output is:

    {i} name
    {0} 'John'
  10. Choose 'John_New_Password' as the new password for 'John' and create its hash.

    $ PWHASH=$(echo -n "John_New_Password" | openssl dgst -sha512 -binary | base64 --wrap 0)
  11. Change the 'John' authentication file, ~/john.auth, to reflect the new password as follows:

    [security_password]
    user-name      = John
    user-password  = John_New_Password
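  12. Change SciDB's password for 'John'. The query runs with the admin authentication file, but 'John' could also run it with his own, because any user can change their own password.

    $ iquery --auth-file ~/admin.auth -aq "change_user('password', 'John', '$PWHASH');"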


    The output is:

    Query was executed successfully
  13. Log in using the updated 'John' authentication file and show that the user is currently 'John'. A successful login confirms that the new password is in effect.

    $ iquery --auth-file ~/john.auth -aq "show_user();"


    The output is:

    {i} name
    {0} 'John'
  14. Remove the user 'John'.

    $ iquery --auth-file ~/admin.auth -aq "drop_user('John');"

    The output is:

    Query was executed successfully
  15. List the users to show that 'John' is no longer a SciDB user.

    $ iquery --auth-file ~/admin.auth -aq "project(list('users'), name);"


    The output is:

    {No} name
    {0} 'scidbadmin'

See User Accounts for more information.
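
The hashing and quoting steps of the Example above, as an added shell example that is not part of the SciDB documentation: it produces the base64-encoded SHA-512 value from a password read on standard input, so the password is never typed on a command line, and it refuses any newValue that is not a well-formed digest before placing it in the query string. The function names and the username allow-list are assumptions of this example.

```shell
# Added example, not SciDB's own tooling. Function names are hypothetical.

# Print the base64-encoded SHA-512 digest of the password on stdin.
# Only the first line is read and its newline is not hashed, so the result
# equals: echo -n "<password>" | openssl dgst -sha512 -binary | base64 --wrap 0
scidb_pwhash() {
    local pw
    IFS= read -r pw || true            # tolerate input with no final newline
    [ -n "$pw" ] || return 1           # refuse an empty password
    printf '%s' "$pw" | openssl dgst -sha512 -binary | base64 | tr -d '\n'
}

# A SHA-512 digest is 64 bytes, which base64 always encodes as 86 alphabet
# characters plus "==". Anything else (a cleartext password, a quote, a
# space) is not a valid newValue.
is_scidb_pwhash() {
    [ "${#1}" -eq 88 ] &&
        printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9+/]{86}==$'
}

# Build the change_user statement. Both values are checked before they are
# placed inside the single-quoted AFL literals. The username allow-list is
# an assumption of this example, not a rule taken from the SciDB docs.
change_user_query() {
    local user hash
    user=$1
    hash=$2
    case "$user" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    is_scidb_pwhash "$hash" || return 1
    printf "change_user('password', '%s', '%s');" "$user" "$hash"
}

# Interactive use, assuming a terminal and the ~/admin.auth file from step 1:
#   stty -echo; PWHASH=$(scidb_pwhash); stty echo; echo
#   QUERY=$(change_user_query John "$PWHASH") &&
#       iquery --auth-file ~/admin.auth -aq "$QUERY"
```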