Authority Control #

Definition #

DBPlusEngine provides distributed cooperation capability for databases. At the same time, it abstracts some database features to the upper layer for unified management, which reduces difficulty for users and improves operational efficiency.

Authority control is one of these capabilities.

Handing authority control to DBPlusEngine for unified management has the following benefits:

  • Users are not confused when accessing heterogeneous resources and do not need to worry about which dialect to use for management.
  • Authorization is managed on logical databases and logical tables, which are isolated from the underlying real databases and tables, making it easier for users to understand.
  • Authorization information does not become inconsistent when database resources change, and no overhead is incurred for synchronizing that information.

Therefore, in order to make authority control easier to use, the DBPlusEngine team created a new authority control system.

User #

Refers to the user of DBPlusEngine.

Initial user #

Refers to the user set through the configuration file before DBPlusEngine is started.

Ordinary users #

In contrast to the initial user, ordinary users are created dynamically while DBPlusEngine is running.

Role #

A role is a named collection of a certain number of authorities. Role-based authority control simplifies user authority management.

Privilege #

Refers to the power of the user to perform operations on specific targets.

DistSQL #

DistSQL (Distributed SQL) is DBPlusEngine’s operating language. Having abstracted and unified authority control, DBPlusEngine provides a proprietary DistSQL syntax that administrators use to manage and maintain users and permissions.

DML #

Data Manipulation Language, including INSERT, SELECT, UPDATE and DELETE statements.

DDL #

Data Definition Language, including CREATE, ALTER, DROP and TRUNCATE statements.

Impact on the System #

  • Fine-grained authority control

It can precisely control the operation authorities granted to each user at the database level, table level and column level.

  • Unified interactive language

Users and authorities are managed with DistSQL, which is unique to DBPlusEngine. Whether the storage node is MySQL, PostgreSQL, openGauss or Oracle, authority control works the same way.

  • Authority control takes effect in real time

Changes to users or authorizations take effect in real time without restarting DBPlusEngine.

  • Authorization information is automatically synchronized in the cluster

When user and authorization information changes, the other computing nodes in the cluster receive the change in real time and update their user authorizations. The administrator does not need to repeat operations on multiple nodes, which simplifies cluster management.

Principle #

Authority storage #

In the architecture of DBPlusEngine, the computing node (DBPlusEngine-Proxy) is stateless and does not provide data storage. User account and authorization information is therefore stored in the governance center.

Thanks to the capability of the governance center, this information can be distributed to multiple computing nodes in the cluster in real time, which greatly reduces the maintenance cost of using the cluster and improves management efficiency.

Because of the unified authority management mechanism, DBPlusEngine no longer forwards native DCL statements it receives to the underlying storage nodes; instead it returns an "unsupported" prompt. Users must use the DistSQL provided by DBPlusEngine for account and authorization management.

Authority provider #

DBPlusEngine uses a pluggable architecture to organize and extend features. The authority engine offers several authority providers:

| Name | Description | Control Granularity | Support Dynamic Management |
|---|---|---|---|
| ALL_PERMITTED | There are no authority restrictions. Every user has super authorization. | Null | |
| DATABASE_PERMITTED | Database level authority can be restricted, and the logical database that each user can access needs to be specified through the configuration file before startup. | Database Level | |
| SphereEx:PERMITTED | Enterprise level authority provider, which can perform fine-grained authorization management. | Database, table and column level | ✔️ |

Note: The authority provider is specified by the administrator before DBPlusEngine is started.

Authentication process #

In DBPlusEngine, authority is verified level by level from top to bottom. When the user holds the authority at an upper level, the lower levels are not checked, which keeps authentication efficient. For example:

  • If the user has global SELECT authority, there is no need to check whether the user has the SELECT authorization of the target database table during the SELECT operation.
  • If the user has the INSERT authority at the database level, it is not necessary to check whether the user has the INSERT authorization of the target table during the INSERT operation.

And so on.
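The top-down check described above, sketched as an added example (not DBPlusEngine code). The `Grants` model, the `check` and `shadowed` helpers, the sample users and the rule that every referenced column must carry the grant are assumptions made for illustration. `shadowed` shows the audit consequence of the short-circuit: a lower-level grant under a matching upper-level grant is never evaluated, so revoking it alone does not reduce access.

```python
from dataclasses import dataclass, field

# Hypothetical model of the top-down check; these names are illustrative
# and are not DBPlusEngine classes or APIs.
@dataclass
class Grants:
    global_: set = field(default_factory=set)     # {"SELECT"}
    database: dict = field(default_factory=dict)  # {"db": {"INSERT"}}
    table: dict = field(default_factory=dict)     # {("db", "tbl"): {"UPDATE"}}
    column: dict = field(default_factory=dict)    # {("db", "tbl", "col"): {"SELECT"}}

def check(g, op, db, table, columns=()):
    """Return the level that authorised `op`, or None when it is denied."""
    if op in g.global_:
        return "global"                 # lower levels are never consulted
    if op in g.database.get(db, ()):
        return "database"
    if op in g.table.get((db, table), ()):
        return "table"
    # Assumption: at column level every referenced column must carry the grant.
    if columns and all(op in g.column.get((db, table, c), ()) for c in columns):
        return "column"
    return None

def shadowed(g):
    """List lower-level grants that an upper-level grant already covers."""
    found = []
    for db, ops in g.database.items():
        found += [("database", db, op) for op in sorted(ops) if op in g.global_]
    for (db, t), ops in g.table.items():
        upper = g.global_ | g.database.get(db, set())
        found += [("table", f"{db}.{t}", op) for op in sorted(ops) if op in upper]
    for (db, t, c), ops in g.column.items():
        upper = g.global_ | g.database.get(db, set()) | g.table.get((db, t), set())
        found += [("column", f"{db}.{t}.{c}", op) for op in sorted(ops) if op in upper]
    return found

# Constructed sample grants (not taken from a real deployment).
alice = Grants(global_={"SELECT"},
               database={"sales_db": {"INSERT"}},
               table={("sales_db", "t_order"): {"SELECT", "UPDATE"}})
bob = Grants(column={("sales_db", "t_user", "name"): {"SELECT"}})

if __name__ == "__main__":
    print(check(alice, "SELECT", "hr_db", "t_emp"))
    print(check(bob, "SELECT", "sales_db", "t_user", ["name", "phone"]))
    print(shadowed(alice))
```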

Relevant Reference #

Configuration of Authority (Commercial Edition)