TiDB supports high-privilege accounts

[gejibin]

Feature Request

在公有云上，给TiDB用户创建一个高权限的账号，权限与root账号一样，但是该高权限账号有如下限制：

1. 不能删除root账号，修改root密码。
   2.不能删除内置账号，哪些是内置账号可以通过配置文件指定。

这样，用户可以通过高权限的账号做自己的任何操作，同时不影响服务提供方（公有云）运维tidb数据库。

目前，aurora和polarDB均支持这种高权限的账号。

On the public cloud, create a high-privilege account for TiDB users. The permissions are the same as the root account, but the high-privilege account has the following restrictions:

1. Can not delete the root account and change the root password.
2. It is not possible to delete the built-in account, which can be specified through the configuration file.

In this way, users can do any of their operations through a high-privilege account without affecting the service provider (public cloud) operation and maintenance of the tidb database.

Currently, both aurora and polarDB support such high-privilege accounts.

[zhangjinpeng87]

@gejibin Would you mind to participate in the development of this feature if we provide the design RFC?

[gejibin]

@zhangjinpeng1987 if you can provide the detail-level design, we can Participate in development. But we are not very sure about the timing. If you can finish the detailed design next month, we may be able to complete this function before October.

[zz-jason]

In this way, users can do any of their operations through a high-privilege account without affecting the service provider (public cloud) operation and maintenance of the tidb database.

Can it be accomplished by the current privilege system?

I'm a little confused about the desired privilege, could you give some links about the described privilege management in Aurora and PolarDB?

[gejibin]

@zz-jason you can try to use the aurora or polarDB in Amazon Cloud or Alibaba Cloud.

[ghost]

I believe this is a duplicate of #14148

There are a few ways to implement this, my preference would be via an admin-only port.