Permission Policies and Supported Actions for LakeFormation Resources
Supported Actions for LakeFormation SQL Resources
For the list of actions supported by DLI for SQL resource authentication, refer to Data Permissions List.
Table 1 lists the supported actions for LakeFormation SQL resources.
LakeFormation Permission Policies (Spark)
|
Type |
SQL Statement |
Permission to Authenticate Access to Metadata Using IAM |
Permission to Authenticate Access to SQL Resources |
|---|---|---|---|
|
DDL statement |
ALTER DATABASE |
database:describe database:alter |
database:DESCRIBE database:ALTER |
|
ALTER TABLE |
database:describe table:describe table:alter database:create |
database:DESCRIBE table:DESCRIBE table:ALTER database:CREATE_TABLE column:SELECT or table:SELECT |
|
|
ALTER VIEW |
database:describe table:describe table:alter |
database:DESCRIBE table:DESCRIBE column:SELECT table:ALTER |
|
|
CREATE DATABASE |
database:describe database:create |
database:DESCRIBE catalog:CREATE_DATABASE |
|
|
CREATE OR REPLACE FUNCTION (CREATE) |
database:describe function:create |
database:DESCRIBE database:CREATE_FUNC |
|
|
CREATE OR REPLACE FUNCTION (REPLACE) |
database:describe function:describe function:alter |
database:CREATE_FUNC database:DESCRIBE function:DESCRIBE function:ALTER |
|
|
CREATE TABLE |
database:describe table:describe table:create |
database:DESCRIBE database:CREATE_TABLE |
|
|
CREATE VIEW |
database:describe table:describe table:drop table:create |
database:CREATE_TABLE table:DESCRIBE (source\target) table:DROP(target) column:SELECT |
|
|
DROP DATABASE |
database:describe database:drop |
database:DESCRIBE database:DROP |
|
|
DROP FUNCTION |
database:describe function:describe function:drop |
database:DESCRIBE function:DESCRIBE function:DROP |
|
|
DROP TABLE |
database:describe table:describe credential:describe table:drop |
database:DESCRIBE table:DESCRIBE table:DROP |
|
|
DROP VIEW |
database:describe table:describe table:drop |
database:DESCRIBE table:DESCRIBE(target\source) table:DROP(target) |
|
|
REPAIR TABLE |
database:describe table:describe credential:describe table:alter |
database:DESCRIBE table:DESCRIBE table:ALTER table:SELECT |
|
|
TRUNCATE TABLE |
database:describe table:describe table:alter |
database:DESCRIBE table:DESCRIBE table:SELECT table:UPDATE |
|
|
DML statement |
INSERT TABLE |
database:describe table:describe table:alter credential:describe |
database:DESCRIBE table:DESCRIBE table:ALTER table:INSERT column:SELECT or table:SELECT |
|
LOAD DATA |
database:describe table:describe credential:describe |
database:DESCRIBE table:DESCRIBE table:UPDATE table:ALTER table:SELECT |
|
|
DR statement |
SELECT |
database:describe table:describe credential:describe |
database:DESCRIBE table:DESCRIBE column:SELECT |
|
EXPLAIN |
Depends on the SQL statement. |
Depends on the SQL statement. |
|
|
Auxiliary statement |
ANALYZE TABLE |
database:describe table:describe credential:describe table:alter |
database:DESCRIBE table:DESCRIBE table:SELECT table:ALTER |
|
DESCRIBE DATABASE |
database:describe |
database:DESCRIBE |
|
|
DESCRIBE FUNCTION |
database:describe function:describe |
database:DESCRIBE function:DESCRIBE |
|
|
DESCRIBE QUERY |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE table:SELECT |
|
|
DESCRIBE TABLE |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE |
|
|
REFRESH TABLE |
database:describe table:describe credential:describe |
database:DESCRIBE table:DESCRIBE table:SELECT |
|
|
REFRESH FUNCTION |
database:describe function:describe |
database:DESCRIBE function:DESCRIBE |
|
|
SHOW COLUMNS |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE |
|
|
SHOW CREATE TABLE |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE |
|
|
SHOW DATABASES |
database:describe |
catalog:LIST_DATABASE database:DESCRIBE |
|
|
SHOW FUNCTIONS |
database:describe function:describe |
database:DESCRIBE |
|
|
SHOW PARTITIONS |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE |
|
|
SHOW TABLE EXTENDED |
database:describe table:describe |
catalog:LIST_DATABASE database:DESCRIBE table:DESCRIBE database:LIST_TABLE |
|
|
SHOW TABLES |
database:describe table:describe |
catalog:LIST_DATABASE database:LIST_TABLE database:DESCRIBE |
|
|
SHOW TBLPROPERTIES |
database:describe table:describe |
database:DESCRIBE table:DESCRIBE |
|
|
SHOW VIEWS |
database:describe table:describe |
catalog:LIST_DATABASE database:LIST_TABLE database:DESCRIBE |
LakeFormation Permission Policies (HetuEngine)
|
Type |
Syntax |
LakeFormation Permission Required for SQL Authentication |
LakeFormation Permission Required for Metadata API Calling |
|---|---|---|---|
|
Schema |
create schema |
catalog:CREATE_DATABASE |
catalog:CREATE_DATABASE catalog:DESCRIBE |
|
show schemas |
catalog:LIST_DATABASE |
catalog:LIST_DATABASE |
|
|
drop schema |
database:DROP |
catalog:LIST_DATABASE database:DESCRIBE database:DROP |
|
|
alter schema set location/owner |
database:ALTER |
catalog:LIST_DATABASE database:DESCRIBE database:ALTER |
|
|
desc schema |
database:LIST_DATABASE |
database:LIST_DATABASE database:DESCRIBE |
|
|
Table |
create table |
database:CREATE_TABLE |
database:DESCRIBE database:CREATE_TABLE |
|
create table as select |
database:CREATE_TABLE Source table: SELECT (or column:SELECT) |
database:DESCRIBE database:CREATE_TABLE table:DESCRIBE (source table) table:select (source table) |
|
|
show create table |
table:DESCRIBE |
table:DESCRIBE table:select |
|
|
select from table |
table:SELECT (or column:SELECT) |
table:DESCRIBE table:SELECT (or column:SELECT) |
|
|
insert into table |
table:INSERT table:SELECT (or column:SELECT) |
table:DESCRIBE table:ALTER |
|
|
alter table |
table:ALTER |
table:DESCRIBE table:ALTER |
|
|
show tables |
database:LIST_TABLE |
catalog:LIST_DATABASE database:LIST_TABLE |
|
|
drop table |
table:DROP |
table:DESCRIBE table:DROP |
|
|
truncate table |
table:DELETE |
table:DESCRIBE |
|
|
desc table |
table:DESCRIBE |
catalog:LIST_DATABASE table:DESCRIBE |
|
|
comment |
table:ALTER |
table:DESCRIBE table:ALTER |
|
|
view |
create view |
database:CREATE_TABLE Source table: SELECT (or column:SELECT) |
database:CREATE_TABLE table:DESCRIBE (source table) table:select (source table) |
|
drop view |
table:DROP |
table:DESCRIBE table:DROP |
|
|
alter view |
table:ALTER |
table:DESCRIBE table:ALTER (table:SELECT) |
|
|
select from view |
table:DESCRIBE (source table and view) table:select (source table and view) |
table:DESCRIBE (source table and view) table:select (source table and view) |
|
|
show views |
database:LIST_TABLE |
catalog:LIST_DATABASE database:LIST_TABLE table:DESCRIBE |
|
|
show create view |
table:DESCRIBE |
table:DESCRIBE |
|
|
column |
show columns |
table:SELECT (or column:SELECT) |
catalog:LIST_DATABASE table:DESCRIBE table:SELECT (or column:SELECT) |
|
select [column] from table |
table:SELECT (or column:SELECT) |
table:DESCRIBE table:SELECT (or column:SELECT) |
|
|
stats |
show stats |
table:SELECT (or column:SELECT) |
table:DESCRIBE table:SELECT (or column:SELECT) |
|
analyze |
table:INSERT table:SELECT (or column:SELECT) |
table:DESCRIBE table:ALTER |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
