9. Role Based Access Control - RBAC

The Zetaris Cloud Data Fabric provides Role-Based Access Control, which limits each user's access to a specific set of data. It is applied at the data source level or at the table level within each data source. Only admin users (or equivalents) can run these commands.

Privileges

  • SELECT privilege - Gives read access to the data source or relation
  • INSERT privilege - Gives insert access to the data source or relation
  • CACHE privilege - Gives cache access to a relation, i.e. the right to run CACHE DATASOURCE TABLE and UNCACHE DATASOURCE TABLE on it

Predefined Role

Role names are case-insensitive.

  • admin
  • none
  • all
  • default

Create Role

CREATE ROLE role_name [DESCRIBE BY "description text"]


Drop Role

DROP ROLE role_name;


Show Roles

SHOW ROLES


Assign a User a Role

ASSIGN USER user_name [, user_name] ... TO ROLE role_name


Revoke User from Role

REVOKE USER user_name [, user_name] ... FROM ROLE role_name


Show Roles Assigned to a User

SHOW ROLE ASSIGNED TO USER user_name

Shows all roles assigned to the user.


Show Users Assigned to a Role

SHOW USER ASSIGNED TO ROLE role_name

Shows all users assigned to the role.

Grant

A user who holds a privilege WITH GRANT OPTION can grant that same privilege on the table to other principals.

GRANT SELECT | INSERT | CACHE ON table_or_view_name TO principal_spec [, principal_spec] ... [WITH GRANT OPTION]

Revoke

REVOKE SELECT | INSERT | CACHE ON table_or_view_name FROM principal_spec [, principal_spec] ...

Show Grant

SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name)

principal_specification: USER user | ROLE role

will display:

table_identifier | principal_name | principal_type | privilege | grant_option | grant_time              | grantor
-----------------+----------------+----------------+-----------+--------------+-------------------------+--------
ORCL.movies      | ashutosh       | USER           | DELETE    | false        | 2018-05-07 11:44:12.301 | thejas
ORCL.movies      | ashutosh       | USER           | INSERT    | false        | 2018-05-07 11:44:12.301 | thejas
ORCL.ratings     | ashutosh       | ROLE           | SELECT    | false        | 2018-05-07 11:44:12.301 | thejas

A wildcard can only be used in the table field. For example, ORCL.* is allowed, but *.* and *.movies are not.
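The following walk-through is an added example, not part of the Zetaris documentation; it strings together the role commands (Create Role through Show Users Assigned to a Role) and the Grant, Revoke and Show Grant commands above into one least-privilege workflow. The role name analyst and the user names alice and bob are constructed placeholders; ORCL.movies and ORCL.ratings are the tables from the SHOW GRANT output above. The trailing semicolons follow the DROP ROLE example on this page, and the `--` comments are for the reader and assumed to be accepted as SQL comments.

```sql
-- Constructed example: "analyst", "alice" and "bob" are placeholders;
-- ORCL.movies and ORCL.ratings are the tables shown in the SHOW GRANT
-- output above. Run as an admin (or equivalent) user.

-- 1. Create a role that carries only the read privilege the analysts need.
CREATE ROLE analyst DESCRIBE BY "Read-only access to the ORCL data source";

-- 2. Put users into the role instead of granting to each user directly,
--    so access is reviewed and revoked in one place.
ASSIGN USER alice, bob TO ROLE analyst;

-- 3. Grant SELECT to the role. The wildcard may only appear in the table
--    field, so ORCL.* covers every relation in ORCL; *.* or *.movies
--    would be rejected.
GRANT SELECT ON ORCL.* TO ROLE analyst;

-- 4. A narrower, per-user delegation: alice may pass SELECT on
--    ORCL.ratings on to others. Grant WITH GRANT OPTION sparingly, since
--    it lets a non-admin widen access without an admin in the loop.
GRANT SELECT ON ORCL.ratings TO USER alice WITH GRANT OPTION;

-- 5. Verify from both sides: what the principal holds, and who can reach
--    a given table. The grant_option column is the one to review.
SHOW GRANT ROLE analyst ON ALL;
SHOW GRANT ON TABLE ORCL.ratings;
SHOW ROLE ASSIGNED TO USER alice;
SHOW USER ASSIGNED TO ROLE analyst;

-- 6. Offboarding: take back the delegation and the role membership,
--    then confirm nothing is left behind for the departed user.
REVOKE SELECT ON ORCL.ratings FROM USER alice;
REVOKE USER bob FROM ROLE analyst;
SHOW GRANT USER bob ON ALL;

-- 7. Retire the role once no one needs it: empty it first, then drop it.
REVOKE USER alice FROM ROLE analyst;
DROP ROLE analyst;
```

Granting to the role rather than to individual users keeps the SHOW GRANT output short and auditable: a periodic `SHOW GRANT ON ALL` review then only needs to flag rows with grant_option set to true or with write privileges (INSERT, or DELETE as in the sample output) that a read-only role should not carry.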