Roles
- Jason Kinchen
Overview
A role is a named binding between a set of users (the role membership) and a set of access rights (the role permissions). According to Wikipedia,
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
In SciDB, roles are used:
- to control access to namespaces and the arrays they contain, and
- to control access to database administrative functions.
When a user connects to SciDB, she acquires all access rights from all roles of which she is a member.
Role Operators
This table summarizes the AFL operators that manipulate roles.
| Operator | Description |
|---|---|
| list('roles') | List existing roles. |
| create_role | Create a new role. |
| drop_role | Remove a role. |
| add_user_to_role | Add a user account to one or more roles. The user account becomes a member of those roles. |
| drop_user_from_role | Remove a user account from one or more roles. The user account loses its membership in those roles. |
| show_roles_for_user | Show a user account's role memberships. |
| /wiki/spaces/ESD169/pages/50856184 | Show a role's members. |
| set_role_permissions | Associate a role with access rights to an entity (typically a namespace). |
| show_role_permissions | Show the access rights associated with the role. |
The create_user operator creates a role with the same name as the created user account. This allows access rights to be granted on a per-user basis. The automatically created per-user role is automatically removed by drop_user. The role has only a single member, the corresponding user account.
The Special admin and operator Roles
The role names admin and operator are special. When an administrator creates these roles using create_role(), they are automatically associated with access rights to an unnamed entity that represents the SciDB database. The output of show_role_permissions for an ordinary namespace access role, experimenter, and the two special roles illustrates this:
FL% show_role_permissions('experimenter');
{i} entity,name,permissions
{0} 'namespace','trials','clru'
AFL% show_role_permissions('operator');
{i} entity,name,permissions
{0} 'database','','o'
AFL% show_role_permissions('admin');
{i} entity,name,permissions
{0} 'database','','a'
The next sections describe the privileges associated with the operator and admin roles.
Operator Privileges
User accounts granted the operator role can perform the following administrative functions:
- May use the iquery --admin option to issue queries on a high priority communications channel
- May view and reset statistics with the stats_instance, stats_query, and stats_instance_reset operators.
- May examine array distributions with the list_array_residency operator.
- May view extended cluster membership information with the list_instances operator.
- May view all active queries, not just their own, with the list('queries') operator.
- May manipulate user accounts with the create_user, drop_user, and change_user operators.
- May manipulate roles with the create_role, drop_role, and set_role_permissions operators.
- May grant and revoke roles with the add_user_to_role and drop_user_from_role operators, but with the caveat that operators may not grant or revoke the special roles admin and operator.
- May examine the privileges and roles of other users with the show_user_permissions operator.
- May create and drop namespaces with the create_namespace and drop_namespace operators.
Admin Privileges
The database administrator account scidbadmin and all user accounts granted the admin role have all the operator privileges listed above, plus the following:
- May create and drop the special roles admin and operator.
- May add and remove user accounts from the special roles admin and operator.
- May perform file I/O using unrestricted path names. See File I/O Restrictions.
- May load and unload plugins using the load_library and unload_library operators.
- May change cluster membership using the add_instances, remove_instances, and unregister_instances operators.