Built-in access control privileges

The built-in access control system in Starburst Enterprise allows setting individual privileges on various entities.

Predefined privilege grants

A newly installed cluster’s built-in access control system has the EXECUTE privilege predefined for Queries granted to the public role. This allows any user to execute a query by default. The sysadmin role can remove or change this setting.

Add privileges

When logged in to the Starburst Enterprise web UI with the sysadmin role or its equivalent, the Roles and privileges panel shows a list of configured roles, with a Privileges link for each one. Click that link to open a column on the right with a list of that role’s privilege settings, and an active Add privileges button.

When you click this button, make sure the top line Add privilege for role: in the pop-up dialog names the user or group name for which you intend to edit privilege settings.

For each Entity category in the first drop-down menu, you must also specify how broadly the action is to apply, which is entity-specific. This is described in the following sections for each entity category.

The dialog provides an option for all entity categories: Allow role receiving grant to grant to others. Use this option carefully, because it might inadvertently increase the privilege level of some roles beyond your intentions.

Table entities

When selecting Tables in Starburst Enterprise web UI’s Add privilege dialog, you must also select at least the default Catalog * entry, which specifies all catalogs in the cluster. You can also narrow your selection to:

  • an individual catalog

  • a schema in that catalog

  • a table or view in that schema

  • a column in that table or view

Use the dialog’s check boxes to grant one or more of the following privileges to the role for the specified entity:

Table privileges

| Privilege | Grants the right to: |
| --- | --- |
| ALTER | Edit the properties of an existing table, view or schema, or to use the ALTER TABLE, ALTER VIEW, or ALTER SCHEMA commands. |
| CREATE | Create a new table in the current context, or use the CREATE TABLE or CREATE TABLE AS commands. |
| DELETE | Delete rows from an existing table or run the DELETE command. |
| DROP | Delete an existing table, view, or schema, or run the DROP TABLE, DROP VIEW, or DROP SCHEMA commands. |
| INSERT | Insert new rows into a table, or use the INSERT command. |
| REFRESH | Refresh a materialized view or run the REFRESH MATERIALIZED VIEW command. |
| SELECT | Browse the query editor’s catalog and schema tree, or use the SELECT command. |
| SHOW | Browse the query editor’s catalog and schema tree, or use the following SQL commands: SHOW TABLES and SHOW CREATE TABLE. |
| UPDATE | Update rows in an existing table, or use the UPDATE command. |

Role entities

In the second drop-down of the Add privilege dialog, you can select Roles * to apply the current change to all roles, or you can select a role name from the list. You cannot enter the name of an undefined role.

Use the dialog’s check boxes to grant the role one or more of the following privileges for the selected entity. The SHOW privilege allows the target role to run SHOW CURRENT ROLES.

Role privileges

| Privilege | Grants the right to: |
| --- | --- |
| CREATE | Create a new role, or run the CREATE ROLE command. |
| DROP | Delete an existing role, or run the DROP ROLE or REVOKE ROLES commands. |
| SHOW | Run the SHOW [CURRENT] ROLES or SHOW ROLE GRANTS commands. |

User entities

The second drop-down of the Add privilege dialog allows you to apply the change to All users or to an individual name you select from the list. The dialog does not reach into the cluster’s authentication system to list or validate all available usernames. You can enter a username that does not appear, but you must use the exact case and spelling of the name as recorded in the cluster’s authentication system.

There is one privilege to grant for the Users category:

User privileges

| Privilege | Grants the right to: |
| --- | --- |
| IMPERSONATE | Control whether the specified user can participate in User impersonation. |

Query entities

There are three privileges to grant. The Kill privilege allows the Kill query button to appear in the Query details panel for a long-running query; it does not affect the Cancel button in the Query editor, which is always available.

Query privileges

| Privilege | Grants the right to: |
| --- | --- |
| EXECUTE | Run a query in the current context. |
| SHOW | See a list of all queries running in the cluster, and see the details of a particular query. |
| KILL | Stop a long-running query with the Cancel button in the query editor, or with the Kill query button in the Query details pane for that query. |

Function entities

This category allows you to control access to custom functions. (The right to run built-in functions is always allowed.)

There is one privilege to grant:

Custom function privileges

| Privilege | Grants the right to: |
| --- | --- |
| EXECUTE | Run one or all custom functions. |

Procedure entities

This category lets you manage which roles can run catalog-defined procedures. Note that these are not the same as stored procedures provided by some data sources such as PostgreSQL.

The Add privilege dialog lets you specify all catalogs with an asterisk, or narrow the target to an individual catalog, then optionally to an individual schema. Once you select the target of the privilege, enter the name of a procedure if you know it, or select the asterisk to specify all procedures in that target.

There is one privilege to grant:

Procedure privileges

| Privilege | Notes |
| --- | --- |
| EXECUTE | For catalogs that have defined procedures, grants the right to use the command CALL to run one or all procedures in a catalog, or to run the procedures restricted to a schema, or to run an individual procedure. |

System session property entities

The second drop-down of the Add privilege dialog lets you enter an asterisk to grant the privilege on all session properties, or search the drop-down list to locate an individual system session property.

There is one privilege to grant:

System session property privileges

| Privilege | Grants the right to: |
| --- | --- |
| SET | Allow all or one specified session property to be set. |

Catalog session property entities

The second drop-down of the Add privilege dialog lets you specify a catalog on which to grant session property privileges. If the catalog’s data source enumerates catalog session properties, you can select an individual session property name from the third drop-down list. For other catalogs, specify the privilege for all catalog session properties with an asterisk.

There is one privilege to grant:

Catalog session property privileges

| Privilege | Grants the right to: |
| --- | --- |
| SET | Allow all or one specified catalog session property to be set. Applies to catalogs that have a defined set of session properties. |

Data product entities

This entity only appears in the dialog when starburst.data-product.enabled is set to true.

The Add privileges dialog lets you specify how narrowly the privilege applies:

  • Select * on the domain field to manage all domains and all data products in those domains.

  • Select a specific domain and * for data products to manage that domain and all data products in the domain.

  • Select a specific domain and specific data product to manage that data product.

Use the dialog’s check boxes to grant one or more of the following privileges to the specified domain or data product:

Data product privileges

| Privilege | Grants the right to: |
| --- | --- |
| ALTER | Edit an existing domain or data product. |
| CREATE | Create new data products within a domain. |
| DROP | Delete an existing domain or data product. |
| PUBLISH | Publish a created data product into the data source. |
| SHOW | Make a created data product visible to a set of users. |

User interface entities

The UI components that a user sees when assuming a given role depend on which user interface entities the role has been granted SHOW privileges for.

Note

The role currently applied to your user affects the options you can see in the Features drop-down when setting SHOW privileges for user interface entities.

Use the dialog’s SHOW check box to grant the role access to one or more of the following tabs in the Starburst Enterprise web UI:

User interface entities

| Privilege | Grants the right to view: |
| --- | --- |
| All available SEP features | Includes all individual UI screens listed in this table. |
| Query editor tab | The SEP query editor. |
| Data products tab | The data products screen and all associated tabs. |
| Cluster overview tab | The overview screen. |
| Query overview tab | The query overview report and its filters. |
| Cluster history tab | The cluster history charts and their filters. |
| Usage metrics tab | The usage metrics report and its filter. |
| All available settings | Includes the license information and customized login settings screens listed in this table. |
| License information settings tab | The license information report showing all possible SEP features and their statuses based on your current license file. |
| Customize login settings tab | The setting screen that allows you to customize the SEP login by uploading a logo, creating a banner message, or both. |