From cebca92156d16cdfa7ebf5e2997977899d5f19df Mon Sep 17 00:00:00 2001
From: Leto_b
Date: Wed, 2 Apr 2025 11:51:50 +0800
Subject: [PATCH 1/4] add authority namagement in table model
---
 src/.vuepress/sidebar/V2.0.x/en-Table.ts | 7 +
 src/.vuepress/sidebar/V2.0.x/zh-Table.ts | 5 +
 .../sidebar_timecho/V2.0.x/en-Table.ts | 7 +
 .../sidebar_timecho/V2.0.x/zh-Table.ts | 5 +
 .../Table/User-Manual/Authority-Management.md | 493 ++++++++++++++++++
 .../User-Manual/Authority-Management.md | 493 ++++++++++++++++++
 .../Table/User-Manual/Authority-Management.md | 483 +++++++++++++++++
 .../User-Manual/Authority-Management.md | 483 +++++++++++++++++
 8 files changed, 1976 insertions(+)
 create mode 100644 src/UserGuide/Master/Table/User-Manual/Authority-Management.md
 create mode 100644 src/UserGuide/latest-Table/User-Manual/Authority-Management.md
 create mode 100644 src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md
 create mode 100644 src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md
diff --git a/src/.vuepress/sidebar/V2.0.x/en-Table.ts b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
index 2093e570e..e758d1194 100644
--- a/src/.vuepress/sidebar/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
@@ -93,6 +93,13 @@ export const enSidebar = {
 prefix: 'User-Manual/',
 children: [
 { text: 'Data Sync', link: 'Data-Sync_apache' },
+ {
+ text: 'Security Management',
+ collapsible: true,
+ children: [
+ { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
+ ],
+ },
 {
 text: 'System Maintenance',
 collapsible: true,
diff --git a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
index aad81b998..60556e8b2 100644
--- a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
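Review bot: The new sidebar label `'Authority Management(V2.0.2)'` in the en-Table.ts hunk is formatted inconsistently with the rest of the commit: it has no space before the parenthesis, and the zh-Table.ts hunks spell the same tag lowercase as `(v2.0.2)`. Since the new page's own heading reads "Authority Management (V2.0.2)", the entry should probably match it, `{ text: 'Authority Management (V2.0.2)', link: 'Authority-Management' },`, and the zh entries should agree on the capitalisation of the version tag. The same applies to the sidebar_timecho/V2.0.x/en-Table.ts hunk. If the version suffix is meant to mark that the page only applies from 2.0.2, a short comment above the entry saying so would keep the next sidebar edit from dropping it; none of the sibling entries carry a version.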
@@ -86,6 +86,11 @@ export const zhSidebar = {
 prefix: 'User-Manual/',
 children: [
 { text: '数据同步', link: 'Data-Sync_apache' },
+ {
+ text: '安全管理',
+ collapsible: true,
+ children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
+ },
 {
 text: '系统运维',
 collapsible: true,
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
index e34adcdf3..3c14e78bf 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
@@ -97,6 +97,13 @@ export const enSidebar = {
 prefix: 'User-Manual/',
 children: [
 { text: 'Data Sync', link: 'Data-Sync_timecho' },
+ {
+ text: 'Security Management',
+ collapsible: true,
+ children: [
+ { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
+ ],
+ },
 { text: 'Tiered Storage', link: 'Tiered-Storage_timecho' },
 {
 text: 'System Maintenance',
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
index 058d1ba58..7a8fb9863 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
@@ -88,6 +88,11 @@ export const zhSidebar = {
 prefix: 'User-Manual/',
 children: [
 { text: '数据同步', link: 'Data-Sync_timecho' },
+ {
+ text: '安全管理',
+ collapsible: true,
+ children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
+ },
 { text: '多级存储', link: 'Tiered-Storage_timecho' },
 {
 text: '系统运维',
diff --git a/src/UserGuide/Master/Table/User-Manual/Authority-Management.md b/src/UserGuide/Master/Table/User-Manual/Authority-Management.md
new file mode 100644
index 000000000..cfbfa2713
--- /dev/null
+++ b/src/UserGuide/Master/Table/User-Manual/Authority-Management.md
@@ -0,0 +1,493 @@ + + +# Authority Management (V2.0.2) + +IoTDB provides permission management functionality to implement fine-grained access control for data and cluster systems, ensuring data and system security. This document introduces the basic concepts, user definitions, permission management, authentication logic, and functional use cases of the permission module in IoTDB's table model. + +## 1. Basic Concepts + +### 1.1 User + +A **user** is a legitimate database user. Each user is associated with a unique username and authenticated via a password. Before accessing the database, a user must provide valid credentials (a username and password that exist in the database). + +### 1.2 Permission + +A database supports multiple operations, but not all users can perform every operation. If a user is authorized to execute a specific operation, they are said to have the **permission** for that operation. + +### 1.3 Role + +A **role** is a collection of permissions, identified by a unique role name. Roles typically correspond to real-world identities (e.g., "traffic dispatcher"), where a single identity may encompass multiple users. Users sharing the same real-world identity often require the same set of permissions, and roles abstract this grouping for unified management. + +### 1.4 Default User and Role + +Upon initialization, IoTDB includes a default user: + +* ​**Username**​: `root` +* ​**Default password**​: `root` + +The `root` user is the ​**administrator**​, inherently possessing all permissions. This user cannot be granted or revoked permissions and cannot be deleted. The database maintains only one administrator user. Newly created users or roles start with **no permissions** by default. + +## 2. Permission List + +In IoTDB's table model, there are two main types of permissions: Global Permissions and Data Permissions . 
+ +### 2.1 Global Permissions + +Global permissions restrict a user's ability to administer the database system, including user management and role management. + +The following table describes the types of global permissions: + +| Permission Name | Description | +| ----------------- |----------------------------------------------------------------------------------------------------------------------------------| +| MANAGE\_USER | - Create users
- Delete users
- Modify user passwords
- View user permission details
- List all users | +| MANAGE\_ROLE | - Create roles
- Delete roles
- View role permission details
- Grant/revoke roles to/from users
- List all roles | + +### 2.2 Data Permissions + +Data permissions consist of permission types and permission scopes. + +* Permission Types: + * CREATE: Permission to create resources + * DROP: Permission to delete resources + * ALTER: Permission to modify definitions + * SELECT: Permission to query data + * INSERT: Permission to insert/update data + * DELETE: Permission to delete data +* Permission Scopes: + * ANY: System-wide (affects all databases and tables) + * DATABASE: Database-wide (affects the specified database and its tables) + * TABLE: Table-specific (affects only the specified table) +* Scope Enforcement Logic: + +When performing table-level operations, the system matches user permissions with data permission scopes hierarchically. Example: If a user attempts to write data to `DATABASE1.TABLE1`, the system checks for write permissions in this order: 1. `ANY` scope → 2. `DATABASE1` scope → 3. `DATABASE1.TABLE1` scope. The check stops at the first successful match or fails if no permissions are found. + +* Permission Type-Scope-Effect Matrix + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Permission TypeScope(Hierarchy)Effect
CREATEANYCreate any table/database
DATABASECreate tables in the specified database; create a database with the specified name
TABLECreate a table with the specified name
DROPANYDelete any table/database
DATABASEDelete the specified database or its tables
TABLEDelete the specified table
ALTERANYModify definitions of any table/database
DATABASEModify definitions of the specified database or its tables
TABLEModify the definition of the specified table
SELECTANYQuery data from any table in any database
DATABASEQuery data from any table in the specified database
TABLEQuery data from the specified table
INSERTANYInsert/update data in any table
DATABASEInsert/update data in any table within the specified database
TABLEInsert/update data in the specified table
DELETEANYDelete data from any table
DATABASEDelete data from tables within the specified database
TABLEDelete data from the specified table
+ +## 3. User and Role Management + +1. Create User (Requires `MANAGE_USER` Permission) + +```SQL +CREATE USER +eg: CREATE USER user1 'passwd' +``` + +Constraints: + +* Username: 4-32 characters (letters, numbers, special chars: `!@#$%^&*()_+-=`). Cannot duplicate the admin (`root`) username. +* Password: 4-32 characters (letters, numbers, special chars). Stored as MD5 hash by default. + +2. Update Password + +Users can update their own passwords. Updating others' passwords requires `MANAGE_USER`. + +```SQL +ALTER USER SET PASSWORD +eg: ALTER USER tempuser SET PASSWORD 'newpwd' +``` + +3. Delete User (Requires `MANAGE_USER`) + +```SQL +DROP USER +eg: DROP USER user1 +``` + +4. Create Role (Requires `MANAGE_ROLE`) + +```SQL +CREATE ROLE +eg: CREATE ROLE role1 +``` + +Constraints: + +* Role Name: 4-32 characters (letters, numbers, special chars). Cannot duplicate the admin role name. + +5. Delete Role (Requires `MANAGE_ROLE`) + +```SQL +DROP ROLE +eg: DROP ROLE role1 +``` + +6. Assign Role to User (Requires `MANAGE_ROLE`) + +```SQL +GRANT ROLE TO +eg: GRANT ROLE admin TO user1 +``` + +7. Revoke Role from User (Requires `MANAGE_ROLE`) + +```SQL +REVOKE ROLE FROM +eg: REVOKE ROLE admin FROM user1 +``` + +8. List All Users (Requires `MANAGE_USER`) + +```SQL +LIST USER +``` + +9. List All Roles (Requires `MANAGE_ROLE`) + +```SQL +LIST ROLE +``` + +10. List Users in a Role (Requires `MANAGE_USER`) + +```SQL +LIST USER OF ROLE +eg: LIST USER OF ROLE roleuser +``` + +11. List Roles of a User + +* Users can list their own permissions. +* Listing others' permissions requires `MANAGE_USER`. + +```SQL +LIST ROLE OF USER +eg: LIST ROLE OF USER tempuser +``` + +12. List User Permissions + +* Users can list their own permissions. +* Listing others' permissions requires `MANAGE_USER`. + +```SQL +LIST PRIVILEGES OF USER +eg: LIST PRIVILEGES OF USER tempuser +``` + +13. List Role Permissions + +* Users can list permissions of roles they have. 
+* Listing other roles' permissions requires `MANAGE_ROLE`. + +```SQL +LIST PRIVILEGES OF ROLE +eg: LIST PRIVILEGES OF ROLE actor +``` + +## 4. Permission Management + +IoTDB supports granting and revoking permissions through the following three methods: + +* Direct assignment/revocation by a super administrator +* Assignment/revocation by users with the `GRANT OPTION` privilege +* Assignment/revocation via roles (managed by super administrators or users with `MANAGE_ROLE` permissions) + +In the IoTDB Table Model, the following principles apply when granting or revoking permissions: + +* **Global permissions** can be granted/revoked without specifying a scope. +* **Data permissions** require specifying both the permission type and permission scope. When revoking, only the explicitly defined scope is affected, regardless of hierarchical inclusion relationships. +* Preemptive permission planning is allowed—permissions can be granted for databases or tables that do not yet exist. +* Repeated granting/revoking of permissions is permitted. +* `WITH GRANT OPTION`: Allows users to manage permissions within the granted scope. Users with this option can grant or revoke permissions for other users in the same scope. + +### 4.1 Granting Permissions + +1. Grant a user the permission to manage users + +```SQL +GRANT MANAGE_USER TO USER +eg: GRANT MANAGE_USER TO USER TEST_USER +``` + +2. Grant a user the permission to create databases and tables within the database, and allow them to manage permissions in that scope + +```SQL +GRANT CREATE ON DATABASE TO USER WITH GRANT OPTION +eg: GRANT CREATE ON DATABASE TESTDB TO USER TEST_USER WITH GRANT OPTION +``` + +3. Grant a role the permission to query a database + +```SQL +GRANT SELECT ON DATABASE TO ROLE +eg: GRANT SELECT ON DATABASE TESTDB TO ROLE TEST_ROLE +``` + +4. Grant a user the permission to query a table + +```SQL +GRANT SELECT ON . TO USER +eg: GRANT SELECT ON TESTDB.TESTTABLE TO USER TEST_USER +``` + +5. 
Grant a role the permission to query all databases and tables + +```SQL +GRANT SELECT ON ANY TO ROLE +eg: GRANT SELECT ON ANY TO ROLE TEST_ROLE +``` + +6. ALL Syntax Sugar: ALL represents all permissions within a given scope, allowing flexible permission granting. + +```sql +GRANT ALL TO USER TESTUSER +-- Grants all possible permissions to the user, including global permissions and all data permissions under ANY scope. + +GRANT ALL ON ANY TO USER TESTUSER +-- Grants all data permissions under the ANY scope. After execution, the user will have all data permissions across all databases. + +GRANT ALL ON DATABASE TESTDB TO USER TESTUSER +-- Grants all data permissions within the specified database. After execution, the user will have all data permissions on that database. + +GRANT ALL ON TABLE TESTTABLE TO USER TESTUSER +-- Grants all data permissions on the specified table. After execution, the user will have all data permissions on that table. +``` + +### 4.2 Revoking Permissions + +1. Revoke a user's permission to manage users + +```SQL +REVOKE MANAGE_USER FROM USER +eg: REVOKE MANAGE_USER FROM USER TEST_USER +``` + +2. Revoke a user's permission to create databases and tables within the database + +```SQL +REVOKE CREATE ON DATABASE FROM USER +eg: REVOKE CREATE ON DATABASE TEST_DB FROM USER TEST_USER +``` + +3. Revoke a user's permission to query a table + +```SQL +REVOKE SELECT ON . FROM USER +eg: REVOKE SELECT ON TESTDB.TESTTABLEFROM USER TEST_USER +``` + +4. Revoke a user's permission to query all databases and tables + +```SQL +REVOKE SELECT ON ANY FROM USER +eg: REVOKE SELECT ON ANY FROM USER TEST_USER +``` + +5. ALL Syntax Sugar: ALL represents all permissions within a given scope, allowing flexible permission revocation. + +```sql +REVOKE ALL FROM USER TESTUSER +-- Revokes all global permissions and all data permissions under ANY scope. 
+ +REVOKE ALL ON ANY FROM USER TESTUSER +-- Revokes all data permissions under the ANY scope, without affecting DB or TABLE-level permissions. + +REVOKE ALL ON DATABASE TESTDB FROM USER TESTUSER +-- Revokes all data permissions on the specified database, without affecting TABLE-level permissions. + +REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER +-- Revokes all data permissions on the specified table. +``` + +### 4.3 Viewing User Permissions + +Each user has an access control list that identifies all the permissions they have been granted. You can use the `LIST PRIVILEGES OF USER ` statement to view the permission information of a specific user or role. The output format is as follows: + +| ROLE | SCOPE | PRIVIVLEGE | WITH GRANT OPTION | +|--------------|---------| -------------- |-------------------| +| | DB1.TB1 | SELECT | FALSE | +| | | MANAGE\_ROLE | TRUE | +| ROLE1 | DB2.TB2 | UPDATE | TRUE | +| ROLE1 | DB3.\* | DELETE | FALSE | +| ROLE1 | \*.\* | UPDATE | TRUE | + +* ​**ROLE column**​: If empty, it indicates the user's own permissions. If not empty, it means the permission is derived from a granted role. +* ​**SCOPE column**​: Represents the permission scope of the user/role. Table-level permissions are denoted as `DB.TABLE`, database-level permissions as `DB.*`, and ANY-level permissions as `*.*`. +* ​**PRIVILEGE column**​: Lists the specific permission types. +* ​**WITH GRANT OPTION column**​: If `TRUE`, it means the user can grant their own permissions to others. +* A user or role can have permissions in both the tree model and the table model, but the system will only display the permissions relevant to the currently connected model. Permissions under the other model will not be shown. + +## 5. Example + +Using the content from the [Sample Data](../Reference/Sample-Data.md) as an example, the data in the two tables may belong to the **bj** and **sh** data centers, respectively. 
To prevent each center from accessing the other's database data, we need to implement permission isolation at the data center level. + +### 5.1 Creating Users + +Use `CREATE USER ` to create users. For example, the **root** user with all permissions can create two user roles for the **ln** and **sgcc** groups, named **bj\_write\_user** and ​**sh\_write\_user**​, both with the password ​**write\_pwd**​. The SQL statements are: + +```SQL +CREATE USER bj_write_user 'write_pwd' +CREATE USER sh_write_user 'write_pwd' +``` + +To display the users, use the following SQL statement: + +```Plain +LIST USER +``` + +The result will show the two newly created users, as follows: + +```sql ++-------------+ +| User| ++-------------+ +|bj_write_user| +| root| +|sh_write_user| ++-------------+ +``` + +### 5.2 Granting User Permissions + +Although the two users have been created, they do not yet have any permissions and thus cannot perform database operations. For example, if the **bj\_write\_user** attempts to write data to ​**table1**​, the SQL statement would be: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +``` + +The system will deny the operation and display an error: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 701: database is not specified +IoTDB> use database1 +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: DATABASE database1 +``` + +The **root** user can grant **bj\_write\_user** write permissions for **table1** using the `GRANT ON TO USER ` statement, for example: + +```sql +GRANT INSERT ON database1.table1 TO 
USER bj_write_user +``` + +After granting permissions, **bj\_write\_user** can successfully write data: + +```SQL +IoTDB> use database1 +Msg: The statement is executed successfully. +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: The statement is executed successfully. +``` + +### 5.3 Revoking User Permissions + +After granting permissions, the **root** user can revoke them using the `REVOKE ON FROM USER ` statement. For example: + +```sql +REVOKE INSERT ON database1.table1 FROM USER bj_write_user +REVOKE INSERT ON database1.table2 FROM USER sh_write_user +``` + +Once permissions are revoked, **bj\_write\_user** will no longer have write access to ​**table1**​: + +```sql +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: No permissions for this operation, please add privilege INSERT ON database1.table1 +``` diff --git a/src/UserGuide/latest-Table/User-Manual/Authority-Management.md b/src/UserGuide/latest-Table/User-Manual/Authority-Management.md new file mode 100644 index 000000000..cfbfa2713 --- /dev/null +++ b/src/UserGuide/latest-Table/User-Manual/Authority-Management.md 
@@ -0,0 +1,493 @@ + + +# Authority Management (V2.0.2) + +IoTDB provides permission management functionality to implement fine-grained access control for data and cluster systems, ensuring data and system security. This document introduces the basic concepts, user definitions, permission management, authentication logic, and functional use cases of the permission module in IoTDB's table model. + +## 1. Basic Concepts + +### 1.1 User + +A **user** is a legitimate database user. Each user is associated with a unique username and authenticated via a password. Before accessing the database, a user must provide valid credentials (a username and password that exist in the database). + +### 1.2 Permission + +A database supports multiple operations, but not all users can perform every operation. If a user is authorized to execute a specific operation, they are said to have the **permission** for that operation. + +### 1.3 Role + +A **role** is a collection of permissions, identified by a unique role name. Roles typically correspond to real-world identities (e.g., "traffic dispatcher"), where a single identity may encompass multiple users. Users sharing the same real-world identity often require the same set of permissions, and roles abstract this grouping for unified management. + +### 1.4 Default User and Role + +Upon initialization, IoTDB includes a default user: + +* ​**Username**​: `root` +* ​**Default password**​: `root` + +The `root` user is the ​**administrator**​, inherently possessing all permissions. This user cannot be granted or revoked permissions and cannot be deleted. The database maintains only one administrator user. Newly created users or roles start with **no permissions** by default. + +## 2. Permission List + +In IoTDB's table model, there are two main types of permissions: Global Permissions and Data Permissions . 
+ +### 2.1 Global Permissions + +Global permissions restrict a user's ability to administer the database system, including user management and role management. + +The following table describes the types of global permissions: + +| Permission Name | Description | +| ----------------- |----------------------------------------------------------------------------------------------------------------------------------| +| MANAGE\_USER | - Create users
- Delete users
- Modify user passwords
- View user permission details
- List all users | +| MANAGE\_ROLE | - Create roles
- Delete roles
- View role permission details
- Grant/revoke roles to/from users
- List all roles | + +### 2.2 Data Permissions + +Data permissions consist of permission types and permission scopes. + +* Permission Types: + * CREATE: Permission to create resources + * DROP: Permission to delete resources + * ALTER: Permission to modify definitions + * SELECT: Permission to query data + * INSERT: Permission to insert/update data + * DELETE: Permission to delete data +* Permission Scopes: + * ANY: System-wide (affects all databases and tables) + * DATABASE: Database-wide (affects the specified database and its tables) + * TABLE: Table-specific (affects only the specified table) +* Scope Enforcement Logic: + +When performing table-level operations, the system matches user permissions with data permission scopes hierarchically. Example: If a user attempts to write data to `DATABASE1.TABLE1`, the system checks for write permissions in this order: 1. `ANY` scope → 2. `DATABASE1` scope → 3. `DATABASE1.TABLE1` scope. The check stops at the first successful match or fails if no permissions are found. + +* Permission Type-Scope-Effect Matrix + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Permission TypeScope(Hierarchy)Effect
CREATEANYCreate any table/database
DATABASECreate tables in the specified database; create a database with the specified name
TABLECreate a table with the specified name
DROPANYDelete any table/database
DATABASEDelete the specified database or its tables
TABLEDelete the specified table
ALTERANYModify definitions of any table/database
DATABASEModify definitions of the specified database or its tables
TABLEModify the definition of the specified table
SELECTANYQuery data from any table in any database
DATABASEQuery data from any table in the specified database
TABLEQuery data from the specified table
INSERTANYInsert/update data in any table
DATABASEInsert/update data in any table within the specified database
TABLEInsert/update data in the specified table
DELETEANYDelete data from any table
DATABASEDelete data from tables within the specified database
TABLEDelete data from the specified table
+ +## 3. User and Role Management + +1. Create User (Requires `MANAGE_USER` Permission) + +```SQL +CREATE USER +eg: CREATE USER user1 'passwd' +``` + +Constraints: + +* Username: 4-32 characters (letters, numbers, special chars: `!@#$%^&*()_+-=`). Cannot duplicate the admin (`root`) username. +* Password: 4-32 characters (letters, numbers, special chars). Stored as MD5 hash by default. + +2. Update Password + +Users can update their own passwords. Updating others' passwords requires `MANAGE_USER`. + +```SQL +ALTER USER SET PASSWORD +eg: ALTER USER tempuser SET PASSWORD 'newpwd' +``` + +3. Delete User (Requires `MANAGE_USER`) + +```SQL +DROP USER +eg: DROP USER user1 +``` + +4. Create Role (Requires `MANAGE_ROLE`) + +```SQL +CREATE ROLE +eg: CREATE ROLE role1 +``` + +Constraints: + +* Role Name: 4-32 characters (letters, numbers, special chars). Cannot duplicate the admin role name. + +5. Delete Role (Requires `MANAGE_ROLE`) + +```SQL +DROP ROLE +eg: DROP ROLE role1 +``` + +6. Assign Role to User (Requires `MANAGE_ROLE`) + +```SQL +GRANT ROLE TO +eg: GRANT ROLE admin TO user1 +``` + +7. Revoke Role from User (Requires `MANAGE_ROLE`) + +```SQL +REVOKE ROLE FROM +eg: REVOKE ROLE admin FROM user1 +``` + +8. List All Users (Requires `MANAGE_USER`) + +```SQL +LIST USER +``` + +9. List All Roles (Requires `MANAGE_ROLE`) + +```SQL +LIST ROLE +``` + +10. List Users in a Role (Requires `MANAGE_USER`) + +```SQL +LIST USER OF ROLE +eg: LIST USER OF ROLE roleuser +``` + +11. List Roles of a User + +* Users can list their own permissions. +* Listing others' permissions requires `MANAGE_USER`. + +```SQL +LIST ROLE OF USER +eg: LIST ROLE OF USER tempuser +``` + +12. List User Permissions + +* Users can list their own permissions. +* Listing others' permissions requires `MANAGE_USER`. + +```SQL +LIST PRIVILEGES OF USER +eg: LIST PRIVILEGES OF USER tempuser +``` + +13. List Role Permissions + +* Users can list permissions of roles they have. 
+* Listing other roles' permissions requires `MANAGE_ROLE`. + +```SQL +LIST PRIVILEGES OF ROLE +eg: LIST PRIVILEGES OF ROLE actor +``` + +## 4. Permission Management + +IoTDB supports granting and revoking permissions through the following three methods: + +* Direct assignment/revocation by a super administrator +* Assignment/revocation by users with the `GRANT OPTION` privilege +* Assignment/revocation via roles (managed by super administrators or users with `MANAGE_ROLE` permissions) + +In the IoTDB Table Model, the following principles apply when granting or revoking permissions: + +* **Global permissions** can be granted/revoked without specifying a scope. +* **Data permissions** require specifying both the permission type and permission scope. When revoking, only the explicitly defined scope is affected, regardless of hierarchical inclusion relationships. +* Preemptive permission planning is allowed—permissions can be granted for databases or tables that do not yet exist. +* Repeated granting/revoking of permissions is permitted. +* `WITH GRANT OPTION`: Allows users to manage permissions within the granted scope. Users with this option can grant or revoke permissions for other users in the same scope. + +### 4.1 Granting Permissions + +1. Grant a user the permission to manage users + +```SQL +GRANT MANAGE_USER TO USER +eg: GRANT MANAGE_USER TO USER TEST_USER +``` + +2. Grant a user the permission to create databases and tables within the database, and allow them to manage permissions in that scope + +```SQL +GRANT CREATE ON DATABASE TO USER WITH GRANT OPTION +eg: GRANT CREATE ON DATABASE TESTDB TO USER TEST_USER WITH GRANT OPTION +``` + +3. Grant a role the permission to query a database + +```SQL +GRANT SELECT ON DATABASE TO ROLE +eg: GRANT SELECT ON DATABASE TESTDB TO ROLE TEST_ROLE +``` + +4. Grant a user the permission to query a table + +```SQL +GRANT SELECT ON . TO USER +eg: GRANT SELECT ON TESTDB.TESTTABLE TO USER TEST_USER +``` + +5. 
Grant a role the permission to query all databases and tables + +```SQL +GRANT SELECT ON ANY TO ROLE +eg: GRANT SELECT ON ANY TO ROLE TEST_ROLE +``` + +6. ALL Syntax Sugar: ALL represents all permissions within a given scope, allowing flexible permission granting. + +```sql +GRANT ALL TO USER TESTUSER +-- Grants all possible permissions to the user, including global permissions and all data permissions under ANY scope. + +GRANT ALL ON ANY TO USER TESTUSER +-- Grants all data permissions under the ANY scope. After execution, the user will have all data permissions across all databases. + +GRANT ALL ON DATABASE TESTDB TO USER TESTUSER +-- Grants all data permissions within the specified database. After execution, the user will have all data permissions on that database. + +GRANT ALL ON TABLE TESTTABLE TO USER TESTUSER +-- Grants all data permissions on the specified table. After execution, the user will have all data permissions on that table. +``` + +### 4.2 Revoking Permissions + +1. Revoke a user's permission to manage users + +```SQL +REVOKE MANAGE_USER FROM USER +eg: REVOKE MANAGE_USER FROM USER TEST_USER +``` + +2. Revoke a user's permission to create databases and tables within the database + +```SQL +REVOKE CREATE ON DATABASE FROM USER +eg: REVOKE CREATE ON DATABASE TEST_DB FROM USER TEST_USER +``` + +3. Revoke a user's permission to query a table + +```SQL +REVOKE SELECT ON . FROM USER +eg: REVOKE SELECT ON TESTDB.TESTTABLEFROM USER TEST_USER +``` + +4. Revoke a user's permission to query all databases and tables + +```SQL +REVOKE SELECT ON ANY FROM USER +eg: REVOKE SELECT ON ANY FROM USER TEST_USER +``` + +5. ALL Syntax Sugar: ALL represents all permissions within a given scope, allowing flexible permission revocation. + +```sql +REVOKE ALL FROM USER TESTUSER +-- Revokes all global permissions and all data permissions under ANY scope. 
+ +REVOKE ALL ON ANY FROM USER TESTUSER +-- Revokes all data permissions under the ANY scope, without affecting DB or TABLE-level permissions. + +REVOKE ALL ON DATABASE TESTDB FROM USER TESTUSER +-- Revokes all data permissions on the specified database, without affecting TABLE-level permissions. + +REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER +-- Revokes all data permissions on the specified table. +``` + +### 4.3 Viewing User Permissions + +Each user has an access control list that identifies all the permissions they have been granted. You can use the `LIST PRIVILEGES OF USER ` statement to view the permission information of a specific user or role. The output format is as follows: + +| ROLE | SCOPE | PRIVIVLEGE | WITH GRANT OPTION | +|--------------|---------| -------------- |-------------------| +| | DB1.TB1 | SELECT | FALSE | +| | | MANAGE\_ROLE | TRUE | +| ROLE1 | DB2.TB2 | UPDATE | TRUE | +| ROLE1 | DB3.\* | DELETE | FALSE | +| ROLE1 | \*.\* | UPDATE | TRUE | + +* ​**ROLE column**​: If empty, it indicates the user's own permissions. If not empty, it means the permission is derived from a granted role. +* ​**SCOPE column**​: Represents the permission scope of the user/role. Table-level permissions are denoted as `DB.TABLE`, database-level permissions as `DB.*`, and ANY-level permissions as `*.*`. +* ​**PRIVILEGE column**​: Lists the specific permission types. +* ​**WITH GRANT OPTION column**​: If `TRUE`, it means the user can grant their own permissions to others. +* A user or role can have permissions in both the tree model and the table model, but the system will only display the permissions relevant to the currently connected model. Permissions under the other model will not be shown. + +## 5. Example + +Using the content from the [Sample Data](../Reference/Sample-Data.md) as an example, the data in the two tables may belong to the **bj** and **sh** data centers, respectively. 
To prevent each center from accessing the other's database data, we need to implement permission isolation at the data center level. + +### 5.1 Creating Users + +Use `CREATE USER ` to create users. For example, the **root** user with all permissions can create two user roles for the **ln** and **sgcc** groups, named **bj\_write\_user** and ​**sh\_write\_user**​, both with the password ​**write\_pwd**​. The SQL statements are: + +```SQL +CREATE USER bj_write_user 'write_pwd' +CREATE USER sh_write_user 'write_pwd' +``` + +To display the users, use the following SQL statement: + +```Plain +LIST USER +``` + +The result will show the two newly created users, as follows: + +```sql ++-------------+ +| User| ++-------------+ +|bj_write_user| +| root| +|sh_write_user| ++-------------+ +``` + +### 5.2 Granting User Permissions + +Although the two users have been created, they do not yet have any permissions and thus cannot perform database operations. For example, if the **bj\_write\_user** attempts to write data to ​**table1**​, the SQL statement would be: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +``` + +The system will deny the operation and display an error: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 701: database is not specified +IoTDB> use database1 +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: DATABASE database1 +``` + +The **root** user can grant **bj\_write\_user** write permissions for **table1** using the `GRANT ON TO USER ` statement, for example: + +```sql +GRANT INSERT ON database1.table1 TO 
USER bj_write_user +``` + +After granting permissions, **bj\_write\_user** can successfully write data: + +```SQL +IoTDB> use database1 +Msg: The statement is executed successfully. +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: The statement is executed successfully. +``` + +### 5.3 Revoking User Permissions + +After granting permissions, the **root** user can revoke them using the `REVOKE ON FROM USER ` statement. For example: + +```sql +REVOKE INSERT ON database1.table1 FROM USER bj_write_user +REVOKE INSERT ON database1.table2 FROM USER sh_write_user +``` + +Once permissions are revoked, **bj\_write\_user** will no longer have write access to ​**table1**​: + +```sql +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: No permissions for this operation, please add privilege INSERT ON database1.table1 +``` diff --git a/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md new file mode 100644 index 000000000..e9a60e6dc --- /dev/null +++ b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md 
@@ -0,0 +1,483 @@ + + +# 权限管理 (V2.0.2) + +IoTDB 提供了权限管理功能,用于对数据和集群系统执行精细的访问控制,保障数据与系统安全。本篇介绍了 IoTDB 表模型中权限模块的基本概念、用户定义、权限管理、鉴权逻辑与功能用例。 + +## 1. 基本概念 + +### 1.1 用户 + +用户即数据库的合法使用者。一个用户与一个唯一的用户名相对应,并且拥有密码作为身份验证的手段。一个人在使用数据库之前,必须先提供合法的(即存于数据库中的)用户名与密码。 + +### 1.2 权限 + +数据库提供多种操作,但并非所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。 + +### 1.3 角色 + +角色是若干权限的集合,并且有一个唯一的角色名作为标识符。角色通常和一个现实身份相对应(例如交通调度员),而一个现实身份可能对应着多个用户。这些具有相同现实身份的用户往往具有相同的一些权限,角色就是为了能对这样的权限进行统一的管理的抽象。 + +### 1.4 默认用户与角色 + +安装初始化后的 IoTDB 中有一个默认用户 root,默认密码为 root。该用户为管理员用户,拥有所有权限,无法被赋予、撤销权限,也无法被删除,数据库内仅有一个管理员用户。一个新创建的用户或角色不具备任何权限。 + + +## 2. 权限列表 + +IoTDB 表模型主要有两类权限:全局权限、数据权限。 + +### 2.1 全局权限 + +全局权限限制了用户管理数据库的能力,包括用户管理和角色管理。 + +下表描述了全局权限的种类: + +| 权限名称 | 描述 | +| ----------------- |----------------------------------------------------------------------------------------| +| MANAGE\_USER | - 允许用户创建用户
- 允许用户删除用户
- 允许用户修改用户密码
- 允许用户查看用户的权限信息
- 允许用户列出所有用户 | +| MANAGE\_ROLE | - 允许用户创建角色
- 允许用户删除角色
- 允许用户查看角色的权限信息
- 允许用户将角色授予某个用户或撤销
- 允许用户列出所有角色 | + + +### 2.2 数据权限 + +数据权限由权限类型和范围组成。 + +* 权限类型包括:CREATE(创建权限),DROP(删除权限),ALTER(修改权限),SELECT(查询数据权限),INSERT(插入/更新数据权限),DELETE(删除数据权限)。 + +* 范围包括:ANY(系统范围内),DATABASE(数据库范围内),TABLE(单个表)。 + - 作用于 ANY 的权限会影响所有数据库和表。 + - 作用于数据库的权限会影响该数据库及其所有表。 + - 作用于表的权限仅影响该表。 + +* 范围生效说明:执行单表操作时,数据库会匹配用户权限与数据权限范围。例如,用户尝试向 DATABASE1.TABLE1 写入数据时,系统会依次检查用户是否有对 ANY、DATABASE1或 DATABASE1.TABLE1 的写入权限,直到匹配成功或者匹配失败。 + +* 权限类型、范围及效果逻辑关系如下表所示: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
权限类型权限范围(层级)权限效果
CREATEANY允许创建任意表、创建任意数据库
数据库允许用户在该数据库下创建表;允许用户创建该名称的数据库
允许用户创建该名称的表
DROPANY允许删除任意表、删除任意数据库
数据库允许用户删除该数据库;允许用户删除该数据库下的表
D允许用户删除该表
ALTERANY允许修改任意表的定义、任意数据库的定义
数据库允许用户修改数据库的定义,允许用户修改数据库下表的定义
允许用户修改表的定义
SELECTANY允许查询系统内任意数据库中任意表的数据
数据库允许用户查询该数据库中任意表的数据
允许用户查询该表中的数据。执行多表查询时,数据库仅展示用户有权限访问的数据。
INSERTANY允许任意数据库的任意表插入/更新数据
数据库允许用户向该数据库范围内任意表插入/更新数据
允许用户向该表中插入/更新数据
DELETEANY允许删除任意表的数据
数据库允许用户删除该数据库范围内的数据
允许用户删除该表中的数据
+ +## 3. 用户、角色管理 +1. 创建用户(需 MANAGE_USER 权限) + +```SQL +CREATE USER +eg: CREATE USER user1 'passwd' +``` + +- 用户名约束:4~32个字符,支持使用英文大小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,用户无法创建和管理员用户同名的用户。 +- 密码约束:4~32个字符,可使用大写小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,密码默认采用 MD5 进行加密。 + +2. 更新密码 + +用户可以更新自己的密码,但更新其他用户密码需要具备 MANAGE_USER 权限。 + +```SQL +ALTER USER SET PASSWORD +eg: ALTER USER tempuser SET PASSWORD 'newpwd' +``` + +3. 删除用户(需 MANAGE_USER 权限) + +```SQL +DROP USER +eg: DROP USER user1 +``` + +4. 创建角色 (需 MANAGE_ROLE 权限) + +```SQL +CREATE ROLE +eg: CREATE ROLE role1 +``` + +角色名约束:4~32个字符,支持使用英文大小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,用户无法创建和管理员用户同名的角色。 + +5. 删除角色 (需 MANAGE_ROLE 权限) + +```SQL +DROP ROLE +eg: DROP ROLE role1 +``` + +6. 赋予用户角色 (需 MANAGE_ROLE 权限) + +```SQL +GRANT ROLE TO +eg: GRANT ROLE admin TO user1 +``` + +7. 移除用户角色 (需 MANAGE_ROLE 权限) + +```SQL +REVOKE ROLE FROM +eg: REVOKE ROLE admin FROM user1 +``` + +8. 列出所有用户(需 MANAGE_USER 权限) + +```SQL +LIST USER +``` + +9. 列出所有的角色 (需 MANAGE_ROLE 权限) + +```SQL +LIST ROLE +``` + +10. 列出指定角色下所有用户(需 MANAGE_USER 权限) + +```SQL +LIST USER OF ROLE +eg: LIST USER OF ROLE roleuser +``` + +11. 列出指定用户下的所有角色 + +用户可以列出自己的角色,但列出其他用户的角色需要拥有 MANAGE_ROLE 权限。 + +```SQL +LIST ROLE OF USER +eg: LIST ROLE OF USER tempuser +``` + +12. 列出用户所有权限 + +用户可以列出自己的权限信息,但列出其他用户的权限需要拥有 MANAGE_USER 权限。 + +```SQL +LIST PRIVILEGES OF USER +eg: LIST PRIVILEGES OF USER tempuser +``` + +13. 列出角色所有权限 + +用户可以列出自己具有的角色的权限信息,列出其他角色的权限需要有 MANAGE_ROLE 权限。 + +```SQL +LIST PRIVILEGES OF ROLE +eg: LIST PRIVILEGES OF ROLE actor +``` + +## 4. 权限管理 + +IoTDB支持通过如下三种途径进行用户授权和撤销权限: + +- 超级管理员直接授予或撤销 + +- 拥有GRANT OPTION权限的用户授予或撤销 + +- 通过角色授予或撤销(由超级管理员或具备MANAGE_ROLE权限的用户操作角色) + +在IoTDB 表模型中,授权或撤销权限时需遵循以下原则: + +- 授权/撤销全局权限时,无需指定权限的范围。 + +- 授予/撤销数据权限时,需要指定权限类型和权限范围。在撤销权限时只会撤销指定的权限范围,不会受权限范围包含关系的影响。 + +- 允许对尚未创建的数据库或表提前进行权限规划和授权。 + +- 允许重复授权/撤销权限。 + +- WITH GRANT OPTION: 允许用户在授权范围内管理权限。用户可以授予或撤销其他用户在该范围内的权限。 + +### 4.1 授予权限 + +1. 
给用户授予管理用户的权限 + +```SQL +GRANT MANAGE_USER TO USER +eg: GRANT MANAGE_USER TO USER TEST_USER +``` + +2. 给用户授予创建数据库及在数据库范围内创建表的权限,且允许用户在该范围内管理权限 + +```SQL +GRANT CREATE ON DATABASE TO USER WITH GRANT OPTION +eg: GRANT CREATE ON DATABASE TESTDB TO USER TEST_USER WITH GRANT OPTION +``` + +3. 给角色授予查询数据库的权限 + +```SQL +GRANT SELECT ON DATABASE TO ROLE +eg: GRANT SELECT ON DATABASE TESTDB TO ROLE TEST_ROLE +``` + +4. 给用户授予查询表的权限 + +```SQL +GRANT SELECT ON . TO USER +eg: GRANT SELECT ON TESTDB.TESTTABLE TO USER TEST_USER +``` + +5. 给角色授予查询所有数据库及表的权限 + +```SQL +GRANT SELECT ON ANY TO ROLE +eg: GRANT SELECT ON ANY TO ROLE TEST_ROLE +``` + +6. ALL 语法糖:ALL 表示对象范围内所有权限,可以使用 ALL 字段灵活地授予权限。 + +```sql +GRANT ALL TO USER TESTUSER +-- 将用户可以获取的所有权限授予给用户,包括全局权限和 ANY 范围的所有数据权限 + +GRANT ALL ON ANY TO USER TESTUSER +-- 将 ANY 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在所有数据库上的所有数据权限 + +GRANT ALL ON DATABASE TESTDB TO USER TESTUSER +-- 将 DB 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在该数据库上的所有数据权限 + +GRANT ALL ON TABLE TESTTABLE TO USER TESTUSER +-- 将 TABLE 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在该表上的所有数据权限 +``` + +### 4.2 撤销权限 + +1. 取消用户管理用户的权限 + +```SQL +REVOKE MANAGE_USER FROM USER +eg: REVOKE MANAGE_USER FROM USER TEST_USER +``` + +2. 取消用户创建数据库及在数据库范围内创建表的权限 + +```SQL +REVOKE CREATE ON DATABASE FROM USER +eg: REVOKE CREATE ON DATABASE TEST_DB FROM USER TEST_USER +``` + +3. 取消用户查询表的权限 + +```SQL +REVOKE SELECT ON . FROM USER +eg: REVOKE SELECT ON TESTDB.TESTTABLEFROM USER TEST_USER +``` + +4. 取消用户查询所有数据库及表的权限 + +```SQL +REVOKE SELECT ON ANY FROM USER +eg: REVOKE SELECT ON ANY FROM USER TEST_USER +``` + +5. 
ALL 语法糖:ALL 表示对象范围内所有权限,可以使用 ALL 字段灵活地撤销权限。 + +```sql +REVOKE ALL FROM USER TESTUSER +-- 取消用户所有的全局权限以及 ANY 范围的所有数据权限 + +REVOKE ALL ON ANY FROM USER TESTUSER +-- 取消用户 ANY 范围的所有数据权限,不会影响 DB 范围和 TABLE 范围的权限 + +REVOKE ALL ON DATABASE TESTDB FROM USER TESTUSER +-- 取消用户在 DB 上的所有数据权限,不会影响 TABLE 权限 + +REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER +-- 取消用户在 TABLE 上的所有数据权限 +``` + +### 4.3 查看用户权限 + +每个用户都有一个权限访问列表,标识其获得的所有权限。可使用 `LIST PRIVILEGES OF USER ` 语句查看某个用户或角色的权限信息,输出格式如下: + +| ROLE | SCOPE | PRIVIVLEGE | WITH GRANT OPTION | +|--------------|---------| -------------- |-------------------| +| | DB1.TB1 | SELECT | FALSE | +| | | MANAGE\_ROLE | TRUE | +| ROLE1 | DB2.TB2 | UPDATE | TRUE | +| ROLE1 | DB3.\* | DELETE | FALSE | +| ROLE1 | \*.\* | UPDATE | TRUE | + +其中: +- `ROLE` 列:如果为空,则表示为该用户的自身权限。如果不为空,则表示该权限来源于被授予的角色。 +- `SCOPE` 列:表示该用户/角色的权限范围,表范围的权限表示为`DB.TABLE`,数据库范围的权限表示为`DB.*`, ANY 范围的权限表示为`*.*`。 +- `PRIVIVLEGE` 列:列出具体的权限类型。 +- `WITH GRANT OPTION` 列:如果为 TRUE,表示用户可以将自己的权限授予他人。 +- 用户或者角色可以同时具有树模型和表模型的权限,但系统会根据当前连接的模型来显示相应的权限,另一种模型下的权限则不会显示。 + +## 5. 5. 
示例 + +以 [示例数据](../Reference/Sample-Data.md) 内容为例,两个表的数据可能分别属于 bj、sh 两个数据中心,彼此间不希望对方获取自己的数据库数据,因此我们需要将不同的数据在数据中心层进行权限隔离。 + +### 5.1 5.1 创建用户 + +使用 `CREATE USER ` 创建用户。例如,可以使用具有所有权限的root用户为 ln 和 sgcc 集团创建两个用户角色,名为 `bj_write_user`, `sh_write_user`,密码均为 `write_pwd`。SQL 语句为: + +```SQL +CREATE USER bj_write_user 'write_pwd' +CREATE USER sh_write_user 'write_pwd' +``` + +使用展示用户的 SQL 语句: + +```Plain +LIST USER +``` + +可以看到这两个已经被创建的用户,结果如下: + +```sql ++-------------+ +| User| ++-------------+ +|bj_write_user| +| root| +|sh_write_user| ++-------------+ +``` + +### 5.2 5.2 赋予用户权限 + +虽然两个用户已经创建,但是不具有任何权限,因此并不能对数据库进行操作,例如使用 `bj_write_user` 用户对 table1 中的数据进行写入,SQL 语句为: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +``` + +系统不允许用户进行此操作,会提示错误: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 701: database is not specified +IoTDB> use database1 +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: DATABASE database1 +``` + +root 用户使用 `GRANT ON TO USER ` 语句赋予用户`bj_write_user`对 table1 的写入权限,例如: + +```sql +GRANT INSERT ON database1.table1 TO USER bj_write_user +``` + +使用`bj_write_user`再尝试写入数据 + +```SQL +IoTDB> use database1 +Msg: The statement is executed successfully. +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: The statement is executed successfully. 
+``` + +### 5.3 5.3 撤销用户权限 + +授予用户权限后,可以使用 `REVOKE ON FROM USER `来撤销已经授予用户的权限。例如,用root用户撤销`bj_write_user`和`sh_write_user`的权限: + +```sql +REVOKE INSERT ON database1.table1 FROM USER bj_write_user +REVOKE INSERT ON database1.table2 FROM USER sh_write_user +``` + +撤销权限后,`bj_write_user`就没有向table1写入数据的权限了。 + +```sql +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: No permissions for this operation, please add privilege INSERT ON database1.table1 +``` diff --git a/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md new file mode 100644 index 000000000..e9a60e6dc --- /dev/null +++ b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md @@ -0,0 +1,483 @@ + + +# 权限管理 (V2.0.2) + +IoTDB 提供了权限管理功能,用于对数据和集群系统执行精细的访问控制,保障数据与系统安全。本篇介绍了 IoTDB 表模型中权限模块的基本概念、用户定义、权限管理、鉴权逻辑与功能用例。 + +## 1. 基本概念 + +### 1.1 用户 + +用户即数据库的合法使用者。一个用户与一个唯一的用户名相对应,并且拥有密码作为身份验证的手段。一个人在使用数据库之前,必须先提供合法的(即存于数据库中的)用户名与密码。 + +### 1.2 权限 + +数据库提供多种操作,但并非所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。 + +### 1.3 角色 + +角色是若干权限的集合,并且有一个唯一的角色名作为标识符。角色通常和一个现实身份相对应(例如交通调度员),而一个现实身份可能对应着多个用户。这些具有相同现实身份的用户往往具有相同的一些权限,角色就是为了能对这样的权限进行统一的管理的抽象。 + +### 1.4 默认用户与角色 + +安装初始化后的 IoTDB 中有一个默认用户 root,默认密码为 root。该用户为管理员用户,拥有所有权限,无法被赋予、撤销权限,也无法被删除,数据库内仅有一个管理员用户。一个新创建的用户或角色不具备任何权限。 + + +## 2. 权限列表 + +IoTDB 表模型主要有两类权限:全局权限、数据权限。 + +### 2.1 全局权限 + +全局权限限制了用户管理数据库的能力,包括用户管理和角色管理。 + +下表描述了全局权限的种类: + +| 权限名称 | 描述 | +| ----------------- |----------------------------------------------------------------------------------------| +| MANAGE\_USER | - 允许用户创建用户
- 允许用户删除用户
- 允许用户修改用户密码
- 允许用户查看用户的权限信息
- 允许用户列出所有用户 | +| MANAGE\_ROLE | - 允许用户创建角色
- 允许用户删除角色
- 允许用户查看角色的权限信息
- 允许用户将角色授予某个用户或撤销
- 允许用户列出所有角色 | + + +### 2.2 数据权限 + +数据权限由权限类型和范围组成。 + +* 权限类型包括:CREATE(创建权限),DROP(删除权限),ALTER(修改权限),SELECT(查询数据权限),INSERT(插入/更新数据权限),DELETE(删除数据权限)。 + +* 范围包括:ANY(系统范围内),DATABASE(数据库范围内),TABLE(单个表)。 + - 作用于 ANY 的权限会影响所有数据库和表。 + - 作用于数据库的权限会影响该数据库及其所有表。 + - 作用于表的权限仅影响该表。 + +* 范围生效说明:执行单表操作时,数据库会匹配用户权限与数据权限范围。例如,用户尝试向 DATABASE1.TABLE1 写入数据时,系统会依次检查用户是否有对 ANY、DATABASE1或 DATABASE1.TABLE1 的写入权限,直到匹配成功或者匹配失败。 + +* 权限类型、范围及效果逻辑关系如下表所示: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
权限类型权限范围(层级)权限效果
CREATEANY允许创建任意表、创建任意数据库
数据库允许用户在该数据库下创建表;允许用户创建该名称的数据库
允许用户创建该名称的表
DROPANY允许删除任意表、删除任意数据库
数据库允许用户删除该数据库;允许用户删除该数据库下的表
D允许用户删除该表
ALTERANY允许修改任意表的定义、任意数据库的定义
数据库允许用户修改数据库的定义,允许用户修改数据库下表的定义
允许用户修改表的定义
SELECTANY允许查询系统内任意数据库中任意表的数据
数据库允许用户查询该数据库中任意表的数据
允许用户查询该表中的数据。执行多表查询时,数据库仅展示用户有权限访问的数据。
INSERTANY允许任意数据库的任意表插入/更新数据
数据库允许用户向该数据库范围内任意表插入/更新数据
允许用户向该表中插入/更新数据
DELETEANY允许删除任意表的数据
数据库允许用户删除该数据库范围内的数据
允许用户删除该表中的数据
+ +## 3. 用户、角色管理 +1. 创建用户(需 MANAGE_USER 权限) + +```SQL +CREATE USER +eg: CREATE USER user1 'passwd' +``` + +- 用户名约束:4~32个字符,支持使用英文大小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,用户无法创建和管理员用户同名的用户。 +- 密码约束:4~32个字符,可使用大写小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,密码默认采用 MD5 进行加密。 + +2. 更新密码 + +用户可以更新自己的密码,但更新其他用户密码需要具备 MANAGE_USER 权限。 + +```SQL +ALTER USER SET PASSWORD +eg: ALTER USER tempuser SET PASSWORD 'newpwd' +``` + +3. 删除用户(需 MANAGE_USER 权限) + +```SQL +DROP USER +eg: DROP USER user1 +``` + +4. 创建角色 (需 MANAGE_ROLE 权限) + +```SQL +CREATE ROLE +eg: CREATE ROLE role1 +``` + +角色名约束:4~32个字符,支持使用英文大小写字母、数字、特殊字符`(!@#$%^&*()_+-=)`,用户无法创建和管理员用户同名的角色。 + +5. 删除角色 (需 MANAGE_ROLE 权限) + +```SQL +DROP ROLE +eg: DROP ROLE role1 +``` + +6. 赋予用户角色 (需 MANAGE_ROLE 权限) + +```SQL +GRANT ROLE TO +eg: GRANT ROLE admin TO user1 +``` + +7. 移除用户角色 (需 MANAGE_ROLE 权限) + +```SQL +REVOKE ROLE FROM +eg: REVOKE ROLE admin FROM user1 +``` + +8. 列出所有用户(需 MANAGE_USER 权限) + +```SQL +LIST USER +``` + +9. 列出所有的角色 (需 MANAGE_ROLE 权限) + +```SQL +LIST ROLE +``` + +10. 列出指定角色下所有用户(需 MANAGE_USER 权限) + +```SQL +LIST USER OF ROLE +eg: LIST USER OF ROLE roleuser +``` + +11. 列出指定用户下的所有角色 + +用户可以列出自己的角色,但列出其他用户的角色需要拥有 MANAGE_ROLE 权限。 + +```SQL +LIST ROLE OF USER +eg: LIST ROLE OF USER tempuser +``` + +12. 列出用户所有权限 + +用户可以列出自己的权限信息,但列出其他用户的权限需要拥有 MANAGE_USER 权限。 + +```SQL +LIST PRIVILEGES OF USER +eg: LIST PRIVILEGES OF USER tempuser +``` + +13. 列出角色所有权限 + +用户可以列出自己具有的角色的权限信息,列出其他角色的权限需要有 MANAGE_ROLE 权限。 + +```SQL +LIST PRIVILEGES OF ROLE +eg: LIST PRIVILEGES OF ROLE actor +``` + +## 4. 权限管理 + +IoTDB支持通过如下三种途径进行用户授权和撤销权限: + +- 超级管理员直接授予或撤销 + +- 拥有GRANT OPTION权限的用户授予或撤销 + +- 通过角色授予或撤销(由超级管理员或具备MANAGE_ROLE权限的用户操作角色) + +在IoTDB 表模型中,授权或撤销权限时需遵循以下原则: + +- 授权/撤销全局权限时,无需指定权限的范围。 + +- 授予/撤销数据权限时,需要指定权限类型和权限范围。在撤销权限时只会撤销指定的权限范围,不会受权限范围包含关系的影响。 + +- 允许对尚未创建的数据库或表提前进行权限规划和授权。 + +- 允许重复授权/撤销权限。 + +- WITH GRANT OPTION: 允许用户在授权范围内管理权限。用户可以授予或撤销其他用户在该范围内的权限。 + +### 4.1 授予权限 + +1. 
给用户授予管理用户的权限 + +```SQL +GRANT MANAGE_USER TO USER +eg: GRANT MANAGE_USER TO USER TEST_USER +``` + +2. 给用户授予创建数据库及在数据库范围内创建表的权限,且允许用户在该范围内管理权限 + +```SQL +GRANT CREATE ON DATABASE TO USER WITH GRANT OPTION +eg: GRANT CREATE ON DATABASE TESTDB TO USER TEST_USER WITH GRANT OPTION +``` + +3. 给角色授予查询数据库的权限 + +```SQL +GRANT SELECT ON DATABASE TO ROLE +eg: GRANT SELECT ON DATABASE TESTDB TO ROLE TEST_ROLE +``` + +4. 给用户授予查询表的权限 + +```SQL +GRANT SELECT ON . TO USER +eg: GRANT SELECT ON TESTDB.TESTTABLE TO USER TEST_USER +``` + +5. 给角色授予查询所有数据库及表的权限 + +```SQL +GRANT SELECT ON ANY TO ROLE +eg: GRANT SELECT ON ANY TO ROLE TEST_ROLE +``` + +6. ALL 语法糖:ALL 表示对象范围内所有权限,可以使用 ALL 字段灵活地授予权限。 + +```sql +GRANT ALL TO USER TESTUSER +-- 将用户可以获取的所有权限授予给用户,包括全局权限和 ANY 范围的所有数据权限 + +GRANT ALL ON ANY TO USER TESTUSER +-- 将 ANY 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在所有数据库上的所有数据权限 + +GRANT ALL ON DATABASE TESTDB TO USER TESTUSER +-- 将 DB 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在该数据库上的所有数据权限 + +GRANT ALL ON TABLE TESTTABLE TO USER TESTUSER +-- 将 TABLE 范围内可以获取的所有权限授予给用户,执行该语句后,用户将拥有在该表上的所有数据权限 +``` + +### 4.2 撤销权限 + +1. 取消用户管理用户的权限 + +```SQL +REVOKE MANAGE_USER FROM USER +eg: REVOKE MANAGE_USER FROM USER TEST_USER +``` + +2. 取消用户创建数据库及在数据库范围内创建表的权限 + +```SQL +REVOKE CREATE ON DATABASE FROM USER +eg: REVOKE CREATE ON DATABASE TEST_DB FROM USER TEST_USER +``` + +3. 取消用户查询表的权限 + +```SQL +REVOKE SELECT ON . FROM USER +eg: REVOKE SELECT ON TESTDB.TESTTABLEFROM USER TEST_USER +``` + +4. 取消用户查询所有数据库及表的权限 + +```SQL +REVOKE SELECT ON ANY FROM USER +eg: REVOKE SELECT ON ANY FROM USER TEST_USER +``` + +5. 
ALL 语法糖:ALL 表示对象范围内所有权限,可以使用 ALL 字段灵活地撤销权限。 + +```sql +REVOKE ALL FROM USER TESTUSER +-- 取消用户所有的全局权限以及 ANY 范围的所有数据权限 + +REVOKE ALL ON ANY FROM USER TESTUSER +-- 取消用户 ANY 范围的所有数据权限,不会影响 DB 范围和 TABLE 范围的权限 + +REVOKE ALL ON DATABASE TESTDB FROM USER TESTUSER +-- 取消用户在 DB 上的所有数据权限,不会影响 TABLE 权限 + +REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER +-- 取消用户在 TABLE 上的所有数据权限 +``` + +### 4.3 查看用户权限 + +每个用户都有一个权限访问列表,标识其获得的所有权限。可使用 `LIST PRIVILEGES OF USER ` 语句查看某个用户或角色的权限信息,输出格式如下: + +| ROLE | SCOPE | PRIVIVLEGE | WITH GRANT OPTION | +|--------------|---------| -------------- |-------------------| +| | DB1.TB1 | SELECT | FALSE | +| | | MANAGE\_ROLE | TRUE | +| ROLE1 | DB2.TB2 | UPDATE | TRUE | +| ROLE1 | DB3.\* | DELETE | FALSE | +| ROLE1 | \*.\* | UPDATE | TRUE | + +其中: +- `ROLE` 列:如果为空,则表示为该用户的自身权限。如果不为空,则表示该权限来源于被授予的角色。 +- `SCOPE` 列:表示该用户/角色的权限范围,表范围的权限表示为`DB.TABLE`,数据库范围的权限表示为`DB.*`, ANY 范围的权限表示为`*.*`。 +- `PRIVIVLEGE` 列:列出具体的权限类型。 +- `WITH GRANT OPTION` 列:如果为 TRUE,表示用户可以将自己的权限授予他人。 +- 用户或者角色可以同时具有树模型和表模型的权限,但系统会根据当前连接的模型来显示相应的权限,另一种模型下的权限则不会显示。 + +## 5. 5. 
示例 + +以 [示例数据](../Reference/Sample-Data.md) 内容为例,两个表的数据可能分别属于 bj、sh 两个数据中心,彼此间不希望对方获取自己的数据库数据,因此我们需要将不同的数据在数据中心层进行权限隔离。 + +### 5.1 5.1 创建用户 + +使用 `CREATE USER ` 创建用户。例如,可以使用具有所有权限的root用户为 ln 和 sgcc 集团创建两个用户角色,名为 `bj_write_user`, `sh_write_user`,密码均为 `write_pwd`。SQL 语句为: + +```SQL +CREATE USER bj_write_user 'write_pwd' +CREATE USER sh_write_user 'write_pwd' +``` + +使用展示用户的 SQL 语句: + +```Plain +LIST USER +``` + +可以看到这两个已经被创建的用户,结果如下: + +```sql ++-------------+ +| User| ++-------------+ +|bj_write_user| +| root| +|sh_write_user| ++-------------+ +``` + +### 5.2 5.2 赋予用户权限 + +虽然两个用户已经创建,但是不具有任何权限,因此并不能对数据库进行操作,例如使用 `bj_write_user` 用户对 table1 中的数据进行写入,SQL 语句为: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +``` + +系统不允许用户进行此操作,会提示错误: + +```sql +IoTDB> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 701: database is not specified +IoTDB> use database1 +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: DATABASE database1 +``` + +root 用户使用 `GRANT ON TO USER ` 语句赋予用户`bj_write_user`对 table1 的写入权限,例如: + +```sql +GRANT INSERT ON database1.table1 TO USER bj_write_user +``` + +使用`bj_write_user`再尝试写入数据 + +```SQL +IoTDB> use database1 +Msg: The statement is executed successfully. +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: The statement is executed successfully. 
+``` + +### 5.3 5.3 撤销用户权限 + +授予用户权限后,可以使用 `REVOKE ON FROM USER `来撤销已经授予用户的权限。例如,用root用户撤销`bj_write_user`和`sh_write_user`的权限: + +```sql +REVOKE INSERT ON database1.table1 FROM USER bj_write_user +REVOKE INSERT ON database1.table2 FROM USER sh_write_user +``` + +撤销权限后,`bj_write_user`就没有向table1写入数据的权限了。 + +```sql +IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2025-03-26 13:37:00', 190.0, 30.1, false, '2025-03-26 13:37:34') +Msg: org.apache.iotdb.jdbc.IoTDBSQLException: 803: Access Denied: No permissions for this operation, please add privilege INSERT ON database1.table1 +``` From bbbbfe6cf78adeb93fe6dff94592cc9819354b86 Mon Sep 17 00:00:00 2001 From: Leto_b Date: Wed, 2 Apr 2025 11:57:47 +0800 Subject: [PATCH 2/4] add authority namagement in table model --- .../Master/Table/User-Manual/Authority-Management.md | 8 ++++---- .../latest-Table/User-Manual/Authority-Management.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md index e9a60e6dc..4a4c4d7ab 100644 --- a/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md +++ b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md @@ -403,11 +403,11 @@ REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER - `WITH GRANT OPTION` 列:如果为 TRUE,表示用户可以将自己的权限授予他人。 - 用户或者角色可以同时具有树模型和表模型的权限,但系统会根据当前连接的模型来显示相应的权限,另一种模型下的权限则不会显示。 -## 5. 5. 示例 +## 5. 示例 以 [示例数据](../Reference/Sample-Data.md) 内容为例,两个表的数据可能分别属于 bj、sh 两个数据中心,彼此间不希望对方获取自己的数据库数据,因此我们需要将不同的数据在数据中心层进行权限隔离。 -### 5.1 5.1 创建用户 +### 5.1 创建用户 使用 `CREATE USER ` 创建用户。例如,可以使用具有所有权限的root用户为 ln 和 sgcc 集团创建两个用户角色,名为 `bj_write_user`, `sh_write_user`,密码均为 `write_pwd`。SQL 语句为: 
@@ -434,7 +434,7 @@ LIST USER +-------------+ ``` -### 5.2 5.2 赋予用户权限 +### 5.2 赋予用户权限 虽然两个用户已经创建,但是不具有任何权限,因此并不能对数据库进行操作,例如使用 `bj_write_user` 用户对 table1 中的数据进行写入,SQL 语句为: @@ -466,7 +466,7 @@ IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maint Msg: The statement is executed successfully. ``` -### 5.3 5.3 撤销用户权限 +### 5.3 撤销用户权限 授予用户权限后,可以使用 `REVOKE ON FROM USER `来撤销已经授予用户的权限。例如,用root用户撤销`bj_write_user`和`sh_write_user`的权限: diff --git a/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md index e9a60e6dc..4a4c4d7ab 100644 --- a/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md +++ b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md @@ -403,11 +403,11 @@ REVOKE ALL ON TABLE TESTDB FROM USER TESTUSER - `WITH GRANT OPTION` 列:如果为 TRUE,表示用户可以将自己的权限授予他人。 - 用户或者角色可以同时具有树模型和表模型的权限,但系统会根据当前连接的模型来显示相应的权限,另一种模型下的权限则不会显示。 -## 5. 5. 示例 +## 5. 示例 以 [示例数据](../Reference/Sample-Data.md) 内容为例,两个表的数据可能分别属于 bj、sh 两个数据中心,彼此间不希望对方获取自己的数据库数据,因此我们需要将不同的数据在数据中心层进行权限隔离。 -### 5.1 5.1 创建用户 +### 5.1 创建用户 使用 `CREATE USER ` 创建用户。例如,可以使用具有所有权限的root用户为 ln 和 sgcc 集团创建两个用户角色,名为 `bj_write_user`, `sh_write_user`,密码均为 `write_pwd`。SQL 语句为: @@ -434,7 +434,7 @@ LIST USER +-------------+ ``` -### 5.2 5.2 赋予用户权限 +### 5.2 赋予用户权限 虽然两个用户已经创建,但是不具有任何权限,因此并不能对数据库进行操作,例如使用 `bj_write_user` 用户对 table1 中的数据进行写入,SQL 语句为: @@ -466,7 +466,7 @@ IoTDB:database1> INSERT INTO table1(region, plant_id, device_id, model_id, maint Msg: The statement is executed successfully. ``` -### 5.3 5.3 撤销用户权限 +### 5.3 撤销用户权限 授予用户权限后,可以使用 `REVOKE ON FROM USER `来撤销已经授予用户的权限。例如,用root用户撤销`bj_write_user`和`sh_write_user`的权限: From 35d7b0e573e2b3d238dd4c14d0ea92b6ccff50e5 Mon Sep 17 00:00:00 2001 
From: Leto_b
Date: Thu, 3 Apr 2025 11:46:26 +0800
Subject: [PATCH 3/4] adjust content and sidebar name
---
 src/.vuepress/sidebar/V2.0.x/en-Table.ts | 2 +-
 src/.vuepress/sidebar/V2.0.x/zh-Table.ts | 2 +-
 src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts | 2 +-
 src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts | 2 +-
 src/UserGuide/Master/Table/User-Manual/Authority-Management.md | 2 +-
 src/UserGuide/latest-Table/User-Manual/Authority-Management.md | 2 +-
 .../UserGuide/Master/Table/User-Manual/Authority-Management.md | 2 +-
 .../UserGuide/latest-Table/User-Manual/Authority-Management.md | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/.vuepress/sidebar/V2.0.x/en-Table.ts b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
index e758d1194..dbad4d60d 100644
--- a/src/.vuepress/sidebar/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
@@ -94,7 +94,7 @@ export const enSidebar = {
 children: [
 { text: 'Data Sync', link: 'Data-Sync_apache' },
 {
- text: 'Security Management',
+ text: 'Security Permissions',
 collapsible: true,
 children: [
 { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
diff --git a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
index 60556e8b2..52013507a 100644
--- a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
@@ -87,7 +87,7 @@ export const zhSidebar = {
 children: [
 { text: '数据同步', link: 'Data-Sync_apache' },
 {
- text: '安全管理',
+ text: '安全权限',
 collapsible: true,
 children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
 },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
index 3c14e78bf..789a7fa96 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
@@ -98,7 +98,7 @@ export const enSidebar = {
 children: [
 { text: 'Data Sync', link: 'Data-Sync_timecho' },
 {
- text: 'Security Management',
+ text: 'Security Permissions',
 collapsible: true,
 children: [
 { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
index 7a8fb9863..ddfd7fdf8 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
@@ -89,7 +89,7 @@ export const zhSidebar = {
 children: [
 { text: '数据同步', link: 'Data-Sync_timecho' },
 {
- text: '安全管理',
+ text: '安全权限',
 collapsible: true,
 children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
 },
diff --git a/src/UserGuide/Master/Table/User-Manual/Authority-Management.md b/src/UserGuide/Master/Table/User-Manual/Authority-Management.md
index cfbfa2713..abec9a183 100644
--- a/src/UserGuide/Master/Table/User-Manual/Authority-Management.md
+++ b/src/UserGuide/Master/Table/User-Manual/Authority-Management.md
@@ -52,7 +52,7 @@ In IoTDB's table model, there are two main types of permissions: Global Permissi
 ### 2.1 Global Permissions
-Global permissions restrict a user's ability to administer the database system, including user management and role management.
+Global permissions include user management and role management.
 The following table describes the types of global permissions:
diff --git a/src/UserGuide/latest-Table/User-Manual/Authority-Management.md b/src/UserGuide/latest-Table/User-Manual/Authority-Management.md
index cfbfa2713..abec9a183 100644
--- a/src/UserGuide/latest-Table/User-Manual/Authority-Management.md
+++ b/src/UserGuide/latest-Table/User-Manual/Authority-Management.md
@@ -52,7 +52,7 @@ In IoTDB's table model, there are two main types of permissions: Global Permissi
 ### 2.1 Global Permissions
-Global permissions restrict a user's ability to administer the database system, including user management and role management.
+Global permissions include user management and role management.
 The following table describes the types of global permissions:
diff --git a/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md
index 4a4c4d7ab..7947398ab 100644
--- a/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md
+++ b/src/zh/UserGuide/Master/Table/User-Manual/Authority-Management.md
@@ -48,7 +48,7 @@ IoTDB 表模型主要有两类权限:全局权限、数据权限。
 ### 2.1 全局权限
-全局权限限制了用户管理数据库的能力,包括用户管理和角色管理。
+全局权限包含用户管理和角色管理。
 下表描述了全局权限的种类:
diff --git a/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md
index 4a4c4d7ab..7947398ab 100644
--- a/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md
+++ b/src/zh/UserGuide/latest-Table/User-Manual/Authority-Management.md
@@ -48,7 +48,7 @@ IoTDB 表模型主要有两类权限:全局权限、数据权限。
 ### 2.1 全局权限
-全局权限限制了用户管理数据库的能力,包括用户管理和角色管理。
+全局权限包含用户管理和角色管理。
 下表描述了全局权限的种类:
From 18d10178cfd3d0d73ae5fa48869b5c6fa7e7181f Mon Sep 17 00:00:00 2001
From: Leto_b
Date: Thu, 3 Apr 2025 17:05:27 +0800
Subject: [PATCH 4/4] adjust sidebar
---
 src/.vuepress/sidebar/V2.0.x/en-Table.ts | 2 +-
 src/.vuepress/sidebar/V2.0.x/zh-Table.ts | 2 +-
 src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts | 2 +-
 src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/.vuepress/sidebar/V2.0.x/en-Table.ts b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
index dbad4d60d..23feddf88 100644
--- a/src/.vuepress/sidebar/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
@@ -97,7 +97,7 @@ export const enSidebar = {
 text: 'Security Permissions',
 collapsible: true,
 children: [
- { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
+ { text: 'Authority Management', link: 'Authority-Management' },
 ],
 },
 {
diff --git a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
index 52013507a..fad0619f8 100644
--- a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
@@ -89,7 +89,7 @@ export const zhSidebar = {
 {
 text: '安全权限',
 collapsible: true,
- children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
+ children: [{ text: '权限管理', link: 'Authority-Management' }],
 },
 {
 text: '系统运维',
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
index 789a7fa96..180c016a3 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
@@ -101,7 +101,7 @@ export const enSidebar = {
 text: 'Security Permissions',
 collapsible: true,
 children: [
- { text: 'Authority Management(V2.0.2)', link: 'Authority-Management' },
+ { text: 'Authority Management', link: 'Authority-Management' },
 ],
 },
 { text: 'Tiered Storage', link: 'Tiered-Storage_timecho' },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
index ddfd7fdf8..83d409f17 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
@@ -91,7 +91,7 @@ export const zhSidebar = {
 {
 text: '安全权限',
 collapsible: true,
- children: [{ text: '权限管理(v2.0.2)', link: 'Authority-Management' }],
+ children: [{ text: '权限管理', link: 'Authority-Management' }],
 },
 { text: '多级存储', link: 'Tiered-Storage_timecho' },
 {