Use the GRANT statement to grant specific permissions, such as read and write permissions on a table or all permissions on a database.
Applicable engines
The GRANT statement applies to LindormTable and LindormTSDB. There are no version restrictions.
Syntax
grant_permission_statement ::= GRANT privilege_definition ON resource_definition TO user_identifier
privilege_definition ::= ALL | READ | WRITE | ADMIN | TRASH | SYSTEM
resource_definition ::= GLOBAL | DATABASE identifier | SCHEMA identifier | TABLE identifier
Usage notes
Whether a GRANT statement can be executed successfully depends on the permissions of the user who runs it.
Permissions (privilege_definition)
The following permissions are available:
Permission | Description |
ALL or ALL PRIVILEGE | Grants a user all permissions. This includes READ, WRITE, ADMIN, and TRASH permissions. |
READ | Grants the read permission to a user. |
WRITE | Grants the write permission to a user. |
ADMIN | Grants the administrator permission to a user. Important: The ADMIN permission is independent of the READ and WRITE permissions. Granting the ADMIN permission on a database does not grant permission to read from or write to tables in that database. You must grant read and write permissions for tables separately. |
TRASH | Grants the delete permission to a user. |
SYSTEM | Grants a user cluster-level management permissions. This includes the GLOBAL ADMIN permission. Important: You cannot grant the SYSTEM permission at the database level. |
Permission scope (resource_definition)
The GRANT statement in LindormTable and LindormTSDB supports the following resource scopes:
Resource scope | LindormTable | LindormTSDB | Description |
GLOBAL | Supported | Supported | Grants a specific permission on all global resources. Important: Avoid granting GLOBAL permissions, especially GLOBAL ALL PRIVILEGES. |
DATABASE | Supported | Supported | Grants a specific permission on a database. This is equivalent to SCHEMA. Note: LindormTable versions 2.5.3.3 and later support the |
TABLE | Supported | Not supported | Grants a specific permission on a specified table. |
The priority of resource scopes is GLOBAL > DATABASE (SCHEMA) > TABLE. For example, if a user has the GLOBAL READ permission, they can read tables in any database.
When you use the DATABASE, SCHEMA, or TABLE keyword, you must specify the name of the object (identifier). For example, DATABASE default, SCHEMA default, and TABLE test refer to the default database and the test table.
Authorization object (user_identifier)
user_identifier is the username of the user to whom you want to grant permissions.
Examples
Grant all permissions
Grant all permissions on the db1 database to the user user1.
GRANT ALL ON DATABASE db1 TO user1;
-- Or
GRANT ALL ON SCHEMA db1 TO user1;
Grant specific permissions
Grant the administrator permission on the table2 table in the db2 database to the user user2.
GRANT ADMIN ON TABLE db2.table2 TO user2;
Grant the write permission on the table3 table in the current database to the user user3.
GRANT WRITE ON TABLE table3 TO user3;
Grant the global read permission to the user user4.
GRANT READ ON GLOBAL TO user4;
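
The ADMIN note and the scope priority described above can be checked against a set of GRANT statements before they are run. The following Python sketch is an added example, not Lindorm's code and not part of the original page: it parses statements in the page's grammar and reports whether a user's grants cover a privilege on a table. It assumes that a database-scope grant covers the tables in that database, by analogy with the GLOBAL READ example; `parse_grant`, `allowed`, `global_grants` and the `user5` statement are hypothetical names and data constructed for the illustration.

```python
import re

ALL_EXPANDS = {"READ", "WRITE", "ADMIN", "TRASH"}   # what ALL includes, per the page
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(ALL(?:\s+PRIVILEGES?)?|READ|WRITE|ADMIN|TRASH|SYSTEM)\s+ON\s+"
    r"(GLOBAL|(?:DATABASE|SCHEMA|TABLE)\s+[\w.]+)\s+TO\s+(\w+)\s*;?\s*$", re.I)

def parse_grant(stmt, current_db="default"):
    m = GRANT_RE.match(stmt)
    if not m:
        raise ValueError(f"not a GRANT statement in the page's grammar: {stmt!r}")
    priv, res, user = m.group(1).upper(), m.group(2).split(), m.group(3)
    privs = set(ALL_EXPANDS) if priv.startswith("ALL") else {priv}
    kind = res[0].upper()
    if kind == "GLOBAL":
        scope = ("GLOBAL",)
    elif kind in ("DATABASE", "SCHEMA"):           # SCHEMA is equivalent to DATABASE
        scope = ("DATABASE", res[1])
    else:                                          # TABLE [db.]table
        db, _, table = res[1].rpartition(".")
        scope = ("TABLE", db or current_db, table)
    if priv == "SYSTEM" and scope[0] == "DATABASE":
        raise ValueError("SYSTEM cannot be granted at the database level")
    if priv == "SYSTEM" and scope == ("GLOBAL",):
        privs.add("ADMIN")                         # SYSTEM includes GLOBAL ADMIN
    return user, privs, scope

def allowed(grants, user, priv, db, table):
    """True if a grant at table, database or global scope carries priv for user."""
    covering = {("GLOBAL",), ("DATABASE", db), ("TABLE", db, table)}
    return any(u == user and priv in p and s in covering for u, p, s in grants)

def global_grants(grants):
    """Users holding any GLOBAL-scope grant, which the page advises avoiding."""
    return sorted({u for u, _, s in grants if s == ("GLOBAL",)})

# The statements from the Examples section, plus one constructed statement.
STATEMENTS = [
    "GRANT ALL ON SCHEMA db1 TO user1;",
    "GRANT ADMIN ON TABLE db2.table2 TO user2;",
    "GRANT WRITE ON TABLE table3 TO user3;",
    "GRANT READ ON GLOBAL TO user4;",
    "GRANT ADMIN ON DATABASE db3 TO user5;",       # constructed
]
GRANTS = [parse_grant(s) for s in STATEMENTS]

if __name__ == "__main__":
    print("user5 ADMIN on db3.t1:", allowed(GRANTS, "user5", "ADMIN", "db3", "t1"))
    print("user5 READ  on db3.t1:", allowed(GRANTS, "user5", "READ", "db3", "t1"))
    print("GLOBAL grants held by:", global_grants(GRANTS))
```

The second line printed is False: user5 holds ADMIN on db3 but still needs separate READ and WRITE grants for its tables.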