chore: add privilege doc about view and connection #2528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft. Wants to merge 1 commit into base: main.
85 changes: 48 additions & 37 deletions docs/en/guides/56-security/access-control/01-privileges.md
Expand Up @@ -104,46 +104,49 @@ Databend offers a range of privileges that allow you to exercise fine-grained co

### All Privileges

| Privilege | Object Type | Description |
|:-----------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------|
| ALL | All | Grants all the privileges for the specified object type. |
| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. |
| CREATE | Global, Table | Creates a table or UDF. |
| CREATE DATABASE | Global | Creates a database or UDF. |
| CREATE WAREHOUSE | Global | Creates a warehouse. |
| DELETE | Table | Deletes or truncates rows in a table. |
| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. |
| INSERT | Table | Inserts rows into a table. |
| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. |
| UPDATE | Table | Updates rows in a table. |
| GRANT | Global | Grants / revokes privileges to / from a user or role. |
| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. |
| USAGE | Global | Synonym for “no privileges”. |
| CREATE ROLE | Global | Creates a role. |
| DROP ROLE | Global | Drops a role. |
| CREATE USER | Global | Creates a SQL user. |
| DROP USER | Global | Drops a SQL user. |
| WRITE | Stage | Write into a stage. |
| READ | Stage | Read a stage. |
| USAGE | UDF | Use udf. |
| Privilege | Object Type | Description |
|:------------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------|
| ALL | All | Grants all the privileges for the specified object type. |
| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. |
| CREATE | Global, Table | Creates a table or UDF. |
| CREATE DATABASE | Global | Creates a database or UDF. |
| CREATE WAREHOUSE | Global | Creates a warehouse. |
| CREATE CONNECTION | Global | Creates a connection. |
| DELETE | Table | Deletes or truncates rows in a table. |
| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. |
| INSERT | Table | Inserts rows into a table. |
| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. |
| UPDATE | Table | Updates rows in a table. |
| GRANT | Global | Grants / revokes privileges to / from a user or role. |
| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. |
| USAGE | Global | Synonym for “no privileges”. |
| CREATE ROLE | Global | Creates a role. |
| DROP ROLE | Global | Drops a role. |
| CREATE USER | Global | Creates a SQL user. |
| DROP USER | Global | Drops a SQL user. |
| WRITE | Stage | Write into a stage. |
| READ | Stage | Read a stage. |
| USAGE | UDF | Use udf. |
| ACCESS CONNECTION | CONNECTION | Access connection. |

### Global Privileges

| Privilege | Description |
|:-----------------|:------------------------------------------------------------------------------------------------------------------|
| ALL | Grants all the privileges for the specified object type. |
| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. |
| CREATEROLE | Creates a role. |
| CREAT DATABASE | Creates a DATABASE. |
| CREATE WAREHOUSE | Creates a WAREHOUSE. |
| DROPUSER | Drops a user. |
| CREATEUSER | Creates a user. |
| DROPROLE | Drops a role. |
| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. |
| USAGE | Connects to a databend query only. |
| CREATE | Creates a UDF. |
| DROP | Drops a UDF. |
| ALTER | Alters a UDF. Alters a SQL user. |
| Privilege | Description |
|:------------------|:------------------------------------------------------------------------------------------------------------------|
| ALL | Grants all the privileges for the specified object type. |
| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. |
| CREATEROLE | Creates a role. |
| CREAT DATABASE | Creates a DATABASE. |
| CREATE WAREHOUSE | Creates a WAREHOUSE. |
| CREATE CONNECTION | Creates a CONNECTION. |
| DROPUSER | Drops a user. |
| CREATEUSER | Creates a user. |
| DROPROLE | Drops a role. |
| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. |
| USAGE | Connects to a databend query only. |
| CREATE | Creates a UDF. |
| DROP | Drops a UDF. |
| ALTER | Alters a UDF. Alters a SQL user. |

### Table Privileges

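Review bot: The new ACCESS CONNECTION row in the All Privileges table writes its Object Type as `CONNECTION`, while every other row in that column uses title case (`Global`, `Stage`, `UDF`); change it to `Connection`, and expand the description "Access connection." so it says what the privilege permits, in the same register as the other rows (at minimum it should match the wording chosen for the Connection Privileges section added later in this file). The same hunk carries the pre-existing `CREAT DATABASE` typo in the Global Privileges table, directly above the new `CREATE CONNECTION` row; since the row is touched here, fix it to `CREATE DATABASE` in this change. The SELECT row still lists `Database, Table` as object types, but the view documentation in this PR states that a view is accessed with SELECT on the view itself, so add `View` to the SELECT row so the two documents agree.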
Expand Down Expand Up @@ -224,3 +227,11 @@ Please note that you can use the [USE DATABASE](/sql/sql-commands/ddl/database/d
|:----------|:---------------------------------------------------------|
| SUPER | SHOW CREATE catalog. Creates or drops a catalog. |
| ALL | Grants all the privileges for the specified object type. |

### Connection Privileges

| Privilege | Description |
|:------------------|:-------------------------------------------------------------------------------------------------------------------|
| Access Connection | Can access Connection. |
| ALL | Grants Access Connection privileges for the specified object type. |
| OWNERSHIP | Grants full control over a Connection. Only a single role can hold this privilege on a specific object at a time. |
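Review bot: The privilege name is spelled `Access Connection` here but `ACCESS CONNECTION` in the All Privileges table in the same file; use the uppercase form every other privilege name in these tables uses. The `ALL` row's description ("Grants Access Connection privileges for the specified object type.") departs from the wording every other `ALL` row uses ("Grants all the privileges for the specified object type."), and because this table also lists `OWNERSHIP`, it leaves unclear whether ALL on a connection includes ownership; either use the standard wording or state explicitly which privileges ALL covers on a connection. `OWNERSHIP` is also absent from the All Privileges table in this file, so add it there or point to where it is documented.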
Expand Up @@ -31,6 +31,12 @@ So, if you delete the table which the view depends on, it occurs an error that t
CREATE [ OR REPLACE ] VIEW [ IF NOT EXISTS ] [ db. ]view_name [ (<column>, ...) ] AS SELECT query
```

## Access control requirements

To access a view, users only require the SELECT privilege on the view itself.

Separate permissions are not required on the view’s underlying tables. This mechanism simplifies access control and enhances data security.

## Examples

```sql
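Review bot: The new section only gives the privilege needed to query a view; placed directly under the CREATE VIEW syntax, it should also state what is required to create or replace one. As this PR stands, the privileges doc lists `View` as an object type only for ALTER and DROP and `SELECT` only for Database and Table, so neither the create nor the read requirement is derivable from that table. The second paragraph is the security-relevant point and deserves precise wording: a grantee with SELECT on the view can read whatever the view's query exposes without holding any privilege on the underlying tables, so granting SELECT on a view is effectively granting read access to that projection of the base data. Replace the vague "enhances data security" with that concrete consequence.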
Expand Up @@ -62,6 +62,25 @@ CREATE CONNECTION <connection_name>
| ROLE_ARN | The Amazon Resource Name (ARN) of the IAM role that Databend will assume to access your S3 resources. |


## Access control requirements

| Privilege | Object Type | Description |
|:------------------|:------------|:----------------------|
| CREATE CONNECTION | Global | Creates a connection. |


To create a connection, the user performing the operation or the [current_role](/guides/security/access-control/roles) must have the CREATE CONNECTION [privilege](/guides/security/access-control/privileges).

:::note

The enable_experimental_connection_rbac_check settings governs connection-level access control. It is disabled by default.
Connection creation solely requires the user to possess superuser privileges, bypassing detailed RBAC checks.
When enabled, granular permission verification is enforced during connection establishment.

This is an experimental feature and may be enabled by default in the future.

:::

## Examples

### Using Access Keys
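Review bot: The note's second sentence has lost its condition. Read in sequence, "It is disabled by default. Connection creation solely requires the user to possess superuser privileges, bypassing detailed RBAC checks." states the general rule rather than the behaviour when the setting is off; rewrite the pair as "When disabled (the default), creating a connection requires only superuser privileges and no RBAC check is made. When enabled, granular permission checks are enforced." Also fix "The enable_experimental_connection_rbac_check settings governs" to "setting governs". "during connection establishment" is ambiguous: the preceding sentence is about creating a connection, while the Connection Privileges section added in this PR introduces ACCESS CONNECTION and OWNERSHIP, so say whether the check applies when the connection is created, when it is used, or both. The table in this hunk lists only CREATE CONNECTION; add rows for ACCESS CONNECTION and OWNERSHIP (or link to the Connection Privileges section) so this page's requirements match the privileges doc. Minor: the double blank lines before the heading and after the table should be single.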