Get Grantee Privileges for an Object

NOTE:

This functionality is for Dremio v16.0+ Enterprise Edition only.

This API lists all users or groups with granted privileges for a specific object.

Endpoint Syntax

GET /api/v3/catalog/{ID}/grants

Required Privileges

All users executing this REST API must have the MANAGE GRANTS privilege assigned to receive a response.

Response Output

This is the standard response output for the API.

{
  "id": "126ced34-70d2-4e31-92bb-0ee687ebff24",
  "availablePrivileges": [
    "ALTER",
    "SELECT"
  ],
  "grants": [
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "USER",
      "id": "821b04ae-0d0d-448c-a8b1-e77151732d4d",
      "name": "dremio",
      "firstName": "a",
      "lastName": "a",
      "email": "a@b.com"
    },
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "ROLE",
      "id": "5cdaac3f-611b-4b78-bf37-85d8a85e4a1f",
      "name": "PUBLIC"
    }
  ]
}

Response Codes

  • 200 - Success.
  • 403 - The user executing the API request lacks the MANAGE GRANTS permission.
  • 404 - No object with the given entityId was found.

Examples

In the following examples, scenarios describe the conditions which influence the appearance or exclusion of certain parameters in the API’s response output.

Example 1: Curl Request

curl -X GET --location "http://localhost:9047/api/v3/catalog/c9baddf4-07db-4bb2-9b60-4d304dce3df8/grants" \
    -H "Authorization: _dremio9ug09rkbgu0kebmg77hopuuocc" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json"

Example 2: Default State

By default, Dremio grants all privileges on an object to all users. When a privilege is assigned to the All Users User option, all other users or groups on the privilege table are assigned the privilege, which is illustrated by the presence of a grey check box as shown in the image below.

Under such circumstances, the privilege array for this API will still list all possible privileges. However, the user- and role-grants arrays will both be empty, as seen in the example response below.

{
  "availablePrivileges": [
    "ALTER",
    "SELECT"
  ],
  "grants": []
}

Example 3: Specific Users/Roles Grant

This example illustrates what happens when adding specific users or groups to the privileges table of the Sharing window. As part of this, the All Users entry will not have any privileges assigned, as the grants are now specified at the user or group level.

As a result of this, the privileges array in the API response will include privileges, and userGrants, roleGrants, or both will not be empty (as in Example 1). See the response output below:

{
  "id": "126ced34-70d2-4e31-92bb-0ee687ebff24",
  "availablePrivileges": [
    "ALTER",
    "SELECT"
  ],
  "grants": [
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "USER",
      "id": "821b04ae-0d0d-448c-a8b1-e77151732d4d",
      "name": "dremio",
      "firstName": "a",
      "lastName": "a",
      "email": "a@b.com"
    }
  ]
}
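
The following is an added example, not part of the Dremio documentation: a Python audit helper that reads this endpoint's response body and flags the default state from Example 2, grants to broad roles, and grantees holding every available privilege. The function name `audit_grants`, the finding labels, and the treatment of PUBLIC as an all-users role are assumptions of this example; the sample bodies are constructed from the responses shown above.

```python
import json

# Assumption: role names treated as "every user". PUBLIC is the role in the
# page's sample response; extend this set to match your deployment.
BROAD_ROLES = {"PUBLIC"}

def audit_grants(response, broad_roles=BROAD_ROLES):
    """Return findings for one parsed GET /api/v3/catalog/{ID}/grants body."""
    available = response.get("availablePrivileges", [])
    grants = response.get("grants", [])
    if not grants:
        # Default state from Example 2: no explicit grants are listed, so
        # every user holds every available privilege on the object.
        return [("default-state", "all users", sorted(available))]
    findings = []
    for grant in grants:
        privileges = sorted(grant.get("privileges", []))
        name = grant.get("name", grant.get("id", "?"))
        if grant.get("granteeType") == "ROLE" and name in broad_roles:
            findings.append(("broad-role", name, privileges))
        # A grant that covers everything the object offers is full control.
        if available and set(available) <= set(privileges):
            findings.append(("all-privileges", name, privileges))
    return findings

# Constructed sample input, trimmed from the response bodies shown on this page.
STANDARD = json.loads("""{
  "id": "126ced34-70d2-4e31-92bb-0ee687ebff24",
  "availablePrivileges": ["ALTER", "SELECT"],
  "grants": [
    {"privileges": ["SELECT"], "granteeType": "USER",
     "id": "821b04ae-0d0d-448c-a8b1-e77151732d4d", "name": "dremio"},
    {"privileges": ["SELECT"], "granteeType": "ROLE",
     "id": "5cdaac3f-611b-4b78-bf37-85d8a85e4a1f", "name": "PUBLIC"}
  ]
}""")
DEFAULT_STATE = json.loads('{"availablePrivileges": ["ALTER", "SELECT"], "grants": []}')

if __name__ == "__main__":
    for label, body in (("standard", STANDARD), ("default", DEFAULT_STATE)):
        for kind, grantee, privileges in audit_grants(body):
            print(f"{label}: {kind}: {grantee} -> {', '.join(privileges)}")
```

To audit a live object, save the body returned by the curl request in Example 1 and pass the parsed JSON to `audit_grants`.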

Curl Request: Privileges for the Space Object

curl -X GET --location "http://localhost:9047/api/v3/grant?grantType=PROJECT" \
    -H "Authorization: _dremiohrr395nv31g8k610616tucp91g" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json"