Arcadia Engine's Analytical Views implements authorization criteria through Sentry and Ranger to restrict access to specific databases, tables, or columns.
The system translates authorization checks on analytical views into corresponding checks on underlying base tables.
Arcadia Engine checks the user's authorization for analytical views, which makes the system secure.
Arcadia Engine uses the user's system privileges on objects (columns, tables, databases, and servers) to authorize access to analytical views.
For example, consider userA, who belongs to the groupA, which in turn has roleA. The analytical view av1 is based on table t. Then,
SELECT
privilege on table t, then whenever userA submits a query on t it will be routed to analytical view av1.SELECT
privilege on table t, userA will
not be able to alter or insert into any analytical view based on table t. To
do that, userA must have ALL
and
INSERT
privileges, respectively.This section describes operations on analytical views, and the corresponding necessary authorization levels.
For example, consider one of the steps of the analytical view refresh mechanism:
INSERT INTO analytical_view_name SELECT … FROM base_table;
This statement requires INSERT
privilege on
analytical_view_name
, and a SELECT
privilege on
base_table. Internally, Arcadia Engine verifies that the user has both
INSERT
and SELECT
privileges for
base_table
.
CREATE ANALYTICAL VIEW td.av1
STORED AS PARQUET
AS SELECT y,m,d,max(v)
FROM sd.t
GROUP BY y,m,d;
(SELECT privilege on base table sd.t
OR
SELECT COLUMN privilege on y,m,d,v of sd.t)
AND
ALL privilege on target td
REFRESH ANALYTICAL VIEW
ALL privilege on sd.t
DROP ANALYTICAL VIEW td.av1;
ALL privilege on sd.t
td.av1
neededSHOW [EXTENDED] [ALL] ANALYTICAL VIEWS
Some TABLE level privilege on the base tables
DESCRIBE [FORMATTED] aview_name
Shows all the columns in the analytical view if the user has the following privileges:
ANY TABLE privilege
OR
SELECT privilege on ANY COLUMN
SELECT max(v),y,m,d
FROM sd.t
GROUP BY y,m,d;
Query routes to analytical view if the user has the following privileges:
SELECT privilege on sd.t
OR
SELECT COLUMN privilege on y, m, d, v of sd.t
SELECT y, m, d
FROM td.av1;
SELECT privilege on sd.
For native access, must have TABLE
access, as COLUMN
privilege is not enough.
EXPLAIN SELECT max(v),y,m,d
FROM sd.t
GROUP BY y,m,d;
SELECT privilege on sd.t
OR
SELECT COLUMN privilege on y, m, d, v of sd.t
SELECT y,m,d,max_v FROM logical_view;
Where the logical view has the following definition:
CREATE VIEW logical_view
AS SELECT max(v)
AS max_v,y,m,d
FROM sd.t
GROUP BY y,m,d;)
TABLE SELECT privilege on logical_view
No privilege check on matching analytical views required
EXPLAIN SELECT y,m,d,max_v FROM logical_view;
If issued internally by Arcadia Visualization Server:
TABLE SELECT
privilege on logical_view
If issued in SQL visualization or through command line interface:
TABLE SELECT privilege on logical_view
AND
(TABLE SELECT privilege on sd.t
OR
COLUMN SELECT privilege on y, m, d, v on sd.t)
Copyright © 2015, 2019, Arcadia Data Inc. All rights reserved.