Contents


Built-in Roles supported by StarRocks

In a StarRocks cluster, there are FIVE built-in roles:

  • db_admin
  • cluster_admin
  • user_admin
  • security_admin
  • public

db_admin

Built-in database administrator. It has all data-related privileges and some basic privileges on operations and maintenance.

  1. Focused on management of databases and data
  2. Unavailable for user or cluster management
  3. Immutable role
Privilege LevelPrivilege Item
SYSTEMCREATE RESOURCE, PLUGIN, FILE, BLACKLIST, OPERATE, CREATE EXTERNAL CATALOG, REPOSITORY, CREATE RESOURCE GROUP, CREATE GLOBAL FUNCTION, CREATE STORAGE VOLUME, SECURITY
CATALOGUSAGE, DROP, ALTER, CREATE
DATABASEDROP, ALTER, CREATE, CREATE TABLE, CREATE VIEW, CREATE MATERIALIZED VIEW, CREATE FUNCTION, CREATE PIPE, CREATE MASKING POLICY, CREATE ROW ACCESS POLICY
TABLEDROP, ALTER, INSERT, UPDATE, DELETE, SELECT, EXPORT
VIEWDROP, ALTER, SELECT
MATERIALIZED VIEWDROP, ALTER, SELECT, REFRESH
RESOURCEUSAGE, DROP, ALTER
RESOURCE GROUPDROP, ALTER
FUNCTIONUSAGE, DROP
GLOBAL FUNCTIONUSAGE, DROP
STORAGE VOLUMEUSAGE, DROP, ALTER
PIPEUSAGE, DROP, ALTER

cluster_admin

Built-in cluster administrator.

  1. Focused on management of cluster infrastructure
  2. Granted with privileges on node management
  3. Immutable role
Privilege LevelPrivilege Item
SYSTEMNODE

user_admin

Built-in user administrator. It can be used to manage users, roles, and authorization.

  1. Focused on management of users and privileges
  2. Able to create, alter, and drop users
  3. Able to grant or revoke privileges or roles
  4. Immutable role
Privilege LevelPrivilege Item
SYSTEMGRANT

security_admin

Built-in security administrator. It can be used to manage security integrations and group providers.

  1. Focused on management of system security
  2. Able to manage security-related configurations and strategies
  3. Immutable role
Privilege LevelPrivilege Item
SYSTEMSECURITY, OPERATE

public

Built-in role that is granted to every user that can access the cluster. By default, it has no privilege. Automatically granted and activated to all cluster users. Mutable role — you can grant privileges or roles to this role if you want to grant them to all cluster users.


Manually created roles

1. read-only

-- Create a role.
CREATE ROLE read_only;
-- Grant the USAGE privilege on all catalogs to the role.
GRANT USAGE ON ALL CATALOGS TO ROLE read_only;
-- Grant the privilege to query all tables to the role.
GRANT SELECT ON ALL TABLES IN ALL DATABASES TO ROLE read_only;
-- Grant the privilege to query all views to the role.
GRANT SELECT ON ALL VIEWS IN ALL DATABASES TO ROLE read_only;
-- Grant the privilege to query all materialized views and the privilege to accelerate queries with them to the role.
GRANT SELECT ON ALL MATERIALIZED VIEWS IN ALL DATABASES TO ROLE read_only;
-- Grant the USAGE privilege on all database-level UDF to the role.
GRANT USAGE ON ALL FUNCTIONS IN ALL DATABASES TO ROLE read_only;
-- Grant the USAGE privilege on global UDF to the role.
GRANT USAGE ON ALL GLOBAL FUNCTIONS TO ROLE read_only;

2. write

-- Create a role.
CREATE ROLE write;
-- Grant the USAGE privilege on all catalogs to the role.
GRANT USAGE ON ALL CATALOGS TO ROLE write;
-- Grant the INSERT and UPDATE privileges on all tables to the role.
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN ALL DATABASES TO ROLE write;
-- Grant the REFRESH privilege on all materialized views to the role.
GRANT REFRESH ON ALL MATERIALIZED VIEWS IN ALL DATABASES TO ROLE write;

3. migrate

We can use the built-in db_admin role which already covers all data and schema privileges without user management capabilities.

4. user-management

We can use the built-in user_admin role which grants only the GRANT system privilege. This allows full user/role management without any data access.