GeminiDB DynamoDB-Compatible API Authentication
In enterprise applications, different departments or user roles have different data access requirements. If access permissions of GeminiDB DynamoDB-Compatible API are not managed, data leakage or misoperations may occur. GeminiDB DynamoDB-Compatible API authentication is suitable when the data operation scope of different roles needs to be restricted. You can create multiple GeminiDB DynamoDB-Compatible API users and grant them different permissions to control table query and write operations on GeminiDB DynamoDB-Compatible instances, improving data security and protecting sensitive data. Once granted the required permissions, each user can access only its own data on GeminiDB DynamoDB-Compatible instances, which isolates data between tenants or departments in multi-tenant or enterprise environments.
Permissions Supported by GeminiDB DynamoDB-Compatible API
GeminiDB DynamoDB-Compatible API authentication means you can control table-level permissions for the APIs of GeminiDB DynamoDB-Compatible instances. Row-level or column-level permissions cannot be controlled.
| Permission Type | Permission Scope | Function |
|---|---|---|
| CREATE | ALL KEYSPACES | Creates a table with any name. |
| ALTER | TABLE | Modifies the configuration of a table with a specific name. |
| DROP | TABLE | Deletes a table with a specific name. |
| SELECT | TABLE | Queries data of a table with a specific name. |
| MODIFY | TABLE | Writes data to a table with a specific name. |
Using CQL Statements to Set User Permissions
- Creating a user
-- Create a common user.
CREATE USER <username> WITH PASSWORD 'your_password' NOSUPERUSER;

- New users do not have any permissions before being authorized.
The password of a new user must contain 8 to 32 characters and at least two types of the following characters: uppercase letters, lowercase letters, digits, and special characters ~!@#%^*-_=+?
For more information, see Resetting the Administrator Password.
- Assigning permissions to a user
-- Grant the permission of creating tables to the user.
GRANT CREATE ON ALL KEYSPACES TO <username>;
-- Grant the table-level query permission to the user.
GRANT SELECT ON TABLE <table_name>.<table_name> TO <username>;
-- Grant the table-level insert, update, and delete permissions to the user.
GRANT MODIFY ON TABLE <table_name>.<table_name> TO <username>;
- Viewing user permissions
LIST ALL PERMISSIONS OF <username>;
- Removing user permissions
-- Revoke the SELECT permission on a table from the user.
REVOKE SELECT ON TABLE <table_name>.<table_name> FROM <username>;
-- Revoke all permissions on a keyspace from the user.
REVOKE ALL PERMISSIONS ON KEYSPACE <table_name> FROM <username>;
- Deleting a user
DROP USER <username>;

- rwuser is preset when an instance is created. This user has the permission to create all tables.
- The user who creates a table has all permissions on the table by default.
- You are advised to use rwuser to create DynamoDB tables and users, and then grant different permissions to the new users.
User Permissions of GeminiDB DynamoDB-Compatible Instance APIs
| GeminiDB DynamoDB-Compatible Instance API | User Permission |
|---|---|
| BatchGetItem | Table-level SELECT |
| BatchWriteItem | Table-level MODIFY |
| CreateTable | ALL KEYSPACES CREATE |
| DeleteItem | Table-level MODIFY |
| DeleteTable | Table-level DROP |
| DescribeStream | No permissions required |
| DescribeTimeToLive | No permissions required |
| DescribeTable | No permissions required |
| GetItem | Table-level SELECT |
| GetRecords | Table-level SELECT |
| GetShardIterator | No permissions required |
| ListStreams | No permissions required |
| ListTables | No permissions required |
| PutItem | Table-level MODIFY |
| Query | Table-level SELECT |
| Scan | Table-level SELECT |
| UpdateItem | Table-level MODIFY |
| UpdateTable | Table-level ALTER |
| UpdateTimeToLive | Table-level ALTER |
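The two tables above (CQL permissions, and the permission each DynamoDB-Compatible API operation requires) together define the least-privilege grant for a user. The following added example, which is not part of the GeminiDB documentation, turns a list of API operations a role needs into the minimal GRANT statements, and checks a candidate password against the rule stated in the user-creation section; the user and table names it takes as input are constructed samples.

```python
# Added example, not from the GeminiDB documentation: derive least-privilege
# GRANT statements from the operation -> permission table above. User and
# table names passed in as input are constructed samples.
import re

# DynamoDB-Compatible operation -> CQL permission it needs (from the page's table);
# None means the operation needs no permission at all.
OPERATION_PERMISSION = {
    "BatchGetItem": "SELECT", "GetItem": "SELECT", "GetRecords": "SELECT",
    "Query": "SELECT", "Scan": "SELECT",
    "BatchWriteItem": "MODIFY", "DeleteItem": "MODIFY", "PutItem": "MODIFY",
    "UpdateItem": "MODIFY",
    "UpdateTable": "ALTER", "UpdateTimeToLive": "ALTER",
    "DeleteTable": "DROP",
    "CreateTable": "CREATE",
    "DescribeStream": None, "DescribeTimeToLive": None, "DescribeTable": None,
    "GetShardIterator": None, "ListStreams": None, "ListTables": None,
}

def required_permissions(operations):
    """Set of CQL permissions needed to run the given operations."""
    perms = set()
    for op in operations:
        if op not in OPERATION_PERMISSION:
            raise ValueError(f"unknown DynamoDB-Compatible operation: {op}")
        if OPERATION_PERMISSION[op] is not None:
            perms.add(OPERATION_PERMISSION[op])
    return perms

def grant_statements(username, operations, tables):
    """Minimal GRANT statements for `username` to run `operations` on `tables`.
    CREATE is keyspace-wide (ALL KEYSPACES); the others are table-level, and each
    DynamoDB table is addressed as <table>.<table> as in the page's examples."""
    perms = required_permissions(operations)
    stmts = []
    if "CREATE" in perms:
        stmts.append(f"GRANT CREATE ON ALL KEYSPACES TO {username};")
    for perm in ("SELECT", "MODIFY", "ALTER", "DROP"):  # fixed order -> stable output
        if perm in perms:
            stmts.extend(f"GRANT {perm} ON TABLE {t}.{t} TO {username};" for t in tables)
    return stmts

def password_ok(password):
    """Page's password rule: 8 to 32 characters and at least two of the four
    classes (upper, lower, digit, special from ~!@#%^*-_=+?)."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[~!@#%^*\-_=+?]")
    return (8 <= len(password) <= 32
            and sum(bool(re.search(c, password)) for c in classes) >= 2)
```

Running `grant_statements("reporting_user", ["Query", "Scan", "DescribeTable"], ["orders"])` yields a single SELECT grant on `orders.orders`, because the Describe* operations need no permission.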
Authentication Failure Error
If a user calls an API without the permission it requires, the request is rejected with the following error:
{
"__type": "AccessDeniedException",
"message": "User <user_name> has no <permission_name> permission on <data_resource> or any of its parents"
}