Built-in access control privileges#

The built-in access control system in Starburst Enterprise allows setting individual privileges on various entities.

Predefined privilege grants#

A newly installed cluster’s built-in access control system has the EXECUTE privilege predefined for Queries granted to the public role. This allows any user to execute a query by default. The sysadmin role can remove or change this setting.

Privilege actions#

When you are logged in to the Starburst Enterprise web UI with the sysadmin role or its equivalent, the Roles and privileges panel shows a list of configured roles, with a Privileges link for each one. Click that link to open a column on the right with a list of that role’s privilege settings. Up to three actions are available for each privilege, depending on the user’s current role and its grants.

Add privileges#

Click the Add privileges button in the Privileges view to be taken to the Add privilege screen. The role that the new privilege applies to appears at the top of the screen.

Each privilege can be configured for only one entity type. Select the entity type to add a privilege for from the row of radio buttons in the resulting screen. For each entity type, you must specify how broadly the action is to apply, which is entity-specific. This is described in the following sections for each entity category.

Each privilege can do one of the following for the role it is configured for:

  • Allow - Grant the role the privilege

  • Deny - Explicitly deny the role the privilege

The Allow role receiving grant to grant to others option allows the privilege to be applied to all current and future users granted this role, and also grants them the ability to remove the privilege.

You can cancel the Add privilege action at any time by clicking the Cancel button. To save a privilege, click the Save privilege button.

Once saved, a privilege cannot be edited.

Remove privilege#

The sysadmin role, and roles for which a privilege has been marked with Allow role receiving grant to grant to others, may delete a privilege from a role using the delete (trashbin) icon for that privilege. This action is not enabled if the current user and their selected role do not have the grant for that privilege from the Allow role receiving grant to grant to others option.

Copy entity name#

Each privilege has a copy icon. Clicking this icon copies the text immediately to its left.

Entity types#

The following sections describe the privileges available for each entity.

Table entities#

When selecting Tables in the Add privilege screen, you must choose All catalogs or a catalog from the Catalog dropdown, as well as All schemas or a schema from the Schema dropdown. You can also narrow your selection to:

  • a table or view in that schema

  • a column in that table or view

You can also enter a schema, table, or column name that does not currently exist as a custom entity. This creates a placeholder rule that applies to future queries once an entity with that name is created.

Select one or more of the following privileges to grant them to the role for the specified entity:

Table privileges#

| Privilege | Grants the right to: |
|---|---|
| ALTER | Edit the properties of an existing table, view or schema, or to use the ALTER TABLE, ALTER VIEW, or ALTER SCHEMA commands. |
| CREATE | Create a new table in the current context, or use the CREATE TABLE or CREATE TABLE AS commands. |
| DELETE | Delete rows from an existing table or run the DELETE command. |
| DROP | Delete an existing table, view, or schema, or run the DROP TABLE, DROP VIEW, or DROP SCHEMA commands. |
| INSERT | Insert new rows into a table, or use the INSERT command. |
| REFRESH | Refresh a materialized view or run the REFRESH MATERIALIZED VIEW command. |
| SELECT | Browse the query editor’s catalog and schema tree, or use the SELECT command. Can optionally include a column mask or row filter to further control access to specific data in the result set. |
| SHOW | Browse the query editor’s catalog and schema tree, or use the following SQL commands: SHOW TABLES and SHOW CREATE TABLE. |
| UPDATE | Update rows in an existing table, or use the UPDATE command. |

Column masks and filters#

You can control what data a user may see by applying column masks and row filters to a privilege. This option is only available on privileges that allow access to the SELECT action for one or more columns.

Column masks hide information from users by masking the values of columns as configured. Row filters exclude rows from a query’s result set when a custom expression matches the contents of the row. Masks and filters can be applied to tables, views, and materialized views.

For more information, read Built-in access control masks and filters.

Role entities#

When selecting Roles in the Add privilege screen, you can select All roles to apply the current change to all roles, or select a role name from the list. You cannot enter the name of an undefined role.

Use the checkboxes to grant the role one or more of the following privileges for the selected entity. The SHOW privilege allows the target role to run SHOW CURRENT ROLES.

Role privileges#

| Privilege | Grants the right to: |
|---|---|
| CREATE | Create a new role, or run the CREATE ROLE command. |
| DROP | Delete an existing role, or run the DROP ROLE or REVOKE ROLES commands. |
| SHOW | Run the SHOW [CURRENT] ROLES or SHOW ROLE GRANTS commands. |

Note

Selecting All roles does not include the sysadmin role.

User entities#

When selecting Users in the Add privilege screen, you can select All users (recommended) or an individual name you select from the list. SEP does not reach into the cluster’s authentication system to list or validate all available usernames. You can enter a username that does not appear, but you must use the exact case and spelling of the name as recorded in the cluster’s authentication system.

There is one privilege to grant for the user entities:

User privileges#

| Privilege | Grants the right to: |
|---|---|
| IMPERSONATE | Control whether the specified user can participate in User impersonation. |

Warning

While this privilege focuses on users, the privilege itself is role-based. If specific users are selected in this privilege and they are not granted the role to which this privilege applies, the user does not have the privilege. When not using the All users option, you must ensure that the selected users have been granted the role.

Query entities#

When selecting Queries in the Add privilege screen, there are three privileges to grant:

Query privileges#

| Privilege | Grants the right to: |
|---|---|
| EXECUTE | Run a query in the current context. |
| SHOW | See a list of all queries running in the cluster, and see the details of a particular query. |
| KILL | Enables the Kill query button to appear in the Query details panel for a long-running query; it does not affect the Cancel button in the query editor, which is always available. A long-running query can be stopped with the Cancel button in the query editor, or with the Kill query button in the Query details pane for that query. |

Data product entities#

This entity type only appears as an option when starburst.data-product.enabled is set to true.

The Add privileges screen lets you specify how narrowly the privilege applies:

  • Select * on the domain field to manage all domains and all data products in those domains.

  • Select a specific domain and * for data products to manage that domain and all data products in the domain.

  • Select a specific domain and specific data product to manage that data product.

Use the checkboxes to grant one or more of the following privileges to the specified domain or data product:

Data product privileges#

| Privilege | Grants the right to: |
|---|---|
| ALTER | Edit an existing domain or data product. |
| CREATE | Create new data products within a domain. |
| DROP | Delete an existing domain or data product. |
| PUBLISH | Publish a created data product into the data source. |
| SHOW | Make a created data product visible to a set of users. |

User interface entities#

The Starburst Enterprise web UI components that a user sees when assuming a given role depend on which user interface entities the role has been granted SHOW privileges for. This entity type allows you to grant or deny the ability for users in the role to access the various Starburst Enterprise web UI components.

Note

The role currently applied to your user affects the options you can see in the Features drop-down when setting SHOW privileges for user interface entities.

Use the SHOW checkbox to grant the role access to one or more of the following tabs in the Starburst Enterprise web UI:

User interface entities#

| Privilege | Grants the right to view: |
|---|---|
| All available SEP features | Includes all individual UI screens listed in this table. |
| Query editor tab | The SEP query editor. |
| Data products tab | The data products screen and all associated tabs. |
| Cluster overview tab | The overview screen. |
| Query overview tab | The query overview report and its filters. |
| Cluster history tab | The cluster history charts and their filters. |
| Usage metrics tab | The usage metrics report and its filter. |
| All available settings | Includes the license information and customized login settings screens listed in this table. |
| License information settings tab | The license information report showing all possible SEP features and their statuses based on your current license file. |
| Customize login settings tab | The setting screen that allows you to customize the SEP login by uploading a logo, creating a banner message, or both. |

Access logs for UI elements are disabled by default. To enable the access logs, set the starburst.access-control.audit.access-log.exclude-events configuration property to ui-view=none.

Location entities#

The location privilege applies only to object storage catalogs. Use this privilege to restrict creating or altering objects in unexpected object storage locations outside the configured default location of the current catalog.

Your cloud provider credentials, such as an IAM role or AWS key for S3 catalogs, may have broad access rights to multiple locations. If you provide these credentials when configuring a catalog for a narrow location, users connecting to that catalog may inadvertently be granted the right to make changes outside that narrow location.

Let’s say you configure a catalog to access the S3 location s3://bucket-name/folder-name/, but you configure the catalog with an AWS key that has write rights throughout all of s3://bucket-name/*. This allows anyone connecting to this catalog to create, for example, s3://bucket-name/different-folder.

If you set the location privilege for a role to s3://bucket-name/folder-name/*, you restrict creation or alteration of schemas or tables to the folder-name location only for that role.

The location privilege is only verified for CREATE or ALTER operations of a table or schema, because these are the only operations capable of creating objects outside the default location of the catalog. If that operation is within the configured location of the catalog, the catalog privileges and schema privileges are also considered.

The location privilege is not checked for SELECT, INSERT, UPDATE, or DELETE operations on object storage tables, where table privileges manage access instead.

A single location privilege is available to grant to any role:

Location privileges#

| Privilege | Grants the right to: |
|---|---|
| Create SQL | Restricts creation or alteration of schemas or tables to only within the specified location. |

Location access controls are disabled by default. To enable location access controls, set the following configuration property to true:

starburst.access-control.location.enabled=true

When location access controls are first enabled, only the sysadmin role has access to any locations. Location permissions must be granted through the Starburst Enterprise web UI.

A location URI must start with the location protocol and end with /*, for example:

s3://my-bucket/path1/path2/*

Granting access to this location for a specific role allows that role to access s3://my-bucket/path1/path2/ and all of its sub-folders. Up to 10 location privileges can be added at a time.

Warning

Roles with assigned location access cannot be deleted until location access is removed.

Location grants are recorded in the built-in access control audit log.
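
A minimal model of the location rule described in this section, added here as an illustration and not Starburst's own code: it validates the grant format and matches targets on a path boundary, so a sibling folder that merely shares a name prefix is not covered. The function names and the choice to reject dot segments are assumptions.

```python
from urllib.parse import urlsplit

# Per the page, only these operations consult the location privilege.
CHECKED_OPERATIONS = {"CREATE", "ALTER"}


def parse_grant(grant_uri):
    """Validate '<protocol>://<bucket>/<path>/*'; return (scheme, bucket, prefix)."""
    parts = urlsplit(grant_uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"missing protocol or bucket: {grant_uri!r}")
    if not parts.path.endswith("/*"):
        raise ValueError(f"grant must end with /*: {grant_uri!r}")
    return parts.scheme, parts.netloc, parts.path[:-1]  # drop '*', keep '/'


def location_covered(grant_uri, target_uri):
    """True when target_uri is the granted folder or one of its sub-folders."""
    scheme, bucket, prefix = parse_grant(grant_uri)
    target = urlsplit(target_uri)
    if (target.scheme, target.netloc) != (scheme, bucket):
        return False
    if {".", ".."} & set(target.path.split("/")):
        return False  # assumption: reject dot segments instead of normalizing
    # Compare on a '/' boundary so 'folder-name-2' never matches 'folder-name/'.
    path = target.path if target.path.endswith("/") else target.path + "/"
    return path.startswith(prefix)


def location_check_passes(operation, target_uri, role_grants):
    """False only when a CREATE or ALTER targets a location outside every grant."""
    if operation.upper() not in CHECKED_OPERATIONS:
        return True  # SELECT/INSERT/UPDATE/DELETE rely on table privileges
    return any(location_covered(g, target_uri) for g in role_grants)


if __name__ == "__main__":
    grants = ["s3://bucket-name/folder-name/*"]  # constructed sample from the page's scenario
    for op, uri in [
        ("CREATE", "s3://bucket-name/folder-name/sales/"),
        ("CREATE", "s3://bucket-name/different-folder"),
        ("ALTER", "s3://bucket-name/folder-name-2/"),
        ("SELECT", "s3://bucket-name/different-folder"),
    ]:
        print(op, uri, "->", location_check_passes(op, uri, grants))
```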

Function entities#

Selecting Other, then Functions allows you to control access to:

To control access to a specific function, type its name in the menu and select it. You can select one or more specific functions from the menu, one at a time, or you can check the All functions box to select all functions.

Note

You can create privileges for functions that do not yet exist, but you must ensure that you name them exactly as specified in the privilege.

The right to run any built-in functions other than those listed here is always allowed.

There is one privilege to grant:

Custom function privileges#

| Privilege | Grants the right to: |
|---|---|
| EXECUTE | Run one or all custom functions. |

Table functions#

When “Functions” is selected, you must indicate whether the functions you wish to configure access for are table functions using the Yes and No radio buttons. When Yes is selected, menus are enabled to select catalogs and schemas.

Select a specific catalog from the Catalog menu. Once a catalog is selected, the Schema menu is enabled. Select a specific schema from the Schema menu. Once the schema is selected, type the exact name of a specific table function in the Function box; you can specify more than one table function, but you must do so one entry at a time. When all table functions have been specified, set the desired privilege and Deny or Allow as usual. Ensure that the Execute action is checked, and click Save privilege to save.

Note

You can create privileges for table functions that do not yet exist, but you must ensure that you name them exactly as specified in the privilege.

Procedure entities#

Selecting Other, then Procedures lets you manage which roles can run catalog-defined procedures. Note that these are not the same as stored procedures provided by some data sources such as PostgreSQL.

The Add privilege screen lets you specify all catalogs with the All catalogs checkbox, or narrow the target to an individual catalog, then optionally to an individual schema or All schemas. Once you select the target of the privilege, enter the name of a procedure, or select the All procedures box to specify all procedures for the selected catalogs and schemas.

There is one privilege to grant:

Procedure privileges#

| Privilege | Notes |
|---|---|
| EXECUTE | For catalogs that have defined procedures, grants the right to use the command CALL to run one or all procedures in a catalog, or to run the procedures restricted to a schema, or to run an individual procedure. |

System session property entities#

Selecting Other, then System session properties in the Add privilege screen lets you choose one or more system session properties from the multi-select dropdown, or check the All system session properties box to specify all session properties to grant the privilege on.

There is one privilege to grant:

System session property privileges#

| Privilege | Grants the right to: |
|---|---|
| SET | Allow all or one specified session property to be set. |

Catalog session property entities#

Selecting Other, then Catalog session properties lets you specify a single catalog on which to grant session property privileges, or All catalogs. If the catalog’s data source enumerates catalog session properties, you can select an individual session property name from the third drop-down list. Alternatively, you can check the All catalog session properties box.

There is one privilege to grant:

Catalog session property privileges#

| Privilege | Grants the right to: |
|---|---|
| SET | Allow all or one specified catalog session property to be set. Applies to catalogs that have a defined set of session properties. |

Schema property entities#

Roles with administrative rights can grant and block access to schema properties by selecting Add privileges > Other > Schema properties.

There is one privilege to grant:

Schema property privileges#

| Privilege | Grants the right to: |
|---|---|
| SET | Allow one, multiple, or all schema properties to be set. |

Table property entities#

Roles with administrative rights can grant and block access to table properties by selecting Add privileges > Other > Table properties.

Table property privileges#

| Privilege | Grants the right to: |
|---|---|
| SET | Allow one, multiple, or all table properties to be set. |