User Permissions and Roles
User Privileges
Privileges consist of two components: an action and an object. An action refers to a type of operation that is permitted to be carried out on an object:
List of Actions
Some privileges must specify the exact object to which they apply by using a selector. In this case the object is a specific entity, identified by its name, such as a schema, table, view, configuration, deployment unit and others. For example, CLUSTER_CONFIG - READ_CLUSTER_CONFIG does not have a selector. ALTER_SCHEMA - SCHEMA needs to specify which schema should be used (PUBLIC, MY_SCHEMA_NAME). These privileges are marked in the Has Selector column of the tables below.
Cluster Configuration
Name | Has Selector | Description |
---|---|---|
READ_CLUSTER_CONFIG | no | Allows the user to access information about cluster configuration. |
WRITE_CLUSTER_CONFIG | no | Allows the user to change cluster configuration. |
READ_NODE_CONFIG | no | Allows the user to access information about individual node configuration. |
WRITE_NODE_CONFIG | no | Allows the user to change node configuration. |
Code Deployment
Name | Has Selector | Description |
---|---|---|
DEPLOY_UNIT | yes | Allows the user to send deployment units to the cluster. |
UNDEPLOY_UNIT | yes | Allows the user to remove deployment units from the cluster. |
READ_UNIT | no | Allows the user to access information about deployment units. |
Distributed Computing
Name | Has Selector | Description |
---|---|---|
GET_JOB_STATE | no | Allows the user to access information about a single job the user has access to, and its results if any. The user always has access to jobs they started. |
GET_JOB_STATES | yes | Allows the user to access information about all jobs the user has access to, and their results if any. |
EXEC_JOB | yes | Allows the user to execute a distributed computing job. |
KILL_JOB | yes | Allows the user to stop a distributed computing job. |
Metrics
Name | Has Selector | Description |
---|---|---|
ENABLE_METRICS | no | Allows the user to enable metrics on the cluster. |
DISABLE_METRICS | no | Allows the user to disable metrics on the cluster. |
LIST_METRICS | no | Allows the user to access the list of enabled metrics on the cluster. |
READ_METRICS | no | Allows the user to get metrics. |
Access Control
Name | Has Selector | Description |
---|---|---|
CREATE_USER | no | Allows the user to create more users. |
EDIT_USER | no | Allows the user to edit user configuration. |
READ_USER | no | Allows the user to access information about users. |
DROP_USER | no | Allows the user to delete users. |
CREATE_ROLE | no | Allows the user to create roles. |
READ_ROLE | no | Allows the user to access information about user roles. |
DROP_ROLE | no | Allows the user to delete roles. |
GRANT_ROLE | no | Allows the user to grant roles to users. |
REVOKE_ROLE | no | Allows the user to revoke roles from users. |
GRANT_PRIVILEGE | no | Allows the user to assign privileges to roles. |
REVOKE_PRIVILEGE | no | Allows the user to revoke privileges from roles. |
Distribution Zone
Name | Has Selector | Description |
---|---|---|
CREATE_DISTRIBUTION_ZONE | no | Allows the user to create new distribution zones. |
ALTER_DISTRIBUTION_ZONE | no | Allows the user to alter distribution zones. |
DROP_DISTRIBUTION_ZONE | no | Allows the user to delete distribution zones. |
Schema
Name | Has Selector | Description |
---|---|---|
READ_SCHEMA | yes | Allows the user to access schema information. |
Sequence Configuration
Name | Has Selector | Description |
---|---|---|
CREATE_SEQUENCE | yes | Allows the user to create new sequences. |
ALTER_SEQUENCE | yes | Allows the user to change sequences. |
USE_SEQUENCE | yes | Allows the user to use sequences. |
DROP_SEQUENCE | yes | Allows the user to drop sequences. |
Table
Name | Has Selector | Description |
---|---|---|
CREATE_TABLE | yes | Allows the user to use the |
SELECT_FROM_TABLE | yes | Allows the user to use the |
ALTER_TABLE | yes | Allows the user to use the |
DROP_TABLE | yes | Allows the user to use the |
INSERT_INTO_TABLE | yes | Allows the user to use the |
DELETE_FROM_TABLE | yes | Allows the user to use the |
UPDATE_TABLE | yes | Allows the user to use the |
CREATE_INDEX | yes | Allows the user to use the |
DROP_INDEX | yes | Allows the user to use the |
USE_INDEX | yes | Allows the user to use the index in their SQL statements. |
System View
Name | Has Selector | Description |
---|---|---|
CREATE_VIEW | yes | Allows the user to create a view. |
SELECT_FROM_VIEW | yes | Allows the user to select from the view. |
ALTER_VIEW | yes | Allows the user to change the view. |
DROP_VIEW | yes | Allows the user to delete the view. |
Snapshots
Name | Has Selector | Description |
---|---|---|
CREATE_SNAPSHOT | no | Allows the user to create a snapshot. |
RESTORE_SNAPSHOT | no | Allows the user to restore data from a snapshot. |
DELETE_SNAPSHOT | no | Allows the user to delete the snapshot. |
CHECK_SNAPSHOT | no | Allows the user to access snapshot information. |
Object Permission Hierarchy
Objects in GridGain 9 are organized in a hierarchy.
Actions allowed on the object are also allowed on its children. For example, if you have a PUBLIC schema and allow the SELECT_FROM_TABLE action on it, the user with the role will be able to perform the SELECT SQL action on all tables in the PUBLIC schema.
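The inheritance rule above can be modelled to audit which table access a role gets only because of a broader schema-level grant. This is an added illustration, not GridGain code or its API: the `Grant` type, the helper functions, the dotted `SCHEMA.TABLE` naming and the sample role and table names are all assumptions, and only the schema-to-table level from the page's example is modelled.

```python
# Added illustration, not GridGain code: models selector matching and
# parent-to-child inheritance of privileges. Object names are constructed.
from typing import NamedTuple, Optional

# Privileges the page lists with "Has Selector: no" (subset used here).
NO_SELECTOR = {"READ_CLUSTER_CONFIG", "CREATE_USER", "GRANT_PRIVILEGE"}

class Grant(NamedTuple):
    action: str
    selector: Optional[str] = None  # e.g. "PUBLIC" or "PUBLIC.ORDERS"

def lineage(obj: str) -> list:
    """Return obj followed by its parents, assuming dotted SCHEMA.TABLE names."""
    parts = obj.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]

def is_allowed(grants, action: str, obj: Optional[str] = None) -> bool:
    """True if a grant covers the action on obj directly or through a parent."""
    for g in grants:
        if g.action != action:
            continue
        if action in NO_SELECTOR:
            return True  # privilege is not tied to a named object
        if obj is not None and g.selector in lineage(obj):
            return True
    return False

def inherited_access(grants, objects):
    """Audit view: (action, object, granted_on) rows where access comes from a parent."""
    rows = []
    for g in grants:
        for obj in objects:
            if g.selector and g.selector in lineage(obj)[1:]:
                rows.append((g.action, obj, g.selector))
    return rows

# Constructed sample role and objects.
ANALYST = [
    Grant("SELECT_FROM_TABLE", "PUBLIC"),         # schema-level grant
    Grant("INSERT_INTO_TABLE", "PUBLIC.ORDERS"),  # single-table grant
    Grant("READ_CLUSTER_CONFIG"),
]
TABLES = ["PUBLIC.ORDERS", "PUBLIC.CUSTOMERS", "MY_SCHEMA_NAME.AUDIT"]

if __name__ == "__main__":
    for row in inherited_access(ANALYST, TABLES):
        print(row)
```

Rows returned by `inherited_access` are the ones to review for least privilege, since a table added to the schema later is covered by the same grant.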