Updated on 2024-05-29 GMT+08:00

Doris Permissions Management

The Doris permission management system implements row-level fine-grained permission control and role-based permission access control.

Introduction to User Rights

Table 1 lists the permissions supported by Doris.

Table 1 Doris Permission List (Permission: Permission Introduction)

  • Node_priv: Node change permission. Add, delete, and bring offline FE, BE, and DBroker nodes. This permission can be granted only at the Global level.
  • Admin_priv: All permissions except NODE_PRIV.
  • Grant_priv: Permission change permission, including granting permissions, revoking permissions, and adding, deleting, and changing users and roles. Users with this permission cannot grant the node_priv permission to other users unless they already have the node_priv permission themselves.
  • Select_priv: Read-only permission on databases and tables.
  • Load_priv: Write permission on databases and tables, including Load, Insert, and Delete.
  • Alter_priv: Permission to modify databases and tables, including renaming databases or tables, adding, deleting, or changing columns, and adding or deleting partitions.
  • Create_priv: Permission to create databases, tables, and views.
  • Drop_priv: Permission to drop databases, tables, and views.
  • Usage_priv: Permission to use resources and workload groups.

Database table permissions are classified into the following four levels based on the permission application scope:

  • CATALOG LEVEL: catalog-level permission. The granted permission applies to any database and table in the specified catalog.
  • DATABASE LEVEL: database-level permission. The granted permissions apply to any table in the specified database.
  • TABLE LEVEL: table-level permission. The granted permissions apply to the specified table in the specified database.
  • RESOURCE LEVEL: resource-level permission. The granted permission applies to the specified resource.

Prerequisite

  • The Doris service is running properly.
  • The role name cannot be operator or admin.
  • When Kerberos authentication is enabled for the cluster (the cluster is in security mode), it takes about 2 minutes for the permission to take effect after the Doris permission is successfully assigned.
  • Only clusters of MRS 3.3.0 and later versions support role assignment on FusionInsight Manager. If the cluster version is earlier than MRS 3.3.0, you need to connect to the database as user root (the default password is empty) regardless of whether Kerberos authentication is enabled.

Adding the Doris Role (Kerberos authentication is enabled for the cluster, that is, the cluster is in security mode)

  1. Log in to Manager and choose System > Permission > Role. On the displayed page, click Create Role.
  2. Specify Role Name. In the Configure Resource Permission area, click the cluster name. On the displayed service list page, click the Doris service.

    Determine whether to create a role with the Doris administrator rights based on service requirements.

    • The Doris administrator has all the rights except the node operation rights.
    • Role Name: The name of the role to be added cannot contain hyphens (-) and cannot start with a digit.
    • If yes, go to 3.
    • If no, go to 4.

  3. Select Doris Admin Privilege and click OK.
  4. Click Doris Read Write Privileges and select Select, Drop, Load, Alter, Create, or Grant for the corresponding resource.

    Grant each permission only if the service requires it.

  5. After the authorization is complete, click OK.

Adding a User and Binding the User to the Doris Role (Kerberos authentication is enabled for the cluster, that is, the cluster is in security mode)

  1. Log in to Manager and choose System > Permission > User and click Create.
  2. Select Human-Machine for User Type and set Password and Confirm Password to the password of the user.

    • Username: The username to be added cannot contain hyphens (-). Otherwise, the authentication fails.
    • Password: The password cannot contain special characters $, ., and #. Otherwise, the authentication will fail.

  3. In the Role area, click Add. In the displayed dialog box, select a role with the Doris permission and click OK to add the role. Then, click OK.
  4. Log in to FusionInsight Manager as the new user and change the initial password of the user.
  5. Log in to the node where the MySQL client is installed and use the new user name and new password to connect to the Doris service.

    export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1

    mysql -udorisuser -p<user password> -P<database connection port> -h<IP address of Doris FE instance>

    • LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 enables the MySQL client's cleartext authentication plugin. With this plugin the password is sent to the server as cleartext unless the connection itself is encrypted, so run the client from a trusted network.
    • The database connection port is the query connection port of the Doris FE. You can log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use MySQL connection software or the Doris WebUI to connect to the database.

Adding a Role and Binding It to a User (Kerberos authentication is disabled for the cluster, that is, the cluster is in normal mode)

  1. Log in to the node where the MySQL client is installed and connect to the Doris service as user admin.

    mysql -uadmin -P<database connection port> -h<IP address of Doris FE instance>

    • The default password of user admin is empty.
    • The database connection port is the query connection port of the Doris FE. You can also log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use MySQL connection software or the Doris WebUI to connect to the database.

  2. Run the following command to create a role:

    CREATE ROLE dorisrole;

  3. Run the following command to grant permissions to the role. For details about the permissions, see Introduction to User Rights. For example, to grant the ADMIN_PRIV permission to the role, run the following command:

    GRANT ADMIN_PRIV ON *.*.* TO ROLE 'dorisrole';

  4. Run the following commands to create a user and bind the user to a role:

    CREATE USER 'dorisuser'@'%' IDENTIFIED BY 'password' DEFAULT ROLE 'dorisrole';
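The statements above grant ADMIN_PRIV to the role. The following added example (not from this page) applies the permission levels from Table 1 instead, building a least-privilege role with database-, table- and resource-level grants and then checking the result. The names reporting_role, example_db, staging_events, report_user and spark_resource are assumptions.

```sql
-- Added example, not part of the original page: a least-privilege role in
-- place of ADMIN_PRIV. Object names are assumptions; per the prerequisites,
-- a role must not be named "operator" or "admin".
CREATE ROLE reporting_role;

-- DATABASE LEVEL: read-only on every table in example_db of the internal catalog.
GRANT SELECT_PRIV ON internal.example_db.* TO ROLE 'reporting_role';

-- TABLE LEVEL: write (Load, Insert, Delete) on a single staging table only.
GRANT LOAD_PRIV ON internal.example_db.staging_events TO ROLE 'reporting_role';

-- RESOURCE LEVEL: allow the role to use one named resource.
GRANT USAGE_PRIV ON RESOURCE 'spark_resource' TO ROLE 'reporting_role';

-- Bind a user to the role. '%' accepts connections from any host; narrow it
-- to a host or subnet where the deployment allows. Replace the placeholder password.
CREATE USER 'report_user'@'%' IDENTIFIED BY 'PLACEHOLDER_PASSWORD' DEFAULT ROLE 'reporting_role';

-- Verify the effective grants before handing the account out.
SHOW GRANTS FOR 'report_user'@'%';

-- Take the table-level write permission back once it is no longer required.
REVOKE LOAD_PRIV ON internal.example_db.staging_events FROM ROLE 'reporting_role';
```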