Sharing and Permissions Enterprise
Version Requirements
The functionality outlined on this page is for instances of Dremio v15.X and earlier.
If you're using Dremio v16.0+, then please reference the new Access Control functionality.
How Sharing Works
Sharing in Dremio can be configured for datasets, sources, spaces and folders.
By default, all users have access to sources and spaces and their child objects in Dremio.
To manage access to an object, see the process for granting or revoking privileges. Once a specific user has been granted access to an object, access is restricted to the users who have been granted access. All other users no longer have access.
Access is granted with one of the following permissions:
- Can Query
- Can Edit
Rules
Datasets and folders inherit the permissions of their parent folder, source or space. Subsequent changes to the parent's Sharing settings are not reflected in the dataset or folder.
Users need to have access to each folder, source or space included in a dataset's path to be able to access it.
Datasets (tables and views) in a user's home space are not directly accessible to other users and cannot directly be shared. However, these datasets can be shared with other users through Privilege Delegation.
Sharing through Privilege Delegation
A dataset under restricted access can be shared with another Dremio user by creating a view that selects from the underlying dataset, even if the other Dremio user doesn't have access to the underlying data. This applies to each dataset in the data graph — the chain of datasets.
Simple Scenario
In the following scenario, View1 is created from Table1 with the query SELECT * FROM hdfs.table1.

The following permissions are set for each dataset:
User | View1 | Table1 |
---|---|---|
Emma | Can Edit | Can Query |
Joe | Can Query | No access |
The following describes the actions that each user can perform.
User | Action | Outcome |
---|---|---|
Emma | View the results of the View1 query | yes |
Emma | Modify the View1 original query | yes |
Joe | View the results of the View1 query | yes; through privilege delegation |
Joe | Modify the View1 original query | no |
Because of privilege delegation, Joe has Can Query permissions on View1, so he can access View1 and view the results of the View1 query. Joe has no access to Table1, so he cannot see Table1 in the Dremio UI and cannot modify the View1 query.

Revoke Access Scenario
In this scenario, Emma has her permissions revoked on the underlying table, Table1.
User | View1 | Table1 |
---|---|---|
Emma | Can Edit | No access |
Joe | Can Query | No access |
The following describes the actions that each user can perform.
User | Action | Outcome |
---|---|---|
Emma | View the results of the View1 query | yes |
Emma | Modify the View1 original query | no |
Joe | View the results of the View1 query | yes; through privilege delegation |
Joe | Modify the View1 original query | no |
Because of privilege delegation, Joe can still view the results of the View1 query. Because Joe and Emma have no access to Table1, neither can see Table1 in the Dremio UI and neither can modify the View1 query.

Change Query and Revoke Access Scenario
In this scenario, a second user (Joe) can edit View1 and has access to the underlying table, Table1.
Original Permissions
User | View1 | Table1 |
---|---|---|
Emma | Can Edit | Can Query |
Joe | Can Edit | Can Query |
Changed Permissions
Later, Joe has his permission revoked from both View1 and Table1.
User | View1 | Table1 |
---|---|---|
Emma | Can Edit | Can Query |
Joe | No access | No access |
If Joe modified and saved View1 before his permissions were revoked, subsequent queries are executed as 'Joe'. Once Joe's permissions are revoked, then subsequent queries fail with Permission Denied.
User | Action | Outcome |
---|---|---|
Emma | View the results of the View1 modified query | no |
Emma | Modify the View1 newly modified query | yes |
Joe | View the results of the View1 modified query | no |
Joe | Modify the View1 original query | no |

Permissions
Query and edit permissions can be defined on Datasets, Folders, Spaces, and Sources.
Dremio's permission model is based on the UNIX model:
"... An attempt to add a file to a directory, delete a file from a directory, or to rename a file, all require write permission for the directory ..."
For example, consider a folder named Taxes in a space named Personal. You cannot delete or modify Taxes unless you have Can Edit permissions on the Personal space. Any permissions on the Taxes folder itself are not valid for this. If you attempt to delete the folder without Can Edit permissions on the Personal space, the delete request fails with a 403 error.
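The sharing rules and the UNIX-style delete rule described above, combined into a small Python model that can be used to reason about who ends up with access. This is an added illustration, not Dremio code: the `Catalog` class and its method names are hypothetical, and it assumes that Can Edit implies Can Query, that an object with no grants gives every user full access, and that inheritance is a one-time copy of the parent's grants.

```python
QUERY, EDIT = 1, 2  # assumption: Can Edit also allows querying

class Catalog:
    """Toy model of the sharing rules on this page; not Dremio's implementation."""

    def __init__(self):
        self.acl = {}  # path tuple -> {user: level}; {} means open to all users

    def create(self, *path):
        # A new folder or dataset copies its parent's grants once, at creation.
        self.acl[path] = dict(self.acl.get(path[:-1], {}))

    def grant(self, path, user, level):
        # The first grant restricts the object to explicitly granted users.
        self.acl[path][user] = level

    def level(self, path, user):
        grants = self.acl[path]
        # Assumption: an object with no grants gives every user full access.
        return EDIT if not grants else grants.get(user, 0)

    def can_query(self, path, user):
        # Access is needed on every source, space and folder along the path.
        return all(self.level(path[:i], user) >= QUERY
                   for i in range(1, len(path) + 1))

    def can_delete(self, path, user):
        # UNIX-style rule: the containing object decides, not the target itself.
        # False corresponds to the 403 response described above.
        parent = path[:-1]
        if not parent:
            raise ValueError("top-level sources and spaces are not modelled")
        return self.can_query(parent, user) and self.level(parent, user) >= EDIT

    def open_to_all(self):
        # Audit helper: objects that nobody has restricted yet.
        return sorted(p for p, grants in self.acl.items() if not grants)


if __name__ == "__main__":
    c = Catalog()
    c.create("Personal")
    c.create("Personal", "Taxes")
    print("open to all:", c.open_to_all())
    c.grant(("Personal", "Taxes"), "emma", EDIT)   # constructed sample users
    c.grant(("Personal",), "joe", QUERY)
    # Emma holds Can Edit on Taxes but not on Personal, so the delete is refused.
    print("emma can delete Taxes:", c.can_delete(("Personal", "Taxes"), "emma"))
```

The `open_to_all` helper shows the point most worth auditing in this model: any object that has never received a grant is readable by every user.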
Datasets
Dataset | |
---|---|
Can Query |
|
Can Edit |
|
Further Notes | The ability to delete, rename, or move a Dataset is not controlled by the Sharing settings of the Dataset itself but by the Folder, Space, or Source which contains it. |
Folders
Folder | |
---|---|
Can Query |
|
Can Edit |
|
Further Notes | Only Folders within a Space can be shared or modified. Folders within Sources inherit the settings of the containing Source and cannot be changed. The ability to delete, rename, or move a Folder is not controlled by the Sharing settings of the Folder itself but by the Folder, Space, or Source which contains it. |
Spaces
Space | |
---|---|
Can Query |
|
Can Edit |
|
Sources
Source | |
---|---|
Can Query |
|
Can Edit |
|
Source Impersonation
Some sources support impersonation, that is, the ability to access the source data as the user in Dremio. If the user cannot access specific datasets in the underlying source, then they will be unable to view the data for those datasets. However, as these permissions are independent of Dremio's internal sharing abilities, users will still see those datasets listed in the UI.
Note:
Only Admins can refresh metadata on tables regardless of sharing authorizations.
Object Names
As a convenience, users are not shown the names of Datasets, Folders, Spaces, or Sources which they cannot query. However, users can still discover the names of these items (but not the data they represent). For example, if a user tried to create an item with the same name as an existing item, then the user could learn an item with that name already exists.