Note
This documentation is for a prior release of Kinetica. For the latest documentation, click here.
Kinetica provides basic table-level role-based access control for users. It also allows global read/write and administrative access to be granted. For details about Kinetica security, see Security Concepts.
Tip
A limited set of user/role information can be extracted via function calls. See User/Security Functions for details.
Security features accessible via SQL include:
- User Management
- Role Management
- Privilege Management
- Impersonation (Execute As...) - enables execution of commands as another user
User Management
The ability to manage user accounts is available through SQL, using the following commands:
See Users for details about users within Kinetica.
CREATE USER
Users can be added to the system and assigned permissions either directly or via roles.
Optionally, the user can be associated with a resource group and/or be assigned a default schema.
|
|
Note
The password needs to be single-quoted and must not contain single quotes.
For example, two of the ways to create a new internal user with the user ID of jsmith and a password of secret are:
|
|
To create an internal user with the user ID of jsmith, a password of secret, and assigning the memory_over_execution resource group:
|
|
To create a user with an existing external LDAP user, the user name should match the LDAP user name and be prepended with the @ symbol; no password is supplied, as the user will be externally authenticated:
|
|
ALTER USER
Any of the following facets of a user can be altered, either individually or as a group:
- password
- resource group
- default schema
|
|
Note
The password needs to be single-quoted and must not contain single quotes.
For example, to alter a user with the user ID of jsmith, assigning a password of new_secret, and the memory_over_execution resource group:
|
|
To unassign the memory_over_execution resource_group from the jsmith user:
|
|
DROP USER
Any user, other than the default users, can be removed from the system. Note that any database objects created by a user will remain when the user is removed.
|
|
For example, to drop an internal user jsmith:
|
|
To drop an external LDAP user jsmith:
|
|
SHOW SECURITY FOR User
For any one or more (or all) users in the system, the following can be listed:
In addition, permissions, roles, & resource groups will be listed recursively for the roles the specified users have and the roles those roles have, etc. This allows the full set of permissions for a given user, both direct & inherited, to be viewed with one command.
|
|
For example, to show the permissions, roles, resource group, and default schema for user jsmith:
|
|
Role Management
The ability to manage roles is available through SQL, using the following commands:
See Roles for details about roles within Kinetica.
CREATE ROLE
A new role can be created as a container for permissions or other roles, though both of those must be granted to the role after its creation.
Optionally, the role can be associated with a resource group.
|
|
For example, to create an analyst role:
|
|
To create an executive role, assigning it the execution_over_memory resource group:
|
|
ALTER ROLE
A role can have its associated resource group modified.
|
|
For example, to assign the memory_over_execution resource group to the analyst role:
|
|
To unassign the resource group from the analyst role:
|
|
DROP ROLE
Dropping a role will remove the associated permissions & roles granted through the role to all users with the role. Users & roles granted the same permissions either directly or via other roles will retain those permissions.
Any role, other than the default roles, can be removed from the system.
|
|
For example, to drop the analyst role:
|
|
SHOW SECURITY FOR Role
For any one or more (or all) roles in the system, the following can be listed:
In addition, these attributes will be listed recursively for the roles the specified roles have and the roles those roles have, etc. This allows the full set of permissions for a given role, both direct & inherited, to be viewed with one command.
|
|
To show the permissions, roles, and resource group for the analyst role:
|
|
Privilege Management
The ability to manage user & role privileges is available through SQL, using the following commands:
- Roles (GRANT | REVOKE)
- System Permissions (GRANT | REVOKE)
- Schema Permissions (GRANT | REVOKE)
- Table Permissions (GRANT | REVOKE)
- Credential Permissions (GRANT | REVOKE)
- Data Source Permissions (GRANT | REVOKE)
- Data Sink Permissions (GRANT | REVOKE)
- Directory Permissions (GRANT | REVOKE)
- Function Permissions (GRANT | REVOKE)
- Graph Permissions (GRANT | REVOKE)
- Procedure Permissions (GRANT | REVOKE)
- SQL-GPT Context Permissions (GRANT | REVOKE)
- Stream Permissions (GRANT | REVOKE)
- SHOW SECURITY
- CHECK
See Users for details about user accounts within Kinetica.
GRANT Role
Roles can be granted directly to users or other roles.
|
|
For example, to grant a role allowing access to analyst tables to the analyst role, and then grant that analyst role to user jsmith:
|
|
GRANT SYSTEM Permission
System permissions can be granted directly to users or roles.
|
|
|
|
For example, to grant system administrator permission to jsmith:
|
|
To grant read access to all tables to the auditor role:
|
|
To grant user administrator permission to jsmith:
|
|
GRANT Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be granted directly to users or roles.
|
|
Parameters | Description | ||||||
---|---|---|---|---|---|---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility | ||||||
SCHEMA | Optional keyword to avoid ambiguity between a grant to a schema and a grant to a table/view in the user's default schema | ||||||
<schema reference> | Either the name of the schema to which access is being granted or a wildcard expression signifying the schema(s) and table(s)/views(s) to which access is being granted
|
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission to CREATE, ALTER, & DROP any table or view in the specified schema(s).
Examples
To grant SELECT access on all schemas to the auditor role:
|
|
To grant SELECT access on all current and future tables & views within the app_schema schema to the app_user role:
|
|
To grant full access on each of the schemas, tables, & views in the database individually to the dbadmin role:
|
|
GRANT Table Permission
Table permissions, which can be applied to tables and views, can be granted directly to users or roles.
Row-level security can be invoked for SELECT privilege by specifying a WHERE clause expression.
Column-level security can be invoked for SELECT privilege by specifying a list of accessible columns and/or column security functions.
|
|
Parameters | Description |
---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility |
TABLE | Optional keyword for SQL-92 compatibility, and to avoid ambiguity between a grant to a table/view in the user's default schema (when <schema name> is omitted) and a grant to a schema |
<schema name> | The name of the schema containing the table to which access is being granted; if omitted, the table/view will be looked for in the default schema |
<table/view name> | The name of the table/view to which access is being granted; the wildcard * can be used to grant access to all tables/views within the given <schema name> schema |
<column list> | Optional comma-separated list of specific table columns and/or column security functions applied to columns on which to grant access; see Column-Level Security for details |
WHERE <expression> | Optional filter expression on the table to which access is being granted, determining to which rows of the target table the grantee will be given access; see Row-Level Security for details |
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission either to ALTER and DROP the specified table.
Examples
For example, to grant full access on the network_config table to jsmith:
|
|
To grant SELECT access on the network_config_history table to the analyst role:
|
|
To grant full access on each of the tables & views within the example schema to the developer role:
|
|
Row-Level Security Examples
To grant SELECT access on an rx_order table for all orders placed since the year 2002:
|
|
To grant SELECT access on an rx_order table for only orders belonging to the current user:
|
|
Column-Level Security Examples
To grant SELECT access on the following columns of an rx_order table:
- obfuscated version of the orderer's social security number
- name of the prescription ordered
- order date/time
|
|
To grant SELECT access on the following columns of an rx_order table:
- masked version of the orderer's social security number (last 4 digits)
- name of the orderer
- name of the prescription ordered
- order date/time
|
|
GRANT Credential Permission
Credential permissions, which allow management of credentials, can be granted directly to users or roles.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given credential (includes READ access) |
READ | Use or view the configuration of the given credential |
For example, to grant read access on the credential named auser_azure_active_dir_creds to the auser user:
|
|
To grant administrative access on the credential to the auser user:
|
|
GRANT Data Source Permission
Data source permissions, which allow management of data sources, can be granted directly to users or roles.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given data source (includes CONNECT access) |
CONNECT | Connect to, load data from, or view the configuration of the given data source |
For example, to grant connect access on the data source named kin_ds to the auser user:
|
|
To grant administrative access on the data source named kin_ds_anon to the auser user:
|
|
GRANT Data Sink Permission
Data sink permissions, which allow management of data sinks, can be granted directly to users or roles.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given data sink (includes CONNECT access) |
CONNECT | Connect to, load data into, or view the configuration of the given data sink |
For example, to grant connect & load access on the data sink named kin_dsink to the auser user:
|
|
To grant administrative access on the data sink named kin_dsink_http to the auser user:
|
|
GRANT Directory Permission
KiFS directory permissions, which allow management of files within KiFS directories, can be granted directly to users or roles.
|
|
Permission | Description |
---|---|
READ | List, download, or load data from files within the given directory |
WRITE | Upload files to or delete files from the given directory (includes READ access) |
For example, to grant read access on a directory named kdata to the kuser user:
|
|
To grant write access on a directory named kdata to the kuser user:
|
|
GRANT Function (UDF/UDTF) Permission
Function permissions, which allow management of UDFs/UDTFs, can be granted directly to users or roles.
|
|
Permission | Description |
---|---|
ADMIN | Drop the given UDF, and display full configuration about it (includes EXECUTE access). When * is used instead of function name, gives permission to create, drop, & execute any UDF, and also gives permission to manage Python UDF function environments |
EXECUTE | Run and terminate the given UDF, and display limited configuration about it |
<function name> | The name of the UDF to which access is being granted; use * instead of function name to grant access to all existing & future UDFs |
For example, to grant execute on the udf_sos_py_proc UDF to udf_user:
|
|
To grant administrative access on every existing & future UDF, as well as the ability to manage Python UDF environments, to udf_user:
|
|
GRANT Graph Permission
Graph permissions, which allow management of network graphs, can be granted directly to users or roles.
|
|
For example, to grant query, match, solve, & show access on the graph named big_cities_graph to geo_user:
|
|
GRANT Procedure Permission
Procedure permissions, which allow execution of SQL procedures, can be granted directly to users or roles.
|
|
For example, to grant execute on the sqlp_weekly procedure to spuser:
|
|
GRANT SQL-GPT Context Permission
SQL-GPT context permissions, which allow management of SQL-GPT contexts, can be granted directly to users or roles.
|
|
For example, to grant read access on the SQL-GPT context named example.atc_ctx to the ctxuser user:
|
|
GRANT Stream Permission
Stream permissions, which allow removal & display of streams, can be granted directly to users or roles.
|
|
For example, to grant administrative access on the stream named kin_stream to the auser user:
|
|
REVOKE Role
Roles can be revoked from users or other roles.
|
|
For example, to revoke a role allowing access to analyst tables from the analyst role:
|
|
To revoke the analyst role from user jsmith:
|
|
REVOKE SYSTEM Permission
System permissions can be revoked from users or roles.
|
|
|
|
For example, to revoke system administrator permission from jsmith:
|
|
To revoke read access to all tables from the auditor role:
|
|
To revoke user administrator permission from jsmith:
|
|
REVOKE Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be revoked from users or roles.
|
|
Parameters | Description | ||||||
---|---|---|---|---|---|---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility | ||||||
SCHEMA | Optional keyword to avoid ambiguity between revoking a grant to a schema and a grant to a table/view in the user's default schema | ||||||
<schema reference> | Either the name of the schema to which access is being revoked or a wildcard expression signifying the schema(s) and table(s)/views(s) to which access is being revoked
|
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission to CREATE, ALTER, & DROP any table or view in the specified schema(s).
Examples
To revoke SELECT access on all schemas from the auditor role:
|
|
To revoke SELECT access on all current and future tables & views within the app_schema schema from the app_user role:
|
|
To revoke full access on each of the schemas, tables, & views in the database individually from the dbadmin role:
|
|
REVOKE Table Permission
Table permissions, which can be applied to tables and views, can be revoked from users or roles.
Row-level security can be revoked for SELECT privilege only by revoking SELECT privilege from the entire table.
Note
Access to individual rows cannot be revoked; instead, full SELECT access should be revoked, followed by a grant of access to the appropriate rows.
Column-level security can be revoked for SELECT privilege by specifying a list of columns for which access will be revoked, regardless of any security functions that may have been applied to the column when granting access (HASH, MASK).
|
|
Parameters | Description |
---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility |
TABLE | Optional keyword for SQL-92 compatibility, and to avoid ambiguity between revoking a grant to a table/view in the user's default schema (when <schema name> is omitted) and a grant to a schema |
<schema name> | The name of the schema containing the table/view to which access is being revoked; if omitted, the table/view will be looked for in the default schema |
<table/view name> | The name of the table to which access is being revoked; the wildcard * can be used to revoke access to all tables/views within the given <schema name> schema |
<column list> | Optional comma-separated list of specific table columns to which access is being revoked; see Column-Level Security for details |
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission either to ALTER and DROP the specified table or to CREATE, ALTER, & DROP all tables in the specified schema.
Examples
For example, to revoke full access on the network_config table from jsmith:
|
|
To revoke SELECT access on the network_config_history table from the analyst role:
|
|
To revoke full access on each of the tables & views within the example schema from the developer role:
|
|
Row-Level Security Examples
To revoke SELECT access on an rx_order table for all orders placed since the year 2002 (as was granted in the row-level grant example), revoke all SELECT access:
|
|
Column-Level Security Examples
To revoke SELECT access on the following columns of an rx_order table:
- orderer's social security number
|
|
To revoke SELECT access on the following columns of an rx_order table:
- masked version of the orderer's social security number (last 4 digits)
- name of the prescription ordered
|
|
REVOKE Credential Permission
Permissions on credentials that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke read access on the credential named auser_azure_active_dir_creds from the auser user:
|
|
To revoke administrative access on the credential from the auser user:
|
|
REVOKE Data Source Permission
Permissions on data sources that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke connect access on the data source named kin_ds from the auser user:
|
|
To revoke administrative access on the data source named kin_ds_anon from the auser user:
|
|
REVOKE Data Sink Permission
Permissions on data sinks that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke connect access on the data sink named kin_dsink from the auser user:
|
|
To revoke administrative access on the data sink named kin_dsink_http from the auser user:
|
|
REVOKE Directory Permission
Permissions on KiFS directories that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke read access on a directory named kdata from the kuser user:
|
|
To revoke write access on a directory named kdata from the kuser user:
|
|
REVOKE Function (UDF/UDTF) Permission
Permissions relating to UDFs/UDTFs and Python UDF function environments that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke execute on the udf_sos_py_proc UDF from udf_user:
|
|
To revoke administrative access on every existing & future UDF, as well as the ability to manage function environments, from udf_user:
|
|
REVOKE Graph Permission
Permissions on network graphs that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke query, match, solve, & show access on the graph named big_cities_graph from geo_user:
|
|
REVOKE Procedure Permission
Permissions relating to SQL procedures can be revoked from users or roles.
|
|
For example, to revoke execute on the sqlp_weekly procedure from spuser:
|
|
REVOKE SQL-GPT Context Permission
Permissions on SQL-GPT contexts that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke read access on the SQL-GPT context named example.atc_ctx from the ctxuser user:
|
|
REVOKE Stream Permission
Permissions on streams that have been granted directly to users or roles can be revoked.
|
|
For example, to revoke administrative access on the stream named kin_stream from the auser user:
|
|
SHOW SECURITY
For any one or more (or all) users and roles in the system, the following can be listed:
- permissions
- roles
- resource groups
- default schema (users only)
In addition, permissions, roles, & resource groups will be listed recursively for the roles the specified users/roles have and the roles those roles have, etc. This allows the full set of permissions for a given user or role, both direct & inherited, to be viewed with one command.
|
|
For example, to show the permissions, roles, resource groups, and default schema for user jsmith:
|
|
To show the permissions, roles, and resource groups for the analyst role:
|
|
To show the permissions, roles, resource groups, and default schema for the anonymous user and the public role:
|
|
To show all users & roles:
|
|
CHECK
Users (or the current user) can have their effective permissions checked, including:
- Role assignments
- Administrative permissions
- Object-level access
A result of YES or NO will be returned, based on whether the given user has the specified permissions or not, either directly or through a role or administrative access. Row/Column-level permission information will be returned after the YES, if applicable.
|
|
|
|
Parameters | Description | ||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
<permission> | Permission to verify for the given user Supported permissions include:
| ||||||||||||||||||||||||||
PERMISSION | Optional keyword for clarity | ||||||||||||||||||||||||||
ON | Keyword for specifying the optional ON clause, which checks for the specified permission on the following target (and optional target type) given in this clause | ||||||||||||||||||||||||||
<target type> | Optional keyword for specifying the object type of the target; may be necessary to disambiguate same-named objects of differing types Supported target types include:
| ||||||||||||||||||||||||||
<target> | Name of the object to which the given user's specified permission will be checked | ||||||||||||||||||||||||||
<role> | Name of the role of which the given user's membership will be checked | ||||||||||||||||||||||||||
FOR <user> | Optional FOR clause, which checks whether the specified permission/role exists for the user given in this clause; if omitted, the current user will be checked | ||||||||||||||||||||||||||
IF EXISTS | Optional error suppression clause, which causes the check to return No if any of the entities specified do not exist; without this clause, non-existent entities will return an error |
Impersonation (Execute As...)
When logged into the database as one user, SQL commands can be run as a second user (that user can be impersonated). To do this, first log in to the database as an administrator, then switch to the second user, and finally, run the command. Afterwards, the original user can be reverted back to in order to execute commands as that administrator again; alternatively, an option can be specified to prevent switching back to the original user.
The ability to impersonate other users is available through SQL, using the following commands:
Important
Only a user with administrator privilege can impersonate another user, and only an administrator with a Kinetica database account. Any users who are mapped to Kinetica as administrators via external authentication will need to ensure that a corresponding Kinetica administrator account has been created for impersonation to succeed.
Additionally, impersonation is only supported via ODBC/JDBC.
EXECUTE AS
During a SQL session, a user can execute subsequent commands as another user.
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
|
|
The WITH NO REVERT option prevents the impersonated user from switching back to the original user. This is useful in several cases, including:
- An administrator needs to run a script as a user with specific permissions, but doesn't want the script to be able to revert back to administrator privileges during its execution.
- An application server connects to the database with its own credentials, but issues commands to the database on behalf of an application user. Again, there is a need to prevent the application user from reverting back to the application server's database account and using those privileges to execute commands.
Example
To demonstrate the uses of EXECUTE AS USER, the following commands can be issued upon logging into the database as an administrator.
First, verify the current user is admin:
|
|
|
|
Then, switch to a user auser and verify the session is now executing commands as that user:
|
|
|
|
Accessing a database object that auser has permission for results in a successful outcome:
|
|
|
|
Accessing an object that auser doesn't have permission for results in an error:
|
|
|
|
To switch back to the original user and verify the current identity, use the REVERT command:
|
|
|
|
Now, switch to auser using the WITH NO REVERT option:
|
|
|
|
Attempts to switch back to the administrator user will fail:
|
|
|
|
Verify the session is still executing commands as the auser user:
|
|
|
|
REVERT
After using EXECUTE AS or SET USER to switch to another user, the original user can be switched back to using the following command:
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
|
|
See the EXECUTE AS example for an example usage of REVERT.
SET USER
The SET USER (or SETUSER) command is simply an alias for the EXECUTE AS and REVERT commands.
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
The following commands are equivalent for switching to another user:
|
|
Important
There is no ability to prevent reversion to the original user when using the SET USER command. To prevent reversion, see EXECUTE AS.
The following commands are equivalent for switching back to the original user:
|
|