Skip to content

add datasync and authority in table sql manual #1159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
HTHou merged 1 commit into from
Jun 11, 2026
Merged

add datasync and authority in table sql manual #1159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/.vuepress/sidebar/V2.0.x/en-Table.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,8 @@ export const enSidebar = {
{ text: 'Set Operations', link: 'Set-Operations_apache' },
],
},
{ text: 'Data Sync', link: 'SQL-Data-Sync_apache' },
{ text: 'Authority Management', link: 'SQL-Authority-Management_apache' },
{ text: 'Maintenance Statements', link: 'SQL-Maintenance-Statements_apache' },
{ text: 'Identifier', link: 'Identifier' },
{ text: 'Keywords', link: 'Keywords' },
Expand Down
2 changes: 2 additions & 0 deletions src/.vuepress/sidebar/V2.0.x/zh-Table.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,8 @@ export const zhSidebar = {
{ text: '集合操作', link: 'Set-Operations_apache' },
],
},
{ text: '数据同步', link: 'SQL-Data-Sync_apache' },
{ text: '权限管理', link: 'SQL-Authority-Management_apache' },
{ text: '运维语句', link: 'SQL-Maintenance-Statements_apache' },
{ text: '标识符', link: 'Identifier' },
{ text: '保留字&关键字', link: 'Keywords' },
Expand Down
378 changes: 378 additions & 0 deletions src/UserGuide/Master/Table/SQL-Manual/SQL-Authority-Management_apache.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,378 @@
<!--

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.

-->

# Authority Management

This document is the SQL manual for authority management starting from version V2.0.7. For detailed function usage, see [Authority Management](../User-Manual/Authority-Management-Upgrade_apache.md). For an introduction to authority management functions before version V2.0.7, refer to [Authority Management](../User-Manual/Authority-Management_apache.md)

## 1. Privilege List

<table>
<tbody>
<tr>
<th>Privilege Type</th>
<th>Privilege Name</th>
<th>Scope of Effect</th>
<th>Description</th>
</tr>
<!-- Global Privileges - SYSTEM -->
<tr>
<td rowspan="17">Global Privileges</td>
<td rowspan="6">SYSTEM</td>
<td rowspan="6">Global</td>
<td>Allows users to create, modify, and delete databases.</td>
</tr>
<tr>
<td>Allows users to create, modify, and delete tables and table views.</td>
</tr>
<tr>
<td>Allows users to create, delete, and view user-defined functions.</td>
</tr>
<tr>
<td>Allows users to create, start, stop, delete, and view PIPEs. Allows users to create, delete, and view PIPEPLUGINS.</td>
</tr>
<tr>
<td>Allows users to query and cancel queries. Allows users to view variables. Allows users to view cluster status.</td>
</tr>
<tr>
<td>Allows users to create, delete, and view deep learning models.</td>
</tr>
<!-- Global Privileges - SECURITY -->
<tr>
<td rowspan="10">SECURITY</td>
<td rowspan="10">Global</td>
<td>Allows users to create users.</td>
</tr>
<tr>
<td>Allows users to delete users.</td>
</tr>
<tr>
<td>Allows users to modify user passwords.</td>
</tr>
<tr>
<td>Allows users to view user privilege information.</td>
</tr>
<tr>
<td>Allows users to list all users.</td>
</tr>
<tr>
<td>Allows users to create roles.</td>
</tr>
<tr>
<td>Allows users to delete roles.</td>
</tr>
<tr>
<td>Allows users to view role privilege information.</td>
</tr>
<tr>
<td>Allows users to grant a role to a user or revoke it.</td>
</tr>
<tr>
<td>Allows users to list all roles.</td>
</tr>
<!-- Global Privileges - AUDIT -->
<tr>
<td>AUDIT</td>
<td>Global</td>
<td>Allows users to maintain audit log rules and view audit logs.</td>
</tr>
<!-- Data Privileges - CREATE -->
<tr>
<td rowspan="15">Data Privileges</td>
<td rowspan="3">CREATE</td>
<td>ANY</td>
<td>Allows creating any table and any database.</td>
</tr>
<tr>
<td>Database</td>
<td>Allows users to create tables under this database; allows users to create a database with this name.</td>
</tr>
<tr>
<td>Table</td>
<td>Allows users to create a table with this name.</td>
</tr>
<!-- Data Privileges - ALTER -->
<tr>
<td rowspan="3">ALTER</td>
<td>ANY</td>
<td>Allows modifying the definition of any table and any database.</td>
</tr>
<tr>
<td>Database</td>
<td>Allows users to modify the definition of a database and the definitions of tables under that database.</td>
</tr>
<tr>
<td>Table</td>
<td>Allows users to modify the definition of a table.</td>
</tr>
<!-- Data Privileges - SELECT -->
<tr>
<td rowspan="3">SELECT</td>
<td>ANY</td>
<td>Allows querying data from any table in any database in the system.</td>
</tr>
<tr>
<td>Database</td>
<td>Allows users to query data from any table in this database.</td>
</tr>
<tr>
<td>Table</td>
<td>Allows users to query data in this table. When executing multi-table queries, the database only displays data that the user has permission to access.</td>
</tr>
<!-- Data Privileges - INSERT -->
<tr>
<td rowspan="3">INSERT</td>
<td>ANY</td>
<td>Allows inserting/updating data into any table in any database.</td>
</tr>
<tr>
<td>Database</td>
<td>Allows users to insert/update data into any table within the scope of this database.</td>
</tr>
<tr>
<td>Table</td>
<td>Allows users to insert/update data into this table.</td>
</tr>
<!-- Data Privileges - DELETE -->
<tr>
<td rowspan="3">DELETE</td>
<td>ANY</td>
<td>Allows deleting data from any table.</td>
</tr>
<tr>
<td>Database</td>
<td>Allows users to delete data within the scope of this database.</td>
</tr>
<tr>
<td>Table</td>
<td>Allows users to delete data from this table.</td>
</tr>
</tbody>
</table>

## 2. SQL Statements

### 2.1 User and Role Management

1. Create User (Requires SECURITY privilege)

```SQL
CREATE USER <USERNAME> <PASSWORD>
eg: CREATE USER user1 'passwd';
```

2. Change Password

Users can change their own passwords, but changing other users' passwords requires the SECURITY privilege.

```SQL
ALTER USER <USERNAME> SET PASSWORD <password>
eg: ALTER USER tempuser SET PASSWORD 'newpwd';
```

3. Drop User (Requires SECURITY privilege)

```SQL
DROP USER <USERNAME>
eg: DROP USER user1;
```

4. Create Role (Requires SECURITY privilege)

```SQL
CREATE ROLE <ROLENAME>
eg: CREATE ROLE role1;
```

5. Drop Role (Requires SECURITY privilege)

```SQL
DROP ROLE <ROLENAME>
eg: DROP ROLE role1;
```

6. Grant Role to User (Requires SECURITY privilege)

```SQL
GRANT ROLE <ROLENAME> TO <USERNAME>
eg: GRANT ROLE admin TO user1;
```

7. Revoke Role from User (Requires SECURITY privilege)

```SQL
REVOKE ROLE <ROLENAME> FROM <USERNAME>
eg: REVOKE ROLE admin FROM user1;
```

8. List All Users (Requires SECURITY privilege)

```SQL
LIST USER;
```

9. List All Roles (Requires SECURITY privilege)

```SQL
LIST ROLE;
```

10. List All Users Under a Specified Role (Requires SECURITY privilege)

```SQL
LIST USER OF ROLE <ROLENAME>
eg: LIST USER OF ROLE roleuser;
```

11. List All Roles of a Specified User

Users can list their own roles, but listing other users' roles requires the SECURITY privilege.

```SQL
LIST ROLE OF USER <USERNAME>
eg: LIST ROLE OF USER tempuser;
```

12. List All Privileges of a User

Users can list their own privilege information, but listing other users' privileges requires the SECURITY privilege.

```SQL
LIST PRIVILEGES OF USER <USERNAME>
eg: LIST PRIVILEGES OF USER tempuser;
```

13. List All Privileges of a Role

Users can list the privilege information of roles they possess, but listing other roles' privileges requires the SECURITY privilege.

```SQL
LIST PRIVILEGES OF ROLE <ROLENAME>
eg: LIST PRIVILEGES OF ROLE actor;
```

### 2.2 Privilege Management

#### 2.2.1 Grant Privileges

1. Grant user management privileges to a user

```SQL
GRANT SECURITY TO USER <USERNAME>
eg: GRANT SECURITY TO USER TEST_USER;
```

2. Grant a user the privilege to create databases and create tables within the database scope, and allow the user to manage privileges within that scope

```SQL
GRANT CREATE ON DATABASE <DATABASE> TO USER <USERNAME> WITH GRANT OPTION
eg: GRANT CREATE ON DATABASE TESTDB TO USER TEST_USER WITH GRANT OPTION;
```

3. Grant a role the privilege to query a database

```SQL
GRANT SELECT ON DATABASE <DATABASE> TO ROLE <ROLENAME>
eg: GRANT SELECT ON DATABASE TESTDB TO ROLE TEST_ROLE;
```

4. Grant a user the privilege to query a table

```SQL
GRANT SELECT ON <DATABASE>.<TABLENAME> TO USER <USERNAME>
eg: GRANT SELECT ON TESTDB.TESTTABLE TO USER TEST_USER;
```

5. Grant a role the privilege to query all databases and tables

```SQL
GRANT SELECT ON ANY TO ROLE <ROLENAME>
eg: GRANT SELECT ON ANY TO ROLE TEST_ROLE;
```

6. ALL Syntax Sugar: ALL represents all privileges within the object scope. You can use the ALL field to flexibly grant privileges.

```SQL
GRANT ALL TO USER TESTUSER;
-- Grants all privileges available to the user, including global privileges and all data privileges in the ANY scope

GRANT ALL ON ANY TO USER TESTUSER;
-- Grants all data privileges available in the ANY scope to the user. After executing this statement, the user will have all data privileges on all databases

GRANT ALL ON DATABASE TESTDB TO USER TESTUSER;
-- Grants all data privileges available in the DB scope to the user. After executing this statement, the user will have all data privileges on this database

GRANT ALL ON TABLE TESTTABLE TO USER TESTUSER;
-- Grants all data privileges available in the TABLE scope to the user. After executing this statement, the user will have all data privileges on this table
```

#### 2.2.2 Revoke Privileges

1. Revoke user management privileges from a user

```SQL
REVOKE SECURITY FROM USER <USERNAME>
eg: REVOKE SECURITY FROM USER TEST_USER;
```

2. Revoke a user's privilege to create databases and create tables within the database scope

```SQL
REVOKE CREATE ON DATABASE <DATABASE> FROM USER <USERNAME>
eg: REVOKE CREATE ON DATABASE TEST_DB FROM USER TEST_USER;
```

3. Revoke a user's privilege to query a table

```SQL
REVOKE SELECT ON <DATABASE>.<TABLENAME> FROM USER <USERNAME>
eg: REVOKE SELECT ON TESTDB.TESTTABLE FROM USER TEST_USER;
```

4. Revoke a user's privilege to query all databases and tables

```SQL
REVOKE SELECT ON ANY FROM USER <USERNAME>
eg: REVOKE SELECT ON ANY FROM USER TEST_USER;
```

5. ALL Syntax Sugar: ALL represents all privileges within the object scope. You can use the ALL field to flexibly revoke privileges.

```SQL
REVOKE ALL FROM USER TESTUSER;
-- Revokes all global privileges and all data privileges in the ANY scope from the user

REVOKE ALL ON ANY FROM USER TESTUSER;
-- Revokes all data privileges in the ANY scope from the user, and does not affect DB-scope and TABLE-scope privileges

REVOKE ALL ON DATABASE TESTDB FROM USER TESTUSER;
-- Revokes all data privileges on the DB from the user, and does not affect TABLE privileges

REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER;
-- Revokes all data privileges on the TABLE from the user
```

#### 2.2.3 View User Privileges

```SQL
LIST PRIVILEGES OF USER <USERNAME>
eg: LIST PRIVILEGES OF USER tempuser
```
Loading
Loading