Contents
Built-in Roles supported by StarRocks
In a StarRocks cluster, there are FIVE built-in roles:
db_admincluster_adminuser_adminsecurity_adminpublic
db_admin
Built-in database administrator. It has all data-related privileges and some basic privileges on operations and maintenance.
- Focused on management of databases and data
- Unavailable for user or cluster management
- Immutable role
| Privilege Level | Privilege Item |
|---|---|
| SYSTEM | CREATE RESOURCE, PLUGIN, FILE, BLACKLIST, OPERATE, CREATE EXTERNAL CATALOG, REPOSITORY, CREATE RESOURCE GROUP, CREATE GLOBAL FUNCTION, CREATE STORAGE VOLUME, SECURITY |
| CATALOG | USAGE, DROP, ALTER, CREATE |
| DATABASE | DROP, ALTER, CREATE, CREATE TABLE, CREATE VIEW, CREATE MATERIALIZED VIEW, CREATE FUNCTION, CREATE PIPE, CREATE MASKING POLICY, CREATE ROW ACCESS POLICY |
| TABLE | DROP, ALTER, INSERT, UPDATE, DELETE, SELECT, EXPORT |
| VIEW | DROP, ALTER, SELECT |
| MATERIALIZED VIEW | DROP, ALTER, SELECT, REFRESH |
| RESOURCE | USAGE, DROP, ALTER |
| RESOURCE GROUP | DROP, ALTER |
| FUNCTION | USAGE, DROP |
| GLOBAL FUNCTION | USAGE, DROP |
| STORAGE VOLUME | USAGE, DROP, ALTER |
| PIPE | USAGE, DROP, ALTER |
cluster_admin
Built-in cluster administrator.
- Focused on management of cluster infrastructure
- Granted with privileges on node management
- Immutable role
| Privilege Level | Privilege Item |
|---|---|
| SYSTEM | NODE |
user_admin
Built-in user administrator. It can be used to manage users, roles, and authorization.
- Focused on management of users and privileges
- Able to create, alter, and drop users
- Able to grant or revoke privileges or roles
- Immutable role
| Privilege Level | Privilege Item |
|---|---|
| SYSTEM | GRANT |
security_admin
Built-in security administrator. It can be used to manage security integrations and group providers.
- Focused on management of system security
- Able to manage security-related configurations and strategies
- Immutable role
| Privilege Level | Privilege Item |
|---|---|
| SYSTEM | SECURITY, OPERATE |
public
Built-in role that is granted to every user that can access the cluster. By default, it has no privilege. Automatically granted and activated to all cluster users. Mutable role — you can grant privileges or roles to this role if you want to grant them to all cluster users.
Manually created roles
1. read-only
-- Create a role.
CREATE ROLE read_only;
-- Grant the USAGE privilege on all catalogs to the role.
GRANT USAGE ON ALL CATALOGS TO ROLE read_only;
-- Grant the privilege to query all tables to the role.
GRANT SELECT ON ALL TABLES IN ALL DATABASES TO ROLE read_only;
-- Grant the privilege to query all views to the role.
GRANT SELECT ON ALL VIEWS IN ALL DATABASES TO ROLE read_only;
-- Grant the privilege to query all materialized views and the privilege to accelerate queries with them to the role.
GRANT SELECT ON ALL MATERIALIZED VIEWS IN ALL DATABASES TO ROLE read_only;
-- Grant the USAGE privilege on all database-level UDF to the role.
GRANT USAGE ON ALL FUNCTIONS IN ALL DATABASES TO ROLE read_only;
-- Grant the USAGE privilege on global UDF to the role.
GRANT USAGE ON ALL GLOBAL FUNCTIONS TO ROLE read_only;2. write
-- Create a role.
CREATE ROLE write;
-- Grant the USAGE privilege on all catalogs to the role.
GRANT USAGE ON ALL CATALOGS TO ROLE write;
-- Grant the INSERT and UPDATE privileges on all tables to the role.
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN ALL DATABASES TO ROLE write;
-- Grant the REFRESH privilege on all materialized views to the role.
GRANT REFRESH ON ALL MATERIALIZED VIEWS IN ALL DATABASES TO ROLE write;3. migrate
We can use the built-in db_admin role which already covers all data and schema privileges without user management capabilities.
4. user-management
We can use the built-in user_admin role which grants only the GRANT system privilege. This allows full user/role management without any data access.