Sharing and Permissions

[info] Enterprise Edition only

Sharing in Dremio can be configured for datasets, sources, spaces and folders.

How Sharing Works

By default, all users have access to sources and spaces in Dremio.

To restrict access to a source or space, select Specific users... and add the users that you want to have access to the source or space. Once a specific user has been added, access is restricted to only the users that were granted access. All other users no longer have access.

Access is granted with one of the following permissions:

  • Can Query
  • Can Edit

Rules

  • Datasets and folders inherit the permissions of their parent folder, source or space. Subsequent changes to the parents' Sharing settings are not reflected in the dataset or folder.

  • Users need to have access each folder, source or space included in a dataset's path to be able to access it.

  • Datasets (physical or virtual) in a user's home space are not directly accessible to other users and cannot directly be shared. However, these datasets can be shared with other users through Ownership Chaining.

Sharing through Ownership Chaining

A dataset under restricted access can be shared with another Dremio user by creating a virtual dataset that selects from the underlying dataset, even if the other Dremio user doesn't have access to the underlying data. This applies to each dataset in the data graph — the chain of datasets.

Simple Scenario

In the following scenario, VDS-1 (virtual dataset) is created from PDS-1 (physical dataset) with the SELECT * FROM hdfs.table1 query.

The following permissions are set for each dataset:

VDS-1 PDS-1
Emma Can Edit Can Query
Joe Can Query No access

The following describes the actions that each user can perform.

User Action Outcome
Emma View the results of the VDS-1 query yes
Emma Modify the VDS-1 original query yes
Joe View the results of the VDS-1 query yes; through ownership chaining
Joe Modify the VDS-1 original query no

[info] What can Joe do?

  • Because of ownership chaining, Joe can view the results of the VDS-1 query.
  • Because Joe has no access to PDS-1, he cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.

Revoke Access Scenario

In this scenario, Emma has her permissions on the underlying dataset (PDS-1) revoked.

VDS-1 PDS-1
Emma Can Edit No access
Joe Can Query No access

The following describes the actions that each user can perform.

User Action Outcome
Emma View the results of the VDS-1 query yes
Emma Modify the VDS-1 original query no
Joe View the results of the VDS-1 query yes; through ownership chaining
Joe Modify the VDS-1 original query no

[info] What can Joe and Emma do?

  • Because of ownership chaining, Joe can still view the results of the VDS-1 query.
  • Because Joe and Emma have no access to PDS-1, both cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.

Change Query and Revoke Access Scenario

In this scenario, a second user (Joe) can edit the VDS-1 (virtual dataset) and has access to the underlying PDS (physical dataset).

Original Permissions

VDS-1 PDS-1
Emma Can Edit Can Query
Joe Can Edit Can Query

Changed Permissions
Later, Joe has his permission revoked from both VDS-1 and PDS-1.

VDS-1 PDS-1
Emma Can Edit Can Query
Joe No access No access

If Joe modified and saved VDS-1 before his permissions were revoked, subsequent queries are executed as 'Joe'. Once Joe's permissions are revoked, then subsequent queries fail with Permission Denied.

User Action Outcome
Emma View the results of the VDS-1 modified query no
Emma Modify the VDS-1 newly modified query yes
Joe View the results of the VDS-1 modified query no
Joe Modify the VDS-1 original query no

Permissions

Query and edit permissions can be defined on Datasets, Folders, Spaces, and Sources.

Dremio's permission model is based on the UNIX model:
.. An attempt to add a file to a directory, delete a file from a directory, or to rename a file, all require write permission for the directory ..

For example, given a folder named Taxes in a space named Personal. You cannot delete or modify Taxes unless you have Can Edit permissions on the Personal space. Any permissions on the Taxes folder are not valid. If you attempt to delete the folder without Can Edit permissions on the Personal space, the delete request fails with a 403 error.

Datasets

Dataset
Can Query
  • Perform queries against the Dataset.
Can Edit
  • See the SQL which defines the Dataset.
  • Make and save changes to the Dataset's definition.
  • Share the Dataset.
Further Notes The ability to delete, rename, or move a Dataset is not controlled by the Sharing settings of the Dataset itself but by the Folder, Space, or Source which contains it.

Folders

Folder
Can Query
  • List the child Datasets and Folders of the Folder.
Can Edit
  • Modify settings for the Folder.
  • Share the Folder.
  • Add child Datasets and Folders.
  • Delete, rename, and move child Datasets and Folders.
Further Notes Only Folders within a Space can be shared or modified. Folders within Sources inherit the settings of the containing Source and cannot be changed. The ability to delete, rename, or move a Folder is not controlled by the Sharing settings of the Folder itself but by the Folder, Space, or Source which contains it.

Spaces

Space
Can Query
  • List the child Datasets and Folders of the Space.
Can Edit
  • Modify settings for the Space.
  • Delete the Space.
  • Share the Space.
  • Add child Datasets and Folders.
  • Delete, rename, and move child Datasets and Folders.

Sources

Source
Can Query
  • List the child Datasets and Folders of the Source.
  • Initially add formatting settings to a Dataset or folder to convert it to a Physical Dataset.
Can Edit
  • Modify settings for the Source.
  • Delete the Source.
  • Share the Source.
  • Modify and remove formatting settings for Dataset and folder based Physical Datasets.

Source Impersonation
Some sources support the ability to do impersonation, that is, the ability to access the source data as the user in Dremio. If the user cannot access specific datasets in the underlying source, then they will be unable to view the data for those datasets. However, as these permissions are independant of Dremio's internal sharing abilities, users will still see those datasets listed in the UI.

[info] Note: Only Admins can refresh metadata on physical datasets (PDS) regardless of sharing authorizations.

Object Names

As a convenience, users are not shown the names of Datasets, Folders, Spaces, or Sources which they cannot query. However, users can still discover the names of these items (but not the data they represent). For example, if a user tried to create an item with the same name as an existing item, then the user could learn an item with that name already exists.


results matching ""

    No results matching ""