Help Center/ MapReduce Service/ Component Operation Guide (LTS) (Ankara Region)/ Using Doris/ Permissions Management/ Doris Permissions Management
Updated on 2024-11-29 GMT+08:00
View PDF
Share

Doris Permissions Management

The Doris permission management system implements row-level fine-grained permission control and role-based permission access control.

User Permissions

Table 1 lists the permissions supported by the Doris.

Table 1 Doris permission list

Permission

Description

Node_priv

Node change permission to add and delete FE, BE, and DBroker nodes, and take them offline.

This permission can be granted only at the global level.

Admin_priv

All permissions except NODE_PRIV.

Grant_priv

Permission to grant, revoke, add, delete, and change users and roles.

Users with this permission cannot grant the NODE_PRIV permission to other users unless they already have the NODE_PRIV permission.

Select_priv

Read-only permission on databases and tables.

Load_priv

Write permission on databases and tables, including permission to load, insert, and delete data.

Alter_priv

Permission to modify databases and tables, including renaming databases and tables, adding, deleting, and changing columns, and adding and deleting partitions.

Create_priv

Permission to create databases, tables, and views.

Drop_priv

Permission to delete databases, tables, and views.

Usage_priv

Permission to use resources and workload groups.

Database and table permissions are classified into the following four levels based on the scope:

  • CATALOG LEVEL: catalog-level permission on any databases and tables in the specified catalog
  • DATABASE LEVEL: database-level permission on any tables in specified databases
  • TABLE LEVEL: table-level permission on specified tables in a specified database
  • RESOURCE LEVEL: resource-level permission on specified resources

Prerequisite

  • The Doris service is running properly.
  • The role name must not be operator or admin.
  • If Kerberos authentication is enabled for the cluster (the cluster is in security mode), it takes about 2 minutes for the permission to take effect after assignment.

Adding a Doris Role (Security Mode)

  1. Log in to Manager and choose System > Permission > Role. On the displayed page, click Create Role.
  1. Specify Role Name. In the Configure Resource Permission area, click the cluster name. On the displayed service list page, click the Doris service.

    Determine whether to create a role with the Doris administrator rights based on service requirements.

    • The Doris administrator has all the rights except the node operation rights.
    • The role name cannot contain hyphens (-). Otherwise, the authentication will fail.
    • If you want to create such a role, go to 3.
    • If you don't, go to 4.

  2. Select Doris Admin Privilege and click OK.
  3. Click Doris Read Write Privileges and select Select, Drop, Load, Alter, Create, or Grant for the corresponding resource.

    Determine whether to grant the permission based on the service requirements.

  4. Wait until the authorization is complete, and click OK.

Adding a User and Binding the User to the Doris Role (Security Mode)

  1. Log in to Manager and choose System > Permission > User and click Create.
  2. Select Human-Machine for User Type and set Password and Confirm Password to the password of the user.

    • Username: The username cannot contain hyphens (-). Otherwise, the authentication will fail.
    • Password: The password cannot contain special characters the dollar sign ($), period (.), or number sign (#). Otherwise, the authentication will fail.

  3. In the Role area, click Add. In the displayed dialog box, select a role with the Doris permission and click OK to add the role. Then, click OK.
  4. Log in to FusionInsight Manager as the new user and change the initial password.
  5. Log in to the node where the MySQL client is installed and use the new username and new password to connect to the Doris service.

    export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1

    mysql -uDoris user-pDatabase login password -PConnection port for FE queries-hIP address of the Doris FE instance

    • To obtain the query connection port of the Doris FE instance, you can log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use the MySQL connection software or Doris web UI to connect to the database.

Adding a Role and Binding It to a User (Normal Mode)

  1. Log in to the node where the MySQL client is installed and connect to the Doris service as user admin.

    mysql -uadmin -PConnection port for FE queries -hIP address of the Doris FE instance

    • The default password of user admin is empty.
    • To obtain the query connection port of the Doris FE instance, you can log in to FusionInsight Manager, choose Cluster > Services > Doris > Configurations, and query the value of query_port of the Doris service.
    • To obtain the IP address of the Doris FE instance, log in to FusionInsight Manager of the MRS cluster and choose Cluster > Services > Doris > Instances to view the IP address of any FE instance.
    • You can also use the MySQL connection software or Doris web UI to connect to the database.

  2. Run the following command to create a role:

    CREATE ROLE dorisrole;

  3. Run the following command to grant a permission to the role. For details about permissions, see User Permissions. For example, to grant the ADMIN_PRIV permission to the role, run the following command:

    GRANT ADMIN_PRIV ON *.*.* TO ROLE 'dorisrole';

  4. Run the following command to create a user and bind the user to a role:

    CREATE USER 'dorisuser'@'%' IDENTIFIED BY 'password' DEFAULT ROLE 'dorisrole';

Parent topic: Permissions Management