Security
User Management

Riak TS security lets you control authorization by creating, modifying, and deleting user characteristics and by granting users selective access to Riak TS functionality. Users can be assigned one or more of the following characteristics:

  • username
  • groups
  • password

You may also assign users characteristics beyond those listed above, such as listing email addresses or other information, but those values will carry no special significance for Riak TS.

The username cannot be changed once a user has been created.

Retrieve a Current User or Group List

A list of currently existing users can be accessed at any time:

riak-admin security print-users

The same goes for groups:

riak-admin security print-groups

Example output, assuming a user named riakuser with an assigned password:

+----------+--------+----------------------+------------------------------+
| username | groups |       password       |           options            |
+----------+--------+----------------------+------------------------------+
| riakuser |        |983e8ae1421574b8733824|              []              |
+----------+--------+----------------------+------------------------------+

All passwords are displayed in encrypted form in console output.

If the user riakuser were assigned to the group dev and a name of lucius, the output would look like this:

+----------+----------------+----------------------+---------------------+
| username |     groups     |       password       |       options       |
+----------+----------------+----------------------+---------------------+
| riakuser |      dev       |983e8ae1421574b8733824| [{"name","lucius"}] |
+----------+----------------+----------------------+---------------------+

If you’d like to see which permissions have been assigned to riakuser, you would need to use the print-grants command (see next section).

The security print-user and security print-group commands take a name as an argument and show the same information as above for only that user or group.

Permissions Grants For a Single User or Group

You can retrieve authorization information about a specific user or group using the print-grants command, which takes the form of riak-admin security print-grants <username>.

The output will look like this if the user riakuser has been explicitly granted a riak_ts.get permission on the table shopping_list and inherits a set of permissions from the admin group:

Inherited permissions (user/riakuser)

+--------+----------+----------+----------------------------------------+
| group  |   type   |  table   |                 grants                 |
+--------+----------+----------+----------------------------------------+
| admin  |    *     |    *     |      riak_ts.get, riak_ts.delete,      |
|        |          |          |              riak_ts.put               |
+--------+----------+----------+----------------------------------------+

Dedicated permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   table     |                 grants                 |
+----------+-------------+----------------------------------------+
|   ANY    |shopping_list|               riak_ts.get              |
+----------+-------------+----------------------------------------+

Cumulative permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   table     |                 grants                 |
+----------+-------------+----------------------------------------+
|    *     |      *      |      riak_ts.get, riak_ts.delete,      |
|          |             |               riak_ts.put              |
|   ANY    |shopping_list|               riak_ts.get              |
+----------+-------------+----------------------------------------+

The term admin is not a reserved term in Riak security. It is used here only for illustrative purposes.

Because the same name can represent both a user and a group, a prefix (user/ or group/) can be used before the name (e.g., print-grants user/admin). If a name collides and no prefix is supplied, grants for both will be listed separately.

Add Group

For easier management of permissions across several users, it is possible to create groups to be assigned to those users.

riak-admin security add-group admin

Add User

To create a user with the username riakuser, we use the add-user command:

riak-admin security add-user riakuser

Using the command this way creates the user riakuser without any characteristics beyond a username, which is the only attribute that you must assign upon user creation.

You may also assign a password or other attributes to the user upon creation. Here, we’ll assign a password:

riak-admin security add-user riakuser password=Test1234

Assigning a Password and Altering Existing User Characteristics

While passwords and other characteristics can be set upon user creation, it often makes sense to change user characteristics after the user has already been created. Let’s say that the user riakuser was created without a password (or created with a password that we’d like to change). The alter-user command can be used to modify our riakuser user:

riak-admin security alter-user riakuser password=opensesame

When creating or altering a user, any number of <option>=<value> pairs can be appended to the end of the command. Any non-standard options will be stored and displayed via the riak-admin security print-users command.

riak-admin security alter-user riakuser name=bill age=47 fav_color=red

Now, the print-users command should return this:

+----------+--------+----------+--------------------------------------------------+
| username | groups | password |                     options                      |
+----------+--------+----------+--------------------------------------------------+
| riakuser |        |          |[{"fav_color","red"},{"age","47"},{"name","bill"}]|
+----------+--------+----------+--------------------------------------------------+

Usernames CANNOT be changed using the alter-user command. If you attempt to do so by running alter-user riakuser username=other-name, for example, this will add the {"username","other-name"} tuple to riakuser’s options.

Managing Groups for a User

If we have a user jane_goodall and we’d like to assign her to the admin group, we assign the value admin to the option groups:

riak-admin security alter-user jane_goodall groups=admin

If we’d like to make the user jane_goodall both an admin and an archoverlord:

riak-admin security alter-user jane_goodall groups=admin,archoverlord

There is no way to incrementally add groups; even if jane_goodall was already an admin, it is necessary to list it again when adding the archoverlord group. Thus, to remove a group from a user, use alter-user and list all other groups.

If the user should be removed from all groups, use groups= with no list:

riak-admin security alter-user jane_goodall groups=
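Because groups= always overwrites the user's whole list, the safe way to script an "add one group" or "remove one group" operation is to read the current list back from print-user, edit it, and write the complete list. The following Python helper is an added example and not part of Riak TS or its tooling; it assumes that print-user renders several groups as a comma-separated list in the groups column (the tables on this page show only one group), and it invokes riak-admin through a run callable that can be swapped for a mock when testing.

```python
"""Read-modify-write group changes for a Riak TS user.

Added example, not part of Riak's tooling: `riak-admin security alter-user
<user> groups=...` replaces the whole group list, so adding or removing one
group means reading the current list from `print-user`, editing it, and
writing the complete list back.

Assumptions (not stated by the docs): print-user renders several groups as a
comma-separated list in its "groups" column, and the `run` callable can be
swapped for a mock when testing.
"""
import subprocess
import sys
from typing import Callable, List

Runner = Callable[[List[str]], str]  # riak-admin arguments -> stdout

# Constructed sample, copied from the docs' print-user table for riakuser.
SAMPLE_PRINT_USER = """\
+----------+----------------+----------------------+---------------------+
| username |     groups     |       password       |       options       |
+----------+----------------+----------------------+---------------------+
| riakuser |      dev       |983e8ae1421574b8733824| [{"name","lucius"}] |
+----------+----------------+----------------------+---------------------+
"""


def run_riak_admin(args: List[str]) -> str:
    """Default runner: invoke the real riak-admin and return its stdout."""
    proc = subprocess.run(["riak-admin", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def parse_groups(table: str, user: str) -> List[str]:
    """Return the group list for `user` from a print-user(s) table."""
    for line in table.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells and cells[0] == user:
            return [g.strip() for g in cells[1].split(",") if g.strip()]
    raise LookupError(f"user {user!r} not found in print-user output")


def current_groups(user: str, run: Runner = run_riak_admin) -> List[str]:
    return parse_groups(run(["security", "print-user", user]), user)


def set_groups(user: str, groups: List[str], run: Runner = run_riak_admin) -> str:
    """Write the complete list back; an empty list yields `groups=` (no groups)."""
    value = "groups=" + ",".join(groups)
    run(["security", "alter-user", user, value])
    return value


def add_to_group(user: str, group: str, run: Runner = run_riak_admin) -> str:
    """Add one group while keeping every group the user already has."""
    groups = current_groups(user, run)
    if group not in groups:
        groups.append(group)
    return set_groups(user, groups, run)


def remove_from_group(user: str, group: str, run: Runner = run_riak_admin) -> str:
    """Drop one group while keeping all the others."""
    groups = [g for g in current_groups(user, run) if g != group]
    return set_groups(user, groups, run)


if __name__ == "__main__":
    # Usage: python riak_groups.py add|remove <user> <group>
    action, user, group = sys.argv[1:4]
    fn = add_to_group if action == "add" else remove_from_group
    print(fn(user, group))
```

The run parameter is the only seam: in production it defaults to calling riak-admin, and in a test it can be a function that returns canned print-user output and records the alter-user call it receives, so the read-modify-write logic can be checked without a cluster.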

Managing Groups for Groups

Groups can be added to other groups for cascading permissions.

riak-admin security alter-group admin groups=dev

Deleting a User or Group

If you’d like to remove a user, use the del-user command:

riak-admin security del-user riakuser

For groups, use the del-group command:

riak-admin security del-group admin

Adding or Deleting Multiple Users

The riak-admin security command does not currently allow you to add or delete multiple users using a single command. Instead, they must be added or deleted one by one.

Managing Permissions

Permission to perform a wide variety of operations against Riak TS can be granted to, or revoked from, users via the grant and revoke commands.

grant

The grant command takes one of the following forms:

riak-admin security grant <permissions> on any to all|{<user>|<group>[,...]}
riak-admin security grant <permissions> on <table> to all|{<user>|<group>[,...]}

revoke

The revoke command is essentially the same, except that to is replaced with from:

riak-admin security revoke <permissions> on any from all|{<user>|<group>[,...]}
riak-admin security revoke <permissions> on <table> from all|{<user>|<group>[,...]}

Selecting any and all

If you select any, the permission (or set of permissions) is granted/revoked for all tables. If you specify a table, the permission is granted/revoked for that table only.

Selecting all grants or revokes a permission (or set of permissions) for all users in all groups. When specifying the user(s) and/or group(s) to which a permission (or set of permissions) applies, you may list any number of users or groups, comma-separated with no whitespace. Here is an example of granting a permission across all tables to multiple users:

riak-admin security grant riak_ts.get on any to jane,ahmed

If the same name is used for both a user and a group, the grant command will ask for the name to be prefixed with user/ or group/ to disambiguate.

Riak TS Permissions

Permissions that can be granted for basic time series access functionality:

+------------------------+-----------------------------------------------------------------------+
| Permission             | Operation                                                             |
+------------------------+-----------------------------------------------------------------------+
| riak_ts.get            | Retrieve time series data via a single key                            |
| riak_ts.put            | Write time series data via a single key or via a SQL INSERT statement |
| riak_ts.delete         | Delete a single record via a key                                      |
| riak_ts.list_keys      | Stream a list of primary keys for a table                             |
| riak_ts.coverage       | Return coverage information for a given query                         |
| riak_ts.create_table   | Create a time series table                                            |
| riak_ts.query_select   | Retrieve data via a SQL SELECT statement                              |
| riak_ts.describe_table | Retrieve metadata about a single TS table                             |
| riak_ts.show_tables    | Retrieve a list of TS tables                                          |
| riak_ts.query_explain  | Diagnostic information about how a query will be executed             |
+------------------------+-----------------------------------------------------------------------+

Note on Listing Keys and Tables

riak_ts.list_keys and riak_ts.show_tables are both very expensive operations that should be performed very rarely and never in production. Access to this functionality should be granted very carefully.

For example, if you’d like to create a client account that is allowed only to run GET and PUT requests on all tables:

riak-admin security add-user client
riak-admin security grant riak_ts.get,riak_ts.put on any to client
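To turn print-grants output (the Inherited/Dedicated/Cumulative tables shown earlier) into an answer to "which permissions does this user effectively hold on table X?", and to spot grants of riak_ts.list_keys or riak_ts.show_tables that the note above says to hand out carefully, the following Python script is an added example and not Riak tooling. It assumes that a table cell of * in the Cumulative section stands for every table (a grant made on any), that a row whose type and table cells are blank continues the grants of the row above it, and that several grants in one cell are comma-separated. The riakuser sample is copied from the print-grants output shown on this page; the client sample is constructed.

```python
"""Audit the effective permissions in `riak-admin security print-grants` output.

Added example, not Riak's own tooling. It parses the ASCII tables that
print-grants prints (Inherited, Dedicated, Cumulative), answers whether a
user effectively holds a permission on a given table, and flags the
expensive permissions the docs say to grant sparingly.

Assumptions (not stated by the docs): a table cell of "*" means every table
(a grant made "on any"); a row whose type/table cells are blank continues the
grants list of the row above it; grants in one cell are comma-separated.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set

Row = Dict[str, str]
EXPENSIVE = {"riak_ts.list_keys", "riak_ts.show_tables"}
SECTION_RE = re.compile(r"^(\w+) permissions \((.+)\)$")

# Constructed sample, copied from the docs' print-grants example for riakuser.
SAMPLE_RIAKUSER = """\
Inherited permissions (user/riakuser)

+--------+----------+----------+----------------------------------------+
| group  |   type   |  table   |                 grants                 |
+--------+----------+----------+----------------------------------------+
| admin  |    *     |    *     |      riak_ts.get, riak_ts.delete,      |
|        |          |          |              riak_ts.put               |
+--------+----------+----------+----------------------------------------+

Dedicated permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   table     |                 grants                 |
+----------+-------------+----------------------------------------+
|   ANY    |shopping_list|               riak_ts.get              |
+----------+-------------+----------------------------------------+

Cumulative permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   table     |                 grants                 |
+----------+-------------+----------------------------------------+
|    *     |      *      |      riak_ts.get, riak_ts.delete,      |
|          |             |               riak_ts.put              |
|   ANY    |shopping_list|               riak_ts.get              |
+----------+-------------+----------------------------------------+
"""

# Constructed sample (Cumulative section only) for a user whose dedicated
# grant includes one of the expensive permissions.
SAMPLE_CLIENT = """\
Cumulative permissions (user/client)

+----------+-------------+----------------------------------------+
|   type   |   table     |                 grants                 |
+----------+-------------+----------------------------------------+
|   ANY    |shopping_list|     riak_ts.get, riak_ts.list_keys     |
+----------+-------------+----------------------------------------+
"""


def run_print_grants(name: str) -> str:
    """Invoke the real riak-admin and return the print-grants text."""
    proc = subprocess.run(["riak-admin", "security", "print-grants", name],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def parse_sections(text: str) -> Dict[str, List[Row]]:
    """Return {"Inherited": [...], "Dedicated": [...], "Cumulative": [...]}."""
    sections: Dict[str, List[Row]] = {}
    rows: List[Row] = []
    header: List[str] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            rows = sections.setdefault(m.group(1), [])
            header = []  # the next "|" line names this table's columns
            continue
        if not line.lstrip().startswith("|"):
            continue  # +----+ borders and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not header:
            header = cells
            continue
        row = dict(zip(header, cells))
        if row.get("type"):
            rows.append(row)
        elif rows:  # blank type/table: the grants cell wrapped onto a new line
            rows[-1]["grants"] += " " + row["grants"]
    return sections


def grants_of(row: Row) -> List[str]:
    return [g.strip() for g in row["grants"].split(",") if g.strip()]


def effective_permissions(sections: Dict[str, List[Row]], table: str) -> Set[str]:
    """Permissions in effect on `table`: its own rows plus "*" wildcard rows."""
    perms: Set[str] = set()
    for row in sections.get("Cumulative", []):
        if row["table"] in ("*", table):
            perms.update(grants_of(row))
    return perms


def has_permission(sections: Dict[str, List[Row]], perm: str, table: str) -> bool:
    return perm in effective_permissions(sections, table)


def expensive_grants(sections: Dict[str, List[Row]]) -> Set[str]:
    """Expensive permissions the user holds on any table, per the docs' note."""
    held: Set[str] = set()
    for row in sections.get("Cumulative", []):
        held.update(EXPENSIVE.intersection(grants_of(row)))
    return held


if __name__ == "__main__":
    # Usage: python grants_audit.py user/riakuser
    s = parse_sections(run_print_grants(sys.argv[1]))
    for row in s.get("Cumulative", []):
        print(f"{row['table']:<20} {', '.join(grants_of(row))}")
    if expensive_grants(s):
        print("expensive permissions granted:", sorted(expensive_grants(s)))
```

Only the Cumulative section is used for the effective-permission question, because it already merges the inherited and dedicated rows; the Inherited and Dedicated sections are parsed too so a reviewer can see which group a permission came from.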