Built-in access control roles

The built-in access control system in Starburst Enterprise is role-based. It uses roles to bundle together one or more privileges, which are the rights to perform actions. A role has a name and an optional description. Privileges can be granted to roles to configure actions and access to entities such as catalogs and tables.

Users are assigned one or more roles. By selecting a role, you gain the rights defined by the role’s privileges. You can see the role you are currently using in the top right corner of Starburst Enterprise web UI. With the query editor or CLI, use the SHOW CURRENT ROLES command.

If you are assigned to more than one role, you can switch your current role in the Starburst Enterprise web UI or with the SET ROLE rolename command, as described in CLI access control.

Pre-defined roles

Two roles are system-defined and always exist:

  • sysadmin: This role can perform any action in the built-in access control system and must be reserved for trusted administrators. The sysadmin role is assigned by the starburst.access-control.authorized-users property in the coordinator’s config.properties file, or by membership in a group named in the starburst.access-control.authorized-groups property.

  • public: This default role is automatically assigned to new users logging in for the first time, if no other role is pre-assigned to that username. Any privilege granted to this role is effectively added to all SEP users. The public role is always enabled and cannot be revoked.

User roles

Users can be granted more than one role. All users are implicitly granted the pre-defined role public. By assuming a role, you have all the privileges of that role, plus all the privileges of any ancestors of that role.

In the CLI, users have access to all of the roles to which they are assigned. This gives users all of the privileges granted by each of those roles, unless the set of active roles is changed with SQL commands such as SET ROLE.

In the Starburst Enterprise web UI, users are assigned to one role at a time, even if they have access to more than one role. By default that role is the public role, and all users always have its privileges. The public role is never unassigned; it remains implicitly available even after a user switches to another role.

To select a different role, navigate to the Switch role menu:

  1. In the Starburst Enterprise web UI, click the user settings menu and select Switch role.

  2. From the Switch role dialog, click the Role field and select one of your assigned roles.

  3. To save your role for this session, click Switch role.

To specify the role you want to access when you first log in, on the Switch role dialog, specify that role, set Remember selected role, and click Switch role to save your settings.

If you log out of the session and later reopen the session in the same browser tab or window, the Starburst Enterprise web UI defaults to the role you were previously using unless you have specified otherwise.

Role assignments

Every active user session, initiated with JDBC or any other client, has a list of associated roles.

When a session is initiated, the current roles are determined by the following rules in order of priority:

  1. Connection-defined roles

  2. User-assigned roles

Connection-defined roles

A role can be specified as part of a JDBC connection. It overrides the otherwise default public role, subject to two conditions:

  • The username is already a member of the connection-defined role

  • The sysadmin role is never assigned this way

User-assigned roles

When no connection-defined role is present, a user's roles are those assigned by administrators, plus the public role. The user's cluster access privileges are the union of the privileges of all assigned roles.

Administrators can grant privileges to the public role. These privileges give every user a secure, minimal level of access to cluster information and statistics without disclosing the contents of data tables.

A system-defined set of privileges is granted to public by default. Those privileges are always granted to all users with the public role. Do not delete these privileges unless you are certain of the consequences.

The following table shows the system-defined default privileges for the public role:

Default privileges for the public role

  Privilege   Entity
  EXECUTE     Queries
  SELECT      system.jdbc
  SELECT      system.runtime

The sysadmin role is never automatically assigned. To use the sysadmin role, a user must explicitly select it from the Switch role menu, described above, or with the SET ROLE sysadmin command.

If you use SET ROLE, your session's rights are reduced to those granted by that one role. To restore the rights of all assigned roles, other than sysadmin, use SET ROLE ALL.

Add new roles

Users logged in with the sysadmin role, or users granted the CREATE ROLE privilege, can add new roles to the cluster's built-in access control system. If you have that privilege, you see a CREATE ROLE button on several screens. The button opens a dialog that accepts a role name and description. The description cannot be edited later.
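The following SQL session ties together role creation (this section) and role selection in a session (the SET ROLE, SET ROLE ALL and SHOW CURRENT ROLES commands described above). It is an added example, not taken from the Starburst documentation: the role name analyst and the user alice are constructed placeholders, and the commands use the standard Trino/SEP syntax for CREATE ROLE, GRANT ... TO USER and SET ROLE. The description field mentioned for the CREATE ROLE dialog is set in the web UI and is not part of the SQL statement.

```sql
-- Added example (not part of the Starburst documentation).
-- "analyst" and "alice" are constructed placeholder names.

-- 1. Administrator session: activate the sysadmin role explicitly
--    (it is never assumed automatically), then create a role and
--    assign it to a user. CREATE ROLE requires sysadmin or the
--    CREATE ROLE privilege.
SET ROLE sysadmin;
CREATE ROLE analyst;
GRANT analyst TO USER alice;

-- 2. alice's CLI session: with no connection-defined role, all
--    assigned roles are active, so the list includes public and
--    analyst and her rights are the union of both.
SHOW CURRENT ROLES;

-- 3. Narrow the session to a single role. Rights are now limited
--    to what analyst grants; the system-defined public privileges
--    (EXECUTE on queries, SELECT on system.jdbc and system.runtime)
--    stay implicitly available.
SET ROLE analyst;
SHOW CURRENT ROLES;

-- 4. Restore the union of all assigned roles other than sysadmin.
SET ROLE ALL;
SHOW CURRENT ROLES;
```

Keeping administrative work in a SET ROLE sysadmin session and doing day-to-day queries under SET ROLE ALL or a narrower role follows the least-privilege pattern the pre-defined roles are designed for: sysadmin is only active when it is deliberately selected, and it is never part of the ALL set.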