grant

Syntax

grant(userId|groupId,accessType,[objs])

Arguments

userId | groupId is a string indicating a user name or a group name.

accessType is the privilege type or memory limit.

objs (optional) is a STRING scalar/vector indicating the objects that the priviledges specified by accessType applies to. "*" means all objects. When accessType is COMPUTE_GROUP_EXEC, objs must be compute group(s).

See the privilege table in User Access Control for the values that accessType and objs can take.

Note:
  • When managing privileges for shared tables, stream tables or streaming engines, objs must be in the format "tableName@nodeAlias" or "nodeAlias:tableName".
  • When managing privileges for IMOLTP databases and tables, objs must be in the format "oltp://database/table@nodeAlias" or "oltp://database@nodeAlias".

Details

  1. Grant a user or group with the specified privilege.
  2. Set the memory limit of a query result (when accessType = QUERY_RESULT_MEM_LIMIT) or the memory limit of a task group (when accessType = TASK_GROUP_MEM_LIMIT) for a user. Different from commands setMemLimitOfQueryResult and setMemLimitOfTaskGroupResult, grant only applies to the specified user (group is not supported). You can use revoke to remove the memory limit set with grant.

Administrators can grant users all privileges (accessType) through this command, but regular users, after having the relevant OWNER privileges, can only grant the following privileges through this command: TABLE_READ, TABLE_WRITE, TABLE_INSERT, TABLE_UPDATE, TABLE_DELETE, DB_READ, DB_WRITE, DB_INSERT, DB_UPDATE, DB_DELETE, DBOBJ_DELETE, DBOBJ_CREATE and VIEW_EXEC.

When the accessType is DB_OWNER, objs can be specified as a prefix rule to limit the databases that the user can create and manage. Multiple prefix rules can be passed in a vector to objs. If there is already a global DB_OWNER privilege granted, adding prefix rules will be invalid. Prefix rules do not override each other if one contains the other. The authorized prefix rules can be viewed using the getUserAccess function.

When a user attempts to create or manage a database, if the user's privilege is denied globally, the operation is prohibited; otherwise, the user's privileges are the union of all the prefix rules, meaning if the database name matches any of the authorized prefix rules, the operation is permitted.

Note that the prefix rules can only be specified with function grant, and revoked with revoke, but cannot be denied with deny. When the accessType is DB_OWNER, deny only takes effect at a global scope and overrides all previously-defined prefix rules.

Examples

Grant all members of group "production" the read privilege to all tables and databases:

grant(`production, TABLE_READ, "*")

Grant all members of group "research" the write privilege to the table "dfs://db1/t1":

grant(`research, TABLE_WRITE, "dfs://db1/t1")

Grant all members of group "research" the table creation privilege to the databases "dfs://db1" and "dfs://db2":

grant("research", DBOBJ_CREATE, ["dfs://db1","dfs://db2"])

Grant the user "AlexSmith" the DB_MANAGE privilege:

grant("AlexSmith", DB_MANAGE)

Grant the user "AlexSmith" the script execution privilege:

grant("AlexSmith", SCRIPT_EXEC)

Grant the user "AlexSmith" the script test privilege:

grant("AlexSmith", TEST_EXEC)

Grant the user "AlexSmith" the execution privilege of function f1 under the namespace test1:

grant("AlexSmith", VIEW_EXEC, "test1::f1")

Grant the user "AlexSmith" the execution privilege of all functions under the namespace test2:

grant("AlexSmith", VIEW_EXEC, "test2::*")

The namespace must be a module name. For example, for a module test.dos under the directory moduleDir/mod1/test.dos, grant the user the execution privileges of all functions under the module namespace: 

grant("AlexSmith", VIEW_EXEC, "mod1::test::*")

The following script is not supported:

grant("AlexSmith", VIEW_EXEC, "mod1::*")

If privilege on a namespace is granted, and later the function views in the namespace are removed with dropFunctionView, once the last function view in the namespace is deleted, the authorization for that namespace will also be automatically revoked. Similarly, if there are no function views in the namespace at the time of authorization, an exception will be thrown. For function views without a namespace, they are considered global. The following two methods are equivalent:

grant("AlexSmith", VIEW_EXEC, "::f")
grant("AlexSmith", VIEW_EXEC, f)

Set the memory limit of query result to 4 GB for the user "AlexSmith".

grant("AlexSmith", QUERY_RESULT_MEM_LIMIT, 4)

Grant user "AlexSmith" the privilege to create and manage databases with prefix "dbxxx".

grant("AlexSmith", DB_OWNER, "dfs://ddb*")

Multiple patterns can be passed in a vector to objs. For example:

grant("AlexSmith", DB_OWNER, ["dfs://ddb_prefix1*","dfs://ddb_prefix2*"])