Access Management Enterprise
Dremio employs access management, which allows for the assignment of access policies, or privileges, to users or groups.
Based on the inheritance model, when a user is granted privileges to an object with child objects, the user's privilege also applies to the child objects. This is also known as scope, meaning the specific objects to which a privilege applies.
Access to objects is granted via privileges assigned to users or groups.
Object Hierarchy
Each object resides within a container in a hierarchy of containers. The upper-most container exists as the system user, or administrator account. All other objects are contained within sources or spaces, organized into folders. The hierarchy of these objects is illustrated below.
Inheritance
The objects to which privileges are granted depend on the inheritance model. In other words, granting access to a parent object, such as a folder, also gives that user access to any existing and future datasets contained in that folder. For example, giving a user privileges to ALL DATASETS will only grant the user access to existing datasets, not the folders that contain the datasets. In comparison, granting privileges at the source level will extend that user's access to the source's existing and future folders/schema and datasets. The object to which a user's privileges are applied is also known as the scope, and follow a parent-child relationship.
By the rules of inheritance, user or group access may be granted as high or low in the object hierarchy as you wish for access to reach.
Permissions granted to an individual table or view mean that a user's access only extends to that dataset, not to the parent folder or other datasets created in the same folder. So if a user only needs access to a single dataset, administrators need only grant privileges to that object.
Consider the image above, which shows an example of object structure in Dremio. If a user is granted privileges to a single dataset, such as TableA1
, then that is the one object they have access to. However, if a user is granted privileges at the folder level, such as Folder1
, then that user's access extends to any existing and future child objects created, including FolderA
, TableA1
, TableB1
, and so on.
If a user has privileges for a single table, they may create views based on that dataset, but with the user now having ALTER
and MANAGE GRANTS
privileges for any view. However, the user still retains the same privileges as before with the original dataset. For more information, read Privilege Delegation.
Scope
Scope is a concept used to describe what objects a user or group has access to. Privileges are assigned by object, which ultimately determines what a grantee may perform set functions upon. For example, you may set a user's scope to FolderA
, which will give the user access to all existing and future datasets contained in the folder, as well as the datasets' wikis. But they will not have access to any other folders or the source. The object a user is granted access to is dependent on the inheritance model, which means based on the object type, it may contain child objects. For example, if a user is granted privilege to a folder, the user's access also extends to all existing and future datasets contained in that folder.
For example, user1
is granted the SELECT
privilege to the folder FolderC
. This object contains multiple datasets, which the user may now access. However, there exists a parent folder and another subfolder with its own datasets.
Because of the established scope, user1
may not access FolderD
because they were only granted access to FolderC
's objects.
Current vs. Future Objects
Based on the selected scope, you may restrict a user's access to future and existing datasets. For example, if you select a single table as the scope of a user's privilege, then that user may only perform that action to the existing dataset, as well as any future views they create using that table. However, they may not access any views created from a table by another user (see the example below). However, if the scope is instead set at the folder level, then the user may perform the granted privilege to all tables and views contained in that folder (see the example below).
Ownership
Object ownership is a security feature used to control access to an object as well as oversee who has that control. In Dremio, each object MUST have an owner, and may have only one owner. Ownership is automatically granted to the user who initially creates the object. For example, if User1 creates an S3 data source, Dremio automatically assigns ownership of the source to User1.
The implication of ownership is that only an object's owner retains all privileges for that object. As a result, the owner can grant or revoke user and role access to that object and its child objects, modify the object's settings, and drop or delete the object as desired. See Privilege Delegation and Methods of Privilege Assignment for examples and more information.
To assign or modify object ownership, use the GRANT SQL command. If an owner is deleted or removed, the object's access control settings may not work.
Tables with restricted access may be shared with other Dremio users through the creation of views. When a user creates a view from a table they have access to, they become the owner of that new view. The user may then grant privileges to other users for that view as shown in Example 1 below.
- In Dremio 21.0.0 and subsequent versions, view owners can be changed only using SQL commands; editing the SQL in a view does not change the view's ownership.
- In Dremio 20.x and previous versions, the view owner is the user who most recently edited the view's SQL. Any user with access to the underlying table can edit the view's SQL to become the view's owner.
The shared view still selects from the underlying dataset using the view owner's permissions at the time of the view's last modification, even if the end user querying the view lacks access to the underlying table. This applies to each table on the data graph and chain of datasets.
Dataset Ownership
To identify dataset owners, query sys."tables" or sys.views. In the query result, the owner_id
column lists the ID of the user or role that owns the dataset. The owner_type
column identifies whether the owner is a user or role.
If a dataset has no owner, the owner_id
value is $deleted$
(for datasets created in Dremio 21.0.0 and subsequent versions) or $unowned$
(for datasets created before Dremio 21.0.0).
For datasets with no owner, the system user (administrative account) can use the GRANT SQL command to grant ownership to a user or role that has access to the table (or the underlying table, for a view).
Privilege Delegation
Example 1: Privilege delegation on a View
user1
has SELECT
access to Table1
and creates View1
, which is based upon Table1
. Whereas in Table1
she was restricted to only querying, with View1
she now has ALTER
and MANAGE GRANTS
privileges. user1
may now grant user2
with the SELECT
privilege for View1
because of privilege delegation. The privileges for both the table and view are outlined below:
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | SELECT |
user2 | SELECT | No access |
user2
previously lacked access to the data found in Table1
, but may now perform queries on View1
. The following table describes what actions each user may perform:
User | Action | Outcome |
---|---|---|
user1 | View the results of View1 queries | yes |
user1 | Modify the original query of View1 | yes |
user2 | View the results of View1 queries | yes |
user2 | Modify the original query of View1 | no |
Because of view delegation, user2
can view the results of the View1
query. However, user2
has no access to Table1
, so they cannot see the original dataset from the Dremio interface and also cannot modify the original View1
query.
Example 2: Privilege delegation on a View with revoked access to the original Table
user1
originally had SELECT
access to Table1
, which they used to create View1
. However, an administrator just revoked their SELECT
access to Table1
.
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | No access |
user2 | SELECT | No access |
This now impacts the actions of user1
with regard to View1
. The following table describes what actions each user may now perform:
User | Action | Outcome |
---|---|---|
user1 | View the results of View1 queries | no |
user1 | Modify the original query of View1 | yes (and no) |
user2 | View the results of View1 queries | no |
user2 | Modify the original query of View1 | no |
Because of privilege delegation, user1
and user2
may no longer view the results of the View1
query. Both users lack privileges for the underlying table Table1
, so neither can see the table or view from the Dremio interface. However, user1
can no longer modify the original View1
query unless that user removes the reference to Table1
from it. If user1
attempts to modify the query but does not remove the reference, that user will not be able to save the modified query.
Example 3: Privilege delegation on a View with original query changed and revoked access
Both user1
and user2
had ALTER
and MANAGE GRANTS
privileges for Table1
and View1
created from it.
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | SELECT |
user2 | ALTER, MANAGE GRANTS | SELECT |
An administrator then revokes access to both Table1
and View1
from user2
.
If user2
modified and saved View1
before their privileges were revoked, subsequent queries would be executed as user2
. Once the privileges of user2
become revoked, subsequent queries performed by user1
would display an error message about lacking sufficient privileges. This is because View1
was last altered by user2
, making user2
the owner of View1
.
The following table describes what actions each user may now perform:
User | Action | Outcome |
---|---|---|
user1 | View the results of View1 modified queries | no |
user1 | Modify the original query of View1 | yes |
user2 | View the results of View1 queries | no |
user2 | Modify the original query of View1 | no |
user2
may no longer view or query either View1
or Table1
from the Dremio interface. user1
would need to modify the original query to retain ownership of the dataset and resume viewing query results.
Methods of Privilege Assignment
When assigning privileges to users, you may follow one of three methods: granting to a single dataset, granting to ALL DATASETS, and granting to a scope. Examples of these methods may be found under each section.
Each of these examples includes an SQL command. For more information regarding syntax, review the Privileges (GRANT/REVOKE) SQL commands.
1. Granting to a Single Dataset
When you have a user that needs access to only one table and no other objects, then you would simply assign them privileges for that dataset (see the example scenario outlined below).
You should use this method if you want to restrict a user's access from any other existing or future datasets.
If you're granting the user access to a table, then remember that they'll be able to create views based on that dataset, which that user can then grant access to other users.
Example: Single dataset
You have a user that you only only want to give access to an individual table. You would need to navigate to the Privileges screen from that dataset's settings and grant the user the SELECT
privilege, or perform the following command from the SQL Editor:
GRANT SELECT ON TABLE TableA1 TO USER user1
The image below illustrates the objects user1
now has access to.
This restricts user1
so that they may only access the TableA1
table, not any other datasets contained in the same folder. However, user1
may still create views based on TableA1
.
2. Granting to ALL DATASETS
When you have a user that needs access to all existing datasets, then you would use the SQL syntax ON ALL DATASETS
(see the example scenario outlined below). This gives the user access to all existing datasets. The user would not, however, automatically receive access to any future datasets created by other users.
You should use this method of privilege assignment if you want to restrict a user's access from parent objects, but still wish for them to have access to all existing datasets.
Example: ALL DATASETS
You have a specific user that needs access to all datasets in a specific folder, but they do not require privileges for the folders containing these tables. You would then execute the following command from the SQL Editor:
All datasets exampleGRANT SELECT ON ALL DATASETS IN SYSTEM TO USER user1
The image below illustrates the objects user1
now has access to.
This command restricts the scope of user1
to all datasets presently found in source1
, such as TableC1
and TableD1
. Should additional datasets be created in the future, user1
will not have access to them.
3. Granting to a Scope
When you want to grant a user access to a parent object, such as a folder, this will also grant the user access to any datasets contained (see the example scenario outlined below).
You should use this method of privilege management if you wanted to grant a user access to all existing and future datasets contained under a parent object.
Example: Scope
This method grants a user access to all existing and future datasets contained under a specified object. To accomplish this, you need to navigate to the Privileges screen from that folder's settings and grant the user the SELECT
privilege, or execute the following command from the SQL Editor:
GRANT SELECT ON FOLDER Folder3 TO USER user1
The image below illustrates the objects user1
now has access to.
This grants user1
the SELECT
privilige on Folder3
, which means they now have access to all existing and future datasets contained in that folder and its subfolders.