Updated on 2025-08-12 GMT+08:00

Configuring Doris User Permissions

Doris user permission management enables unified management of users, roles, and permissions on each node in the cluster. You can create roles, create users, and bind users to roles on the console to control user permissions. Operations of different users do not affect each other, improving service efficiency.

Notes

  • Deleting a role is irreversible. Even if a role with the same name is added immediately after the deletion, its permissions may differ from those of the deleted role. Ensure that the role is not in use before deleting it.
  • Deleting a user is irreversible. Before deleting a user, ensure that it is no longer needed. Even if an account with the same name is added immediately after the deletion, its permissions may differ from those of the deleted account.
  • The password of an existing account cannot be viewed. If you forget the password, you can reset the password.
  • The operation permissions of an account on the database can be viewed.
  • The username and role name are case sensitive.

Prerequisites

  • A Doris cluster has been created and is running properly.
  • The MySQL client has been installed.

Step 1: Create a Doris Role

  1. Log in to the CloudTable console.
  2. Choose Cluster Management. In the right pane, select the target cluster. Choose Role Management on the page that is displayed.
  3. Click Create Role. On the Create Role page, set parameters.

    Table 1 Role permissions

    | Parameter | Description |
    | --- | --- |
    | Rolename | The role name must start with a letter and contain 1 to 64 characters. |
    | Global Permission | Global permissions refer to the permissions on all databases and tables, including the SELECT, LOAD, ALTER, CREATE, and DROP permissions. |
    | Each Level Permission | Database And Table refers to the databases and tables created in the cluster. A role has high-risk permissions for databases but only common permissions for tables. High-risk permissions: CREATE TABLE and DROP TABLE. Common permissions: SELECT, LOAD, and ALTER. |

  4. Click OK.

Step 2: Create a Doris User

  1. After a role is created, choose Account Management.
  2. Click Create Account. On the Create Account page, set the username and password.

    Table 2 Account parameters

    | Parameter | Description |
    | --- | --- |
    | Username | The username must start with a letter and contain 1 to 64 characters. |
    | Password | Enter a password for the user. NOTE: The password must contain 8 to 16 characters; must contain at least four types of the following characters: uppercase letters, lowercase letters, digits, and special characters ($@!%*?&); and cannot be the same as the username or the username spelled backwards. |
    | Confirm Password | Enter the password again. |

  3. Click OK.

Step 3: Bind a Role to a Doris User and Access the Cluster

For example, role A has the permission to query, insert, modify, create, and delete data. After being bound to role A, the user has the permissions of role A.

  1. After a role and user are created, choose Account Management, locate the target account, click More, and select Assign Role in the Operation column.
  2. In the Assign Role dialog box, select a role. Click OK.
  3. Click Permission in the Operation column and check that the user has the role permissions.
  4. Connect to the cluster as the created user.

    For details about how to connect to a non-security cluster, see Using the MySQL Client to Connect to a Doris Normal Cluster.

    ./mysql -uadmin -pPassword -h {Internal IP address of the cluster} -P9030

    For details about how to connect to a security cluster, see Using the MySQL Client to Connect to a Doris Security Cluster.

    ./mysql -uadmin -h {Internal IP address of the cluster} -P9030 --ssl-ca={path}/certificate.crt --ssl-mode=VERIFY_CA -pPassword

  5. Execute the query, insert, change, create, and delete commands in the CLI.

    • If these commands can be executed, the role is bound successfully.
    • If these commands cannot be executed, check whether the role has been configured with permissions and whether it has been bound to the user. If the fault persists, contact technical support.

Managing User Permissions

  • Managing roles
    • Deleting a role: Click Delete in the Operation column. On the displayed page, enter DELETE in the text box or click Auto Enter, and click OK.
    • Modifying role permissions: Click Edit in the Operation column. On the displayed page, select permissions as needed and click OK.
    • Viewing role permissions: Click Permission in the Operation column. On the displayed page, view the role's permissions on databases and tables.
  • Managing users
    • Viewing user permissions: Click Permission in the Operation column. On the displayed page, view the user's permissions on databases and tables.
    • Deleting a user: Click Delete in the Operation column. In the displayed dialog box, click Yes.
    • Changing the user password: Click More and select Update Password in the Operation column. On the displayed page, change the password and click OK.

Common Commands for User Permissions

  1. Creating a role
    CREATE ROLE role_name;

    role_name: name of the role to be created

  2. Assigning permissions to a role
    • Grant the permissions on a specified database table.
      GRANT LOAD_PRIV ON ctl1.db1.* TO ROLE 'my_role';
    • Grant the permission to use specified resources.
      GRANT USAGE_PRIV ON RESOURCE 'spark_resource' TO ROLE 'my_role';
  3. Deleting a role
    DROP ROLE role1;
  4. Creating a user
    • Use the CREATE USER command to create a Doris user (without a role).
      CREATE USER 'Jack' IDENTIFIED BY 'password';
      Table 3 Parameters

      | Parameter | Description |
      | --- | --- |
      | Jack | Username |
      | password | Password of the created user |

      You can also specify the IP address from which the user is allowed to log in:

      CREATE USER 'jack02'@'192.168.%' IDENTIFIED BY '123456' DEFAULT ROLE 'default_role';
    • Use the CREATE USER command to create a Doris user (with the default role assigned).
      CREATE USER 'jeo' IDENTIFIED BY 'password' DEFAULT ROLE 'default_role';
  5. Changing a user password
    Use the ALTER USER command to change the password of a user.
    ALTER USER 'Jack' IDENTIFIED BY "password";
  6. Assigning a role to the user
    • Assign a role to the user.
      GRANT 'role1','role2' TO 'jack'@'%';
      Table 4 Parameters

      | Parameter | Description |
      | --- | --- |
      | role | Created role |
      | jack | Created username |

    • Revoke the role assigned to the user.
      REVOKE 'role1' FROM 'candy';
  7. Deleting a user
    DROP USER 'Jack';
  8. Querying the permissions and roles of a user
    SHOW GRANTS;
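
The commands above combined into one least-privilege workflow, as an added example that is not part of the original guide: two narrowly scoped roles, a host-restricted user, verification, and revocation. The table name tbl1, the role names, the user name etl_svc, and the password placeholder are assumptions; ctl1.db1 and the 192.168.% host range are taken from the examples on this page.

```sql
-- Added example, not from the original guide.
-- Run as an account that is allowed to manage users and roles.
-- Assumed names: table tbl1, roles report_reader and etl_loader, user etl_svc.

-- 1. Create roles that carry only common permissions, scoped as narrowly
--    as the workload allows (no CREATE or DROP permissions).
CREATE ROLE report_reader;
GRANT SELECT_PRIV ON ctl1.db1.* TO ROLE 'report_reader';

CREATE ROLE etl_loader;
GRANT LOAD_PRIV ON ctl1.db1.tbl1 TO ROLE 'etl_loader';

-- 2. Create the user without a role and limit it to one client IP range.
--    Replace <password> with a value that meets the password requirements.
CREATE USER 'etl_svc'@'192.168.%' IDENTIFIED BY '<password>';

-- 3. Bind both roles to the user.
GRANT 'report_reader', 'etl_loader' TO 'etl_svc'@'192.168.%';

-- 4. Verify what the user and the roles actually hold.
SHOW GRANTS FOR 'etl_svc'@'192.168.%';
SHOW ROLES;

-- 5. Remove read access once it is no longer needed, then check again.
REVOKE 'report_reader' FROM 'etl_svc'@'192.168.%';
SHOW GRANTS FOR 'etl_svc'@'192.168.%';

-- 6. Clean up: drop the user first so that no account still uses the roles.
DROP USER 'etl_svc'@'192.168.%';
DROP ROLE etl_loader;
DROP ROLE report_reader;
```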