Security Concepts

Overview

Kinetica provides secured access to data and data services by means of role-based access control (RBAC). Permissions are assigned at the table level, schema level, or globally, and can be assigned either directly or grouped into roles for assignment.

Note

Kinetica users, permissions, and roles can be managed through GAdmin's Security interface or through one of the APIs. See Security Usage for details.

Users

Kinetica supports authentication and authorization of both internal users, whose credentials are maintained within the database, and external users, whose credentials are maintained by another directory service (LDAP, AD, etc.).

A user can be assigned any of the following:

Roles are maintained within the database for both types of users, though group memberships held by external users can be mapped to roles to automatically authorize those users to the appropriate level of access. See HTTPD + External Authentication for instructions on how to configure this mapping of external groups to roles.

Internal Users

Internal users have a username and password (encrypted), which are both stored within Kinetica.

An internal username must meet the following criteria:

  • alphanumeric, including underscore; not starting with a number: [a-z_][a-z_0-9]*
  • unique among internal usernames and role names
  • up to 64 characters long

Password must meet the following criteria:

  • up to 1024 characters long, by default; governed by the min_password_length parameter configured in the gpudb.conf file

External Users

External users have a username and password or user certificate stored in an external directory service and a corresponding user name stored within Kinetica. A proxy server is used to authenticate users to the external directory service and pass the authenticated request on to the database.

An external username must meet the following criteria:

  • identical to the external username, but with an @ prepended: @external_username
  • unique among external usernames

Note

Once authenticated, user authorization does not distinguish between internal and external users

Default Users

Kinetica comes with up to four default users:

  • admin
    • full permissions to do anything in Kinetica
    • system_admin permission by default; unable to modify
    • password is admin by default but must be updated after the first login
    • password can be changed; change will be stored securely in Kinetica
  • anonymous
    • no password
    • no permissions by default
  • graph
  • planner
    • System role reserved for use by the SQL query planner engine

User Endpoints

Calling user endpoints generally requires system_admin or system_user_admin permission.

Roles

Roles are configurable sets of permissions, which enable easier maintenance of user authorizations within the database. A role can have any number of permissions assigned to it, and the role can be assigned to any number of users, giving those users all of the permissions associated with the role. A role can also be assigned to another role, creating a hierarchy of permissions. In this way, roles eliminate the need to manage each user's permissions individually.

An individual user's permissions are the set of all directly-granted permissions and permissions granted via roles.

One or more roles can automatically be granted to any external user, based on that user's group memberships within the external directory service used. See HTTPD + External Authentication for instructions on how to map external group memberships to roles.

A role can be assigned any of the following:

A role name must meet the following criteria:

  • alphanumeric, including underscore; not starting with a number: [a-z_][a-z_0-9]*
  • unique among internal usernames and other role names
  • up to 64 characters long

A role may optionally be assigned a resource group, which will be imparted to any user assigned the role.

Important

A role cannot be assigned, as a member, to any role that is one of its member roles, whether that member role is assigned directly to it or via another role; e.g., if role A has role B as a member, role B cannot be assigned role A as a member directly, nor can role B be assigned role C, if role C has role A as a member.

Default Roles

There are two default roles within Kinetica:

  • authenticated
    • All users except anonymous are members of authenticated by default.
  • public
    • All users are members of public by default.
    • The public role will grant permissions to users who have not authenticated.

Role Endpoints

Calling role endpoints generally requires system_admin or system_user_admin permission.

Permissions

Permissions allow users various levels of access to the database's data and management services. Permissions can be granted directly to users and also grouped within roles.

There are several categories of permissions within Kinetica:

Grant Option

All permissions (except system_admin & system_user_admin) may be granted with the option for the grantee to grant that permission to others--that is, with a grant option. The grant option allows a user to both grant and revoke the permission it applies to. The grantee with the grant option may also grant a subset of that permission to others. Both system_admin & system_user_admin permissions have the ability to grant permissions implicitly, making the grant option redundant for these two in particular.

When users create objects, they will automatically be granted administrative permission on them with this grant option. This will not be done explicitly if the user already has a higher level permission that gives them administrative permission with the grant option on this object.

For example, when a user creates a table and is granted administrative permission with the grant option on it, they can then grant read access on that table's data to other users.

System Permissions

System permissions govern access to both database objects and management services.

The available permissions are:

system_admin

A user with system_admin permission:

system_user_admin

A user with system_user_admin permission can:

  • manage users & roles
  • grant/revoke permissions & roles (except the system_admin permission or a role containing it)

system_create

A user with system_create permission:

system_write

A user with system_write permission:

  • has system_create
  • has system_read
  • has table_admin permission on all tables, views, and schemas
  • has graph_admin permission on all schemas
  • has monitor_admin permission on all schemas
  • has directory_write permission on all directories in KIFS
  • can manage schemas
  • can upload symbols via /insert/symbol

system_read

A user with system_read permission has:

  • table_read permission on all tables & views in all schemas
  • context_read permission on all SQL-GPT context objects
  • credential_read permission on all credential objects
  • directory_read permission on all directories in KIFS
  • graph_read permission on all graph objects

directory_create

A user with directory_create permission can:

  • create new directories in KIFS

proc_create

A user with proc_create permission can:

  • create new UDFs and UDTFs

Schema Permissions

Schema permissions govern access to schemas and the database objects within them. Access granted on a schema directly gives permissions to all present and future tables & views within that schema.

Schema permissions granted are cumulative with other permissions. If a user is granted read permissions on a schema and update permission on a table contained within that schema, the effective permissions on that table for that user will be both read and update.

Permissions granted on schemas are maintained separately from permissions granted on tables & views. If a user is granted admin access on a schema and read access on a table within that schema, revoking the user's schema admin access will not affect the user's table read access on the contained table.

In general, there are no negative permissions. For instance, if read access on a schema is granted, read access on a table within that schema cannot be revoked. Instead, the schema read permission would have to be revoked and then the access to the appropriate tables within the schema granted.

The two sets of permissions available at the schema level are:

Table Management Permissions

Table management permissions at the schema level control access to tables, views, and their contained data.

The available permissions are:

  • table_admin
    • has all schema-level table management permissions listed below
    • can create, alter, or drop any table, view, or other object-type under that schema
  • table_insert
    • can insert records into tables within the specified schema(s) (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_update permission, as well)
  • table_update
    • can update records in tables within the specified schema(s) (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_insert permission, as well)
  • table_delete
    • can delete records from tables within the specified schema(s)
  • table_read
    • can read (select) records from tables & views within the specified schema(s)

Object Creation Permissions

Object creation permissions at the schema level control the ability to create objects of a given type within a given schema.

The available permissions are:

  • context_create
    • can create new SQL-GPT context objects within the specified schema(s)
  • credential_create
    • can create new credential objects within the specified schema(s)
  • datasink_create
    • can create new data sink objects within the specified schema(s)
  • datasource_create
    • can create new data source objects within the specified schema(s)
  • graph_create
    • can create new graph objects within the specified schema(s)
  • monitor_create
    • can create new table monitor objects within the specified schema(s)
  • sql_proc_create
    • can create new SQL Procedures within the specified schema(s)
  • table_create
    • can create new tables & views within the specified schema(s)

Table Permissions

Table permissions govern access to database objects and the data contained within them. These apply to tables and both native & SQL views.

Table permissions granted are cumulative. If a user is granted read permission on a table through one role and update permission on that same table through another role, the effective permissions on the table for that user will be both read and update.

In general, there are no negative permissions. For instance, if read access on a table is granted, read access on a subset of rows or columns within that table cannot be revoked. Instead, the table read permission would have to be revoked and then the access to the appropriate rows or columns within the table granted.

Both row-level security and column-level security are available to be applied to a table, either separately or together.

Important

For granting the ability to create tables, see Table Management Permissions.

The available permissions are:

  • table_admin
    • has all four table permissions below
    • can alter & drop the granted table
  • table_insert
    • can insert records (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_update permission, as well)
  • table_update
    • can update records (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_insert permission, as well)
  • table_delete
    • can delete records
  • table_read

Note

The creator of a materialized view will automatically be given table_admin with grant option permission on it, allowing the user to grant other users access to it.

Row-Level Security

Read access can be granted for a subset of the rows in a given table by employing row-level security. An expression is used to filter the records that should be accessible.

Note

Row-level access must be revoked by revoking access to all rows for that table (or column). To effectively revoke a partial subset, revoke access to the column and then regrant the appropriate access.

Row-level security could be useful in restricting users' access to their own employee records, department managers' access to the data relevant to their departments, or analysts' access to the cases assigned to them.

Row-level permissions may be assigned on a table via GAdmin.

See GRANT Row-Level Security Examples & REVOKE Row-Level Security Examples for examples and granting & revoking row-level read access in SQL, respectively.

Column-Level Security

Read access can be granted for a subset of the columns in a given table by employing column-level security. Column-level security functions can be applied to those columns to either obfuscate or mask the values the user sees.

Note

Column-level access is revoked by specifying the column name(s) to revoke, regardless of what security functions may have been applied to the column when granted.

Column-level security, in general, is useful for preventing users from accessing restricted columns within a table that they can access, or for preventing users from accessing restricted characters within a string column they can otherwise access.

Important

Primary keys and shard keys are only visible to (and usable by) a user if the user has unrestricted access to all columns comprising the key. Applying any column-level security functions to key columns will restrict this access. Without full access to these keys, operations that require them, such as table joins, may fail.

Obfuscating a column's values will result in a unique non-negative number being returned for each unique original column value; rows with the same column value will return the same obfuscated number for that value. This can be useful in performing analysis on patient data, where records need to be attributable to unique individuals, but the identities of those individuals need to be kept private.

Masking a column's values allows certain characters of a string to not be displayed--instead, replacing them with * (or other) characters. This can be useful in displaying the last four digits of a user's social security number for verification purposes without disclosing the entire SSN.

When a user is granted multiple levels of access to a given column, the values shown to a user will be determined based on the least restrictive access the user has been granted. Access restrictiveness is determined in the following order, from least restrictive to most restrictive:

  • Full access
  • Masked access
  • Obfuscated access
  • No access

Column-level permissions may be assigned on a table via Workbench.

See GRANT Column-Level Security Examples & REVOKE Column-Level Security Examples for examples and granting & revoking column-level read access in SQL, respectively.

Column-Level Security Functions

The following security functions can be used when employing column-level security on the following effective types with string base types:

  • char[N] strings
  • ipv4
  • decimal
  • ulong
  • date
  • time
  • datetime
FunctionDescription
HASH(column)Returns a non-negative integer representing an obfuscated version of column
MASK(column, start, length[, char])

Masks length characters of column, beginning at the position identified by start, with * characters (or the character specified in char):

Function CallResult
MASK('Characters', 5, 5)Char*****s
MASK('Characters', 5, 2, '#')Char##ters
OBFUSCATE(column)Alias for HASH

Credential Permissions

Credential permissions govern access to external system credentials. Any user can create and use a credential.

Important

For granting the ability to create credentials, see Object Creation Permissions.

The available permissions are:

  • credential_read
    • allows a user to see the given credential's configuration and use it
  • credential_admin
    • allows a user to modify or drop the given credential, as well as use it and display its configuration.

Note

The creator of a credential will automatically be given credential_admin with grant option permission on it, allowing the user to grant other users access to it.


Data Sink Permissions

Data sink permissions govern access to external data sinks.

Important

For granting the ability to create data sinks, see Object Creation Permissions.

The available permissions are:

  • connect
    • allows a user to connect to an external data consumer through the given data sink, and view the configuration of the data sink
  • datasink_admin
    • allows a user to modify or drop the given data sink

Note

The creator of a data sink will automatically be given datasink_admin with grant option permission on it, allowing the user to grant other users access to it.


Data Source Permissions

Data source permissions govern access to external data sources.

Important

For granting the ability to create data sources, see Object Creation Permissions.

The available permissions are:

  • connect
    • allows a user to connect to an external data set through the given data source, and view the configuration of the data source
  • datasource_admin
    • allows a user to modify or drop the given data source

Note

The creator of a data source will automatically be given datasource_admin with grant option permission on it, allowing the user to grant other users access to it.


Function Permissions

Function permissions govern access to User-Defined Functions (UDFs) and Python UDF function environments.

Permission can be granted on:

  • specific UDFs
  • all present and future UDFs

These two scopes of grants exist independently of each other and are managed separately, as well.

Important

Revoking a user's permission on all UDFs will not revoke any specific UDF permission that user has been granted. To revoke any permission on specific UDFs that a user has, each specific UDF permission needs to be revoked individually from the user.

Administrative access to all present and future UDFs also allows management access to function environments.

Permissions on UDFs & function environments can also be managed via SQL.

Important

For granting the ability to create UDFs, see proc_create.

The available permissions are:

  • proc_execute
    • allows a user to execute the given UDF; or all UDFs, if granted without a UDF specified
  • proc_admin
    • allows a user to manage the given UDF; or all UDFs and function environments, if granted without a UDF specified

Note

The creator of a UDF will automatically be given proc_admin with grant option permission on it, allowing the user to grant other users access to it.


Graph Permissions

Graph permissions govern access to graphs.

Important

For granting the ability to create graphs, see Object Creation Permissions.

The available permissions are:

  • graph_admin
    • includes graph_write permission
    • allows a user to drop the given graph
  • graph_write
    • includes graph_read permission
    • allows a user to modify the given graph
  • graph_read
    • allows a user to query, match, solve, & show the given graph

Note

The creator of a graph will automatically be given graph_admin with grant option permission on it, allowing the user to grant other users access to it.


KiFS Permissions

KiFS permissions govern access to directories and the files they contain.

Important

For granting the ability to create directories, see directory_create.

The available permissions are:

  • directory_write
    • allows a user to upload and delete files within the given directory
    • includes directory_read permission
  • directory_read
    • allows a user to list, download, and use files within the given directory, in Kinetica features that make use of KiFS

Note

Unlike most objects, the creator of a directory will not be given an administrative permission on it, allowing the user to delete the directory or grant other users access to it; those permissions are reserved for users. with the system_admin permission.


Procedure Permissions

Procedure permissions govern access to SQL Procedures.

For managing permission on SQL Procedures, see the SQL Procedure Security section.

Important

For granting the ability to create SQL Procedures, see Object Creation Permissions.

The available permission is:

  • sql_proc_execute

SQL-GPT Context Permissions

SQL-GPT context permissions govern access to SQL-GPT contexts.

Important

For granting the ability to create SQL-GPT contexts, see Object Creation Permissions.

The available permissions are:

  • context_admin
    • includes context_read permission
    • allows a user to modify or drop the given SQL-GPT context
  • context_read
    • allows a user to use the given SQL-GPT context to generate SQL using a SQL-GPT query

Note

The creator of a context will automatically be given context_admin with grant option permission on it, allowing the user to grant other users access to it.


Table Monitor (SQL Stream) Permissions

Table monitor permissions govern access to table monitors (SQL Streams).

Important

For granting the ability to create table monitors, see Object Creation Permissions.

The available permission is:

  • monitor_admin
    • allows a user to drop the given table monitor

Note

The creator of a table monitor will automatically be given monitor_admin with grant option permission on it, allowing the user to grant other users access to it.