The examples below use the native API to manage users, roles, and permissions. Generally, the API is symmetric across the endpoint calls, so similarly named calls between API languages should have the same function.
Authentication
Connecting & authenticating to a Kinetica instance generally requires four parameters:
- Kinetica host
- Kinetica port
- User name
- Password
Once an API connection has been established, those parameters will be reused in each subsequent call to the database.
Note
API authentication is only required if you've setup HTTPD for Kinetica.
To connect to a Kinetica instance in Python:
|
|
To connect in Java:
|
|
User Management
User accounts can be added & removed via API call. In Python, internal & external (LDAP, AD, etc.) users are created with the create_user_internal & create_user_external functions, respectively.
Creating Users
To create an internal user, auser, in Python:
|
|
To create an external user, ruser, in Python:
|
|
Deleting Users
To delete the internal user, auser, in Python:
|
|
To delete the external user, ruser, in Python:
|
|
Role Management
Roles can be created in and removed from the system, and can be assigned to and unassigned from both users & roles, all via API call.
Creating Roles
To create a role, rx_user, in Python:
|
|
Assigning Roles
To assign the role, rx_user, to the auser user, in Python:
|
|
To assign a role, rx_user_table_read_access, to the rx_user role, in Python:
|
|
Unassigning Roles
To unassign a role, rx_user, from the auser user, in Python:
|
|
To unassign a role, rx_user_table_read_access, from the rx_user role, in Python:
|
|
Deleting Roles
To delete a role, rx_user, in Python:
|
|
Permission Management
Permissions on database objects can be assigned to and unassigned from both users & roles, all via API call, in each of the following categories:
- System Permissions
- Schema Permissions
- Table Permissions
- Credential Permissions
- Data Source Permissions
- Data Sink Permissions
- Directory Permissions
- Graph Permissions
- Procedure Permissions
- Table Monitor Permissions
Managing System Permissions
System permissions can be granted to and revoked from a user or role using the API.
Granting System Permissions
To grant the system permission, system_admin, to the auser user, in Python:
|
|
To grant the user administration permission, system_user_admin, to the auser user, in Python:
|
|
To grant the system permission, system_read, to the rx_auditor role, in Python:
|
|
Revoking System Permissions
To revoke the system permission, system_admin, from the auser user, in Python:
|
|
To revoke the user administration permission, system_user_admin, from the auser user, in Python:
|
|
To revoke the system permission, system_read, from the rx_auditor role, in Python:
|
|
Managing Schema Permissions
Schema permissions can be granted to and revoked from a user or role using the API.
Granting Schema Permissions
To grant the create data sink permission in the cschema schema to the cuser user, in Python:
|
|
To grant the create data source permission in the cschema schema to the crole role, in Python:
|
|
Revoking Schema Permissions
To revoke the create data sink permission in the cschema schema from the cuser user, in Python:
|
|
To revoke the create data source permission in the cschema schema from the crole role, in Python:
|
|
Managing Table Permissions
Table permissions can be granted to and revoked from a user or role using the API.
Granting Table Permissions
To grant the table read permission, table_read, on the rx_order table in the example schema, to the zanalyst user, in Python:
|
|
To grant the table administration permission, table_admin, on the rx_order table in the example schema, to the rx_user role, in Python:
|
|
Note
Specifying only a schema name grants the specified access on all present & future tables in that schema to the specified user; this grant is maintained separately from any grants to individual tables within the schema.
Revoking Table Permissions
To revoke the table read permission, table_read, on the rx_order table in the example schema, from the zanalyst user, in Python:
|
|
To revoke the table administration permission, table_admin, on the rx_order table in the example schema, from the rx_user role, in Python:
|
|
Note
Specifying only a schema name revokes the specified access previously granted on that schema from the specified user; this revocation will not effect any grants the user has to individual tables within the schema.
Managing Table Permissions at the Row Level
Row-level table permissions can be granted to and revoked from a user or role using the API.
Granting Row-Level Table Permissions
To grant row-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for records with order timestamps on or after 2002-01-01
- to user zanalyst
|
|
To grant row-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for records associated with the querying user, matched by username
- to role rx_user
|
|
Revoking Row-Level Table Permissions
To revoke row-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for any/all granted rows (row-level access to a table must be revoked by revoking access to the full table)
- from user zanalyst
|
|
To revoke row-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for any/all granted rows (row-level access to a table must be revoked by revoking access to the full column)
- from role rx_user
|
|
Managing Table Permissions at the Column Level
Column-level table permissions can be granted to and revoked from a user or role using the API.
Granting Column-Level Table Permissions
To grant column-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for columns rx_name, order_ts, and an obfuscated version of ssn
- to user zanalyst
|
|
To grant column-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for columns name, rx_name, order_ts, as well as a masked version of the ssn, only showing the last 4 digits
- to role rx_user
|
|
Revoking Column-Level Table Permissions
To revoke column-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for obfuscated column ssn (other granted columns will remain visible)
- from user zanalyst
|
|
To revoke column-level table permissions, in Python, with the following criteria:
- table read permission (table_read)
- on the rx_order table in the example schema
- for column rx_name and masked column ssn (other granted columns will remain visible)
- from role rx_user
|
|
Managing Credential Permissions
Credential permissions can be granted to and revoked from a user or role using the API.
Granting Credential Permissions
To grant the credential permission, credential_read, on a credential, to the auser user, in Python:
|
|
Revoking Credential Permissions
To revoke the credential permission, credential_read, on a credential, from the auser user, in Python:
|
|
Managing Data Source Permissions
Data source permissions can be granted to and revoked from a user or role using the API.
Granting Data Source Permissions
To grant the data source permission, connect, on the kin_ds data source, to the auser user, in Python:
|
|
Revoking Data Source Permissions
To revoke the data source permission, connect, on the kin_ds data source, from the auser user, in Python:
|
|
Managing Data Sink Permissions
Data sink permissions can be granted to and revoked from a user or role using the API.
Granting Data Sink Permissions
To grant the data sink permission, connect, on the kin_dsink data sink, to the auser user, in Python:
|
|
Revoking Data Sink Permissions
To revoke the data sink permission, connect, on the kin_dsink data sink, from the auser user, in Python:
|
|
Managing Graph Permissions
Graph permissions can be granted to and revoked from a user or role using the API.
Granting Graph Permissions
To grant the graph permission, graph_read, on a graph, to the auser user, in Python:
|
|
Revoking Graph Permissions
To revoke the graph permission, graph_read, on a graph, from the auser user, in Python:
|
|
Managing Directory Permissions
KiFS permissions can be granted to and revoked from a user or role using the API.
Granting Directory Permissions
To grant the directory permission, read, on the kdata directory, to the kuser user, in Python:
|
|
To grant the create directory permission to the crole role, in Python:
|
|
Revoking Directory Permissions
To revoke the directory permission, write, on the kdata directory, from the kuser user, in Python:
|
|
To revoke the create directory permission from the crole role, in Python:
|
|
Managing Procedure Permissions
Procedure permissions can be granted to and revoked from a user or role using the API.
While permissions for user-defined functions are able to be managed via the native API, permissions for SQL procedures are managed via SQL.
Granting UDF Permissions
To grant the execute permission, proc_execute, on a specific UDF to the auser user, in Python:
|
|
To grant execute permission on all present & future UDFs to the auser user, in Python:
|
|
To grant the create UDF permission to the crole role, in Python:
|
|
Revoking UDF Permissions
To revoke the execute permission, proc_execute, on a specific UDF from the auser user, in Python:
|
|
To revoke the ability for the auser user, to execute all present & future UDFs, in Python:
|
|
To revoke the create UDF permission from the crole role, in Python:
|
|
Important
This revocation of execute on present & future UDFs is only a revocation of the corresponding grant of the same. This will not revoke execute permission to specific UDFs that a user has been granted; each of those must be revoked separately.
Managing SQL-GPT Context Permissions
SQL-GPT context permissions can be granted to and revoked from a user or role using the API.
Granting SQL-GPT Context Permissions
To grant the SQL-GPT context permission, context_admin, on a SQL-GPT context, to the auser user, in Python:
|
|
Revoking SQL-GPT Context Permissions
To revoke the SQL-GPT context permission, context_admin, on a SQL-GPT context, from the auser user, in Python:
|
|
Managing Table Monitor Permissions
Table monitor permissions can be granted to and revoked from a user or role using the API.
Granting Table Monitor Permissions
To grant the table monitor permission, monitor_admin, on a table monitor, to the auser user, in Python:
|
|
Revoking Table Monitor Permissions
To revoke the table monitor permission, monitor_admin, on a table monitor, from the auser user, in Python:
|
|
Security Information Retrieval
Complete security information for a user or role can be extracted via API calls.
Tip
A limited set of user/role information can be extracted via function calls. See User/Security Functions for details.
Basic Security Information
The permission & role grants, resource groups, and default schema can be retrieved for a given user; while the permission & role grants and resource groups can be retrieved for a given role; all via the Python API. That information can be displayed within a table produced by tabulate, as show below.
The key API usage points to note below are:
- The call to show_security with the user or role name for which security information will be retrieved
- The extraction of the key security fields from the returned structure:
- types - type of security entity (internal user, external user, or role)
- roles - roles granted to the entity
- permissions - permissions granted directly to the entity, and, for a user, the default schema assigned
- resource_groups - resource groups assigned to the entity
|
|
The output from a request for security information may look like the following:
|
|
Table-Level Security Information
Table-level permission (including row-level & column-level security) can be retrieved, via Python API, by examining the permissions component of the show_security response structure.
The key API usage points to note below are:
- The call to show_security with the user or role name for which table-level security information will be retrieved
- The extraction of the permissions security field from the returned structure, where the array of per-table security information is kept
- The extraction of the key security fields for each table:
- table_name - name of the table to which access has been granted
- permission - type of access granted for the table; in the case of row-level and column-level security, this will always be table_read
- columns - a list of the columns and optional per-column row-level filters to which column-level access has been granted
- filter_expression - the expression used to define the row-level access granted to the table as a whole
|
|
The output from a request for table-level security information may look like the following:
|
|
External (LDAP) Users
Differences between using an external user instead of an internal user:
- Rather than connect to Kinetica through its port (normally 9191), you will connect to the HTTPD proxy's port (8082 by default). When creating this connection, you will pass the LDAP user's username and password.
- For each LDAP user that needs to use Kinetica, a corresponding Kinetica user must be created either manually or automatically, via config. The username in Kinetica must be the @ symbol followed by the LDAP username.
- If an external user is granted system administration permissions, the system can be operated & managed exclusively by externally-authenticated users.
Note
Kinetica LDAP integration passes the username & password to LDAP for authentication, and can also map LDAP groups to Kinetica roles. However, the permissions those roles have must be managed within Kinetica.
Below is an example of creating and using an external system administrator account, jdoe.
|
|
Global Session Timeout Configuration
Administrators can control the global idle session timeout for several Apache Tomcat web applications included with all Kinetica installations (the applications can be found in /opt/gpudb/tomcat/webapps). To update the timeout:
Open the
/opt/gpudb/tomcat/conf/web.xml
file in a text editor.Update the following setting for desired timeout value in minutes (the default is 30):
<session-config> <session-timeout>30</session-timeout> </session-config>
Tip
Provide a value of 0 or -1 to remove session expiration.
Save the file, and restart the database.