Sharing and Permissions
Enterprise Edition only
Sharing in Dremio can be configured for datasets, sources, spaces and folders.
How Sharing Works
By default, all users have access to sources and spaces in Dremio.
To restrict access to a source or space, select Specific users… and add the users that you want to have access to the source or space. Once a specific user has been added, access is restricted to only the users that were granted access. All other users no longer have access.
Access is granted with one of the following permissions:
- Can Query
- Can Edit
Rules
-
Datasets and folders inherit the permissions of their parent folder, source or space. Subsequent changes to the parents'
Sharingsettings are not reflected in the dataset or folder. -
Users need to have access each folder, source or space included in a dataset’s path to be able to access it.
-
Datasets (physical or virtual) in a user’s home space are not directly accessible to other users and cannot directly be shared. However, these datasets can be shared with other users through Ownership Chaining.
Sharing through Ownership Chaining
A dataset under restricted access can be shared with another Dremio user by creating a virtual dataset that selects from the underlying dataset, even if the other Dremio user doesn’t have access to the underlying data. This applies to each dataset in the data graph — the chain of datasets.
Simple Scenario
In the following scenario, VDS-1 (virtual dataset) is created from PDS-1 (physical dataset)
with the SELECT * FROM hdfs.table1 query.
The following permissions are set for each dataset:
| VDS-1 | PDS-1 | |
|---|---|---|
| Emma | Can Edit | Can Query |
| Joe | Can Query | No access |
The following describes the actions that each user can perform.
| User | Action | Outcome |
|---|---|---|
| Emma | View the results of the VDS-1 query | yes |
| Emma | Modify the VDS-1 original query | yes |
| Joe | View the results of the VDS-1 query | yes; through ownership chaining |
| Joe | Modify the VDS-1 original query | no |
What can Joe do?
- Because of ownership chaining, Joe can view the results of the VDS-1 query.
- Because Joe has no access to PDS-1, he cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.
Revoke Access Scenario
In this scenario, Emma has her permissions on the underlying dataset (PDS-1) revoked.
| VDS-1 | PDS-1 | |
|---|---|---|
| Emma | Can Edit | No access |
| Joe | Can Query | No access |
The following describes the actions that each user can perform.
| User | Action | Outcome |
|---|---|---|
| Emma | View the results of the VDS-1 query | yes |
| Emma | Modify the VDS-1 original query | no |
| Joe | View the results of the VDS-1 query | yes; through ownership chaining |
| Joe | Modify the VDS-1 original query | no |
What can Joe and Emma do?
- Because of ownership chaining, Joe can still view the results of the VDS-1 query.
- Because Joe and Emma have no access to PDS-1, both cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.
Change Query and Revoke Access Scenario
In this scenario, a second user (Joe) can edit the VDS-1 (virtual dataset) and has access to the underlying PDS (physical dataset).
Original Permissions
| VDS-1 | PDS-1 | |
|---|---|---|
| Emma | Can Edit | Can Query |
| Joe | Can Edit | Can Query |
Changed Permissions
Later, Joe has his permission revoked from both VDS-1 and PDS-1.
| VDS-1 | PDS-1 | |
|---|---|---|
| Emma | Can Edit | Can Query |
| Joe | No access | No access |
If Joe modified and saved VDS-1 before his permissions were revoked, subsequent queries are executed as ‘Joe’. Once Joe’s permissions are revoked, then subsequent queries fail with Permission Denied.
| User | Action | Outcome |
|---|---|---|
| Emma | View the results of the VDS-1 modified query | no |
| Emma | Modify the VDS-1 newly modified query | yes |
| Joe | View the results of the VDS-1 modified query | no |
| Joe | Modify the VDS-1 original query | no |
Permissions
Query and edit permissions can be defined on Datasets, Folders, Spaces, and Sources.
Dremio’s permission model is based on the UNIX model:
.. An attempt to add a file to a directory, delete a file from a directory, or to rename a file,
all require write permission for the directory ..
For example, given a folder named Taxes in a space named Personal.
You cannot delete or modify Taxes unless you have Can Edit permissions on the Personal space.
Any permissions on the Taxes folder are not valid.
If you attempt to delete the folder without Can Edit permissions on the Personal space,
the delete request fails with a 403 error.
Datasets
| Dataset | |
|---|---|
| Can Query |
|
| Can Edit |
|
| Further Notes | The ability to delete, rename, or move a Dataset is not controlled by the Sharing settings of the Dataset itself but by the Folder, Space, or Source which contains it. |
Folders
| Folder | |
|---|---|
| Can Query |
|
| Can Edit |
|
| Further Notes | Only Folders within a Space can be shared or modified. Folders within Sources inherit the settings of the containing Source and cannot be changed. The ability to delete, rename, or move a Folder is not controlled by the Sharing settings of the Folder itself but by the Folder, Space, or Source which contains it. |
Spaces
| Space | |
|---|---|
| Can Query |
|
| Can Edit |
|
Sources
| Source | |
|---|---|
| Can Query |
|
| Can Edit |
|
Source Impersonation
Some sources support the ability to do impersonation, that is, the ability to access the source data as the user in Dremio.
If the user cannot access specific datasets in the underlying source,
then they will be unable to view the data for those datasets.
However, as these permissions are independant of Dremio’s internal sharing abilities,
users will still see those datasets listed in the UI.
Note: Only Admins can refresh metadata on physical datasets (PDS) regardless of sharing authorizations.
Object Names
As a convenience, users are not shown the names of Datasets, Folders, Spaces, or Sources which they cannot query. However, users can still discover the names of these items (but not the data they represent). For example, if a user tried to create an item with the same name as an existing item, then the user could learn an item with that name already exists.