User Accounts
User accounts are only available in SciDB Enterprise Edition.
Examples in this section assume that you have set up the iquery executable to log in and run as a privileged account. See Using iquery in Security Mode.
Operator Summary
The table below summarizes the AFL operators that manipulate user accounts. Some of these operations can be done using the spaam.py example account management script, described further below.
AFL Operator | Description |
---|---|
list('users') | List existing user accounts. |
create_user | Create a new user account. |
drop_user | Delete an existing user account. |
change_user | Change some trait of a user account. At present the only supported trait is 'password'. |
add_user_to_role | Grant a user account membership in one or more roles. |
drop_user_from_role | Revoke a user account's membership in one or more roles. |
show_roles_for_user | List roles granted to a user account. |
show_user | Show name of currently logged in user account. |
The scidbadmin Account
SciDB Enterprise Edition is distributed with a single pre-configured user account called scidbadmin. This is the database administrator account, and has all privileges associated with the admin role (see Roles).
Initially, use iquery to log in to the scidbadmin account with the following authentication file (see Using iquery in Security Mode):
{ "user-name": "scidbadmin", "user-password": "Paradigm4" }
Change the default scidbadmin password immediately after installation. See Changing User Account Passwords below. Do not forget the new password, as it cannot be recovered.
In earlier releases, the database administration account was called root. In the 17.8 release, root is an alias for scidbadmin. Prefer scidbadmin when writing new administrative applications.
Creating User Accounts
User accounts may be created by the scidbadmin user or by any user account belonging to the admin or operator roles.
If SciDB is operating in security=pam mode, create user accounts with the facilities provided by your back-end authentication service. Do not create user accounts directly in SciDB.
Creating User Accounts with spaam.py
The spaam.py script (SciDB Password And Account Management) is a command line utility for simplifying adding user accounts and changing user passwords. It is installed into /opt/scidb/<version>/bin.
Use the -a/--add command option to create a user account with spaam.py. You must supply an initial password when creating a user account. spaam.py lets you provide the initial password at the terminal or on standard input. The following examples create user accounts todd and diane using each technique.
$ spaam.py --add todd
Password:
Re-enter password:
Query was executed successfully
$
Alternatively, pipe the password on standard input with the --stdin option:
$ echo "big secret" | spaam.py --add diane --stdin
Query was executed successfully
$
Creating User Accounts Directly with AFL
The spaam.py -a/--add command option works by issuing an iquery command that uses the AFL create_user operator to create user accounts. This operator takes two string parameters: the name of the user account to create, and a password hash. Password hashes are base64-encoded SHA-512 hash digests of the user's cleartext password. Note that this is an unsalted, single-iteration digest, so anyone who obtains a stored hash can run an offline dictionary attack against it; choose strong passwords and treat the stored hashes as secrets. Here is an excerpt from the spaam.py script showing how password hashes are generated in Python:
import base64
import hashlib
# Intervening code deleted...
# cleartext is the password as a byte string (a Python 2 str);
# under Python 3 it must be encoded to bytes before hashing.
pwhash = base64.b64encode(hashlib.sha512(cleartext).digest())
In the Linux shell, you can generate password hashes using the openssl(1) and base64(1) commands.
$ PWHASH=$(echo -n $CLEARTEXT | openssl dgst -binary -sha512 | base64 -w 0)
When using openssl(1) to generate a password hash, make certain that the input does not contain a trailing newline, or it will be included in the hash and the user will not be able to log in, since newline (ASCII 0x0A) is not a permissible password character. The example above uses echo -n to avoid this.
Having generated a password hash, paste it into an AFL query to create a user account. Be aware that a cleartext password typed on the shell command line, as below, is recorded in your shell history; the interactive spaam.py password prompt avoids that.
$ PWHASH=$(echo -n "big secret" | openssl dgst -binary -sha512 | base64 -w 0)
$ echo $PWHASH
8iOHY9qc4gk0L91I5CY1m9A7xgNJVWSFns6PkqhwLnb+PIVdyvED4m8COD4/nMF/7xbqmwVEoSQEN7J8fC6Drg==
$ iquery -a
AFL% create_user('diane', '8iOHY9qc4gk0L91I5CY1m9A7xgNJVWSFns6PkqhwLnb+PIVdyvED4m8COD4/nMF/7xbqmwVEoSQEN7J8fC6Drg==');
Query was executed successfully
AFL% quit;
$
Deleting User Accounts
User accounts are easily deleted directly in AFL. This example deletes the accounts added in the previous section.
$ iquery -aq "drop_user('diane') ; drop_user('todd')"
Query was executed successfully
Query was executed successfully
$
Suspending User Accounts
If SciDB is operating in security=pam mode, suspend user accounts with the facilities provided by your back-end authentication service. Do not suspend user accounts directly in SciDB.
In some circumstances you may prefer to disable a user account rather than remove it entirely. You can do this with the spaam.py script.
$ spaam.py --suspend andrew
Suspended user andrew
$
You can later reactivate the account with the --allow option.
$ spaam.py --allow andrew
Allowed user andrew
$
Changing User Account Passwords
If SciDB is operating in security=pam mode, change user account passwords with the facilities provided by your back-end authentication service. Do not change passwords directly in SciDB.
HOWEVER, if SciDB is operating in security=pam mode, be sure to change the scidbadmin user account password using the procedures described here. This is because for the scidbadmin account only, a failed PAM login attempt will fall back to using security=password authentication. If you do not change the scidbadmin password, attackers can use the factory default password to log in to SciDB with full privileges, even though other users must be authenticated by PAM.
Changing User Account Passwords with spaam.py
The spaam.py script (see Creating User Accounts with spaam.py above) also changes user account passwords.
Use the -m/--modify command option to change a user account password with spaam.py. You can provide the new password at the terminal or on standard input. Non-privileged users may change their own passwords without assistance from an operator or administrator. This example changes the password of user alice (twice).
$ spaam.py --modify alice
New alice password:
Re-enter password:
Query was executed successfully
$
$ echo "even bigger secret" | spaam.py -m alice --stdin
Query was executed successfully
$
Changing User Account Passwords Directly with AFL
Generate a password hash as described in Creating User Accounts Directly with AFL above. Paste it into an AFL change_user query, whose first argument names the trait to change (at present only 'password' is supported). This example uses a pre-computed password hash to change the password for user account fred.
$ iquery -a
AFL% change_user('password', 'fred', '8iOHY9qc4gk0L91I5CY1m9A7xgNJVWSFns6PkqhwLnb+PIVdyvED4m8COD4/nMF/7xbqmwVEoSQEN7J8fC6Drg==');
Query was executed successfully
AFL% quit;
$
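The hash construction from Creating User Accounts Directly with AFL and the change_user statement above, worked through in Python 3 as an added example. This is not spaam.py's code or any SciDB library: it assumes the change_user argument order shown above ('password', name, hash), restricts user names to a simple identifier pattern of its own (an assumption; the page does not state SciDB's naming rule) instead of attempting to escape quotes inside an AFL string literal, refuses newlines so the forgotten echo -n mistake cannot slip through, and includes a deliberately wrong variant showing what that mistake produces.

```python
import base64
import hashlib
import re

# Assumption for this example only: accept just plain identifiers as user names.
# The page does not state SciDB's real naming rule; refusing anything else is
# safer than trying to escape quotes inside an AFL string literal.
_USER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def scidb_password_hash(cleartext: str) -> str:
    """Return base64(SHA-512(cleartext)), the form create_user/change_user expect.

    Same construction as the spaam.py excerpt, but under Python 3 the str must be
    encoded to bytes first. Newline is not a permissible password character, so a
    password carrying one is refused instead of being hashed into an account
    nobody can log in to.
    """
    if not cleartext:
        raise ValueError("empty password")
    if "\n" in cleartext or "\r" in cleartext:
        raise ValueError("newline is not a permissible password character")
    digest = hashlib.sha512(cleartext.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def echo_without_dash_n_hash(cleartext: str) -> str:
    """What `echo "$PW" | openssl dgst -binary -sha512 | base64 -w 0` yields when
    echo -n is forgotten: the trailing 0x0A is hashed too, so the stored hash
    never matches what the user types at login."""
    digest = hashlib.sha512((cleartext + "\n").encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def looks_like_scidb_hash(value: str) -> bool:
    """Sanity-check a hash before pasting it into AFL: a SHA-512 digest is 64
    bytes, which base64 renders as exactly 88 characters ending in '=='."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(value) == 88 and value.endswith("==") and len(raw) == 64


def _afl_name(user: str) -> str:
    # Refuse anything that is not a plain identifier (example-only rule, see above).
    if not _USER_NAME_RE.match(user):
        raise ValueError(f"refusing user name {user!r}: not a plain identifier")
    return f"'{user}'"


def create_user_query(user: str, cleartext: str) -> str:
    """The AFL statement spaam.py --add issues: create_user(name, hash)."""
    return f"create_user({_afl_name(user)}, '{scidb_password_hash(cleartext)}');"


def change_password_query(user: str, cleartext: str) -> str:
    """The AFL statement for a password change, in the argument order the page's
    example uses: change_user('password', name, hash)."""
    return f"change_user('password', {_afl_name(user)}, '{scidb_password_hash(cleartext)}');"


if __name__ == "__main__":
    # Paste the printed statements into `iquery -a` as a privileged user.
    print(create_user_query("diane", "big secret"))
    print(change_password_query("fred", "even bigger secret"))
    print("forgot echo -n:", echo_without_dash_n_hash("big secret"))
```

Because the statements are built from a validated name and a base64 string, nothing user-controlled can break out of the AFL literal; the newline check reproduces the rule stated above rather than relying on the operator to notice a login failure later.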