Use the user management and role management features in the Security Center to set fine-grained permissions on resources, ensuring that only authorized users can access or manage them.
Prerequisites
You have created an instance. For more information, see Create an instance.
Roles and users
Roles
EMR Serverless StarRocks provides the following built-in roles:
| Role name | Description |
|---|---|
| | Manages database objects, such as creating and modifying them. |
| | A global role that is automatically granted to all users. Provides basic permissions to access public system resources. |
| | Manages user accounts, including creating users and granting permissions. |
Users
EMR Serverless StarRocks provides the following user types.
| User type | Description |
|---|---|
| Super administrator | A user is considered a super administrator if they have the |
| Regular user | A regular user has only the default |
User management
Create a user
- Go to the StarRocks Manager page.
  - Log on to the E-MapReduce console.
  - In the left navigation pane, choose EMR Serverless > StarRocks.
  - In the top menu bar, select a region as needed.
  - Click StarRocks Manager, or click Connect in the Actions column of the created instance.
    For more information on connecting to a StarRocks instance, see Connect to a StarRocks instance by using EMR StarRocks Manager.
- In the left navigation pane, choose .
- On the Users page, click Add User.
- In the dialog box, configure the following parameters and click OK.
  - User Source: The authentication method. The following options are available:
    - Custom: Creates a user using StarRocks's built-in user management.
    - RAM User: Uses an existing RAM user for authentication. This applies to scenarios where you integrate with DLF.
      Note:
      - Supported versions: StarRocks v3.2 and later.
      - Not applicable to: DLF 1.0 (Legacy).
  - Username:
    - Custom: Enter a username. It must be 2 to 64 characters long and can contain only letters, digits, hyphens (-), and underscores (_).
    - RAM User: Enter the name of an existing RAM user. If you have not created a RAM user, see Create a RAM user.
  - Password and Confirm Password: Enter a password. It must be 8 to 30 characters long and include uppercase and lowercase letters, digits, and special characters (for example, @, #, $, %, ^, *, _, +, -).
  - Role: You can assign existing built-in or custom roles to the new user.
    Note: To follow the principle of least privilege, grant users only the minimum permissions they need. This practice helps prevent security risks caused by excessive permissions.
Grant permissions to a user
You can grant the new user permissions on specific resources.
- On the Users page, click Add Permission in the Actions column for the target user.
- On the Permission Settings tab, click Add Permission.
- In the Add Permission panel, configure the following parameters and click OK.
  - Resource: The following resources are supported:
    - Catalogs: Controls access to internal data catalogs, databases, and tables.
    - External Data Catalogs: Controls access to external data catalogs, such as Hive, Iceberg, and Hudi.
    - Database: Controls a user's permissions to create, modify, delete, or query a specific database.
    - Table: Controls create, read, update, and delete (CRUD) permissions on specific tables.
    - Views: Controls permissions to view or operate on specific views.
    - Materialized View: Controls permissions to manage or access specific materialized views.
  - Permission: Available permissions:
    - Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.
    - External Data Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.
    - Database: ALL, ALTER, DROP, CREATE TABLE, CREATE VIEW, CREATE FUNCTION, CREATE MATERIALIZED VIEW, CREATE PIPE.
    - Table: ALL, ALTER, DROP, SELECT, INSERT, UPDATE, EXPORT, DELETE.
    - Views: ALL, SELECT, ALTER, DROP.
    - Materialized View: ALL, SELECT, ALTER, REFRESH, DROP.
Edit and delete users
- Edit a user: In the Actions column for a user, click Modify Description, Change Password, or Add Permission to change their description, password, or permissions.
- Delete a user:
  - Built-in user: The admin user cannot be deleted.
  - Custom user: A user with the required permissions can click Delete in the Actions column for a target user.
Role management
Create a role
If the built-in roles do not meet your needs, create a custom role for more fine-grained permission control.
- On the StarRocks Manager page, choose .
- On the Roles page, click Create Role.
- In the Create Role dialog box, enter a description and click OK.
Grant permissions to a role
You can grant specific permissions to a new or existing role to meet different business requirements.
- On the Roles page, click Add Permission in the Actions column for the target role.
- On the Permission Settings tab, click Add Permission.
- In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.
  - Resource: The following resources are supported:
    - Catalogs: Controls this role's access to internal data catalogs, databases, and tables.
    - External Data Catalogs: Controls this role's access to external data catalogs, such as Hive, Iceberg, and Hudi.
    - Database: Controls this role's permissions to create, modify, delete, or query a specific database.
    - Table: Controls this role's create, read, update, and delete (CRUD) permissions on specific tables.
    - Views: Controls this role's permissions to view or operate on specific views.
    - Materialized View: Controls this role's permissions to manage or access specific materialized views.
  - Permission: Available permissions:
    - Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.
    - External Data Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.
    - Database: ALL, ALTER, DROP, CREATE TABLE, CREATE VIEW, CREATE FUNCTION, CREATE MATERIALIZED VIEW, CREATE PIPE.
    - Table: ALL, ALTER, DROP, SELECT, INSERT, UPDATE, EXPORT, DELETE.
    - Views: ALL, SELECT, ALTER, DROP.
    - Materialized View: ALL, SELECT, ALTER, REFRESH, DROP.
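Added example (not part of the original documentation or of the product's own code): a Python pre-flight review of a planned set of grants against the resource and permission lists of the Add Permission panel, applying the least-privilege note from the Create a user section. The grant record layout, the `needed` field and all principal and object names are assumptions made for illustration.

```python
# Resource types and permissions as listed in the Add Permission panel on this page.
MATRIX = {
    "Catalogs": ["ALL", "USAGE", "CREATE DATABASE", "DROP", "ALTER"],
    "External Data Catalogs": ["ALL", "USAGE", "CREATE DATABASE", "DROP", "ALTER"],
    "Database": ["ALL", "ALTER", "DROP", "CREATE TABLE", "CREATE VIEW",
                 "CREATE FUNCTION", "CREATE MATERIALIZED VIEW", "CREATE PIPE"],
    "Table": ["ALL", "ALTER", "DROP", "SELECT", "INSERT", "UPDATE", "EXPORT", "DELETE"],
    "Views": ["ALL", "SELECT", "ALTER", "DROP"],
    "Materialized View": ["ALL", "SELECT", "ALTER", "REFRESH", "DROP"],
}

def effective(resource, permissions):
    """Expand ALL into the concrete permissions of that resource type."""
    offered = set(MATRIX[resource]) - {"ALL"}
    perms = {p.strip().upper() for p in permissions}
    return offered if "ALL" in perms else perms

def review(grants):
    """Return (principal, object, finding) tuples for a list of planned grants."""
    findings = []
    for g in grants:
        who, res, obj = g["principal"], g["resource"], g["object"]
        if res not in MATRIX:
            findings.append((who, obj, f"unknown resource type {res!r}"))
            continue
        requested = {p.strip().upper() for p in g["permissions"]}
        for p in sorted(requested - set(MATRIX[res])):
            findings.append((who, obj, f"{p} is not offered for {res}"))
        if "ALL" in requested:
            findings.append((who, obj, "ALL requested; list explicit permissions"))
        needed = {p.upper() for p in g["needed"]}  # hypothetical field: justified need
        excess = sorted((effective(res, requested) & set(MATRIX[res])) - needed)
        if excess:
            findings.append((who, obj, "beyond stated need: " + ", ".join(excess)))
    return findings

# Constructed sample plan (names are made up for illustration).
PLAN = [
    {"principal": "role:report_reader", "resource": "Table", "object": "sales.orders",
     "permissions": ["SELECT"], "needed": ["SELECT"]},
    {"principal": "user:etl_loader", "resource": "Table", "object": "sales.orders",
     "permissions": ["ALL"], "needed": ["INSERT", "SELECT"]},
    {"principal": "role:dashboards", "resource": "Views", "object": "sales.v_daily",
     "permissions": ["SELECT", "REFRESH"], "needed": ["SELECT"]},
]

if __name__ == "__main__":
    for who, obj, finding in review(PLAN):
        print(f"{who:20} {obj:14} {finding}")
```

An empty result means every planned grant uses a permission the panel offers for that resource type and nothing beyond the stated need.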
Edit and delete roles
- Edit a role:
  - Built-in role: You cannot edit or modify the permissions of a built-in role.
  - Custom role: To edit a custom role, click Edit or Add Permission in the Actions column for that role to change its description, assigned users, and permissions.
- Delete a role:
  - Built-in role: You cannot delete a built-in role.
  - Custom role: To delete a custom role, click Delete in the Actions column for that role.
Use cases
This section provides two common use cases.
Create a user and grant permissions
- On the EMR StarRocks Manager page, choose .
- Create a user.
  - On the Users page, click Add User.
  - In the dialog box, configure the parameters and click OK.
    For parameter details, see the parameter descriptions in the Create a user section.
- Grant permissions to the new user.
  - On the Users page, click Add Permission in the Actions column for the new user.
  - On the Permission Settings tab, click Add Permission.
  - In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.
Create a role and assign it to a user
Create a custom role if the built-in roles do not meet your specific needs for permission management.
- On the EMR StarRocks Manager page, choose .
- Create a role.
  - On the Roles page, click Create Role.
  - In the Create Role dialog box, enter a description and click OK.
- Add permissions to the new role.
  - On the Roles page, click Add Permission in the Actions column for the new role.
  - On the Permission Settings tab, click Add Permission.
  - In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.
- Assign the role to an existing user.
  - Click the User List tab.
  - On the Users tab, click Add User.
  - In the Add Permission panel, select the target user and click OK.
Related documents
To view SQL queries, analyze execution plans, and troubleshoot SQL issues for your instance, see Diagnosis and analysis.