Manage Privileges

Paimon provides a privilege system on catalogs. Privileges determine which users can perform which operations on which objects, so that you can manage table access in a fine-grained manner.

Currently, Paimon adopts the identity-based access control (IBAC) privilege model. That is, privileges are directly assigned to users.

This privilege system only prevents unwanted users from accessing tables through catalogs. It does not block access through temporary tables (created by specifying the table path on the filesystem), nor does it prevent users from directly modifying data files on the filesystem. If you need stronger protection, use a filesystem with access management instead.

Basic Concepts

We now introduce the basic concepts of the privilege system.

Object

An object is an entity to which access can be granted. Unless allowed by a grant, access is denied.

Currently, the privilege system in Paimon has three types of objects: CATALOG, DATABASE and TABLE. Objects have a logical hierarchy, which is related to the concept they represent. For example:

  • If a user is granted a privilege on the catalog, they also have this privilege on all databases and all tables in the catalog.
  • If a user is granted a privilege on a database, they also have this privilege on all tables in that database.
  • If a privilege on the catalog is revoked from a user, they also lose this privilege on all databases and all tables in the catalog.
  • If a privilege on a database is revoked from a user, they also lose this privilege on all tables in that database.

Privilege

A privilege is a defined level of access to an object. Multiple privileges can be used to control the granularity of access granted on an object. Privileges are object-specific. Different objects may have different privileges.

Currently, we support the following privileges.

| Privilege | Description | Can be Granted on |
|---|---|---|
| SELECT | Queries data in a table. | TABLE, DATABASE, CATALOG |
| INSERT | Inserts, updates or drops data in a table. Creates or drops tags and branches in a table. | TABLE, DATABASE, CATALOG |
| ALTER_TABLE | Alters metadata of a table, including table name, column names, table options, etc. | TABLE, DATABASE, CATALOG |
| DROP_TABLE | Drops a table. | TABLE, DATABASE, CATALOG |
| CREATE_TABLE | Creates a table in a database. | DATABASE, CATALOG |
| DROP_DATABASE | Drops a database. | DATABASE, CATALOG |
| CREATE_DATABASE | Creates a database in the catalog. | CATALOG |
| ADMIN | Creates or drops privileged users, grants or revokes privileges from users in a catalog. | CATALOG |

User

A user is the entity to which privileges can be granted. Users are authenticated by their password.

When the privilege system is enabled, two special users will be created automatically.

  • The root user, which is identified by the provided root password when enabling the privilege system. This user always has all privileges in the catalog.
  • The anonymous user. This is the default user if no username and password are provided when creating the catalog.

Enable Privileges

Paimon currently supports only a file-based privilege system. Only catalogs with 'metastore' = 'filesystem' (the default value) or 'metastore' = 'hive' support this privilege system.

To enable the privilege system on a filesystem / Hive catalog, do the following steps.

Flink 1.18+

Run the following Flink SQL.

    -- use the catalog where you want to enable the privilege system
    USE CATALOG `my-catalog`;
    -- initialize privilege system by providing a root password
    -- change 'root-password' to the password you want
    CALL sys.init_file_based_privilege('root-password');

After the privilege system is enabled, please re-create the catalog and authenticate as root to create other users and grant them privileges.

The privilege system does not affect existing catalogs. That is, these catalogs can still access and modify the tables freely. Please drop and re-create all catalogs with the desired warehouse path if you want to use the privilege system in these catalogs.

Accessing Privileged Catalogs

To access a privileged catalog and to be authenticated as a user, you need to define user and password catalog options when creating the catalog. For example, the following SQL creates a catalog while trying to be authenticated as root, whose password is mypassword.

Flink

    CREATE CATALOG `my-catalog` WITH (
        'type' = 'paimon',
        -- ...
        'user' = 'root',
        'password' = 'mypassword'
    );

Creating Users

You must be authenticated as a user with ADMIN privilege (for example, root) to perform this operation.

Do the following steps to create a user in the privilege system.

Flink 1.18+

Run the following Flink SQL.

    -- use the catalog where you want to create a user
    -- you must be authenticated as a user with ADMIN privilege in this catalog
    USE CATALOG `my-catalog`;
    -- create a user authenticated by the specified password
    -- change 'user' and 'password' to the username and password you want
    CALL sys.create_privileged_user('user', 'password');

Dropping Users

You must be authenticated as a user with ADMIN privilege (for example, root) to perform this operation.

Do the following steps to drop a user in the privilege system.

Flink 1.18+

Run the following Flink SQL.

    -- use the catalog where you want to drop a user
    -- you must be authenticated as a user with ADMIN privilege in this catalog
    USE CATALOG `my-catalog`;
    -- change 'user' to the username you want to drop
    CALL sys.drop_privileged_user('user');

Granting Privileges to Users

You must be authenticated as a user with ADMIN privilege (for example, root) to perform this operation.

Do the following steps to grant a privilege to a user in the privilege system.

Flink 1.18+

Run the following Flink SQL.

    -- use the catalog where you want to grant privileges
    -- you must be authenticated as a user with ADMIN privilege in this catalog
    USE CATALOG `my-catalog`;
    -- you can change 'user' to the username you want, and 'SELECT' to another privilege you want
    -- grant privilege 'SELECT' to 'user' on the whole catalog
    CALL sys.grant_privilege_to_user('user', 'SELECT');
    -- grant privilege 'SELECT' to 'user' on database my_db
    CALL sys.grant_privilege_to_user('user', 'SELECT', 'my_db');
    -- grant privilege 'SELECT' to 'user' on table my_db.my_tbl
    CALL sys.grant_privilege_to_user('user', 'SELECT', 'my_db', 'my_tbl');

Revoking Privileges from Users

You must be authenticated as a user with ADMIN privilege (for example, root) to perform this operation.

Do the following steps to revoke a privilege from a user in the privilege system.

Flink 1.18+

Run the following Flink SQL.

    -- use the catalog where you want to revoke privileges
    -- you must be authenticated as a user with ADMIN privilege in this catalog
    USE CATALOG `my-catalog`;
    -- you can change 'user' to the username you want, and 'SELECT' to another privilege you want
    -- revoke privilege 'SELECT' from 'user' on the whole catalog
    CALL sys.revoke_privilege_from_user('user', 'SELECT');
    -- revoke privilege 'SELECT' from 'user' on database my_db
    CALL sys.revoke_privilege_from_user('user', 'SELECT', 'my_db');
    -- revoke privilege 'SELECT' from 'user' on table my_db.my_tbl
    CALL sys.revoke_privilege_from_user('user', 'SELECT', 'my_db', 'my_tbl');
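
The procedures above combined into one least-privilege setup, as an added example that is not part of the Paimon documentation. The users analyst and etl_writer, the warehouse path and all passwords are hypothetical placeholders, and the two parts are assumed to run in separate Flink SQL sessions against a catalog where the privilege system is already enabled.

```sql
-- ===== Session 1: administrator =====
-- '<warehouse-path>' and every '<...-password>' value are placeholders.
CREATE CATALOG `my-catalog` WITH (
    'type' = 'paimon',
    'warehouse' = '<warehouse-path>',
    'user' = 'root',
    'password' = '<root-password>'
);
USE CATALOG `my-catalog`;

-- hypothetical users for this example
CALL sys.create_privileged_user('analyst', '<analyst-password>');
CALL sys.create_privileged_user('etl_writer', '<etl-password>');

-- analyst: read-only, scoped to a single table
CALL sys.grant_privilege_to_user('analyst', 'SELECT', 'my_db', 'my_tbl');

-- etl_writer: read, write and create tables inside my_db only.
-- No DROP_TABLE, ALTER_TABLE or ADMIN, and nothing at catalog level,
-- so the grants do not extend to other databases.
CALL sys.grant_privilege_to_user('etl_writer', 'SELECT', 'my_db');
CALL sys.grant_privilege_to_user('etl_writer', 'INSERT', 'my_db');
CALL sys.grant_privilege_to_user('etl_writer', 'CREATE_TABLE', 'my_db');

-- ===== Session 2: analyst =====
CREATE CATALOG `my-catalog` WITH (
    'type' = 'paimon',
    'warehouse' = '<warehouse-path>',
    'user' = 'analyst',
    'password' = '<analyst-password>'
);
USE CATALOG `my-catalog`;

-- covered by the table-level SELECT grant
SELECT * FROM my_db.my_tbl;
-- Writing to my_db.my_tbl or reading any other table is not covered by a
-- grant, and access that is not allowed by a grant is denied.

-- ===== Session 1 again: offboarding the analyst =====
CALL sys.revoke_privilege_from_user('analyst', 'SELECT', 'my_db', 'my_tbl');
CALL sys.drop_privileged_user('analyst');
```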