Access control
RisingWave uses a user-based access control to handle authentication and authorization. Privileges can be granted to or revoked by users to control what actions can be performed on different object levels.
When creating a user, the administrator of an organization can determine the system-level permissions and set a password. The system permissions and the user names can be revised with the ALTER USER
command. For details about the system permissions, see System permissions.
Database privileges can be configured later by using GRANT
and REVOKE
commands. The privileges are managed at these object levels:
- Database
- Schema
- Table
- Source
- Materialized view
For database privileges that can be applied to each of the object levels, see Privileges.
Users
Create a user
Syntax:
CREATE USER user_name [ [ WITH ] system_permission [ ... ]['PASSWORD' { password | NULL }] ];
For details about system permissions, see System permissions.
Create a user with default permissions:
CREATE USER user_name;
Create a user and permit it to create databases, and set a password for it:
CREATE USER user001 WITH CREATEDB PASSWORD '1234abcd';
Alter user
You can alter the system permissions, password, or name of a user by using the ALTER USER
command.
The following statement modifies the password and initial permissions of user001
.
ALTER USER user001 WITH NOSUPERUSER CREATEDB PASSWORD '4d2Df1ee5';
The following statement renames user1
to user001
.
ALTER USER user1 RENAME TO user001;
Privileges
See the table below for the privileges available in RisingWave and the corresponding object levels that they can apply to.
Privilege | Description | Object Level |
---|---|---|
SELECT | Permission to retrieve data from a relation object. | Table, Source, Materialized View |
INSERT | Permission to add new rows to a table. | Table |
UPDATE | Permission to modify existing data in a table. | Table |
DELETE | Permission to remove rows from a table. | Table |
CREATE | Permission to create new objects within the database. | Schema, Database, Table |
CONNECT | Permission to connect to a database. | Database |
You use the GRANT
command to grant privileges to a user, and the REVOKE
command to revoke privileges from a user. For the syntaxes of these two commands, see GRANT
and REVOKE
.
This statement grants the SELECT
privilege for materialized view mv1
, which is in schema schema1
of database db1
, to user user1
. user1
is able to grant the SELECT
privilege to other users.
GRANT SELECT
ON MATERIALIZED VIEW mv1 IN SCHEMA db1.schema1
TO user1 WITH GRANT OPTION GRANTED BY user;
This statement grants the SELECT
and UPDATE
privileges for source s1
to user user1
.
GRANT SELECT, UPDATE
ON SOURCE s1
TO user1;