Access Control Enterprise
Dremio allows for the implementation of granular-level privileges, which defines a user/role’s access privilege and available actions for specific objects, such as folders and datasets. This is called access management, and gives administrators the ability to restrict access to any object in Dremio.
Based on the inheritance model, when a user is granted privileges to an object with child objects, the user's privilege also applies to the child objects. This is also known as scope, meaning the specific objects to which a privilege applies.
Access to objects is granted via privileges assigned to users or groups.
The following features are available:
- Privileges: Privileges enable users to perform explicit operations on objects in Dremio. Additionally, privileges may be set on individual datasets (tables or views) or whole schemas, allowing for a simplified configuration with larger catalogs.
- Row-access and column-masking policies: Row-access and column-masking policies enable you to grant users access to particular rows or columns.
- Flexible Management: Privileges can be easily configured using SQL Commands, REST APIs, and an intuitive and easy-to-use user interface.
- Ownership: An object-oriented model allows for a clearly-defined and transferable owner for all aspects in Dremio, including source and space configuration.
- Roles: Administrators may create and manage identities in Dremio alongside identities from corporate LDAP or IdP, including standards-based synchronization (SCIM).
The following topics cover the various aspects of access management, along with instructions for how to apply privileges via Dremio:
- Best Practices
- Privileges
- Role Management
- Inbound Impersonation
- Integrating with AWS Lake Formation
- Integrating with Privacera
- Apache Ranger: Row-Level Filtering & Column-Masking
- Dremio-Native: Row-Access & Column-Masking Policies
The following APIs are available for managing access control:
The following SQL commands may be used from the SQL Runner:
Object Hierarchy
Each object resides within a container in a hierarchy of containers. The upper-most container exists as the system user, or administrator account. All other objects are contained within sources or spaces, organized into folders. The hierarchy of these objects is illustrated below.
Inheritance
The objects to which privileges are granted depend on the inheritance model. In other words, granting access to a parent object, such as a folder, also gives that user access to any existing and future datasets contained in that folder. For example, giving a user privileges to ALL DATASETS will only grant the user access to existing datasets, not the folders that contain the datasets. In comparison, granting privileges at the source level will extend that user's access to the source's existing and future folders/schema and datasets. The object to which a user's privileges are applied is also known as the scope, and follow a parent-child relationship.
By the rules of inheritance, user or group access may be granted as high or low in the object hierarchy as you wish for access to reach.
Permissions granted to an individual table or view mean that a user's access only extends to that dataset, not to the parent folder or other datasets created in the same folder. So if a user only needs access to a single dataset, administrators need only grant privileges to that object.
Consider the image above, which shows an example of object structure in Dremio. If a user is granted privileges to a single dataset, such as TableA1
, then that is the one object they have access to. However, if a user is granted privileges at the folder level, such as Folder1
, then that user's access extends to any existing and future child objects created, including FolderA
, TableA1
, TableB1
, and so on.
If a user has privileges for a single table, they may create views based on that dataset, but with the user now having ALTER
and MANAGE GRANTS
privileges for any view. However, the user still retains the same privileges as before with the original dataset. For more information, read View Delegation.
Scope
Scope is a concept used to describe what objects a user or group has access to. Privileges are assigned by object, which ultimately determines what a grantee may perform set functions upon. For example, you may set a user's scope to FolderA
, which will give the user access to all existing and future datasets contained in the folder, as well as the datasets' wikis. But they will not have access to any other folders or the source. The object a user is granted access to is dependent on the inheritance model, which means based on the object type, it may contain child objects. For example, if a user is granted privilege to a folder, the user's access also extends to all existing and future datasets contained in that folder.
For example, user1
is granted the SELECT
privilege to the folder FolderC
. This object contains multiple datasets, which the user may now access. However, there exists a parent folder and another subfolder with its own datasets.
Because of the established scope, user1
may not access FolderD
because they were only granted access to FolderC
's objects.
Current vs. Future Objects
Based on the selected scope, you may restrict a user's access to future and existing datasets. For example, if you select a single table as the scope of a user's privilege, then that user may only perform that action to the existing dataset, as well as any future views they create using that table. However, they may not access any views created from a table by another user (see the example below). However, if the scope is instead set at the folder level, then the user may perform the granted privilege to all tables and views contained in that folder (see the example below).
Ownership
Object ownership is a security feature used to control access to an object as well as oversee who has that control. In Dremio, each object MUST have an owner, and may have only one owner. Ownership is automatically granted to the user who initially creates the object. For example, if User1 creates an S3 data source, Dremio automatically assigns ownership of the source to User1.
The implication of ownership is that only an object's owner retains all privileges for that object. As a result, the owner can grant or revoke user and role access to that object and its child objects, modify the object's settings, and drop or delete the object as desired. Read View Delegation and Granting Privileges Using SQL Commands for examples and more information.
The following behaviors and limitations apply to ownership:
- Each object may only have one owner.
- An object's creator is automatically granted ownership.
- Object owners must have the USAGE privilege on the system, source, or folder that contains the object to query or grant and revoke other privileges on the object.
- Object ownership may be assigned or modified with GRANT TO USER or GRANT TO ROLE commands.
- If an owner is deleted or removed, the object's access control settings may not work.
- Object owners may be identified by querying sys."tables" or sys.views for views.
- If an object has no owner, the owner_id will display as
$unowned
.
- If an object has no owner, the owner_id will display as
For datasets with no owner, the system user (administrative account) can use the GRANT SQL command to grant ownership to a user or role that has access to the table (or the underlying table, for a view).
View Delegation
View delegation means that tables with restricted access may be shared with other Dremio users through the creation of views. When a user with SELECT access to a table creates a view, that user automatically becomes owner of the new object.
Upon creating the view, the same rules of ownership apply to the view. The owner or delegation identity does not change when a view is edited or queried, but must be manually changed via the GRANT TO USER or GRANT TO ROLE commands. To identify the owner of a view, query the sys.views
table.
The shared view still selects from the underlying dataset using the view owner's permissions at the time of the view's last modification, even if the end user querying the view lacks privileges to modify the underlying table. This applies to each table on the data graph and chain of datasets.
View delegation is different from privilege assignment. View delegation is implicit delegation of the SELECT privilege on underlying objects. For example, suppose user1
has the SELECT privilege on Table1
and creates View1
based on Table1
. If user1
grants the SELECT privilege on View1
to user2
, then the SELECT privilege that user1
has on Table1
is implicitly granted to user2
. user2
can see the data in Table1
even though they lack explicit SELECT privileges on Table1
. Privilege assignment is an explicit delegation: the owner of an object or a user who belongs to the ADMIN role grants privileges on the object to other users.
Example: View Delegation
user1
has SELECT
access to Table1
and creates View1
, which is based upon Table1
. Whereas in Table1
, user1
was restricted to only querying, with View1
, they now have ALTER
and MANAGE GRANTS
privileges. user1
may now grant user2
with the SELECT
privilege for View1
because of view delegation. The privileges for both the table and view are outlined below:
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | SELECT |
user2 | SELECT | No access |
user2
previously lacked access to the data in Table1
but may now see it using SELECT queries on View1
. The following table describes the actions that each user may perform:
User | Action | Outcome |
---|---|---|
user1 | View the results of View1 queries | yes |
user1 | Modify the original query of View1 | yes |
user2 | View the results of View1 queries | yes |
user2 | Modify the original query of View1 | no |
Because of view delegation, user2
can view the data in Table1
through the results of queries on View1
. However, user2
has no access to Table1
, so they cannot see the original dataset from the Dremio interface and cannot modify the original View1
query.
Example: View Delegation with Revoked Access to the Original Table
To continue the previous example, suppose user1
originally had SELECT
access to Table1
, which they used to create View1
. If an administrator revokes their SELECT
access to Table1
, the following table lists the privileges that user1
and user2
now have on Table1
and View1
:
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | No access |
user2 | SELECT | No access |
The revoked privilege affects the actions that user1
can take with regard to View1
. The following table describes what actions each user may now perform:
User | Action | Outcome |
---|---|---|
user1 | View the results of View1 queries | no |
user1 | Modify the original query of View1 | yes (and no) |
user2 | View the results of View1 queries | no |
user2 | Modify the original query of View1 | no |
user1
and user2
may no longer view the results of the View1
query. Both users lack privileges for the underlying table Table1
, so neither can see data from the table or view from the Dremio interface. Also, user1
can no longer modify the original View1
query unless they remove the reference to Table1
from it. If user1
attempts to modify the query but does not remove the reference, they will not be able to save the modified query.
Example: View Delegation with Original Query Changed and Revoked Access
In this example, both user1
and user2
have ALTER
and MANAGE GRANTS
privileges for Table1
and View1
created from it, as shown in the following table:
View1 | Table1 | |
---|---|---|
user1 | ALTER, MANAGE GRANTS | SELECT |
user2 | ALTER, MANAGE GRANTS | SELECT |
Suppose an administrator then revokes access to both Table1
and View1
from user2
. If user2
modified and saved View1
before their privileges were revoked, subsequent queries would be executed as user2
. After the privileges of user2
are revoked, subsequent queries performed by user1
would display an error message about lacking sufficient privileges. This is because View1
was last altered by user2
, making user2
the owner of View1
.
user2
can no longer see Table1
or query either View1
or Table1
from the Dremio interface. user1
can see only the last definition of View1
that user2
saved. user1
must modify the last definition of View1
to retain ownership and resume viewing query results.
Privileges
Privileges refer to the defined levels of access or permissions that are assigned to roles or users within Dremio. Privileges determine the operations a user or role can perform on securable objects. Examples of privileges in Dremio include SELECT on a table or view, INSERT on a table, DELETE on a table, CREATE TABLE on a folder, and MANAGE GRANTS on any object.
The assignment of privileges to roles, or users, should be based on the principle of least privilege, where users or roles are given only the minimum privileges required to perform their tasks effectively.
Privileges can be managed using SQL, APIs, or the Dremio Console.
For more information, please refer to Privileges.
Granting Privileges Using the Dremio Console
You can share catalog objects with others in your organization by granting privileges on the objects to users and roles as follows:
-
Locate the desired object.
-
Click or depending on the object.
-
In the object settings dialog, select Privileges from the settings sidebar.
For some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.
- In the Privileges dialog, in the field under Add User/Role, enter the exact names of the users and roles to which you want to grant privileges.
Because all users are members of the PUBLIC role, you can use the PUBLIC role to grant privileges to all users.
- Click Add to Privileges.
For each entry in the Add User/Role field that matches a user or role in Dremio, a record appears in the USERS/ROLES table.
-
In the USERS/ROLES table, toggle the checkbox for each privilege you want to grant for that user or role. For a description of the privilege, hover over the column name in the USERS/ROLES table. See the example below:
-
(Optional) Repeat steps 4-6 if you want to add more users or roles and grant them privileges.
-
When finished, click Save.
Revoking Privileges Using the Dremio Console
To revoke user and role privileges, complete the following steps:
-
Locate the desired object.
-
Click or depending on the object.
-
In the object settings dialog, select Privileges from the settings sidebar.
noteFor some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.
-
In the USERS/ROLES table, locate the desired user or role record. If the user or role is not listed, then they do not have specific privileges on the object.
-
To revoke some but not all privileges for the user or role, clear the checkboxes in the columns for the privileges you wish to revoke.
-
To revoke all privileges for a user or role, click next to the user or role name and select Remove.
For a description of the privilege, hover over the column name in the USERS/ROLES table. See the example below:
-
- When finished, click Save.
If a user has a specific privilege on an object through their memberships in multiple roles and the privilege is revoked for one of the roles, the user retains the privilege until it is revoked on the same object for all roles to which the user belongs.
You can also grant or revoke privileges using SQL commands or APIs.
Granting Privileges Using SQL Commands
When granting privileges to users and roles with SQL commands, you may follow one of three methods: granting to a single dataset, granting to ALL DATASETS, and granting to a scope. Examples of these methods may be found under each section.
Each example includes an SQL command. For more information about command syntax, review the Privileges (GRANT/REVOKE) SQL commands.
Because all users are members of the PUBLIC role, you can use the PUBLIC role to grant privileges to all users.
Granting to a Single Dataset
When you have a user that needs access to only one table and no other objects, then you would simply assign them privileges for that dataset (see the example scenario outlined below).
You should use this method if you want to restrict a user's access to any other existing or future datasets.
If you're granting the user access to a table, then remember that they'll be able to create views based on that dataset, which that user can then grant access to other users.
Example: Single Dataset
You have a user that you only want to give access to an individual table. You would need to navigate to the Privileges screen from that dataset's settings and grant the user the SELECT
privilege, or perform the following command from the SQL Editor:
GRANT SELECT ON TABLE TableA1 TO USER user1
The image below illustrates the objects user1
now has access to.
This restricts user1
so that they may only access the TableA1
table, not any other datasets contained in the same folder. However, user1
may still create views based on TableA1
.
Granting to ALL DATASETS
When you have a user that needs access to all existing datasets, then you would use the SQL syntax ON ALL DATASETS
(see the example scenario outlined below). This gives the user access to all existing datasets. The user would not, however, automatically receive access to any future datasets created by other users.
You should use this method of privilege assignment if you want to restrict a user's access to parent objects, but still wish for them to have access to all existing datasets.
Example: All Datasets
You have a specific user that needs access to all datasets in a specific folder, but they do not require privileges for the folders containing these tables. You would then execute the following command from the SQL Editor:
All datasets exampleGRANT SELECT ON ALL DATASETS IN SYSTEM TO USER user1
The image below illustrates the objects user1
now has access to.
This command restricts the scope of user1
to all datasets presently found in source1
, such as TableC1
and TableD1
. Should additional datasets be created in the future, user1
will not have access to them.
Granting to a Scope
When you want to grant a user access to a parent object, such as a folder, this will also grant the user access to any datasets contained (see the example scenario outlined below).
You should use this method of privilege management if you wanted to grant a user access to all existing and future datasets contained under a parent object.
Example: Scope
This method grants a user access to all existing and future datasets contained under a specified object. To accomplish this, you need to navigate to the Privileges screen from that folder's settings and grant the user the SELECT
privilege, or execute the following command from the SQL Editor:
GRANT SELECT ON FOLDER Folder3 TO USER user1
The image below illustrates the objects user1
now has access to.
This grants user1
the SELECT
privilege on Folder3
, which means they now have access to all existing and future datasets contained in that folder and its subfolders.