Create a user and grant permissions for an OceanBase cluster instance

This topic describes how to create a standard account for a MySQL tenant of an OceanBase cluster instance. It also describes the least privilege required for the standard account during different stages of data migration.

Background information

OceanBase cluster instances support standard accounts, privileged accounts, and read-only accounts. When you use Data Transmission Service to migrate data from an OceanBase cluster instance:

  • If you use a standard account, you must grant the permissions described in this topic.

  • If you use a privileged account, it has read and write permissions on all databases by default.

  • If you use a read-only account, it has read-only permissions on all databases by default.

The standard account for the OceanBase cluster instance created in this topic is used for the Username field when you create an OceanBase data source.

To migrate tables without a unique key, you must also create a user named __oceanbase_inner_drc_user with read-only permissions before you start the data migration task. You enter this user's password in the __oceanbase_inner_drc_user Password field when you create the OceanBase data source.

Create a standard account for a cluster instance

  1. Go to the Cluster Instance Workbench page.

    1. Log on to the OceanBase Management Console.

    2. In the upper-left corner of the console, select the region where the destination instance is located.

    3. In the navigation pane on the left, click Instance List, and then click the name of the destination instance.

  2. Go to the Account Management page.

    1. On the Cluster Instance Workbench page, click Tenant Management in the navigation pane on the left.

    2. On the Tenant List page, click the name of the destination tenant whose Tenant Mode is MySQL.

    3. On the Tenant Workbench page, click Account Management in the navigation pane on the left.

  3. On the Account Management page, click Create Account in the upper-right corner.

  4. In the Create Account dialog box, configure the parameters.

    | Parameter | Description |
    |---|---|
    | Username | Must start with a letter and end with a letter or digit. It can contain letters, digits, and underscores (_). The username must not exceed 32 characters in length. |
    | Account Type | Select Standard Account. |
    | Authorized Databases (Optional) | Grant the account permissions on one or more databases. (1) In the Unauthorized list on the left, select one or more databases and click > to add them to the list on the right. (2) In the Authorized list on the right, grant Read/Write, DDL Only, DML Only, or Read-only permissions to a database. |
    | Password | The password must be 10 to 32 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters include !@#$%^&*()_+-=. You can also click Randomly Generate to automatically fill in a password. Note: You can click Copy Password to copy the password. Store the password securely. |
    | Remarks (Optional) | Enter remarks for the account. |

  5. Click OK.
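
The username and password rules from the Create Account dialog, written as a check you can run before filling in the form. This is an added example, not code from OceanBase or its console; the function names are hypothetical, and it assumes that "letters" means ASCII letters and that characters outside the four listed types are rejected.

```python
import re
import secrets
import string

# Rules taken from the Create Account dialog described above.
SPECIALS = "!@#$%^&*()_+-="  # no quote or backslash characters in this set
# Assumption: "letters" means ASCII letters; a single letter is a valid name.
USERNAME_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9_]{0,30}[A-Za-z0-9])?")
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)


def username_ok(name: str) -> bool:
    """Starts with a letter, ends with a letter or digit, at most 32 characters."""
    return USERNAME_RE.fullmatch(name) is not None


def password_problems(pw: str) -> list[str]:
    """Return the rules a password breaks; an empty list means it is acceptable."""
    problems = []
    if not 10 <= len(pw) <= 32:
        problems.append("length must be 10 to 32 characters")
    # Assumption: characters outside the four listed types are rejected.
    if any(all(ch not in cls for cls in CLASSES) for ch in pw):
        problems.append("contains a character outside the listed types")
    if sum(any(ch in cls for ch in pw) for cls in CLASSES) < 3:
        problems.append("needs at least three of the four character types")
    return problems


def generate_password(length: int = 24) -> str:
    """Draw characters from a CSPRNG and retry until the policy is met."""
    if not 10 <= length <= 32:
        raise ValueError("length must be 10 to 32")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample names. The last one starts with an underscore, so it
    # does not match the dialog's rule; the page creates that user with SQL.
    for name in ("dts_migrator1", "dts_migrator_", "__oceanbase_inner_drc_user"):
        print(name, username_ok(name))
    print(password_problems("Abcdefghij"))  # constructed: only two character types
    print(password_problems(generate_password()))
```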

Permissions for a standard account of a source cluster instance

The following table describes the least privilege required for a standard account of an OceanBase cluster instance (MySQL tenant mode) when it is used as a data source at different stages of data migration.

| Table classification | Schema migration | Full migration | Incremental DML synchronization | Incremental DDL synchronization | Full verification | Reverse Incremental |
|---|---|---|---|---|---|---|
| Tables with primary keys or non-empty unique keys | Read-only | Read-only | Read-only | Read-only | Read-only | DDL Only (for DDL synchronization only); DML Only (for DML synchronization only); Read/Write (for DDL and DML synchronization) |
| Tables without primary keys or non-empty unique keys | Read-only | Read-only; requires the __oceanbase_inner_drc_user user | Read-only | Read-only | Requires the __oceanbase_inner_drc_user user | DDL Only (for DDL synchronization only); DML Only (for DML synchronization only); Read/Write (for DDL and DML synchronization) |

Permissions for a standard account of a destination cluster instance

The following table describes the least privilege required for a standard account of an OceanBase cluster instance (MySQL tenant mode) when it is used as a destination at different stages of data migration.

| Table classification | Schema migration | Full migration | Incremental DML synchronization | Incremental DDL synchronization | Full verification | Reverse incremental DML synchronization | Reverse incremental DDL synchronization |
|---|---|---|---|---|---|---|---|
| Tables with primary keys or non-empty unique keys | DDL Only | Read/Write | Read/Write | DDL Only | Read-only | Read-only | Read-only |
| Tables without primary keys or non-empty unique keys | DDL Only | Read/Write | Read/Write | DDL Only | Not supported | Read-only | Read-only |

Create and authorize the __oceanbase_inner_drc_user user

  1. Go to the Tenant Workbench page of the OceanBase Management Console.

  2. On the Tenant Workbench page, click Log On to Database in the upper-right corner.

    Alternatively, you can log on from the Database Management page.

  3. In the Select Database Account dialog box, enter the name of the database that you want to log on to, and then click OK.

  4. In the Enter Connection Password dialog box, enter the database password, and then click OK.

  5. After you log on to the database, execute the following command to create the __oceanbase_inner_drc_user user.

    create user __oceanbase_inner_drc_user identified by '<password>';

  6. After the user is created, execute the following command to grant permissions to the user.

    grant select on *.* to __oceanbase_inner_drc_user;