Overview
Access Control in Oxla
Oxla supports basic RBAC features (role-based access control) like roles, privileges or ownership. The way they work is similar to those currently available on the market, in popular database solutions.
Enabling Access Control
Access Control is enabled by default on new Oxla installations but might be disabled in config on demand. For information on how to set desired access control level please check our Oxla Configuration File doc.
ON, otherwise it will be disabledDefault Superuser
Currently, we only support a single superuser, which is also a default user pre-created in Oxla. Username and password credentials for that user are both set to oxla.
On Oxla’s first start, non-default password for default superuser can be provided in the config via access_control.initial_password parameter. Once set, parameter can be deleted from the config.
System Catalogs Visibility
Rows in system catalog tables are visible to a given user only if they pertain to objects or are located in schemas the user has access to. Considering the information_schema.tables table, a user will see all tables to which they have any grants and all tables located in schemas to which they have the USAGE grant.
Important Notes & Limitations
- There’s only one superuser (their default password can be changed by themselves)
- Only superuser has
SELECTprivilege on internal system tables - Privileges to internal system tables cannot be granted or revoked
- Only superuser and database owners can create new schemas
- Only superuser can create new roles
- Every role is granted
CONNECTprivilege to a default database at the moment of creation (can be revoked) - Concept known as role membership isn’t available in Oxla, thus there’s no privilege inheritance
OXLA_HOME set to OFF, where it was previously enabled,
will result in Oxla entering a degraded state.