Database permission model
AnalyticDB for MySQL lets you grant specific permissions at different levels to control access. This topic describes the relationship between SQL operations and the required permissions, and how to view and edit permissions.
Permission levels
An AnalyticDB for MySQL cluster supports access control at the following four permission levels:
-
GLOBAL: cluster level.
-
DB: database level.
-
TABLE: table level.
-
COLUMN: column level.
To allow a user to query only a specific column in a table, grant the SELECT permission on that column to the user. For example:
GRANT select (customer_id) ON customer TO 'test321'.
Operations and required permissions
|
Operation |
Permission |
Supported levels |
|
SELECT |
SELECT |
|
|
INSERT |
INSERT |
|
|
INSERT…SELECT…FROM… |
|
|
|
UPDATE |
UPDATE |
|
|
DELETE |
DELETE |
|
|
TRUNCATE TABLE |
DROP |
|
|
ALTER TABLE |
|
|
|
CREATE DATABASE |
CREATE |
GLOBAL |
|
CREATE TABLE |
CREATE |
|
|
SHOW CREATE TABLE |
SELECT |
|
|
DROP DATABASE |
DROP |
|
|
DROP TABLE |
DROP |
|
|
CREATE VIEW |
|
|
|
DROP VIEW |
DROP |
|
|
SHOW CREATE VIEW |
|
|
|
CREATE USER/DROP USER/RENAME USER |
CREATE_USER |
GLOBAL |
|
SET PASSWORD |
SUPER |
GLOBAL |
|
GRANT/REVOKE |
GRANT |
GLOBAL |
View permissions
View permissions by using SQL
You can use SQL to view permissions on Data Warehouse Edition, Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Procedure
To view user permissions, execute the SHOW GRANTS statement. For more information, see SHOW GRANTS.
View permissions by using DMS
You can use DMS to view permissions on Data Warehouse Edition, Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Prerequisites
-
Use an Alibaba Cloud account.
-
Use a RAM user that has been granted the
AliyunADBReadOnlyAccesspermission. To grant permissions to a RAM user, see Manage RAM user permissions.
Procedure
-
Connect to your AnalyticDB for MySQL cluster by using DMS. For more information, see Use DMS to connect to an AnalyticDB for MySQL cluster.
-
In the Instances Connected list on the left-side navigation pane of DMS, right-click the target instance.
-
From the shortcut menu, select Database account management.
-
On the Accounts page, view the user permissions.
View permissions in the AnalyticDB for MySQL console
You can view permissions in the AnalyticDB for MySQL console only for Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Prerequisites
-
Use an Alibaba Cloud account.
-
Use a RAM user that has been granted the
AliyunADBReadOnlyAccesspermission. To grant permissions to a RAM user, see Manage RAM user permissions.
Procedure
Log on to the AnalyticDB for MySQL console.
In the upper-left corner of the page, select a region.
In the left-side navigation pane, click Clusters.
-
On the Data Lakehouse Edition tab, click the target Cluster ID.
-
In the left-side navigation pane, click Accounts.
-
In the Actions column for the target account, click Permissions and select View Permissions.
-
Select an authorization level to view the permissions for the corresponding scope, such as global, database, table, or column.
Edit permissions
Grant permissions by using SQL
You can use SQL statements to grant permissions on Data Warehouse Edition, Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Prerequisites
To grant permissions by using SQL, the user must have the GRANT OPTION permission.
Procedure
Execute the GRANT statement to grant permissions to a user. For more information, see GRANT.
Grant permissions by using DMS
You can use DMS to grant permissions on Data Warehouse Edition, Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Prerequisites
-
Use an Alibaba Cloud account.
-
Use a RAM user that has been granted the
AliyunADBFullAccessandAliyunServiceRoleForDMSpermissions. To grant permissions to a RAM user, see Manage RAM user permissions.
Procedure
-
Connect to your AnalyticDB for MySQL cluster by using DMS. For more information, see Use DMS to connect to an AnalyticDB for MySQL cluster.
-
In the Instances Connected list on the left-side navigation pane of DMS, right-click the target instance.
-
From the shortcut menu, select Database account management.
-
On the Accounts page, find the target account and click Edit in the Actions column.
-
In the Edit User dialog box, select the Global Permissions tab.
-
In the Permission Type list, select or clear the required permissions.
Grant permissions in the AnalyticDB for MySQL console
You can grant permissions in the AnalyticDB for MySQL console only for Enterprise Edition, Basic Edition, and Data Lakehouse Edition clusters.
Prerequisites
-
Use an Alibaba Cloud account.
-
Use a RAM user that has been granted the
AliyunADBFullAccesspermission. The associated database account must have theGRANT OPTIONpermission.
Procedure
Log on to the AnalyticDB for MySQL console.
In the upper-left corner of the page, select a region.
In the left-side navigation pane, click Clusters.
-
On the Data Lakehouse Edition tab, click the target Cluster ID.
-
In the left-side navigation pane, click Accounts.
-
In the Actions column for the target account, click Permissions and select Edit Permissions.
-
Select an Permission Level and select the required permissions under Permission Configuration.
-
Click the
icon and then click OK.