Built-in access control roles

The built-in access control system in Starburst Enterprise is role-based. It uses roles to bundle together one or more privileges, which are the rights to perform actions. A role has a name and an optional description. Privileges can be granted to roles to configure actions and access to entities such as catalogs and tables.

• Built-in access control overview provides configuration instructions and a terminology overview.

• This page describes the roles-first approach of this system.

• Built-in access control privileges describes the entities that can be tracked and the privileges settable on each.

• Differences between built-in access control and Apache Ranger compares the two systems.

Users are assigned one or more roles. By selecting a role, you gain the rights defined by the role’s privileges. You can see the role you are currently using in the top right corner of Starburst Enterprise web UI. With the query editor or CLI, use the SHOW CURRENT ROLES command.

If you are assigned to more than one role, you can switch your current role in the Starburst Enterprise web UI or with the SET ROLE rolename command, as described in CLI access control.

Pre-defined roles

Two roles are system-defined and always exist:

• sysadmin: This role can perform any action in the built-in access control system and must be reserved for trusted administrators. The sysadmin role is assigned by the starburst.access-control.authorized-users property in the coordinator’s config.properties file, or by membership in a group named in the starburst.access-control.authorized-groups property.

• public: This default role is automatically assigned to new users logging in for the first time, if no other role is pre-assigned to that username. Any privilege granted to this role is effectively added to all SEP users. The public role is always enabled and cannot be revoked.

User roles

Users can be granted more than one role. All users are implicitly granted the pre-defined role public. By assuming a role, you have all the privileges of that role, plus all the privileges of any ancestors of that role.

In the CLI, users have access to all of the roles to which they are assigned. This allows users to access all of the privileges granted to them by each role unless altered by SQL commands.

In the Starburst Enterprise web UI, users are assigned to one role at a time even if they have access to more than one role. By default that role is the public role and all users always have those privileges. The public role is never unassigned, it is implicitly available even if a user switches to another role.

To select a different role, navigate to the Switch role menu:

1. In the Starburst Enterprise web UI, click the user settings menu and select Switch role.

2. From the Switch role dialog, click the Role field and select one of your assigned roles.

3. To save your role for this session, click Switch role.

To specify the role you want to access when you first log in, on the Switch role dialog, specify that role, set Remember selected role, and click Switch role to save your settings.

If you log out of the session and later reopen the session in the same browser tab or window, the Starburst Enterprise web UI defaults to the role you were previously using unless you have specified otherwise.

Role assignments

Every active user session, initiated with JDBC or any other client, has a list of associated roles.

When a session is initiated, the current roles are determined by the following rules in order of priority:

1. Connection-defined roles

2. User-assigned roles

Connection-defined roles

The role is defined as a part of a JDBC connection. This overrides the otherwise default public role, with two conditions:

• The username is already a member of the connection-defined role

• The sysadmin role is never assigned this way

User-assigned roles

With no connection-defined role, user role assignments are those assigned by administrators, plus the public role. User cluster access privileges are granted by the union of all assigned roles.

Administrators can grant privileges to the public role. These privileges allow users secure minimum access to cluster information and statistics without disclosing cluster data tables.

There is a system-defined set of privileges granted to public by default. Those privileges are always granted to all users with the public role. Do not delete these privileges unless you are certain about the results.

The following table shows the system-defined default privileges for the public role:

Default privileges for the public role

Privilege	Entity
EXECUTE	Queries
SELECT	system.jdbc
SELECT	system.runtime

The sysadmin role is never automatically assigned. To assign a user to the sysadmin role it must be explicitly set from the Switch role menu, described above, or using the SET ROLE sysadmin command.

If you use SET ROLE, your rights are reduced to those granted by that one role. To restore the rights of more than one assigned role, other than sysadmin, use SET ROLE ALL.

Add new roles

Users logged in with the sysadmin role or users granted the CREATE ROLE privilege can add new roles to the cluster’s built-in access control system. If you have that privilege, you see a CREATE ROLE button on several screens. This button’s dialog accepts a role name and description. The description cannot be edited later.