Baidu AI Cloud

Privilege Management

Palo's privilege management system is modeled on the privilege management mechanism of MySQL: it provides table-level fine-grained permission control and supports a whitelist mechanism.

Word explanation

  1. User identity user_identity

    In the privilege system, a user is identified by a User Identity. A user identity consists of two parts: username and userhost. username is the user name, which is composed of upper- and lower-case English letters. userhost is the IP address from which the user connects. user_identity is presented in the form username@'userhost', meaning the user username connecting from userhost.

    Another presentation of user_identity is username@['domain'], where domain is a domain name that can be resolved to a group of IPs through DNS or BNS (Baidu Name Service). The final presentation is a group of username@'userhost' entries, so username@'userhost' is used in the following.

  2. Privilege Privilege

    The objects of privilege are nodes, databases, tables or resources. Different privileges represent different operation privileges.

  3. Role Role

    Palo can create custom-named roles, which can be seen as a collection of a set of privileges. A newly created user can be given a role, which means the user is automatically given the privileges owned by that role. Subsequent privilege changes to a role are also reflected in the privileges of every user belonging to that role.

  4. User property user_property

    User properties are attached directly to a user, not to a user identity. That is, both cmy@'192.%' and cmy@['domain'] share the same set of user properties, which belong to the user cmy, not to cmy@'192.%' or cmy@['domain'].

    User properties include but are not limited to: maximum number of user connections, load cluster configuration, etc.

Supported operations

  1. Create a user: CREATE USER
  2. Delete a user: DROP USER
  3. Grant: GRANT
  4. Revoke: REVOKE
  5. Create a role: CREATE ROLE
  6. Drop a role: DROP ROLE
  7. View user privileges: SHOW GRANTS
  8. View created roles: SHOW ROLES
  9. View user property: SHOW PROPERTY
  10. Set user property: SET PROPERTY

Privilege descriptions

Palo currently supports the following privileges:

  1. Node_priv

    The node-changing privilege, covering addition, deletion, taking offline and other operations on FE, BE and BROKER nodes. At present, this privilege can only be granted to the Root user.

  2. Grant_priv

    The privilege-changing privilege, which allows operations such as granting and revoking privileges and adding, deleting or changing users and roles.

  3. Select_priv

    Read-only privilege on databases and tables.

  4. Load_priv

    Write privilege on databases and tables, including Load, Insert, Delete and other operations.

  5. Alter_priv

    The privilege to change databases and tables, including renaming a database or table, adding, deleting or changing columns, and other operations.

  6. Create_priv

    The privilege to create databases and tables.

  7. Drop_priv

    The privilege to delete databases and tables.

  8. Usage_priv

    The privilege to use certain Resources.

Best practices

  1. The following users and roles are created automatically when Palo is initialized:

    1. Role admin: this role has Admin_priv, which means all privileges except node changes.
    2. admin@'%': the user admin, who is allowed to log in from any node and holds the role admin.
  2. Deleting or changing the privileges of the roles or users created by default is not supported.
  3. More than one user with the role admin can be created.
  4. Some instructions that may lead to conflicts

    1. Domain name and IP conflict:

      Suppose the following user is created:

      CREATE USER cmy@['domain'];

      and is granted the following privilege:

      GRANT SELECT_PRIV ON *.* TO cmy@['domain'];

      The domain name resolves to two IPs: ip1 and ip2.

      Suppose we then grant a separate privilege to cmy@'ip1':

      GRANT ALTER_PRIV ON *.* TO cmy@'ip1';

      The privileges of cmy@'ip1' then become SELECT_PRIV and ALTER_PRIV. When the privileges of cmy@['domain'] are changed again afterwards, cmy@'ip1' will no longer follow the change.

    2. Overlapping IP conflict:

      Suppose the following users are created:

      CREATE USER cmy@'%' IDENTIFIED BY "12345";
      CREATE USER cmy@'192.%' IDENTIFIED BY "abcde";

      In terms of priority, '192.%' takes precedence over '%'. Therefore, when the user cmy attempts to log in to Palo with the password '12345' from the host 192.168.1.1, the login will be rejected.

  5. When a user forgets the password

    Public cloud users can refer to "Reset administrator password".

    After logging in, refer to the SET PASSWORD command to reset the password.
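The following is an added example, not code from the original page or from Palo's own documentation: a least-privilege setup that walks through the supported operations and privileges above, and restricts the userhost instead of using '%' so that the IP-precedence behaviour described in the conflict section works in the administrator's favour. The names reporting_db, sales, analyst and the host range are constructed, and the exact statement grammar (the quoting of role names and the SET PROPERTY / SHOW PROPERTY forms) follows Doris-style syntax, which is assumed where the page does not show it.

```sql
-- Added example (not from the original page). Object names are constructed;
-- the statement grammar beyond what the page shows is assumed Doris-style.

-- 1. A role is a named collection of privileges. Grant read-only access on
--    one table only, rather than SELECT_PRIV ON *.* as in the page's example.
CREATE ROLE analyst;
GRANT SELECT_PRIV ON reporting_db.sales TO ROLE 'analyst';

-- 2. Create the user with a narrow userhost (whitelist) and attach the role.
--    The identity is username@'userhost'; '192.168.1.%' limits where the
--    user may connect from, and a more specific host wins over '%'.
CREATE USER cmy@'192.168.1.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
    DEFAULT ROLE 'analyst';

-- 3. User properties belong to the user name cmy, not to the identity,
--    so this limit applies to every cmy@'...' identity.
SET PROPERTY FOR 'cmy' 'max_user_connections' = '10';

-- 4. Verify the effective privileges before handing over the account.
SHOW GRANTS FOR cmy@'192.168.1.%';
SHOW ROLES;
SHOW PROPERTY FOR 'cmy';

-- 5. A privilege granted directly to the identity is tracked separately
--    from the role; revoking it leaves the role's privileges untouched.
GRANT LOAD_PRIV ON reporting_db.sales TO cmy@'192.168.1.%';
REVOKE LOAD_PRIV ON reporting_db.sales FROM cmy@'192.168.1.%';

-- 6. Clean up: drop the user before the role it depends on.
DROP USER cmy@'192.168.1.%';
DROP ROLE analyst;
```

Running SHOW GRANTS after step 5 is the quickest way to confirm that only the role's SELECT_PRIV remains on reporting_db.sales.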
