From 970a35d65809134fc65aa66aa46187cf1dce8fcb Mon Sep 17 00:00:00 2001 From: luozenglin <37725793+luozenglin@users.noreply.github.com> Date: Tue, 9 Aug 2022 11:02:47 +0800 Subject: [PATCH] [fix](docs) Fix some errors related to privilege and grant in the docs (#11377) Fix some errors related to privilege and grant in the docs --- .../privilege-ldap/user-privilege.md | 17 +++++---- .../Account-Management-Statements/GRANT.md | 37 ++++++++++--------- .../privilege-ldap/user-privilege.md | 16 ++++---- .../Account-Management-Statements/GRANT.md | 21 ++++++----- 4 files changed, 48 insertions(+), 43 deletions(-) diff --git a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md index b5db18346c..5f0739d262 100644 --- a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -107,28 +107,29 @@ Doris currently supports the following permissions ## Permission hierarchy -At the same time, according to the scope of application of permissions, we divide them into three levels: +At the same time, according to the scope of application of permissions, we divide them into four levels: -1. GLOBAL LEVEL: Global permissions. That is, permissions on `*.*` granted by GRANT statements. The granted permissions apply to any table in any database. -2. DATABASE LEVEL: Database-level permissions. That is, permissions on `db.*` granted by GRANT statements. The granted permissions apply to any table in the specified database. -3. TABLE LEVEL: Table-level permissions. That is, permissions on `db.tbl` granted by GRANT statements. The permissions granted apply to the specified tables in the specified database. +1. GLOBAL LEVEL: Global permissions. That is, permissions on `*.*.*` granted by GRANT statements. The granted permissions apply to any table in any database. +2. CATALOG LEVEL: Catalog level permissions. That is, the permissions on `ctl.*.*` granted through the GRANT statement. The permissions granted apply to any library table in the specified Catalog. +3. DATABASE LEVEL: Database-level permissions. That is, the permissions on `ctl.db.*` granted through the GRANT statement. The privileges granted apply to any table in the specified database. +4. TABLE LEVEL: Table-level permissions. That is, the permissions on `ctl.db.tbl` granted through the GRANT statement. The privileges granted apply to the specified table in the specified database. ## ADMIN /GRANT -ADMIN\_PRIV and GRANT\_PRIV have the authority of **"grant authority"** at the same time, which is more special. The operations related to these two privileges are described here one by one. +ADMIN_PRIV and GRANT_PRIV have the authority of **"grant authority"** at the same time, which is more special. The operations related to these two privileges are described here one by one. 1. 
CREATE USER - * Users with ADMIN or GRANT privileges at any level can create new users. + * Users with ADMIN privileges, or GRANT privileges at the GLOBAL and DATABASE levels can create new users. 2. DROP USER - * Only ADMIN privileges can delete users. + * Users with ADMIN authority or GRANT authority at the global level can drop users. 3. CREATE/DROP ROLE - * Only ADMIN privileges can create roles. + * Users with ADMIN authority or GRANT authority at the global level can create or drop role. 4. GRANT /REVOKE diff --git a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md index c5e9e3f464..05dff1c354 100644 --- a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md +++ b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md @@ -35,7 +35,7 @@ GRANT The GRANT command is used to grant the specified user or role specified permissions ```sql -GRANT privilege_list ON db_name[.tbl_name] TO user_identity [ROLE role_name] +GRANT privilege_list ON priv_level TO user_identity [ROLE role_name] GRANT privilege_list ON RESOURCE resource_name TO user_identity [ROLE role_name] ```` 
@@ -45,11 +45,11 @@ privilege_list is a list of privileges to be granted, separated by commas. Curre NODE_PRIV: Cluster node operation permissions, including node online and offline operations. Only the root user has this permission and cannot be granted to other users. ADMIN_PRIV: All privileges except NODE_PRIV. GRANT_PRIV: Privilege for operation privileges. Including creating and deleting users, roles, authorization and revocation, setting passwords, etc. - SELECT_PRIV: read permission on the specified library or table - LOAD_PRIV: Import privileges on the specified library or table - ALTER_PRIV: Schema change permission for the specified library or table - CREATE_PRIV: Create permission on the specified library or table - DROP_PRIV: drop privilege on the specified library or table + SELECT_PRIV: read permission on the specified database or table + LOAD_PRIV: Import privileges on the specified database or table + ALTER_PRIV: Schema change permission for the specified database or table + CREATE_PRIV: Create permission on the specified database or table + DROP_PRIV: drop privilege on the specified database or table USAGE_PRIV: access to the specified resource ALL and READ_WRITE in legacy permissions will be converted to: SELECT_PRIV,LOAD_PRIV,ALTER_PRIV,CREATE_PRIV,DROP_PRIV; 
@@ -58,16 +58,17 @@ privilege_list is a list of privileges to be granted, separated by commas. Curre Permission classification: 1. Node Privilege: NODE_PRIV - 2. Library table permissions: SELECT_PRIV, LOAD_PRIV, ALTER_PRIV, CREATE_PRIV, DROP_PRIV + 2. database table permissions: SELECT_PRIV, LOAD_PRIV, ALTER_PRIV, CREATE_PRIV, DROP_PRIV 3. Resource permission: USAGE_PRIV -db_name[.tbl_name] supports the following three forms: +Priv_level supports the following four forms: - 1. *.* permissions can be applied to all libraries and all tables in them - 2. db.* permissions can be applied to all tables under the specified library - 3. The db.tbl permission can be applied to the specified table under the specified library + 1. *.*.* permissions can be applied to all catalogs, all databases and all tables in them + 2. ctl.*.* permissions can be applied to all databases and all tables in them + 3. ctl.db.* permissions can be applied to all tables under the specified database + 4. ctl.db.tbl permission can be applied to the specified table under the specified database - The library or table specified here can be a library and table that does not exist. + The catalog or database, table specified here may be not exist. resource_name supports the following two forms: 
@@ -84,22 +85,22 @@ user_identity: ### Example -1. Grant permissions to all libraries and tables to the user +1. Grant permissions to all catalog and databases and tables to the user ```sql - GRANT SELECT_PRIV ON *.* TO 'jack'@'%'; + GRANT SELECT_PRIV ON *.*.* TO 'jack'@'%'; ```` -2. Grant permissions to the specified library table to the user +2. Grant permissions to the specified database table to the user ```sql - GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON db1.tbl1 TO 'jack'@'192.8.%'; + GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON ctl1.db1.tbl1 TO 'jack'@'192.8.%'; ```` -3. Grant permissions to the specified library table to the role +3. Grant permissions to the specified database table to the role ```sql - GRANT LOAD_PRIV ON db1.* TO ROLE 'my_role'; + GRANT LOAD_PRIV ON ctl1.db1.* TO ROLE 'my_role'; ```` 4. Grant access to all resources to users diff --git a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md index 976be837e1..3249b289db 100644 --- a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md @@ -109,11 +109,12 @@ Doris 目前支持以下几种权限 ## 权限层级 -同时,根据权限适用范围的不同,我们将库表的权限分为以下三个层级: +同时,根据权限适用范围的不同,我们将库表的权限分为以下四个层级: -1. GLOBAL LEVEL:全局权限。即通过 GRANT 语句授予的 `*.*` 上的权限。被授予的权限适用于任意数据库中的任意表。 -2. DATABASE LEVEL:数据库级权限。即通过 GRANT 语句授予的 `db.*` 上的权限。被授予的权限适用于指定数据库中的任意表。 -3. TABLE LEVEL:表级权限。即通过 GRANT 语句授予的 `db.tbl` 上的权限。被授予的权限适用于指定数据库中的指定表。 +1. GLOBAL LEVEL:全局权限。即通过 GRANT 语句授予的 `*.*.*` 上的权限。被授予的权限适用于任意数据库中的任意表。 +2. CATALOG LEVEL:Catalog级权限。即通过 GRANT 语句授予的 `ctl.*.*` 上的权限。被授予的权限适用于指定Catalog中的任意库表。 +3. DATABASE LEVEL:数据库级权限。即通过 GRANT 语句授予的 `ctl.db.*` 上的权限。被授予的权限适用于指定数据库中的任意表。 +4. TABLE LEVEL:表级权限。即通过 GRANT 语句授予的 `ctl.db.tbl` 上的权限。被授予的权限适用于指定数据库中的指定表。 将资源的权限分为以下两个层级: 
@@ -125,13 +126,14 @@ Doris 目前支持以下几种权限 ADMIN_PRIV 和 GRANT_PRIV 权限同时拥有**授予权限**的权限,较为特殊。这里对和这两个权限相关的操作逐一说明。 1. CREATE USER - - 拥有 ADMIN 权限,或任意层级的 GRANT 权限的用户可以创建新用户。 + - 拥有 ADMIN 权限,或 GLOBAL 和 DATABASE 层级的 GRANT 权限的用户可以创建新用户。 2. DROP USER - - 只有 ADMIN 权限可以删除用户。 + - 拥有 ADMIN 权限或全局层级的 GRANT 权限的用户可以删除用户。 3. CREATE/DROP ROLE - - 只有 ADMIN 权限可以创建角色。 + - 拥有 ADMIN 权限或全局层级的 GRANT 权限的用户可以创建角色。 4. GRANT/REVOKE - 拥有 ADMIN 权限,或者 GLOBAL 层级 GRANT 权限的用户,可以授予或撤销任意用户的权限。 + - 拥有 CATALOG 层级 GRANT 权限的用户,可以授予或撤销任意用户对指定CATALOG的权限。 - 拥有 DATABASE 层级 GRANT 权限的用户,可以授予或撤销任意用户对指定数据库的权限。 - 拥有 TABLE 层级 GRANT 权限的用户,可以授予或撤销任意用户对指定数据库中指定表的权限。 5. SET PASSWORD diff --git a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md index 76324ff25f..bc9167db51 100644 --- a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md +++ b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md @@ -35,7 +35,7 @@ GRANT GRANT 命令用于赋予指定用户或角色指定的权限 ```sql -GRANT privilege_list ON db_name[.tbl_name] TO user_identity [ROLE role_name] +GRANT privilege_list ON priv_level TO user_identity [ROLE role_name] GRANT privilege_list ON RESOURCE resource_name TO user_identity [ROLE role_name] ``` @@ -61,13 +61,14 @@ privilege_list 是需要赋予的权限列表,以逗号分隔。当前 Doris 2. 库表权限:SELECT_PRIV,LOAD_PRIV,ALTER_PRIV,CREATE_PRIV,DROP_PRIV 3. 资源权限:USAGE_PRIV -db_name[.tbl_name] 支持以下三种形式: +priv_level 支持以下四种形式: - 1. *.* 权限可以应用于所有库及其中所有表 - 2. db.* 权限可以应用于指定库下的所有表 - 3. db.tbl 权限可以应用于指定库下的指定表 + 1. *.*.* 权限可以应用于所有catalog及其中的所有库表 + 2. ctl.*.* 权限可以应用于指定catalog中的所有库表 + 3. ctl.db.* 权限可以应用于指定库下的所有表 + 4. ctl.db.tbl 权限可以应用于指定库下的指定表 - 这里指定的库或表可以是不存在的库和表。 + 这里指定的ctl或库或表可以是不存在的库和表。 resource_name 支持以下两种形式: 
@@ -84,22 +85,22 @@ user_identity: ### Example -1. 授予所有库和表的权限给用户 +1. 授予所有catalog和库表的权限给用户 ```sql - GRANT SELECT_PRIV ON *.* TO 'jack'@'%'; + GRANT SELECT_PRIV ON *.*.* TO 'jack'@'%'; ``` 2. 授予指定库表的权限给用户 ```sql - GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON db1.tbl1 TO 'jack'@'192.8.%'; + GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON ctl1.db1.tbl1 TO 'jack'@'192.8.%'; ``` 3. 授予指定库表的权限给角色 ```sql - GRANT LOAD_PRIV ON db1.* TO ROLE 'my_role'; + GRANT LOAD_PRIV ON ctl1.db1.* TO ROLE 'my_role'; ``` 4. 授予所有资源的使用权限给用户
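Review bot: In the docs/en user-privilege.md hierarchy hunk (@@ -107,28 +107,29 @@), the GLOBAL LEVEL description still says the permissions "apply to any table in any database" even though the patch adds a CATALOG level above it; with `*.*.*` the scope is any table in any database of any catalog, and the sentence should say so, since this is the broadest grant the page documents. In the same hunk the new CATALOG LEVEL line reads "any library table in the specified Catalog" while every other changed line in this patch replaces "library" with "database"; suggest "any database and table in the specified catalog". The zh-CN hierarchy hunk (@@ -109,11 +109,12 @@) keeps the same `适用于任意数据库中的任意表` wording for GLOBAL LEVEL and should get the same fix.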
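Review bot: The new CREATE USER rule in docs/en user-privilege.md ("Users with ADMIN privileges, or GRANT privileges at the GLOBAL and DATABASE levels can create new users") should say "GLOBAL or DATABASE level", and it says nothing about the CATALOG level this same patch inserts between those two; because this rule decides who may create principals, the doc should state explicitly whether CATALOG-level GRANT_PRIV can create users rather than leave it to be inferred (the zh-CN hunk at @@ -125,13 +126,14 @@ has the same `或 GLOBAL 和 DATABASE 层级` wording and the same gap). Two smaller points in the same region: "create or drop role" should be "create or drop roles", and the English GRANT/REVOKE list receives no new bullet while the zh-CN hunk adds `拥有 CATALOG 层级 GRANT 权限的用户,可以授予或撤销任意用户对指定CATALOG的权限`; the English page needs the equivalent line ("Users with CATALOG level GRANT privileges can grant or revoke any user's privileges on the specified catalog") so the two languages do not document different authorization rules.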
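Review bot: In the docs/en GRANT.md priv_level hunk (@@ -58,16 +58,17 @@), "Priv_level supports the following four forms" capitalizes the placeholder while the syntax line in the earlier hunk uses `priv_level`; keep it lowercase so it reads as the same token, and "2. database table permissions" should be "2. Database and table permissions" to match the other list items. "The catalog or database, table specified here may be not exist." is ungrammatical; suggest "The catalog, database or table specified here does not need to exist yet." Since the patch removes the two-part `*.*`, `db.*` and `db.tbl` forms entirely, the page should also say whether those forms are still accepted in existing GRANT statements and, if so, which catalog they resolve to; as written a reader cannot tell whether an old grant script keeps its scope, changes scope, or fails. The corresponding zh-CN line (`这里指定的ctl或库或表可以是不存在的库和表。`) mixes `ctl` with "catalog" and repeats 库和表; suggest `这里指定的 catalog、库或表可以是不存在的。`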
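Review bot: In the docs/en GRANT.md Example hunk (@@ -84,22 +85,22 @@), "Grant permissions to all catalog and databases and tables to the user" should read "Grant permissions on all catalogs, databases and tables to the user". The unchanged context in this hunk and in the syntax hunk closes each code block with four backticks (````) while the opening fence is three, which leaves a stray backtick in the rendered English page; the zh-CN file uses three on both sides, so these context lines are worth fixing while the surrounding lines are being touched.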