Data Permission Overview
Data lake permissions can be configured in three dimensions: database, table, and function.
Authorization and fine-grained permission control are not supported for user-created catalog objects or for the metadata objects under them.
Cloud service administrators can configure permissions of different user groups for different managed objects to centrally manage data lake resources.
You can centrally manage permissions on resources in the data lake on the LakeFormation console. IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy. If there are a large number of data resources in the data lake, you are advised to use the LakeFormation console to centrally manage permissions on resources in the data lake.
The following table lists the main elements in LakeFormation permission configuration.
Element | Description
---|---
Authorization Entity | You can specify any user, user group, or role as the authorization entity. The name of an authorization entity cannot contain hyphens (-); otherwise, the operation may fail.
Granted To | 
Authorization Permission | Access permission on the authorization object that the authorization entity has. Different authorization objects support different access methods. For details, see Table 2.
Object | Operation Type | Description
---|---|---
Catalog | ALL | Perform all operations on catalogs.
Catalog | ALTER | Modify catalogs.
Catalog | CREATE_DATABASE | Create databases.
Catalog | DROP | Delete catalogs.
Catalog | DESCRIBE | Check the metadata of catalogs or switch catalogs.
Catalog | LIST_DATABASE | View the resource list in a catalog.
Database | ALL | Perform all operations on databases.
Database | ALTER | Modify databases.
Database | DROP | Delete databases.
Database | DESCRIBE | Check the metadata of databases or switch databases.
Database | LIST_TABLE | View the resource list in a database.
Database | LIST_FUNC | View functions in a database.
Database | CREATE_TABLE | Create a table in a database.
Database | CREATE_FUNC | Create a function in a database.
Table | ALL | Perform all operations on tables.
Table | ALTER | Modify tables.
Table | DROP | Delete tables.
Table | DESCRIBE | Check the metadata of tables.
Table | UPDATE | Update table data.
Table | INSERT | Insert table data.
Table | SELECT | Query data in a table.
Table | DELETE | Delete data from a table.
Column | SELECT | Query column data in a table.
Function | ALL | Perform all operations on functions.
Function | ALTER | Modify functions.
Function | DROP | Delete functions.
Function | DESCRIBE | Check the metadata of functions.
Function | EXEC | Execute functions.
Path | READ | Read files stored in a path.
Path | WRITE | Write data into the files stored in a path.
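The following is an added example, not code from the LakeFormation documentation or service: it models the object/operation matrix above as a small grant validator and access evaluator, so that grants can be checked against the rules stated on this page (no hyphens in entity names, only operations defined for the object type, ALL covering every operation of its object) and broad ALL grants can be listed for a least-privilege review. The grant tuple shape, function names, and sample grants are assumptions constructed for illustration.

```python
# Added example: a model of the LakeFormation permission matrix above.
# Grant shape (entity, object_type, object_name, operation) is an assumption, not the service API.

OPERATIONS = {  # operation types per object, taken from the table above
    "catalog": {"ALL", "ALTER", "CREATE_DATABASE", "DROP", "DESCRIBE", "LIST_DATABASE"},
    "database": {"ALL", "ALTER", "DROP", "DESCRIBE", "LIST_TABLE", "LIST_FUNC",
                 "CREATE_TABLE", "CREATE_FUNC"},
    "table": {"ALL", "ALTER", "DROP", "DESCRIBE", "UPDATE", "INSERT", "SELECT", "DELETE"},
    "column": {"SELECT"},
    "function": {"ALL", "ALTER", "DROP", "DESCRIBE", "EXEC"},
    "path": {"READ", "WRITE"},
}


def validate_grant(entity, obj_type, operation):
    """Return None if the grant is well-formed, otherwise the reason it is rejected."""
    if "-" in entity:  # the page warns that hyphenated entity names may fail
        return "entity name must not contain hyphens"
    if obj_type not in OPERATIONS:
        return f"unknown object type: {obj_type}"
    if operation not in OPERATIONS[obj_type]:
        return f"{operation} is not defined for {obj_type}"
    return None


def is_allowed(grants, entity, obj_type, obj_name, operation):
    """True if some valid grant lets entity perform operation on the named object.

    ALL covers every operation defined for that object type; there is no implicit
    inheritance between object types (ALL on a table says nothing about its database).
    """
    for g_entity, g_type, g_name, g_op in grants:
        if validate_grant(g_entity, g_type, g_op) is not None:
            continue  # malformed grants never confer access
        if (g_entity, g_type, g_name) != (entity, obj_type, obj_name):
            continue
        if g_op == operation or g_op == "ALL":
            return True
    return False


def audit_broad_grants(grants):
    """Least-privilege review helper: return every grant of ALL."""
    return [g for g in grants if g[3] == "ALL"]


# Constructed sample grants for illustration
GRANTS = [
    ("analyst_group", "database", "sales", "DESCRIBE"),
    ("analyst_group", "table", "sales.orders", "SELECT"),
    ("etl_role", "table", "sales.orders", "ALL"),
]
```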