Authentication
Connecting & authenticating to a Kinetica instance generally requires four parameters:- Kinetica host
- Kinetica port
- User name
- Password
API authentication is only required if you’ve
setup HTTPD for Kinetica.
User Management
User accounts can be added & removed via API call. In Python, internal & external (LDAP, AD, etc.) users are created with thecreate_user_internal &
create_user_external functions, respectively.
Creating Users
To create an internal user, auser, in Python:Deleting Users
To delete the internal user, auser, in Python:Role Management
Roles can be created in and removed from the system, and can be assigned to and unassigned from both users & roles, all via API call.Creating Roles
To create a role, rx_user, in Python:Assigning Roles
To assign the role, rx_user, to the auser user, in Python:Unassigning Roles
To unassign a role, rx_user, from the auser user, in Python:Deleting Roles
To delete a role, rx_user, in Python:Permission Management
Permissions on database objects can be assigned to and unassigned from both users & roles, all via API call, in each of the following categories:- System Permissions
- Schema Permissions
- Table Permissions
- Credential Permissions
- Data Source Permissions
- Data Sink Permissions
- Directory Permissions
- Graph Permissions
- Procedure Permissions
- Table Monitor Permissions
Managing System Permissions
System permissions can be granted to and revoked from a user or role using the API.Granting System Permissions
To grant the system permission,system_admin, to the auser user, in
Python:
system_user_admin, to the
auser user, in Python:
system_read, to the rx_auditor role, in
Python:
Revoking System Permissions
To revoke the system permission,system_admin, from the auser user, in
Python:
system_user_admin, from the
auser user, in Python:
system_read, from the rx_auditor role,
in Python:
Managing Schema Permissions
Schema permissions can be granted to and revoked from a user or role using the API.Granting Schema Permissions
To grant the create data sink permission in the cschema schema to the cuser user, in Python:Revoking Schema Permissions
To revoke the create data sink permission in the cschema schema from the cuser user, in Python:Managing Table Permissions
Table permissions can be granted to and revoked from a user or role using the API.Granting Table Permissions
To grant the table read permission,table_read, on the rx_order table in
the example schema, to the zanalyst user, in Python:
table_admin, on the
rx_order table in the example schema, to the rx_user role, in
Python:
Specifying only a schema name grants the specified access on all
present & future tables in that schema to the specified user; this grant is
maintained separately from any grants to individual tables within the schema.
Revoking Table Permissions
To revoke the table read permission,table_read, on the rx_order table
in the example schema, from the zanalyst user, in Python:
table_admin, on the
rx_order table in the example schema, from the rx_user role, in
Python:
Specifying only a schema name revokes the specified access previously
granted on that schema from the specified user; this revocation will not
effect any grants the user has to individual tables within the schema.
Managing Table Permissions at the Row Level
Row-level table permissions can be granted to and revoked from a user or role using the API.Granting Row-Level Table Permissions
To grant row-level table permissions, in Python, with the following criteria:- table read permission (
table_read) - on the rx_order table in the example schema
- for records with order timestamps on or after 2002-01-01
- to user zanalyst
- table read permission (
table_read) - on the rx_order table in the example schema
- for records associated with the querying user, matched by username
- to role rx_user
Revoking Row-Level Table Permissions
To revoke row-level table permissions, in Python, with the following criteria:- table read permission (
table_read) - on the rx_order table in the example schema
- for any/all granted rows (row-level access to a table must be revoked by revoking access to the full table)
- from user zanalyst
- table read permission (
table_read) - on the rx_order table in the example schema
- for any/all granted rows (row-level access to a table must be revoked by revoking access to the full column)
- from role rx_user
Managing Table Permissions at the Column Level
Column-level table permissions can be granted to and revoked from a user or role using the API.Granting Column-Level Table Permissions
To grant column-level table permissions, in Python, with the following criteria:- table read permission (
table_read) - on the rx_order table in the example schema
- for columns rx_name, order_ts, and an obfuscated version of ssn
- to user zanalyst
- table read permission (
table_read) - on the rx_order table in the example schema
- for columns name, rx_name, order_ts, as well as a masked version of the ssn, only showing the last 4 digits
- to role rx_user
Revoking Column-Level Table Permissions
To revoke column-level table permissions, in Python, with the following criteria:- table read permission (
table_read) - on the rx_order table in the example schema
- for obfuscated column ssn (other granted columns will remain visible)
- from user zanalyst
- table read permission (
table_read) - on the rx_order table in the example schema
- for column rx_name and masked column ssn (other granted columns will remain visible)
- from role rx_user
Managing Credential Permissions
Credential permissions can be granted to and revoked from a user or role using the API.Granting Credential Permissions
To grant the credential permission,credential_read, on a credential,
to the auser user, in Python:
Revoking Credential Permissions
To revoke the credential permission,credential_read, on a credential,
from the auser user, in Python:
Managing Data Source Permissions
Data source permissions can be granted to and revoked from a user or role using the API.Granting Data Source Permissions
To grant the data source permission,connect, on the kin_ds data source,
to the auser user, in Python:
Revoking Data Source Permissions
To revoke the data source permission,connect, on the kin_ds data
source, from the auser user, in Python:
Managing Data Sink Permissions
Data sink permissions can be granted to and revoked from a user or role using the API.Granting Data Sink Permissions
To grant the data sink permission,connect, on the kin_dsink data sink,
to the auser user, in Python:
Revoking Data Sink Permissions
To revoke the data sink permission,connect, on the kin_dsink data sink,
from the auser user, in Python:
Managing Graph Permissions
Graph permissions can be granted to and revoked from a user or role using the API.Granting Graph Permissions
To grant the graph permission,graph_read, on a graph,
to the auser user, in Python:
Revoking Graph Permissions
To revoke the graph permission,graph_read, on a graph,
from the auser user, in Python:
Managing Directory Permissions
KiFS permissions can be granted to and revoked from a user or role using the API.Granting Directory Permissions
To grant the directory permission,read, on the kdata directory,
to the kuser user, in Python:
Revoking Directory Permissions
To revoke the directory permission,write, on the kdata directory,
from the kuser user, in Python:
Managing Procedure Permissions
Procedure permissions can be granted to and revoked from a user or role using the API. While permissions for user-defined functions are able to be managed via the native API, permissions for SQL procedures are managed via SQL.Granting UDF Permissions
To grant the execute permission,proc_execute, on a specific UDF to the
auser user, in Python:
Revoking UDF Permissions
To revoke the execute permission,proc_execute, on a specific UDF from the
auser user, in Python:
This revocation of execute on present & future UDFs is only a
revocation of the corresponding grant of the same. This will not revoke
execute permission to specific UDFs that a user has been granted; each of
those must be revoked separately.
Managing SQL-GPT Context Permissions
SQL-GPT context permissions can be granted to and revoked from a user or role using the API.Granting SQL-GPT Context Permissions
To grant the SQL-GPT context permission,context_admin, on a SQL-GPT context,
to the auser user, in Python:
Revoking SQL-GPT Context Permissions
To revoke the SQL-GPT context permission,context_admin, on a SQL-GPT context,
from the auser user, in Python:
Managing Table Monitor Permissions
Table monitor permissions can be granted to and revoked from a user or role using the API.Granting Table Monitor Permissions
To grant the table monitor permission,monitor_admin, on a table monitor,
to the auser user, in Python:
Revoking Table Monitor Permissions
To revoke the table monitor permission,monitor_admin, on a table monitor,
from the auser user, in Python:
Security Information Retrieval
Complete security information for a user or role can be extracted via API calls.Basic Security Information
The permission & role grants, resource groups, and default schema can be retrieved for a given user; while the permission & role grants and resource groups can be retrieved for a given role; all via the Python API. That information can be displayed within a table produced by tabulate, as show below. The key API usage points to note below are:-
The call to
show_securitywith the user or role name for which security information will be retrieved -
The extraction of the key security fields from the returned structure:
types- type of security entity (internal user, external user, or role)default_schema- for users, the default schema assignedresource_groups- resource groups assigned to the entitypermissions- permissions granted directly to the entityroles- roles granted to the entity
Table-Level Security Information
Table-level permission (including row-level & column-level security) can be retrieved, via Python API, by examining thepermissions component of the
show_security response structure.
The key API usage points to note below are:
-
The call to
show_securitywith the user or role name for which table-level security information will be retrieved -
The extraction of the
permissionssecurity field from the returned structure, where the array of per-table security information is kept -
The extraction of the key security fields for each table:
object- fully-qualified name of the table to which access has been grantedpermission- type of access granted for the table; in the case of row-level and column-level security, this will always betable_readcolumns- a list of the columns and optional per-column row-level filters to which column-level access has been grantedfilter_expression- the expression used to define the row-level access granted to the table as a whole
External (LDAP) Users
Differences between using an external user instead of an internal user:- Rather than connect to Kinetica through its port (normally 9191), you will connect to the HTTPD proxy’s port (8082 by default). When creating this connection, you will pass the LDAP user’s username and password.
- For each LDAP user that needs to use Kinetica, a corresponding Kinetica
user must be created either manually or
automatically, via config. The username in Kinetica
must be the
@symbol followed by the LDAP username. - If an external user is granted system administration permissions, the system can be operated & managed exclusively by externally-authenticated users.
Kinetica LDAP integration passes the username & password to LDAP for
authentication, and can also map LDAP groups to Kinetica roles.
However, the permissions those roles have must be managed within
Kinetica.
jdoe.
Global Session Timeout Configuration
Administrators can control the global idle session timeout for several Apache Tomcat web applications included with all Kinetica installations (the applications can be found in/opt/gpudb/tomcat/webapps). To update
the timeout:
- Open the /opt/gpudb/tomcat/conf/web.xml file in a text editor.
-
Update the following setting for desired timeout value in minutes (the
default is
30): - Save the file, and restart the database.