Overview
Kinetica provides secured access to data and data services by means of role-based access control (RBAC). Permissions are assigned at the table level, schema level, or globally, and can be assigned either directly or grouped into roles for assignment.Kinetica users, permissions, and roles can be managed through
GAdmin’s Security
interface or through one of the APIs. See
Security Usage for details.
Users
Kinetica supports authentication and authorization of both internal users, whose credentials are maintained within the database, and external users, whose credentials are maintained by another directory service (LDAP, AD, etc.). A user can be assigned any of the following: Roles are maintained within the database for both types of users, though group memberships held by external users can be mapped to roles to automatically authorize those users to the appropriate level of access. See HTTPD + External Authentication for instructions on how to configure this mapping of external groups to roles.Internal Users
Internal users have a username and password (encrypted), which are both stored within Kinetica. An internal username must meet the following criteria:- alphanumeric, including underscore; not starting with a number:
[a-z_][a-z_0-9]* - unique among internal usernames and role names
- up to 64 characters long
- up to 1024 characters long, by default; governed by the
min_password_lengthparameter configured in the gpudb.conf file
External Users
External users have a username and password or user certificate stored in an external directory service and a corresponding user name stored within Kinetica. A proxy server is used to authenticate users to the external directory service and pass the authenticated request on to the database. An external username must meet the following criteria:- identical to the external username, but with an
@prepended:@external_username - unique among external usernames
Once authenticated, user authorization does not distinguish between
internal and external users
Default Users
Kinetica comes with up to four default users:-
admin- full permissions to do anything in Kinetica
system_adminpermission by default; unable to modify- password is
adminby default but must be updated after the first login - password can be changed; change will be stored securely in Kinetica
-
anonymous- no password
- no permissions by default
-
graph- System role reserved for use by the Graphs & Solvers engine (if installed)
-
planner- System role reserved for use by the SQL query planner engine
User Endpoints
Calling user endpoints generally requiressystem_admin or
system_user_admin permission.
- /create/user/internal
- /create/user/external
- /alter/user (can be called by users without admin-level permission to change their own passwords)
- /delete/user
- /show/security (can be called by users without admin-level permission to view their type, roles & permissions granted, and resource group assigned)
Roles
Roles are configurable sets of permissions, which enable easier maintenance of user authorizations within the database. A role can have any number of permissions assigned to it, and the role can be assigned to any number of users, giving those users all of the permissions associated with the role. A role can also be assigned to another role, creating a hierarchy of permissions. In this way, roles eliminate the need to manage each user’s permissions individually. An individual user’s permissions are the set of all directly-granted permissions and permissions granted via roles. One or more roles can automatically be granted to any external user, based on that user’s group memberships within the external directory service used. See HTTPD + External Authentication for instructions on how to map external group memberships to roles. A role can be assigned any of the following:- permissions
- roles
- resource group
- alphanumeric, including underscore; not starting with a number:
[a-z_][a-z_0-9]* - unique among internal usernames and other role names
- up to 64 characters long
A role cannot be assigned, as a member, to any role that is
one of its member roles, whether that member role is assigned directly to it
or via another role; e.g., if role A has role B as a member, role B
cannot be assigned role A as a member directly, nor can role B be
assigned role C, if role C has role A as a member.
Default Roles
There are two default roles within Kinetica:-
authenticated- All users except
anonymousare members ofauthenticatedby default.
- All users except
-
public- All users are members of
publicby default. - The
publicrole will grant permissions to users who have not authenticated.
- All users are members of
Role Endpoints
Calling role endpoints generally requiressystem_admin or
system_user_admin permission.
- /create/role
- /alter/role
- /delete/role
- /grant/role
- /has/role
- /revoke/role
- /show/security (can be called by users without admin-level permission to view the roles granted to them)
Permissions
Permissions allow users various levels of access to the database’s data and management services. Permissions can be granted directly to users and also grouped within roles. There are several categories of permissions within Kinetica:- System
- Schema
- Table
- Credential
- Data Sink
- Data Source
- Function
- Graph
- KiFS
- Procedure
- SQL-GPT Context
- Table Monitor (SQL Stream)
Grant Option
All permissions (except system_admin & system_user_admin) may be granted with the option for the grantee to grant that permission to others—that is, with a grant option. The grant option allows a user to both grant and revoke the permission it applies to. The grantee with the grant option may also grant a subset of that permission to others. Both system_admin & system_user_admin permissions have the ability to grant permissions implicitly, making the grant option redundant for these two in particular. When users create objects, they will automatically be granted administrative permission on them with this grant option. This will not be done explicitly if the user already has a higher level permission that gives them administrative permission with the grant option on this object. For example, when a user creates a table and is granted administrative permission with the grant option on it, they can then grant read access on that table’s data to other users.System Permissions
System permissions govern access to both database objects and management services. The available permissions are:- system_admin
- system_user_admin
- system_create
- system_write
- system_read
- system_monitor
- directory_create
- proc_create
system_admin
A user withsystem_admin permission:
- has system_write
- has system_user_admin
- can manage all object-types in any schema
- can grant/revoke all permissions & roles
- can manage UDFs
system_user_admin
A user withsystem_user_admin permission can:
- manage users & roles
- grant/revoke permissions & roles (except the system_admin permission or a role containing it)
system_create
A user withsystem_create permission:
- has directory_create
- has proc_create
- can create all object-types in any schema visible to the user
system_write
A user withsystem_write permission:
- has system_create
- has system_read
- has
table_adminpermission on all tables, views, and schemas - has
graph_adminpermission on all schemas - has
monitor_adminpermission on all schemas - has
directory_writepermission on all directories in KIFS - can manage schemas
- can upload symbols via /insert/symbol
system_read
A user withsystem_read permission has:
table_readpermission on all tables & views in all schemascontext_readpermission on all SQL-GPT context objectscredential_readpermission on all credential objectsdirectory_readpermission on all directories in KIFSgraph_readpermission on all graph objects
system_monitor
A user withsystem_monitor permission can see a read-only view of logs and system metrics.
directory_create
A user withdirectory_create permission can:
- create new directories in KIFS
proc_create
A user withproc_create permission can:
- create new UDFs and UDTFs
Schema Permissions
Schema permissions govern access to schemas and the database objects within them. Access granted on a schema directly gives permissions to all present and future tables & views within that schema. Schema permissions granted are cumulative with other permissions. If a user is granted read permissions on a schema and update permission on a table contained within that schema, the effective permissions on that table for that user will be both read and update. Permissions granted on schemas are maintained separately from permissions granted on tables & views. If a user is granted admin access on a schema and read access on a table within that schema, revoking the user’s schema admin access will not affect the user’s table read access on the contained table. In general, there are no negative permissions. For instance, if read access on a schema is granted, read access on a table within that schema cannot be revoked. Instead, the schema read permission would have to be revoked and then the access to the appropriate tables within the schema granted. The two sets of permissions available at the schema level are:Table Management Permissions
Table management permissions at the schema level control access to tables, views, and their contained data. The available permissions are:-
table_admin- has all schema-level table management permissions listed below
- can create, alter, or drop any table, view, or other object-type under that schema
-
table_insert- can insert records into tables within the specified schema(s)
(upserting, via /insert/records
using the
update_on_existing_pkparameter, requires thetable_updatepermission, as well)
- can insert records into tables within the specified schema(s)
(upserting, via /insert/records
using the
-
table_update- can update records in tables within the specified schema(s)
(upserting, via /insert/records
using the
update_on_existing_pkparameter, requires thetable_insertpermission, as well)
- can update records in tables within the specified schema(s)
(upserting, via /insert/records
using the
-
table_delete- can delete records from tables within the specified schema(s)
-
table_read- can read (select) records from tables & views within the specified schema(s)
Object Creation Permissions
Object creation permissions at the schema level control the ability to create objects of a given type within a given schema. The available permissions are:-
context_create- can create new SQL-GPT context objects within the specified schema(s)
-
credential_create- can create new credential objects within the specified schema(s)
-
datasink_create- can create new data sink objects within the specified schema(s)
-
datasource_create- can create new data source objects within the specified schema(s)
-
graph_create- can create new graph objects within the specified schema(s)
-
monitor_create- can create new table monitor objects within the specified schema(s)
-
sql_proc_create- can create new SQL Procedures within the specified schema(s)
-
table_create- can create new tables & views within the specified schema(s)
Table Permissions
Table permissions govern access to database objects and the data contained within them. These apply to tables and both native & SQL views. Table permissions granted are cumulative. If a user is granted read permission on a table through one role and update permission on that same table through another role, the effective permissions on the table for that user will be both read and update. In general, there are no negative permissions. For instance, if read access on a table is granted, read access on a subset of rows or columns within that table cannot be revoked. Instead, the table read permission would have to be revoked and then the access to the appropriate rows or columns within the table granted. Both row-level security and column-level security are available to be applied to a table, either separately or together.For granting the ability to create tables, see
Table Management Permissions.
-
table_admin- has all four table permissions below
- can alter & drop the granted table
-
table_insert- can insert records (upserting, via /insert/records
using the
update_on_existing_pkparameter, requires thetable_updatepermission, as well)
- can insert records (upserting, via /insert/records
using the
-
table_update- can update records (upserting, via /insert/records
using the
update_on_existing_pkparameter, requires thetable_insertpermission, as well)
- can update records (upserting, via /insert/records
using the
-
table_delete- can delete records
-
table_read- can read (select) records (both row-level security & column-level security can apply to this access type)
The creator of a
materialized view will
automatically be given
table_admin with
grant option
permission on it, allowing the user to grant other users access to it.Row-Level Security
Read access can be granted for a subset of the rows in a given table by employing row-level security. An expression is used to filter the records that should be accessible.Row-level access must be revoked by revoking access to all rows for
that table (or column). To effectively revoke a partial subset, revoke
access to the column and then regrant the appropriate access.
Column-Level Security
Read access can be granted for a subset of the columns in a given table by employing column-level security. Column-level security functions can be applied to those columns to either obfuscate or mask the values the user sees.Column-level access is revoked by specifying the column name(s) to
revoke, regardless of what security functions may have been applied to the
column when granted.
Primary keys and
shard keys are only visible to (and usable by) a
user if the user has unrestricted access to all columns comprising the key.
Applying any column-level security functions to key columns will restrict
this access. Without full access to these keys, operations that require
them, such as table joins, may fail.
* (or other) characters. This can
be useful in displaying the last four digits of a user’s social security number
for verification purposes without disclosing the entire SSN.
When a user is granted multiple levels of access to a given column, the values
shown to a user will be determined based on the least restrictive access the
user has been granted. Access restrictiveness is determined in the following
order, from least restrictive to most restrictive:
- Full access
- Masked access
- Obfuscated access
- No access
Column-Level Security Functions
The following security functions can be used when employing column-level security on the following specific types with string base types:- char[N] strings
- ipv4
- decimal
- ulong
- date
- time
- datetime
HASH(column)
HASH(column)
Returns a non-negative integer representing an obfuscated version of
columnMASK(column, start, length[, char])
MASK(column, start, length[, char])
Masks
length characters of column, beginning at the position identified
by start, with * characters (or the character specified in char):| Function Call | Result |
|---|---|
MASK(‘Characters’, 5, 5) | Char*****s |
MASK(‘Characters’, 5, 2, ’#‘) | Char##ters |
OBFUSCATE(column)
OBFUSCATE(column)
Alias for
HASHCredential Permissions
Credential permissions govern access to external system credentials. Any user can create and use a credential.For granting the ability to create credentials, see
Object Creation Permissions.
-
credential_read- allows a user to see the given credential’s configuration and use it
-
credential_admin- allows a user to modify or drop the given credential, as well as use it and display its configuration.
The creator of a credential will automatically be given
credential_admin with
grant option
permission on it, allowing the user to grant other users access to it.Data Sink Permissions
Data sink permissions govern access to external data sinks.For granting the ability to create data sinks, see
Object Creation Permissions.
-
connect- allows a user to connect to an external data consumer through the given data sink, and view the configuration of the data sink
-
datasink_admin- allows a user to modify or drop the given data sink
The creator of a data sink will automatically be given
datasink_admin with
grant option
permission on it, allowing the user to grant other users access to it.Data Source Permissions
Data source permissions govern access to external data sources.For granting the ability to create data sources, see
Object Creation Permissions.
-
connect- allows a user to connect to an external data set through the given data source, and view the configuration of the data source
-
datasource_admin- allows a user to modify or drop the given data source
The creator of a data source will automatically be given
datasource_admin with
grant option
permission on it, allowing the user to grant other users access to it.Function Permissions
Function permissions govern access to User-Defined Functions (UDFs) and Python UDF function environments. Permission can be granted on:- specific UDFs
- all present and future UDFs
Revoking a user’s permission on all UDFs will not revoke any
specific UDF permission that user has been granted. To revoke any permission
on specific UDFs that a user has, each specific UDF permission needs to be
revoked individually from the user.
For granting the ability to create UDFs, see proc_create.
-
proc_execute- allows a user to execute the given UDF; or all UDFs, if granted without a UDF specified
-
proc_admin- allows a user to manage the given UDF; or all UDFs and function environments, if granted without a UDF specified
The creator of a UDF will automatically be given
proc_admin with
grant option
permission on it, allowing the user to grant other users access to it.Graph Permissions
Graph permissions govern access to graphs.For granting the ability to create graphs, see
Object Creation Permissions.
-
graph_admin- includes
graph_writepermission - allows a user to drop the given graph
- includes
-
graph_write- includes
graph_readpermission - allows a user to modify the given graph
- includes
-
graph_read- allows a user to query, match, solve, & show the given graph
The creator of a graph will automatically be given
graph_admin with
grant option
permission on it, allowing the user to grant other users access to it.KiFS Permissions
KiFS permissions govern access to directories and the files they contain.For granting the ability to create directories, see
directory_create.
-
directory_write- allows a user to upload and delete files within the given directory
- includes
directory_readpermission
-
directory_read- allows a user to list, download, and use files within the given directory, in Kinetica features that make use of KiFS
Unlike most objects, the creator of a directory will not be given an
administrative permission on it, allowing the user to delete the directory
or grant other users access to it; those permissions are reserved for users
with the system_admin permission.
Procedure Permissions
Procedure permissions govern access to SQL Procedures. For managing permission on SQL Procedures, see the SQL Procedure Security section.For granting the ability to create SQL Procedures, see
Object Creation Permissions.
-
sql_proc_execute- allows a user to execute the given SQL Procedure; managed via SQL
SQL-GPT Context Permissions
SQL-GPT context permissions govern access to SQL-GPT contexts.For granting the ability to create SQL-GPT contexts, see
Object Creation Permissions.
-
context_admin- includes
context_readpermission - allows a user to modify or drop the given SQL-GPT context
- includes
-
context_read- allows a user to use the given SQL-GPT context to generate SQL using a SQL-GPT query
The creator of a context will automatically be given
context_admin with
grant option
permission on it, allowing the user to grant other users access to it.Table Monitor (SQL Stream) Permissions
Table monitor permissions govern access to table monitors (SQL Streams).For granting the ability to create table monitors, see
Object Creation Permissions.
-
monitor_admin- allows a user to drop the given table monitor
The creator of a table monitor will automatically be given
monitor_admin with
grant option
permission on it, allowing the user to grant other users access to it.Permission Endpoints
Calling permission endpoints generally requires system_admin or system_user_admin permission.- /grant/permission
- /grant/permission/credential
- /grant/permission/datasource
- /grant/permission/directory
- /grant/permission/proc
- /grant/permission/system
- /grant/permission/table
- /has/permission
- /revoke/permission
- /revoke/permission/credential
- /revoke/permission/datasource
- /revoke/permission/directory
- /revoke/permission/proc
- /revoke/permission/system
- /revoke/permission/table
- /show/security (can be called by users without system_admin or system_user_admin permission to view the permissions granted to them)