| Tarantool

_user is a system space where user-names and password hashes are stored.

Tuples in this space contain the following fields:

  • the numeric id of the tuple (“id”),
  • the numeric id of the tuple’s creator,
  • the name,
  • the type: ‘user’ or ‘role’,
  • optional password.

There are five special tuples in the _user space: ‘guest’, ‘admin’, ‘public’, ‘replication’, and ‘super’.

Name ID Type Description
guest 0 user Default user when connecting remotely. Usually an untrusted user with few privileges.
admin 1 user Default user when using Tarantool as a console. Usually an administrative user with all privileges.
public 2 role Pre-defined role, automatically granted to new users when they are created with box.schema.user.create(user-name). Therefore a convenient way to grant ‘read’ on space ‘t’ to every user that will ever exist is with box.schema.role.grant('public','read','space','t').
replication 3 role Pre-defined role, which the ‘admin’ user can grant to users who need to use replication features.
super 31 role Pre-defined role, which the ‘admin’ user can grant to users who need all privileges on all objects. The ‘super’ role has these privileges on ‘universe’: read, write, execute, create, drop, alter.

To select a tuple from the _user space, use For example, here is what happens with a select for user id = 0, which is the ‘guest’ user, which by default has no password:

- - [0, 1, 'guest', 'user']


To change tuples in the _user space, do not use ordinary functions for insert or update or delete. The _user space is special, so there are special functions which have appropriate error checking.

To create a new user, use box.schema.user.create():

box.schema.user.create(*user-name*, {if_not_exists = true})
box.schema.user.create(*user-name*, {password = *password*})

To change the user’s password, use box.schema.user.password():

-- To change the current user's password

-- To change a different user's password
-- (usually only 'admin' can do it)
box.schema.user.passwd(*user-name*, *password*)

To drop a user, use box.schema.user.drop():


To check whether a user exists, use box.schema.user.exists(), which returns true or false:


To find what privileges a user has, use*user-name*)


The maximum number of users is 32.


Here is a session which creates a new user with a strong password, selects a tuple in the _user space, and then drops the user.

tarantool> box.schema.user.create('JeanMartin', {password = 'Iwtso_6_os$$'})
- - [17, 1, 'JeanMartin', 'user', {'chap-sha1': 't3xjUpQdrt857O+YRvGbMY5py8Q='}]
tarantool> box.schema.user.drop('JeanMartin')
Found what you were looking for?