Commit 20f3902

chore: add privilege doc about view and connection
1 parent b855fa8 commit 20f3902

3 files changed

+74
-38
lines changed

docs/en/guides/56-security/access-control/01-privileges.md

Lines changed: 48 additions & 37 deletions
@@ -104,46 +104,49 @@ Databend offers a range of privileges that allow you to exercise fine-grained co
104104

105105
### All Privileges
106106

107-
| Privilege | Object Type | Description |
108-
|:-----------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------|
109-
| ALL | All | Grants all the privileges for the specified object type. |
110-
| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. |
111-
| CREATE | Global, Table | Creates a table or UDF. |
112-
| CREATE DATABASE | Global | Creates a database or UDF. |
113-
| CREATE WAREHOUSE | Global | Creates a warehouse. |
114-
| DELETE | Table | Deletes or truncates rows in a table. |
115-
| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. |
116-
| INSERT | Table | Inserts rows into a table. |
117-
| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. |
118-
| UPDATE | Table | Updates rows in a table. |
119-
| GRANT | Global | Grants / revokes privileges to / from a user or role. |
120-
| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. |
121-
| USAGE | Global | Synonym for “no privileges”. |
122-
| CREATE ROLE | Global | Creates a role. |
123-
| DROP ROLE | Global | Drops a role. |
124-
| CREATE USER | Global | Creates a SQL user. |
125-
| DROP USER | Global | Drops a SQL user. |
126-
| WRITE | Stage | Write into a stage. |
127-
| READ | Stage | Read a stage. |
128-
| USAGE | UDF | Use udf. |
107+
| Privilege | Object Type | Description |
108+
|:------------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------|
109+
| ALL | All | Grants all the privileges for the specified object type. |
110+
| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. |
111+
| CREATE | Global, Table | Creates a table or UDF. |
112+
| CREATE DATABASE | Global | Creates a database or UDF. |
113+
| CREATE WAREHOUSE | Global | Creates a warehouse. |
114+
| CREATE CONNECTION | Global | Creates a connection. |
115+
| DELETE | Table | Deletes or truncates rows in a table. |
116+
| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. |
117+
| INSERT | Table | Inserts rows into a table. |
118+
| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. |
119+
| UPDATE | Table | Updates rows in a table. |
120+
| GRANT | Global | Grants / revokes privileges to / from a user or role. |
121+
| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. |
122+
| USAGE | Global | Synonym for “no privileges”. |
123+
| CREATE ROLE | Global | Creates a role. |
124+
| DROP ROLE | Global | Drops a role. |
125+
| CREATE USER | Global | Creates a SQL user. |
126+
| DROP USER | Global | Drops a SQL user. |
127+
| WRITE | Stage | Write into a stage. |
128+
| READ | Stage | Read a stage. |
129+
| USAGE | UDF | Use udf. |
130+
| ACCESS CONNECTION | CONNECTION | Access connection. |
129131

130132
### Global Privileges
131133

132-
| Privilege | Description |
133-
|:-----------------|:------------------------------------------------------------------------------------------------------------------|
134-
| ALL | Grants all the privileges for the specified object type. |
135-
| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. |
136-
| CREATEROLE | Creates a role. |
137-
| CREAT DATABASE | Creates a DATABASE. |
138-
| CREATE WAREHOUSE | Creates a WAREHOUSE. |
139-
| DROPUSER | Drops a user. |
140-
| CREATEUSER | Creates a user. |
141-
| DROPROLE | Drops a role. |
142-
| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. |
143-
| USAGE | Connects to a databend query only. |
144-
| CREATE | Creates a UDF. |
145-
| DROP | Drops a UDF. |
146-
| ALTER | Alters a UDF. Alters a SQL user. |
134+
| Privilege | Description |
135+
|:------------------|:------------------------------------------------------------------------------------------------------------------|
136+
| ALL | Grants all the privileges for the specified object type. |
137+
| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. |
138+
| CREATEROLE | Creates a role. |
139+
| CREAT DATABASE | Creates a DATABASE. |
140+
| CREATE WAREHOUSE | Creates a WAREHOUSE. |
141+
| CREATE CONNECTION | Creates a CONNECTION. |
142+
| DROPUSER | Drops a user. |
143+
| CREATEUSER | Creates a user. |
144+
| DROPROLE | Drops a role. |
145+
| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. |
146+
| USAGE | Connects to a databend query only. |
147+
| CREATE | Creates a UDF. |
148+
| DROP | Drops a UDF. |
149+
| ALTER | Alters a UDF. Alters a SQL user. |
147150

148151
### Table Privileges
149152

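Review bot: the re-emitted Global Privileges table carries the `CREAT DATABASE` typo over unchanged from the old row 137- into the new row 139+; since the whole table is being rewritten for column alignment, fix it to `CREATE DATABASE` in the same change. Two consistency points in the same hunk: the new `ACCESS CONNECTION` row (130+) gives the object type as `CONNECTION` where every other row uses title case (`Global`, `Stage`, `UDF`), so `Connection` would match; and the Global Privileges table still lists `ALTER` twice (137+ and 149+) with different descriptions, which reads as an oversight and should be merged into one row.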
@@ -224,3 +227,11 @@ Please note that you can use the [USE DATABASE](/sql/sql-commands/ddl/database/d
224227
|:----------|:---------------------------------------------------------|
225228
| SUPER | SHOW CREATE catalog. Creates or drops a catalog. |
226229
| ALL | Grants all the privileges for the specified object type. |
230+
231+
### Connection Privileges
232+
233+
| Privilege | Description |
234+
|:------------------|:-------------------------------------------------------------------------------------------------------------------|
235+
| Access Connection | Can access Connection. |
236+
| ALL | Grants Access Connection privileges for the specified object type. |
237+
| OWNERSHIP | Grants full control over a Connection. Only a single role can hold this privilege on a specific object at a time. |
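Review bot: the new Connection Privileges table names the privilege `Access Connection` (235+) while the All Privileges table in this same commit spells it `ACCESS CONNECTION`; the other tables use the uppercase SQL keyword form, so use that here too. The description `Can access Connection.` restates the name without saying which operations are gated by it, and the `ALL` row (`Grants Access Connection privileges for the specified object type.`) departs from the wording used for `ALL` in every other table (`Grants all the privileges for the specified object type.`); aligning both makes the table usable as a reference for what a grant actually permits.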

docs/en/sql-reference/10-sql-commands/00-ddl/05-view/ddl-create-view.md

Lines changed: 6 additions & 0 deletions
@@ -31,6 +31,12 @@ So, if you delete the table which the view depends on, it occurs an error that t
3131
CREATE [ OR REPLACE ] VIEW [ IF NOT EXISTS ] [ db. ]view_name [ (<column>, ...) ] AS SELECT query
3232
```
3333

34+
## Access control requirements
35+
36+
To access a view, users only require the SELECT privilege on the view itself.
37+
38+
Separate permissions are not required on the view’s underlying tables. This mechanism simplifies access control and enhances data security.
39+
3440
## Examples
3541

3642
```sql
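Review bot: the `Access control requirements` section added to the CREATE VIEW page (34+ to 38+) documents only what is needed to query a view and says nothing about the privilege required to create or replace one; this commit's privileges table lists View under ALTER and DROP but not under CREATE, so the page should state explicitly which privilege CREATE VIEW checks. It is also worth spelling out the consequence of lines 36+ and 38+: because no privileges on the base tables are required, granting SELECT on a view delegates read access to whatever its query selects, so the text should present a view grant as a delegation made by the grantor rather than only saying it `enhances data security`. Minor: the context in the hunk header (`it occurs an error that t`) suggests the surrounding sentence has a grammar problem worth fixing while editing this page.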

docs/en/sql-reference/10-sql-commands/00-ddl/13-connection/create-connection.md

Lines changed: 20 additions & 1 deletion
@@ -4,7 +4,7 @@ sidebar_position: 1
44
---
55
import FunctionDescription from '@site/src/components/FunctionDescription';
66

7-
<FunctionDescription description="Introduced or updated: v1.2.339"/>
7+
<FunctionDescription description="Introduced or updated: v1.2.780"/>
88

99
Creates a connection to external storage.
1010

@@ -62,6 +62,25 @@ CREATE CONNECTION <connection_name>
6262
| ROLE_ARN | The Amazon Resource Name (ARN) of the IAM role that Databend will assume to access your S3 resources. |
6363

6464

65+
## Access control requirements
66+
67+
| Privilege | Object Type | Description |
68+
|:------------------|:------------|:----------------------|
69+
| CREATE CONNECTION | Global | Creates a connection. |
70+
71+
72+
To create a connection, the user performing the operation or the [current_role](/guides/security/access-control/roles) must have the CREATE CONNECTION [privilege](/guides/security/access-control/privileges).
73+
74+
:::note
75+
76+
The enable_experimental_connection_rbac_check settings governs connection-level access control. It is disabled by default.
77+
Connection creation solely requires the user to possess superuser privileges, bypassing detailed RBAC checks.
78+
When enabled, granular permission verification is enforced during connection establishment.
79+
80+
This is an experimental feature and may be enabled by default in the future.
81+
82+
:::
83+
6584
## Examples
6685

6786
### Using Access Keys
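Review bot: the `:::note` at 74+ to 82+ leaves the default behaviour ambiguous: line 77+ (`Connection creation solely requires the user to possess superuser privileges, bypassing detailed RBAC checks.`) does not say it describes the case where `enable_experimental_connection_rbac_check` is disabled, so a reader can take it as contradicting line 72+, which says the CREATE CONNECTION privilege is required. Suggest restructuring it as: when the setting is disabled (the default), creating a connection requires superuser privileges and the CREATE CONNECTION privilege is not checked; when it is enabled, the privilege in the table above is enforced. Also `The enable_experimental_connection_rbac_check settings governs` should read `setting governs`, and the table at 67+ to 69+ should carry the same caveat or point to the note, otherwise a reader skimming the table assumes the RBAC check is in force by default.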
