Updated on 2024-10-09 GMT+08:00

Creating a Doris Permission Role

The Doris permission management system implements row-level fine-grained permission control and role-based permission access control.

Only clusters of MRS 3.3.0 and later versions support role assignment on FusionInsight Manager. If the cluster is of MRS 3.3.0 or earlier, you need to connect to the database as user root (the default password is empty) regardless of whether Kerberos authentication is enabled.

Prerequisites

  • The Doris service is running properly.
  • The role name cannot be operator or admin.
  • When Kerberos authentication is enabled for the cluster (the cluster is in security mode), it takes about 2 minutes for the permission to take effect after the Doris permission is successfully assigned.

Adding the Doris Role (Kerberos authentication is enabled for the cluster (the cluster is in security mode))

  1. Log in to FusionInsight Manager and choose System > Permission > Role. On the displayed page, click Create Role.
  2. Specify Role Name. In the Configure Resource Permission area, click the cluster name. On the displayed service list page, click the Doris service.

    Determine whether to create a role with the Doris administrator rights based on service requirements.

    • The Doris administrator has all the rights except the node operation rights.
    • Role Name: The name of the role to be added cannot contain hyphens (-) and cannot start with a digit.
    • If yes, go to 3.
    • If no, go to 4.

  3. Select Doris Admin Privilege and click OK.
  4. Click Doris Read Write Privileges and select Select, Drop, Load, Alter, Create, or Grant for the corresponding resource.

    Determine whether to grant the permission based on the service requirements.

  5. After the authorization is complete, click OK.

Adding a User and Binding the User to the Doris Role (Kerberos authentication is enabled for the cluster (the cluster is in security mode))

  1. Log in to FusionInsight Manager, choose System > Permission > User, and click Create.
  2. Select Human-Machine for User Type and set Password and Confirm Password to the password of the user.

    • Username: The username to be added cannot contain hyphens (-). Otherwise, the authentication fails.
    • Password: The password cannot contain special characters $, ., and #. Otherwise, the authentication will fail.

  3. In the Role area, click Add. In the displayed dialog box, select a role with the Doris permission and click OK to add the role. Then, click OK.
  4. Log in to FusionInsight Manager as the new user and change the initial password of the user.
  5. Log in to the node where the MySQL client is installed and use the new user name and new password to connect to the Doris service.

    export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1

    mysql -udorisuser -p<User password> -P<Database connection port> -h<IP address of Doris FE instance>

    • The database connection port is the query connection port of the Doris FE. You can log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use the MySQL connection software or Doris WebUI to connect to the database.

Adding a Role and Binding It to a User (Kerberos authentication is disabled for the cluster (the cluster is in normal mode))

  1. Log in to the node where the MySQL client is installed and connect to the Doris service as user admin.

    mysql -uadmin -P<Database connection port> -h<IP address of Doris FE instance>

    • The default password of user admin is empty.
    • The database connection port is the query connection port of the Doris FE. You can also log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use the MySQL connection software or Doris WebUI to connect to the database.

  2. Run the following command to create a role:

    CREATE ROLE dorisrole;

  3. Run the following command to grant permissions to the role. For details about the permissions, see About Doris User Permissions. For example, to grant the ADMIN_PRIV permission to the role, run the following command:

    GRANT ADMIN_PRIV ON *.*.* TO ROLE 'dorisrole';

  4. Run the following command to create a user and bind the user to a role:

    CREATE USER 'dorisuser'@'%' IDENTIFIED BY 'password' DEFAULT ROLE 'dorisrole';

    There can be security risks if a command contains the authentication password. You are advised to disable the command recording function (history) before running the command.
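
A scoped alternative to the ADMIN_PRIV ON *.*.* grant in step 3, for roles that only need to read or load specific data. This is an added example, not part of the original procedure: the role, user, database, and table names and the password placeholders are hypothetical, and it assumes the data sits in the Doris built-in catalog named internal and uses the Doris privilege names SELECT_PRIV and LOAD_PRIV.

```sql
-- Added example. report_reader, etl_writer, sales_db, orders, report_user and
-- etl_user are hypothetical names; replace <password> with a real secret.

-- Read-only role limited to one database in the built-in "internal" catalog.
CREATE ROLE report_reader;
GRANT SELECT_PRIV ON internal.sales_db.* TO ROLE 'report_reader';

-- Loader role: may read and load data in a single table, nothing else.
CREATE ROLE etl_writer;
GRANT SELECT_PRIV, LOAD_PRIV ON internal.sales_db.orders TO ROLE 'etl_writer';

-- Bind each user to exactly one scoped role, as in step 4.
CREATE USER 'report_user'@'%' IDENTIFIED BY '<password>' DEFAULT ROLE 'report_reader';
CREATE USER 'etl_user'@'%' IDENTIFIED BY '<password>' DEFAULT ROLE 'etl_writer';

-- Verify what was actually granted before handing out the accounts.
SHOW ROLES;
SHOW GRANTS FOR 'report_user'@'%';
SHOW GRANTS FOR 'etl_user'@'%';

-- Narrow a role later without recreating its users: the change applies to
-- every user bound to the role.
REVOKE LOAD_PRIV ON internal.sales_db.orders FROM ROLE 'etl_writer';
```

In the SHOW GRANTS output, check that neither user carries Admin_priv or Grant_priv in its global privileges.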