Help Center/ MapReduce Service/ Component Operation Guide (LTS) (Ankara Region)/ Using MOTService/ MOTService Permissions Management/ Overview
Updated on 2024-11-29 GMT+08:00
View PDF
Share

Overview

Database users are used to connect to databases, access database objects, and execute SQL statements. Database users must have their database accounts to connect to databases. Database administrators need to create a database account for each database user.

The MOTService database supports rights separation so users can be granted different management permissions.

The MOTService database uses the non-rights separation mode by default. Users can modify the enableSeparationOfDuty parameter in the /srv/BigData/MOTService/data/postgresql.conf configuration file of the MOTService node. If this parameter is set to on, rights separation is enabled; if the value is off or not configured, the rights separation mode is not used.

Non-Rights Separation Model

When MOTService does not use the rights separation mode, database users are classified into system administrators and common users. Table 1 lists the object rights separation of different users.

Table 1 MOTService user types

Type

Description

System administrator

Has the highest-level database privileges, that is, has all system and object privileges.

When MOTService is installed or the database is initialized, a system administrator with the same name as the user specified by the -U parameter is automatically generated. Alternatively, you can execute the CREATE USER or ALTER USER statement to specify the SYSADMIN parameter and generate a system administrator.

NOTE:

For security purposes, system administrators are prohibited from remotely logging in to the MOTService database in trust mode. Other remote login modes are still available. So, you are advised to configure the local mode for system administrators in the pg_hba.conf file to ensure database access security.

Common user

By default, a common user can access the default system tables and views (except pg_authid, pg_largeobject, pg_user_status, and pg_auth_history), connect to the default database postgres, and use objects (including tables, views, and functions) in the public schema.

  • A system administrator can run the CREATE USER or ALTER USER statement to grant system permissions to a common user.
  • A system administrator can run the GRANT statement to grant certain object permissions to a common user.
  • A system administrator can execute the GRANT statement to grant other roles' or users' permissions to a common user.
Table 2 Default user permissions

Object Name

System Administrator

Common User

Tablespace

Has permissions to create, delete, access, and allocate tablespaces.

Does not have the permission to create, delete, or allocate tablespaces, but can be granted the permission to access tablespaces.

Table

Has full permissions on all tables.

Has full permissions only on their own tables, but does not have any permissions on other users' tables.

Index

Has the permission to create indexes on all tables.

Has the permission to create indexes only on their own tables.

Schema

Has full permissions on all schemas.

Has full permissions only on their own schemas, but does not have any permissions on other users' schemas.

Function

Has full permissions on all functions.

Has full permissions only on their own functions and the permission to call other users' functions in public schema.

View

Has full permissions on all views.

Has full permissions only on their own views, but does not have any permissions on other users' views.

Rights Separation Model

When the rights separation model is used, MOTService users are classified into four types: system administrator, security administrator, audit administrator, and common user. The rights of the system administrator, security administrator, and audit administrator are separated from each other. Ensure that the roles of the security administrator and audit administrator are not assigned to the same user. Table Table 3 lists the system permissions of each administrator.

The system administrator whose oid is 10 is a special user who has full permissions, and is generated in the system by default and cannot be created. You can run the select rolname,oid FROM pg_authid; command to view it.

Table 3 Administrator permissions with rights separation enabled

Administrator

Permission to Create Users

Permission to View Audit Logs

System Administrator Permission

System administrator

No

No

Yes

Security administrator

Yes

No

No

Audit administrator

No

Yes

No

Table 4 lists the object permissions of each type of administrators with rights separation enabled.

Table 4 Object permissions with rights separation enabled

Object Name

Initial User (oid: 10)

System Administrator

Security Administrator

Audit Administrator

Common User

Tablespace

Has full permissions.

Has permissions to create, delete, access, and allocate tablespaces.

Does not have the permission to create, delete, or allocate tablespaces, but can be granted the permission to access tablespaces.

Does not have the permission to create, delete, or allocate tablespaces, but can be granted the permission to access tablespaces.

Does not have the permission to create, delete, or allocate tablespaces, but can be granted the permission to access tablespaces.

Table

Has full permissions.

Has full permissions on their own tables and other users' tables in public schema.

Has full permissions on their own tables, but does not have any permissions on other users' tables.

Has full permissions on their own tables, but does not have any permissions on other users' tables.

Has full permissions on their own tables, but does not have any permissions on other users' tables.

Index

Has full permissions.

Has the permission to create indexes on their own tables and other users' tables in public schema.

Has the permission to create indexes only on their own tables.

Has the permission to create indexes only on their own tables.

Has the permission to create indexes only on their own tables.

Schema

Has full permissions.

Has full permissions only on their own schemas, but does not have any permissions on other users' schemas.

Has full permissions only on their own schemas, but does not have any permissions on other users' schemas.

Has full permissions only on their own schemas, but does not have any permissions on other users' schemas.

Has full permissions only on their own schemas, but does not have any permissions on other users' schemas.

Function

Has full permissions.

Has full permissions on their own functions and other users' functions in public schema.

Has full permissions only on their own functions and the permission to call other users' functions in public schema.

Has full permissions only on their own functions and the permission to call other users' functions in public schema.

Has full permissions only on their own functions and the permission to call other users' functions in public schema.

View

Has full permissions.

Has full permissions on their own views and other users' views in public schema.

Has full permissions only on their own views, but does not have any permissions on other users' views.

Has full permissions only on their own views, but does not have any permissions on other users' views.

Has full permissions only on their own views, but does not have any permissions on other users' views.