All Products
Search

This Product

    Hologres:Create user mapping

    Document Center

    Hologres:Create user mapping

    Last Updated:Mar 26, 2026

    CREATE USER MAPPING maps a Hologres logon account to credentials used for accessing external data sources. Once mapped, that account can query MaxCompute, DLF, OSS, or another Hologres instance without embedding credentials directly in queries.

    Starting from Hologres V3.0, user mappings also support RAM roles, letting accounts assume a RAM role for cross-account access to DLF 2.5 data sources and other Hologres instances.

    Prerequisites

    Before you begin, make sure you have one of the following:

    • Superuser permissions on the Hologres instance

    • Owner permissions on the foreign server

    • Usage permissions on the foreign server (lets you create user mappings for yourself only)

    Limitations

    • MaxCompute data sources and DLF 1.0 do not support RAM role-based user mappings. Use AccessKey-based mappings for these sources.

    Syntax overview

    Two configuration paths are available: external database and foreign server. Both use the same base syntax but differ in how they reference the data source.

    -- External database path (recommended)
CREATE USER MAPPING FOR "<user_name>"
EXTERNAL DATABASE <ext_db_name>
OPTIONS ( <options> );

-- Foreign server path
CREATE USER MAPPING FOR "<user_name>"
SERVER <server_name>
OPTIONS ( <options> );

    The <options> block varies by data source. See the sections below for the full syntax per source.

    External database configuration

    The external database path uses CREATE EXTERNAL DATABASE to load metadata from an external source into Hologres. This is the recommended path for DLF 2.5.

    MaxCompute

    CREATE USER MAPPING FOR "<user_name>"
EXTERNAL DATABASE <ext_db_name>
OPTIONS
(
    access_id '<AccessKey_ID>',
    access_key '<AccessKey_secret>'
);

    DLF

    CREATE USER MAPPING FOR "<user_name>"
EXTERNAL DATABASE <ext_db_name>
OPTIONS
(
    -- DLF 1.0: AccessKey credentials required
    dlf_access_id '<AccessKey_ID>',
    dlf_access_key '<AccessKey_secret>',
    oss_access_id '<AccessKey_ID>',
    oss_access_key '<AccessKey_secret>'

    -- DLF 2.5 option 1: AccessKey credentials
    -- dlf_access_id '<AccessKey_ID>',
    -- dlf_access_key '<AccessKey_secret>'

    -- DLF 2.5 option 2: RAM role (Hologres V3.0+)
    -- rolearn 'acs:ram::<account-id>:role/<role-name>'
);
    When using rolearn, configure the hologram:GrantAssumeRole permission in RAM before creating the user mapping. See Configure RAM permissions for rolearn.

    Parameters

    ParameterDescription
    user_nameThe account to authorize. Accepts a RAM user name, a Hologres BASIC account name, or PUBLIC. Setting PUBLIC creates a mapping applied to all users with no account-specific mapping — use with caution, as it grants access to every Hologres user on that external database.
    ext_db_nameThe external database created in this Hologres instance using CREATE EXTERNAL DATABASE. For more information, see CREATE EXTERNAL DATABASE.
    access_idThe AccessKey ID of the access account. Get it from the Resource Access Management (RAM) console.
    access_keyThe AccessKey secret of the access account.
    dlf_access_idThe AccessKey ID of an Alibaba Cloud account or RAM user with DLF read and write permissions.
    dlf_access_keyThe AccessKey secret for DLF access.
    oss_access_idThe AccessKey ID of an Alibaba Cloud account or RAM user with OSS read and write permissions.
    oss_access_keyThe AccessKey secret for OSS access.
    rolearnThe Role ARN (Global Resource Descriptor) identifying the RAM role to assume. Format: acs:ram::<account-id>:role/<role-name>, where <role-name> is lowercase. To look up a Role ARN, see View RAM roles.

    Query existing mappings

    SELECT
    datname,
    usename,
    eumoptions
FROM
    pg_holo_external_user_mappings;

    Foreign server configuration

    The foreign server path uses a named foreign server created in the Hologres instance. For MaxCompute, use the built-in server odps_server.

    MaxCompute

    CREATE USER MAPPING FOR "<user_name>"
SERVER odps_server  -- Built-in server for MaxCompute
OPTIONS
(
    access_id '<AccessKey_ID>',
    access_key '<AccessKey_secret>'
);

    DLF

    CREATE USER MAPPING FOR "<user_name>"
SERVER <server_name>
OPTIONS
(
    -- DLF 1.0
    dlf_access_id '<AccessKey_ID>',
    dlf_access_key '<AccessKey_secret>',
    oss_access_id '<AccessKey_ID>',
    oss_access_key '<AccessKey_secret>'

    -- DLF 2.5 option 1: AccessKey credentials
    -- dlf_access_id '<AccessKey_ID>',
    -- dlf_access_key '<AccessKey_secret>'

    -- DLF 2.5 option 2: RAM role (Hologres V3.0+)
    -- rolearn 'acs:ram::<account-id>:role/<role-name>'
);

    Hologres (cross-database queries)

    CREATE USER MAPPING FOR "<user_name>"
SERVER <server_name>
OPTIONS
(
    access_id '<AccessKey_ID>',
    access_key '<AccessKey_secret>'
);

    Parameters

    ParameterDescription
    user_nameThe account to authorize. Accepts a RAM user name, a Hologres BASIC account name, or PUBLIC. Setting PUBLIC creates a mapping applied to all users with no account-specific mapping — use with caution, as it grants access to every Hologres user on that foreign server.
    server_nameThe foreign server name. For MaxCompute, use the built-in odps_server. For other sources, use the name you set when running CREATE SERVER. For more information, see Create a foreign server.
    access_idThe AccessKey ID of the access account. Get it from the Resource Access Management (RAM) console.
    access_keyThe AccessKey secret of the access account.
    dlf_access_idThe AccessKey ID of an Alibaba Cloud account or RAM user with DLF read and write permissions.
    dlf_access_keyThe AccessKey secret for DLF access.
    oss_access_idThe AccessKey ID of an Alibaba Cloud account or RAM user with OSS read and write permissions.
    oss_access_keyThe AccessKey secret for OSS access.
    rolearnThe Role ARN (Global Resource Descriptor) identifying the RAM role to assume. Format: acs:ram::<account-id>:role/<role-name>, where <role-name> is lowercase. To look up a Role ARN, see View RAM roles.

    Query existing mappings

    SELECT
    um.srvname AS "Server",
    um.usename AS "User name"
FROM
    pg_catalog.pg_user_mappings um
WHERE
    um.srvname != 'query_log_store_server'
ORDER BY 1, 2;

    Configure RAM permissions for rolearn

    When using a RAM role (rolearn) in a user mapping, configure the hologram:GrantAssumeRole permission on that role in RAM. Hologres checks this permission before allowing the user mapping to be created.

    The policy grants any user with the permission the ability to create a user mapping for the specified Role ARN in Hologres.

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "hologram:GrantAssumeRole",
      "Resource": "<Role_ARN>"
    }
  ]
}

    Replace <Role_ARN> with the ARN of the role, for example acs:ram::123456789:role/myrole.

    Examples

    Grant a RAM user access to DLF 2.5 via a RAM role (external database)

    This example grants a RAM user access to a Paimon table in DLF 2.5 using a RAM role. All SQL steps are shown in order; the RAM console steps are described between them.

    Step 1: Create the external database.

    CREATE EXTERNAL DATABASE ext_db_dlf
WITH
    metastore_type 'dlf-rest'
    catalog_type 'paimon'
    dlf_catalog 'paimon_catalog';

    After creation, only the instance superuser and the database owner can access ext_db_dlf. Other accounts need a user mapping.

    Step 2: Create a RAM role with the required permissions.

    In the Resource Access Management (RAM) console:

    1. Click Role > Create Role. Set Trusted Entity Type to Alibaba Cloud Service, Role Type to Service Role, and Select Trusted Service to Interactive Analytics. Enter a role name and click Complete.

    2. On the Permission Model page, click Create Policy > Script Editor. Create two policies: Hologres permission check policy:

      {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "hologram:GrantAssumeRole",
            "Resource": "acs:ram::xxx:role/testramrole"
        }
    ]
}

      DLF permission check policy:

      {
    "Version": "1",
    "Statement": [
        {
            "Action": "dlf:CheckPermissions",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

    3. On the Role page, click Grant Permission and attach both policies.

    role2222

    Step 3: Create the user mapping in Hologres.

    CREATE USER MAPPING FOR "p4_203535926287167253"
EXTERNAL DATABASE ext_db_dlf
OPTIONS
(
    rolearn 'acs:ram::xxx:role/testramrole'
);

    Step 4: Verify access.

    Log in to Hologres as the RAM user and run:

    SELECT * FROM ext_db_dlf.dlf_db.paimon_table;

    Grant a BASIC account access to MaxCompute (foreign server)

    -- Step 1: Create the BASIC account
CREATE USER basicuser;

-- Step 2: Grant the account access to odps_server
CREATE USER MAPPING
FOR "basicuser"
SERVER odps_server
OPTIONS
(
    access_id 'LTxxxxxxxxxx',
    access_key 'y8xxxxxxxxxxxxx'
);

    Usage notes

    • When PUBLIC is used as user_name, the mapping applies to every Hologres user on that external database or foreign server who does not have a more specific user mapping. This is a broad grant — confirm that all instance users should have access before using it.

    • For DLF 2.5 with RAM roles, Hologres V3.0 or later is required.

    • MaxCompute data sources and DLF 1.0 do not support rolearn. Use access_id and access_key for these sources.

    • The <role-name> portion of a Role ARN is stored in lowercase regardless of how the role was created. For example, a role named MyRole becomes acs:ram::<account-id>:role/myrole.

    What's next