Updated on 2025-10-17 GMT+08:00

GeminiDB DynamoDB-Compatible API Authentication

In enterprise applications, different departments and user roles need different data access rights. If access to a GeminiDB DynamoDB-Compatible instance is not controlled per user, data leakage or misoperations may occur. GeminiDB DynamoDB-Compatible API authentication addresses this when the data operations allowed to each role must be restricted: you create multiple database users and grant each one only the table creation, query, and write permissions it needs. This limits what a single leaked or misused credential can reach, helps protect sensitive data, and lets users in a multi-tenant or enterprise environment access only the tables they have been authorized for.

Permissions Supported by GeminiDB DynamoDB-Compatible API

GeminiDB DynamoDB-Compatible API authentication controls access at the table level: the permissions below are granted per user with CQL statements on the instance and apply to whole tables. Row-level and column-level permissions are not supported, so data that different roles must not see has to be kept in separate tables.

Table 1 Supported permissions and scopes

  Permission Type | Permission Scope | Function
  ----------------+------------------+----------------------------------------------------------
  CREATE          | ALL KEYSPACES    | Creates a table with any name (instance-wide).
  ALTER           | TABLE            | Modifies the configuration of the named table.
  DROP            | TABLE            | Deletes the named table.
  SELECT          | TABLE            | Queries data in the named table.
  MODIFY          | TABLE            | Writes data to the named table (insert, update, delete).

Using CQL Statements to Set User Permissions

  • Creating a user
    -- Create a common (non-superuser) user.
    CREATE USER <username> WITH PASSWORD 'your_password' NOSUPERUSER;
    • New users have no permissions until they are explicitly granted.
    • The password of a new user must contain 8 to 32 characters and at least two of the following character types: uppercase letters, lowercase letters, digits, and the special characters ~!@#%^*-_=+?

      For more information, see Resetting the Administrator Password.

  • Assigning permissions to a user
    -- Grant the permission to create tables (instance-wide, any table name) to the user.
    GRANT CREATE ON ALL KEYSPACES TO <username>;
    -- Grant the table-level query permission to the user. A DynamoDB table is addressed
    -- as <table_name>.<table_name>: the keyspace carries the same name as the table.
    GRANT SELECT ON TABLE <table_name>.<table_name> TO <username>;
    -- Grant the table-level insert, update, and delete permissions to the user.
    GRANT MODIFY ON TABLE <table_name>.<table_name> TO <username>;
  • Viewing user permissions
    LIST ALL PERMISSIONS OF <username>;
  • Removing user permissions
    -- Revoke the SELECT permission on a table from the user.
    REVOKE SELECT ON TABLE <table_name>.<table_name> FROM <username>;
    -- Revoke all permissions on the keyspace of a table from the user.
    REVOKE ALL PERMISSIONS ON KEYSPACE <table_name> FROM <username>;
  • Deleting a user
    DROP USER <username>;

  • rwuser is preset when an instance is created and has the permission to create all tables.
  • The user who creates a table has all permissions on that table by default.
  • You are advised to use rwuser to create DynamoDB tables and users, and then grant each new user only the permissions it needs.

User Permissions of GeminiDB DynamoDB-Compatible Instance APIs

Each API operation requires the permission listed below on the target table. Operations that only read table metadata or stream descriptors require no permission, so any authenticated user can list tables and describe their configuration even without SELECT on them.

Table 2 User permissions of APIs

  GeminiDB DynamoDB-Compatible Instance API | User Permission
  ------------------------------------------+-------------------------
  BatchGetItem                              | Table-level SELECT
  BatchWriteItem                            | Table-level MODIFY
  CreateTable                               | ALL KEYSPACES CREATE
  DeleteItem                                | Table-level MODIFY
  DeleteTable                               | Table-level DROP
  DescribeStream                            | No permissions required
  DescribeTimeToLive                        | No permissions required
  DescribeTable                             | No permissions required
  GetItem                                   | Table-level SELECT
  GetRecords                                | Table-level SELECT
  GetShardIterator                          | No permissions required
  ListStreams                               | No permissions required
  ListTables                                | No permissions required
  PutItem                                   | Table-level MODIFY
  Query                                     | Table-level SELECT
  Scan                                      | Table-level SELECT
  UpdateItem                                | Table-level MODIFY
  UpdateTable                               | Table-level ALTER
  UpdateTimeToLive                          | Table-level ALTER

Authentication Failure Error

When a user calls an API without the permission listed in Table 2, the request is rejected with an AccessDeniedException whose message names the user, the missing permission, and the resource it was checked against. Fix it by granting that permission on the table (see Using CQL Statements to Set User Permissions) rather than by widening the user's privileges.

{
    "__type": "AccessDeniedException",
    "message": "User <user_name> has no <permission_name> permission on <data_resource> or any of its parents"
}
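As an added example (not part of the GeminiDB documentation or product), the following Python script encodes the operation-to-permission mapping of Table 2 to derive the minimal set of GRANT statements for a given workload, turns any grants a user holds beyond that set into REVOKE statements, and parses the AccessDeniedException body shown above. It uses the <table_name>.<table_name> addressing of the page's own GRANT examples. The user names, table names and workloads are constructed, as is the resource string in the sample error: the page shows only a <data_resource> placeholder, so no real resource format is assumed. The identifier rule is a conservative assumption for this script, not a GeminiDB limit.

```python
"""Least-privilege helper for GeminiDB DynamoDB-Compatible API users.

Added example, not part of the GeminiDB documentation. It encodes the
operation-to-permission mapping of Table 2 and the GRANT/REVOKE syntax shown
on the page, and parses the AccessDeniedException body shown on the page.
All user names, table names and workloads below are constructed sample data.
"""
import re

# Table 2: API operation -> required permission. None: no permission required.
API_PERMISSION = {
    "BatchGetItem": "SELECT", "BatchWriteItem": "MODIFY", "CreateTable": "CREATE",
    "DeleteItem": "MODIFY", "DeleteTable": "DROP", "DescribeStream": None,
    "DescribeTimeToLive": None, "DescribeTable": None, "GetItem": "SELECT",
    "GetRecords": "SELECT", "GetShardIterator": None, "ListStreams": None,
    "ListTables": None, "PutItem": "MODIFY", "Query": "SELECT", "Scan": "SELECT",
    "UpdateItem": "MODIFY", "UpdateTable": "ALTER", "UpdateTimeToLive": "ALTER",
}

# Conservative identifier rule (an assumption, not a GeminiDB limit). The CQL
# below is built by string formatting, so anything that is not a plain word is
# rejected instead of being spliced into a statement.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def _ident(name):
    if not IDENT_RE.match(name):
        raise ValueError(f"refusing to build CQL with identifier {name!r}")
    return name


def grant_statements(user, workload):
    """Minimal, deduplicated GRANT statements for a workload.

    workload: list of (api_operation, table_name) pairs the application issues.
    Table-level permissions target <table>.<table>, the keyspace.table form
    used in the page's GRANT examples. CREATE is instance-wide (ALL KEYSPACES),
    so it is emitted once and the table argument is ignored for it.
    """
    user = _ident(user)
    statements = []
    for op, table in workload:
        if op not in API_PERMISSION:
            raise ValueError(f"unknown DynamoDB-compatible operation: {op}")
        perm = API_PERMISSION[op]
        if perm is None:
            continue  # DescribeTable, ListTables, ... need no grant
        if perm == "CREATE":
            stmt = f"GRANT CREATE ON ALL KEYSPACES TO {user};"
        else:
            t = _ident(table)
            stmt = f"GRANT {perm} ON TABLE {t}.{t} TO {user};"
        if stmt not in statements:
            statements.append(stmt)
    return statements


def revoke_for_excess(granted, user, workload):
    """REVOKE statements for grants the user holds but the workload never uses.

    granted: the user's current grants, transcribed from LIST ALL PERMISSIONS
    OF <user> into the same GRANT form that grant_statements() emits.
    """
    needed = set(grant_statements(user, workload))
    return [g.replace("GRANT ", "REVOKE ", 1).replace(" TO ", " FROM ", 1)
            for g in granted if g not in needed]


DENIED_RE = re.compile(
    r"^User (?P<user>\S+) has no (?P<permission>[A-Z]+) permission on "
    r"(?P<resource>.+?) or any of its parents$"
)


def parse_access_denied(body):
    """Extract user, permission and resource from an AccessDeniedException body.

    Returns None for any other error type or an unrecognised message so the
    caller falls back to generic error handling instead of retrying blindly.
    """
    if body.get("__type") != "AccessDeniedException":
        return None
    m = DENIED_RE.match(body.get("message", ""))
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed workload: a reporting service that describes and reads one
    # table. Only a single SELECT grant results; DescribeTable needs none.
    reporting = [("DescribeTable", "orders"), ("Query", "orders"),
                 ("Scan", "orders"), ("BatchGetItem", "orders")]
    print(*grant_statements("report_svc", reporting), sep="\n")
    # The same user was also given MODIFY at some point: propose the REVOKE.
    current = ["GRANT SELECT ON TABLE orders.orders TO report_svc;",
               "GRANT MODIFY ON TABLE orders.orders TO report_svc;"]
    print(*revoke_for_excess(current, "report_svc", reporting), sep="\n")
    # Constructed error body; the resource string is made up, the page only
    # shows a <data_resource> placeholder.
    denied = {"__type": "AccessDeniedException",
              "message": "User report_svc has no MODIFY permission on "
                         "orders.orders or any of its parents"}
    print(parse_access_denied(denied))
```

Run the generated GRANT statements as rwuser, as the page advises, and keep the workload list under version control next to the application so that a LIST ALL PERMISSIONS OF review can be diffed against it; the identifier check matters because table and user names often arrive from deployment parameters, and a rejected name is far cheaper than a spliced CQL statement.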