You can use the GRANT syntax to grant a user the specified permissions. For example, you can grant a user the read and write permission of a table or the full permission of a database.
Applicable engines
The GRANT syntax is applicable to all versions of LindormTable and LindormTSDB.
Syntax
grant_permission_statement ::= GRANT privilege_definition ON resource_definition TO user_identifier
privilege_definition ::= ALL | READ | WRITE | ADMIN | TRASH | SYSTEM
resource_definition ::= GLOBAL | DATABASE identifier | SCHEMA identifier | TABLE identifierParameters
Whether a GRANT statement can be executed successfully depends on the permissions that are granted to the user who executes the statement. For more information, see User and permission management.
Permission (privilege_definition)
The following table describes the permissions that can be granted.
Permission | Description |
ALL or ALL PRIVILEGE | Grant the user all permissions on the resources, including READ, WRITE, ADMIN, and TRASH. |
READ | Grant the user the read permission on the resources. |
WRITE | Grant the user the write permission on the resources. |
ADMIN | Grant the user the administrator permissions on the resources. Important The ADMIN permission is independent of the READ and WRITE permissions. A user granted the ADMIN permission on a database may fail to read or write all tables in the database unless the user is granted the read or write permissions on the tables. |
TRASH | Grant the user the delete permission on the resources. |
SYSTEM | Grant the user the cluster management permissions on the resources. The SYSTEM permission includes the ADMIN permission on the GLOBAL level. Important You cannot grant the SYSTEM permission on a specific database. |
Resource level (resource_definition)
The following table describes the level of resources on which you can grant permissions in LindormTable and LindormTSDB by using the GRANT syntax.
Resource level | LindormTable | LindormTSDB | Description |
GLOBAL | 〇 | 〇 | Grant the user permissions on global resources. Important We recommend that you do not grant permissions, especially the ALL PRIVILEGE permission, on resources of the GLOBAL level. |
DATABASE | 〇 | 〇 | Grant the user permissions on the specified database. The DATABASE level is equivalent to the SCHEMA level. Note LindormTable 2.5.3.3 and later versions support the |
TABLE | 〇 | ✖️ | Grant the user permissions on the specified table. |
The three resource levels in the preceding table are in the following descending order of scope: GLOBAL > DATABASE (SCHEMA) > TABLE. For example, if a user have the READ permission on resources of the GLOBAL level, the user can read all tables in a database.
When you use the DATABASE, SCHEMA, or TABLE keyword, you must specify the identifier of the permission level. For example, DATABASE default and SCHEMA default indicates the database named default, and TABLE test indicates the table named test.
User to which permissions are granted (user_identifier)
The user_identifier parameter indicates the user to which permissions are granted.
Examples
Grant all permissions to a user
Grant all permissions on the database db1 to a user named user1.
GRANT ALL ON DATABASE db1 TO user1;
-- or
GRANT ALL ON SCHEMA db1 TO user1;Grant the specified permissions to a user
Grant the ADMIN permission on table2 in the database db2 to a user named user2.
GRANT ADMIN ON TABLE db2.table2 TO user2;Grant the WRITE permission on table3 in the current database to a user named user3.
GRANT WRITE ON TABLE table3 TO user3;Grant the READ permission on the GLOBAL level to a user named user4.
GRANT READ ON GLOBAL TO user4;