The key to security for VoltDB applications is the users and roles defined in the schema and deployment files. You define users in the deployment file and roles in the schema.
This split is deliberate because it allows you to define the overall security structure globally in the schema, assigning permissions to generic roles (such as operator, dbuser, apps, and so on). You then define specific users and assign them to the generic roles as part of the deployment. This way you can create one configuration (including cluster information and users) for development and testing, then move the database to a different configuration and a different set of users for production by changing only one file: the deployment file.
You define users within the <users> ... </users> tag set in the deployment file. The syntax for defining users is as follows.
<deployment>
   <users>
      <user name="user-name"
            password="password-string"
            roles="role-name[,...]" />
      [ ... ]
   </users>
   ...
</deployment>
Include a <user> tag for every username/password pair you want to define.
Then within the schema you define the roles the users can belong to. You define roles with the CREATE ROLE statement.
CREATE ROLE role-name;
You specify which roles a user belongs to as part of the user definition in the deployment file, using the roles attribute of the <user> tag. For example, the following code defines three users, assigning operator and developer the ops role and developer and clientapp the dbuser role. When a user is assigned more than one role, you specify the role names as a comma-delimited list.
<deployment>
   <users>
      <user name="operator" password="mech" roles="ops" />
      <user name="developer" password="tech" roles="ops,dbuser" />
      <user name="clientapp" password="xyzzy" roles="dbuser" />
   </users>
</deployment>
Two important notes concerning the assignment of users and roles:
Users must be assigned at least one role, or else they have no permissions. (Permissions are assigned by role.)
There must be a corresponding role defined in the schema for any roles listed in the deployment file.
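Both notes can be checked before a deployment file is put into use. The following is an added example, not part of the VoltDB documentation or tooling: a small Python check that reports users with no roles and roles that have no CREATE ROLE statement in the schema. The function names and sample inputs are constructed for illustration, and the check assumes role names compare case-insensitively and that each CREATE ROLE statement starts its own line.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real deployment).
SAMPLE_DEPLOYMENT = """\
<deployment>
  <users>
    <user name="operator" password="example-1" roles="ops" />
    <user name="developer" password="example-2" roles="ops,dbuser" />
    <user name="clientapp" password="example-3" roles="dbusr" />
    <user name="auditor" password="example-4" roles="" />
  </users>
</deployment>
"""

SAMPLE_SCHEMA = """\
CREATE ROLE ops;
CREATE ROLE dbuser;
"""

# Matches "CREATE ROLE name" at the start of a line; commented-out lines are skipped.
ROLE_RE = re.compile(r"^\s*CREATE\s+ROLE\s+([A-Za-z_][A-Za-z0-9_]*)",
                     re.IGNORECASE | re.MULTILINE)

def schema_roles(ddl):
    """Return the set of role names declared in the schema (lower-cased)."""
    return {name.lower() for name in ROLE_RE.findall(ddl)}

def check_users(deployment_xml, ddl):
    """Return (user, problem) tuples for violations of the two notes above."""
    defined = schema_roles(ddl)
    problems = []
    root = ET.fromstring(deployment_xml)
    for user in root.findall("./users/user"):
        name = user.get("name", "<unnamed>")
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if not roles:
            problems.append((name, "no roles assigned, user has no permissions"))
        for role in roles:
            if role.lower() not in defined:
                problems.append((name, f"role '{role}' has no CREATE ROLE in the schema"))
    return problems

if __name__ == "__main__":
    for name, problem in check_users(SAMPLE_DEPLOYMENT, SAMPLE_SCHEMA):
        print(f"{name}: {problem}")
```

On the constructed sample, the check flags clientapp (the misspelled role dbusr) and auditor (empty roles attribute).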