github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/docs/RFCS/20150810_sql_privileges.md (about) 1 - Feature Name: SQL privileges 2 - Status: completed 3 - Start Date: 2015-08-10 4 - RFC PR: [#2054](https://github.com/cockroachdb/cockroach/pull/2054) 5 - Cockroach Issue: [#2005](https://github.com/cockroachdb/cockroach/issues/2005) 6 7 # Summary 8 9 Introduce SQL privileges for databases and tables. The aim is to provide a privilege 10 framework familiar to users of popular SQL servers while embracing simplicity. 11 12 We intentionally do not address privileges for other granularities (columns or rows), 13 or unsupported features (views, temporary tables, procedures, etc...). 14 15 # Motivation 16 17 The SQL interface needs permissioning on database and tables. 18 For ease of migration and understanding, we wish to use common SQL privileges 19 albeit adapted for our use, or simplified. 20 21 We use the [postgres](http://www.postgresql.org/docs/9.4/static/sql-grant.html) and 22 [mysql](https://dev.mysql.com/doc/refman/5.7/en/privileges-provided.html) privileges 23 as references. 24 25 # Detailed design 26 27 ## Privilege logic 28 29 ### Postgres 30 31 * all objects have owners. Owners default to all privileges on their objects. 32 * only the granter of a privilege can remove it. (eg: user A grants `SELECT` to B, only 33 A can remove `SELECT` from B. If another role granted `SELECT` as well, it stays). 34 * databases share no data between them except for user tables. As such they are closer 35 to our databases then the postgres schema. 36 * `SUPERUSER` is a user attribute. It allows everything. 37 * postgres has a `PUBLIC` schema granting liberal privileges to all users. 38 * privileges can be displayed using the `\du` command in psql. 39 * `ALL` is translated to the list of all privileges. 40 41 ### Mysql 42 43 * privileges are stored in a global table. It is thus possible to grant privileges 44 on objects that do not yet exist (eg: `GRANT ALL on db.* TO user1`). 45 * privileges can be displayed using `SHOW GRANTS [FOR x]`. 46 * `ALL` is a shortcut for setting and display. 47 48 ### Cockroach 49 50 * the `root` user has default `ALL` privileges on all new databases. It is also the only 51 user allowed to create databases. 52 * `root` user privileges cannot be removed. (This may change and be implicit `ALL` for `root`). 53 * table privileges are inherited from database privileges at creation time. After that, 54 they are allowed to diverge. 55 * `GRANT` is specified as a privilege. It may make more sense to use `WITH GRANT OPTION` 56 on the `GRANT` statement (similar to postgres and mysql). 57 * privileges can be displayed using `SHOW GRANTS [FOR x]`. 58 * `ALL` is a shortcut for setting and display. 59 60 ## Supported privileges 61 62 | Privilege | Level | 63 |-----------|-----------| 64 | ALL | DB, Table | 65 | CREATE | DB | 66 | DROP | DB, Table | 67 | GRANT | DB, Table | 68 | SELECT | Table | 69 | INSERT | Table | 70 | DELETE | Table | 71 | UPDATE | Table | 72 73 ## Statement comparison 74 75 *Important note*: there is a lot of simplification in the following summaries. 76 For more details, it is recommended to follow the links. 77 78 `CREATE DATABASE`: 79 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/create-database.html): 80 requires mysqladmin command or `CREATE` privilege on the database. 81 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-createdatabase.html): 82 requires `SUPERUSER` or `CREATEDB` user option. 83 * cockroach: requires `root` user. 84 85 `CREATE TABLE`: 86 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/create-table.html): 87 `CREATE` privilege on table. 88 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-createtable.html): 89 `CREATE` privilege in schema. 90 * cockroach: `CREATE` privilege on database. 91 92 `DROP DATABASE`: 93 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/drop-database.html): 94 `DROP` on database. 95 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-dropdatabase.html): 96 database owner only. 97 * cockroach: `DROP` on database, or `root` user. 98 99 `DROP TABLE`: 100 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/drop-table.html): 101 `DROP` on table. 102 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-droptable.html): 103 table or schema owner. or `SUPERUSER`. 104 * cockroach: `DROP` on table. 105 106 `GRANT`: 107 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/grant.html): 108 `GRANT OPTION` and the granted privileges. 109 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-grant.html): 110 `GRANT OPTION` and the granted privileges. 111 * cockroach: `GRANT` on affected object. Does not require the granted privileges. 112 113 `REVOKE`: 114 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/revoke.html): 115 `GRANT OPTION` and the revoked privileges (another invocation has stricter requirements). 116 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-revoke.html): 117 owner, or `GRANT OPTION` on revoked privileges. Complex rules for grantees. 118 * cockroach: `GRANT` on affected object. 119 120 `SELECT`: 121 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/select.html): 122 `SELECT` (doc seems incomplete). 123 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-select.html): 124 `SELECT` if tables are read. Also requires `UPDATE` when using `FOR UPDATE`. 125 * cockroach: `SELECT` if tables are read. 126 127 `INSERT`: 128 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/insert.html): 129 `INSERT`. `UPDATE` or `SELECT` for `ON DUPLICATE KEY UPDATE`. 130 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-insert.html): 131 `INSERT`. `SELECT` if using `RETURNING`. 132 * cockroach: `INSERT` on table. `SELECT` if using `SELECT` clause on tables. 133 134 `DELETE`: 135 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/delete.html): 136 `DELETE` on table. `SELECT` if `WHERE` clause operates on tables. 137 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-delete.html): 138 `DELETE` on table. `SELECT` if `USING` or `WHERE` clauses operate on tables. 139 * cockroach: `DELETE` on table. `SELECT` if `WHERE` clause operates on tables. 140 141 `UPDATE`: 142 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/update.html): 143 `UPDATE`. Also `SELECT` for `WHERE` clause with table. 144 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-update.html): 145 `UPDATE`. Also `SELECT` for `WHERE` clause with table. 146 * cockroach: `UPDATE`. Also `SELECT` for `WHERE` clause with table. 147 148 `TRUNCATE`: 149 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/truncate-table.html): 150 `DROP` on table. 151 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-truncate.html): 152 `TRUNCATE` privilege. 153 * cockroach: `DROP` on table. 154 155 `SHOW`: 156 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/show.html): 157 shows objects the user has privileges on. 158 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-show.html): 159 only `SHOW name` is supported. No privileges required. 160 * cockroach: no privileges required (we may wish something closer to mysql). 161 162 `SET`: 163 * [mysql](https://dev.mysql.com/doc/refman/5.7/en/set.html): 164 some require superuser, some cannot be changed after session start. 165 * [postgres](http://www.postgresql.org/docs/9.4/static/sql-set.html): 166 unknown. Probably no privileges. 167 * cockroach: session variables can be changed at will. Privileges for 168 other types of variables will be revisited. 169 170 ## Storing privileges 171 172 Privileges are stored in the `DatabaseDescriptor` and `TableDescriptor` using 173 a list sorted by user. 174 This gives the planner access to privileges after a descriptor lookup. 175 176 Future improvements include gossiping descriptors [#1743](https://github.com/cockroachdb/cockroach/pull/1743) 177 and potentially using a real table. 178 179 # Drawbacks 180 181 Postgres and mysql both have global user tables. We do not require users 182 to be in the user config, only to be properly authenticated. This means 183 that we cannot have user-defined super users. 184 185 Like all sql servers, privilege logic is very custom. This proposal closely 186 resembles the mysql logic modified for the lack of a global privilege table. 187 188 A proper use of privileges greatly depends on proper documentation. Both 189 postgres and mysql do an inadequate job of documenting required privileges 190 for various operations, sometimes mentioning nothing at all. 191 192 The right balance has to be found between simplicity and familiarity. 193 Simplifying `GRANT` to be a privilege in itself may be counter-intuitive 194 for those familiar with other sql servers. 195 196 # Alternatives 197 198 Two possible future features are: 199 * requirement that all users be in a global table/config. 200 * global permissions table/config. 201 202 # Unresolved questions 203 204 Examine privilege logic for other sql servers and sql layers on top of non-transactional 205 databases. 206 207 This is an incomplete list of statements. If approved, this RFC should be turned into a 208 document and kept up-to-date with implementation.