Dremio Cloud
Dremio Software
 
On this page

    Sharing and Permissions enterprise

    Version Requirements

    The functionality outlined on this page is for instances of Dremio v15.X and earlier.

    If you’re using Dremio v16.0+, then please reference the new Access Control functionality.

    How Sharing Works

    Sharing in Dremio can be configured for datasets, sources, spaces and folders.

    By default, all users have access to sources and spaces and their child objects in Dremio.

    To manage access to an object, see the process for granting or revoking privileges Once a specific user has been granted access to an object, access is then restricted to only users granted access. All other users no longer have access.

    Access is granted with one of the following permissions:

    • Can Query
    • Can Edit

    Rules

    • Datasets and folders inherit the permissions of their parent folder, source or space. Subsequent changes to the parents’ Sharing settings are not reflected in the dataset or folder.

    • Users need to have access each folder, source or space included in a dataset’s path to be able to access it.

    • Datasets (physical or virtual) in a user’s home space are not directly accessible to other users and cannot directly be shared. However, these datasets can be shared with other users through Privilege Delegation.

    Sharing through Privilege Delegation

    A dataset under restricted access can be shared with another Dremio user by creating a virtual dataset that selects from the underlying dataset, even if the other Dremio user doesn’t have access to the underlying data. This applies to each dataset in the data graph — the chain of datasets.

    Simple Scenario

    In the following scenario, VDS-1 (virtual dataset) is created from PDS-1 (physical dataset) with the SELECT * FROM hdfs.table1 query.

    The following permissions are set for each dataset:

    VDS-1 PDS-1
    Emma Can Edit Can Query
    Joe Can Query No access

    The following describes the actions that each user can perform.

    User Action Outcome
    Emma View the results of the VDS-1 query yes
    Emma Modify the VDS-1 original query yes
    Joe View the results of the VDS-1 query yes; through privilege delegation
    Joe Modify the VDS-1 original query no

    Note:
    What can Joe do?

    • Because of privilege delegation, Joe can view the results of the VDS-1 query.
    • Because Joe has no access to PDS-1, he cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.

    Revoke Access Scenario

    In this scenario, Emma has her permissions on the underlying dataset (PDS-1) revoked.

    VDS-1 PDS-1
    Emma Can Edit No access
    Joe Can Query No access

    The following describes the actions that each user can perform.

    User Action Outcome
    Emma View the results of the VDS-1 query yes
    Emma Modify the VDS-1 original query no
    Joe View the results of the VDS-1 query yes; through privilege delegation
    Joe Modify the VDS-1 original query no

    Note:
    What can Joe and Emma do?

    • Because of privilege delegation, Joe can still view the results of the VDS-1 query.
    • Because Joe and Emma have no access to PDS-1, both cannot see PDS-1 in the Dremio UI and cannot modify the VDS-1 query.

    Change Query and Revoke Access Scenario

    In this scenario, a second user (Joe) can edit the VDS-1 (virtual dataset) and has access to the underlying PDS (physical dataset).

    Original Permissions

    VDS-1 PDS-1
    Emma Can Edit Can Query
    Joe Can Edit Can Query

    Changed Permissions
    Later, Joe has his permission revoked from both VDS-1 and PDS-1.

    VDS-1 PDS-1
    Emma Can Edit Can Query
    Joe No access No access

    If Joe modified and saved VDS-1 before his permissions were revoked, subsequent queries are executed as ‘Joe’. Once Joe’s permissions are revoked, then subsequent queries fail with Permission Denied.

    User Action Outcome
    Emma View the results of the VDS-1 modified query no
    Emma Modify the VDS-1 newly modified query yes
    Joe View the results of the VDS-1 modified query no
    Joe Modify the VDS-1 original query no

    Permissions

    Query and edit permissions can be defined on Datasets, Folders, Spaces, and Sources.

    Dremio’s permission model is based on the UNIX model:
    .. An attempt to add a file to a directory, delete a file from a directory, or to rename a file, all require write permission for the directory ..

    For example, given a folder named Taxes in a space named Personal. You cannot delete or modify Taxes unless you have Can Edit permissions on the Personal space. Any permissions on the Taxes folder are not valid. If you attempt to delete the folder without Can Edit permissions on the Personal space, the delete request fails with a 403 error.

    Datasets

    Dataset
    Can Query
    • Perform queries against the Dataset.
    Can Edit
    • See the SQL which defines the Dataset.
    • Make and save changes to the Dataset’s definition.
    • Share the Dataset.
    Further Notes The ability to delete, rename, or move a Dataset is not controlled by the Sharing settings of the Dataset itself but by the Folder, Space, or Source which contains it.

    Folders

    Folder
    Can Query
    • List the child Datasets and Folders of the Folder.
    Can Edit
    • Modify settings for the Folder.
    • Share the Folder.
    • Add child Datasets and Folders.
    • Delete, rename, and move child Datasets and Folders.
    Further Notes Only Folders within a Space can be shared or modified. Folders within Sources inherit the settings of the containing Source and cannot be changed. The ability to delete, rename, or move a Folder is not controlled by the Sharing settings of the Folder itself but by the Folder, Space, or Source which contains it.

    Spaces

    Space
    Can Query
    • List the child Datasets and Folders of the Space.
    Can Edit
    • Modify settings for the Space.
    • Delete the Space.
    • Share the Space.
    • Add child Datasets and Folders.
    • Delete, rename, and move child Datasets and Folders.

    Sources

    Source
    Can Query
    • List the child Datasets and Folders of the Source.
    • Initially add formatting settings to a Dataset or folder to convert it to a Physical Dataset.
    Can Edit
    • Modify settings for the Source.
    • Delete the Source.
    • Share the Source.
    • Modify and remove formatting settings for Dataset and folder based Physical Datasets.

    Source Impersonation
    Some sources support the ability to do impersonation, that is, the ability to access the source data as the user in Dremio. If the user cannot access specific datasets in the underlying source, then they will be unable to view the data for those datasets. However, as these permissions are independant of Dremio’s internal sharing abilities, users will still see those datasets listed in the UI.

    Note:
    Only Admins can refresh metadata on physical datasets (PDS) regardless of sharing authorizations.

    Object Names

    As a convenience, users are not shown the names of Datasets, Folders, Spaces, or Sources which they cannot query. However, users can still discover the names of these items (but not the data they represent). For example, if a user tried to create an item with the same name as an existing item, then the user could learn an item with that name already exists.