Michael

Posted on • Originally published at gbase.cn

GBase 8s User Management: Mapping OS Users and Internal Users

GBase 8s, the OLTP database developed in China by GBASE, supports two authentication paths: operating system users and database internal users. By configuring user mapping, you can control whether non‑OS users can log in and what privileges they inherit.

Configuring User Mapping

The USERMAPPING parameter accepts three values:

  • OFF – Only OS users can connect; internal users are blocked.
  • BASIC – Internal users can connect, but cannot perform privileged operations (DBSA, DBSSO, AAO) even if the mapped OS user holds those privileges.
  • ADMIN – Internal users can connect and, if the mapped OS user is a privileged user, the internal user also gains those administrative capabilities.

Set it dynamically:

onmode -wf USERMAPPING='BASIC'

You also need the file /etc/gbasedbt/allowed.surrogates. A minimal version:

USERS:daemon

After changing the file, reload the cache:

onmode -cache surrogates
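
As an added example (not from the original article or from GBase), the shell functions below read an allowed.surrogates file and report which surrogate OS users would pass administrative capabilities to internal users under each USERMAPPING value. It assumes comma-separated names on the USERS: line and a caller-supplied list of privileged OS accounts; the names surrogate_users, audit_mapping and appmap are hypothetical.

```shell
#!/bin/sh
# Added example: audit surrogate OS users against the USERMAPPING mode.

# Print each OS user named on a USERS: line of FILE, one per line.
# Assumption: several users are comma-separated on the line.
surrogate_users() {
    sed -n 's/^USERS:[[:space:]]*//p' "$1" | tr ',' '\n' |
        sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# audit_mapping MODE FILE "PRIVILEGED USERS"
#   MODE        value of USERMAPPING (OFF, BASIC or ADMIN)
#   FILE        path to an allowed.surrogates file
#   PRIVILEGED  space-separated OS users you treat as privileged
#               (assumption: you supply this list, e.g. DBSA accounts)
# Returns 1 if any surrogate would pass privileges to internal users.
audit_mapping() {
    mode=$1 file=$2 privileged=$3 rc=0
    case $mode in
        OFF) echo "INFO: USERMAPPING=OFF, internal users cannot connect"
             return 0 ;;
        BASIC|ADMIN) ;;
        *)   echo "ERROR: unknown USERMAPPING value '$mode'"; return 2 ;;
    esac
    for u in $(surrogate_users "$file"); do
        case " $privileged " in
            *" $u "*)
                if [ "$mode" = ADMIN ]; then
                    echo "RISK: internal users mapped to '$u' gain its privileges"
                    rc=1
                else
                    echo "NOTE: '$u' is privileged; BASIC blocks privileged operations"
                fi ;;
            *)  echo "OK: surrogate '$u' is not in the privileged list" ;;
        esac
    done
    return $rc
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf 'USERS:daemon,appmap\n' > "$sample"
audit_mapping ADMIN "$sample" "gbasedbt daemon" || true
rm -f "$sample"
```

A non-zero return under ADMIN means at least one listed surrogate is also in your privileged list, so every internal user mapped to it can perform administrative operations.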

Creating a Default OS Mapping User

Inside the sysuser database, create a default user that internal users will map to:

CREATE DEFAULT USER WITH PROPERTIES USER daemon HOME "/home/gbasedbt/users";

Creating an Internal User and Granting Permissions

  1. Create the user:
   CREATE USER testuser WITH PASSWORD 'testuser';
  2. Grant database‑level privileges (CONNECT, RESOURCE, DBA):
   echo "GRANT DBA TO testuser;" | dbaccess testdb -
  3. Connect as an internal user:
   dbaccess - -
   CONNECT TO 'testdb@ol_gbasedbt1210' USER 'testuser';

Locking and Unlocking Users

Run directly as the gbasedbt OS user:

ALTER USER testuser ACCOUNT LOCK;   -- lock
ALTER USER testuser ACCOUNT UNLOCK; -- unlock

OS User Access

Create an OS account and add it to the gbasedbt group:

useradd daemon
usermod -g gbasedbt daemon

Then grant database privileges from within the database:

GRANT DBA TO daemon;

To add a supplementary group instead of changing the primary group:

usermod -a -G gbasedbt daemon

Viewing User Info

Query the sysusers table; usertype values: D = DBA, C = CONNECT, etc.

SELECT * FROM sysusers;

The sysusermap table shows how internal users are mapped to OS users.

By combining OS‑level accounts with internal users and fine‑grained mapping, you can set up a GBase database access model that is both secure and flexible, and well suited to independently controlled enterprise environments.
