
Commit e6b6442

new permissions: SETTINGS and DATABASE ADMIN
1 parent c04592e commit e6b6442

1 file changed: +15 -6 lines changed

documentation/operations/rbac.md

Lines changed: 15 additions & 6 deletions
@@ -380,10 +380,12 @@ The built-in admin has all permissions granted by default. Its access cannot be
380380
modified. It is root.
381381

382382
After startup we can use the built-in admin to create new users, service
383-
accounts and groups. We can also grant permissions to them. It is recommended
384-
that the built-in admin is disabled in the configuration files after users and
385-
groups are setup.
383+
accounts and groups with different set of permissions.
386384

385+
It is recommended that one or more database administrators are created by
386+
granting `ALL` or the `DATABASE ADMIN` permission to them.
387+
After the database administrators are setup, the built-in admin should be
388+
disabled in the configuration files.
387389
The following property key is used to enable/disable the built-in admin in
388390
server.conf:
389391
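
Review bot: The recommendation added at new lines 385-388 presents `ALL` and `DATABASE ADMIN` as interchangeable ways to create a database administrator, but the permission tables changed later in this same commit say `ALL` excludes permissions added in the future and the right to assume service accounts, and that only `DATABASE ADMIN` "granted with grant options" matches the built-in admin. If the built-in admin is disabled after only `ALL` was granted, no remaining user is documented as holding those rights, so the text should recommend `DATABASE ADMIN` with grant options for at least one user before disabling, and say what an `ALL`-only administrator cannot do. Wording: "with different set of permissions" should read "with different sets of permissions", and "are setup" should read "are set up".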

@@ -441,6 +443,7 @@ select * from all_permissions();
441443
| SELECT | Database | Table | Column | Allows selecting/reading table or column data. |
442444
| SET TABLE PARAM | Database | Table | Allows setting table parameters via ALTER TABLE SET PARAM command. |
443445
| SET TABLE TYPE | Database | Table | Allows changing table type via ALTER TABLE SET TYPE command. |
446+
| SETTINGS | Database | Allows changing database instance properties (name, colour and description) via the Web Console. |
444447
| SNAPSHOT | Database | Allows preparing database snapshot. |
445448
| SQL ENGINE ADMIN | Database | Allows the listing of currently running queries, and cancelling them via CANCEL QUERY command. |
446449
| SYSTEM ADMIN | Database | Allows the execution of various system related functions, such as reload_tls(), dump_memory_usage(), dump_thread_stacks(), flush_query_cache(), hydrate_table_metadata(). |
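
Review bot: The SETTINGS row (new line 446) describes the permission only as acting "via the Web Console", while the neighbouring rows name the command they gate (ALTER TABLE SET PARAM, ALTER TABLE SET TYPE, CANCEL QUERY). Please state whether the check is enforced by the server for every route that changes the instance name, colour and description, or only in the console UI, and name the underlying operation if there is one, so operators know what this permission actually guards.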
@@ -485,9 +488,15 @@ select * from all_permissions();
485488

486489
Currently only the `ALL` permission group supported.
487490

488-
| permission | level | description |
489-
|------------|-------------------------------------|--------------------------------------------------------------------------------------------|
490-
| ALL | Database | Table | Column | All permissions on all levels, it does not include permissions to assume service accounts. |
491+
| permission | level | description |
492+
|------------|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
493+
| ALL | Database | Table | Column | All permissions on any (database, table or column) level. It does not include permissions added to QuestDB's permission system in the future or to assume service accounts. |
494+
495+
#### Special permissions
496+
497+
| permission | level | description |
498+
|----------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
499+
| DATABASE ADMIN | Database | All permissions, including any permissions introduced in QuestDB in the future. It also grants permission to assume any service account present in the database. When granted with grant options, the user essentially gets the power of the built-in admin. |
491500

492501
Note the values in the `level` column.
493502
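
Review bot: In the rewritten ALL row (new line 493), "It does not include permissions added to QuestDB's permission system in the future or to assume service accounts" does not parse cleanly and leaves open what happens to an existing `ALL` grant after an upgrade; consider "It does not include permissions introduced in later QuestDB versions, nor the permission to assume service accounts." The DATABASE ADMIN row (new line 499) states that with grant options the user has the power of the built-in admin, which deserves a sentence of its own in the Special permissions section rather than the tail of a table cell. Also check that the unchanged line "Note the values in the `level` column." still points at the intended table now that it follows the Special permissions table, and that "Currently only the `ALL` permission group supported." gains its missing "is".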
