Version:

Security Concepts

Overview

Kinetica provides secured access to data and data services by means of role-based access control (RBAC). Permissions are assigned at the table level, collection level, or globally, and can be assigned either directly or grouped into roles for assignment.

Note

Kinetica users, permissions, and roles can be managed through GAdmin's Security interface or through one of the APIs. See Security Usage for details.

Users

Kinetica supports authentication and authorization of both internal users, whose credentials are maintained within the database, and external users, whose credentials are maintained by another directory service (LDAP, AD, etc.).

Roles are maintained within the database for both types of users, though group memberships held by external users can be mapped to roles to automatically authorize those users to the appropriate level of access. See HTTPD + External Authentication for instructions on how to configure this mapping of external groups to roles.

Internal Users

Internal users have a username and password (encrypted), which are both stored within Kinetica.

An internal username must meet the following criteria:

  • alphanumeric, including underscore; not starting with a number: [a-z_][a-z_0-9]*
  • unique among internal usernames and role names
  • up to 64 characters long

Password must meet the following criteria:

  • up to 1024 characters long, by default; governed by the min_password_length parameter configured in the gpudb.conf file

External Users

External users have a username and password or user certificate stored in an external directory service and a corresponding user name stored within Kinetica. A proxy server is used to authenticate users to the external directory service and pass the authenticated request on to the database.

An external username must meet the following criteria:

  • identical to the external username, but with an @ prepended: @external_username
  • unique among external usernames

Note

Once authenticated, user authorization does not distinguish between internal and external users

Default Users

Kinetica comes with up to four default users:

  • admin
    • full permissions to do anything in Kinetica
    • system_admin permission by default; unable to modify
    • password is admin by default but must be updated after the first login
    • password can be changed; change will be stored securely in Kinetica
  • anonymous
    • no password
    • no permissions by default
  • graph
  • planner
    • System role reserved for use by the SQL query planner engine

User Endpoints

Calling user endpoints generally requires system_admin permission.

Roles

Roles are configurable sets of permissions, which enable easier maintenance of user authorizations within the database. A role can have any number of permissions assigned to it, and the role can be assigned to any number of users, giving those users all of the permissions associated with the role. A role can also be assigned to another role, creating a hierarchy of permissions. In this way, roles eliminate the need to manage each user's permissions individually.

An individual user's permissions are the set of all directly-granted permissions and permissions granted via roles.

One or more roles can automatically be granted to any external user, based on that user's group memberships within the external directory service used. See HTTPD + External Authentication for instructions on how to map external group memberships to roles.

A role name must meet the following criteria:

  • alphanumeric, including underscore; not starting with a number: [a-z_][a-z_0-9]*
  • unique among internal usernames and other role names
  • up to 64 characters long

A role may optionally be assigned a resource group, which will be imparted to any user assigned the role.

Important

A role cannot be assigned, as a member, to any role that is one of its member roles, whether that member role is assigned directly to it or via another role; e.g., if role A has role B as a member, role B cannot be assigned role A as a member directly, nor can role B be assigned role C, if role C has role A as a member.

Default Roles

There are two default roles within Kinetica:

  • authenticated
    • All users except anonymous are members of authenticated by default.
  • public
    • All users are members of public by default
    • The public role will grant permissions to users who have not authenticated

Role Endpoints

Calling role endpoints generally requires system_admin permission.

Permissions

Permissions allow users various levels of access to the database's data and management services. Permissions can be granted directly to users and also grouped within roles.

There are three categories of permissions within Kinetica:

Table-Level

Table-level permissions govern access to database objects and the data contained within them. These apply to tables, views, and collections.

The available permissions are:

  • table_insert
    • can insert records (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_update permission, as well)
  • table_update
    • can update records (upserting, via /insert/records using the update_on_existing_pk parameter, requires the table_insert permission, as well)
  • table_delete
    • can delete records
  • table_read
    • can read (select) records
  • table_admin
    • has all four table-level permissions above
    • can alter & drop the granted table
    • when granted on a collection, can create tables under that collection, as well as employ table-level permissions on any table in the collection
    • when granted at the root level, can employ all other table-level permissions on any table in the system

Note

The creator of a table or collection will automatically be given table_admin permission on that table, but will not have the permission to grant other users access to it; granting permission is reserved for users with the system_admin permission.

User-Level

User-level permissions govern access to user accounts, roles, & privileges.

The available permissions are:

  • system_user_admin
    • can manage users & roles
    • can grant/revoke permissions & roles (except the system_admin permission or a role containing it)

System-Level

System-level permissions govern access to both database objects and management services.

The available permissions are:

  • system_admin
    • has table_admin on all tables
    • can manage users & roles
    • can grant/revoke permissions & roles
  • system_write
    • has table_admin on all tables and data
    • can upload symbols via /insert/symbol
  • system_read
    • has table_read on all tables

Permission Endpoints

Calling permission endpoints generally requires system_admin or system_user_admin permission.