Skip to main content
Version: 3.2

Privileges supported by StarRocks

Privileges granted to a user or role determine which operations the user or role can perform on certain objects. Privileges can be used to implement fine-grained access control to safeguard data security.

This topic describes privileges provided by StarRocks on different objects and their meanings. Privileges are granted and revoked by using GRANT and REVOKE. The privileges that can be granted on an object are specific to the object type. For example, table privileges are different from database privileges.

NOTE: The privileges described in this topic are available only from v3.0. The privilege framework and syntax in v3.0 are not backward compatible with those in earlier versions. After an upgrade to v3.0, most of your original privileges are still retained except those for specific operations. For the detailed differences, see Upgrade notes at the end of this topic.

Privilege list

This section describes privileges that are available on different objects.

SYSTEM

PrivilegeDescription
NODEOperates nodes, such as adding, deleting, or decommissioning nodes. To ensure cluster security, this privilege cannot be directly granted to users or roles. The cluster_admin role has this privilege.
GRANTCreates a user or role, alters a user or role, or grants privileges to a user or role. This privilege cannot be directly granted to users or roles. The user_admin role has this privilege.
CREATE RESOURCE GROUPCreates a resource group.
CREATE RESOURCECreates resources for Spark Load jobs or external tables.
CREATE EXTERNAL CATALOGCreates an external catalog.
PLUGINInstalls or uninstalls a plugin.
REPOSITORYCreates, deletes, or views repositories.
BLACKLISTCreates, deletes, or displays SQL blacklists.
FILECreates, deletes, or views files.
OPERATEManages replicas, configuration items, variables, and transactions.
CREATE GLOBAL FUNCTIONCreates a global UDF.
CREATE STORAGE VOLUMECreates a storage volume for a remote storage system.

RESOURCE GROUP

PrivilegeDescription
ALTERAdds or deletes classifiers for a resource group.
DROPDeletes a resource group.
ALLHas all the above privileges on a resource group.

RESOURCE

PrivilegeDescription
USAGEUses a resource.
ALTERAlters a resource.
DROPDeletes a resource.
ALLHas all the above privileges on a resource.

USER

PrivilegeDescription
IMPERSONATEAllows user A to perform operations as user B.

GLOBAL FUNCTION (Global UDFs)

PrivilegeDescription
USAGEUses a function in a query.
DROPDeletes a function.
ALLHas all the above privileges on a function.

CATALOG

ObjectPrivilegeDescription
CATALOG (internal catalog)USAGEUses the internal catalog (default_catalog).
CATALOG (internal catalog)CREATE DATABASECreates databases in the internal catalog.
CATALOG (internal catalog)ALLHas all the above privileges on the internal catalog.
CATALOG (external catalog)USAGEUses an external catalog to view tables in it.
CATALOG (external catalog)DROPDeletes an external catalog.
CATALOG (external catalog)ALLHas all the above privileges on the external catalog.

Notes: StarRocks internal catalog cannot be deleted.

DATABASE

PrivilegeDescription
ALTERSets properties for a database, rename a database, or sets quotas for a database.
DROPDeletes a database.
CREATE TABLECreates tables in a database.
CREATE VIEWCreates a view.
CREATE FUNCTIONCreates a function.
CREATE MATERIALIZED VIEWCreates a materialized view.
ALLHas all the above privileges on a database.

TABLE

PrivilegeDescription
ALTERModifies a table or refreshes metadata in an external table.
DROPDrops a table.
SELECTQueries data in a table.
INSERTInserts data into a table.
UPDATEUpdates data in a table.
EXPORTExports data from a StarRocks table.
DELETEDeletes data from a table based on the specified condition or deletes all the data from a table.
ALLHas all the above privileges on a table.

VIEW

PrivilegeDescription
SELECTQueries data in a view.
ALTERModifies the definition of a view.
DROPDeletes a logical view.
ALLHas all the above privileges on a view.

MATERIALIZED VIEW

PrivilegeDescription
SELECTQueries a materialized view to accelerate queries.
ALTERChanges a materialized view.
REFRESHRefreshes a materialized view.
DROPDeletes a materialized view.
ALLHas all the above privileges on a materialized view.

FUNCTION (Database-level UDFs)

PrivilegeDescription
USAGEUses a function.
DROPDeletes a function.
ALLHas all the above privileges on a function.

STORAGE VOLUME

PrivilegeDescription
ALTERAlters the credential properties, comment, or status (enabled) of a storage volume.
DROPDrops a storage volume.
USAGEDescribes a storage volume and sets a storage volume as the default storage volume.
ALLHas all the above privileges on a storage volume.

Upgrade notes

During an upgrade from v2.x to v3.0, some of your operations may be unable to perform due to the introduction of the new privilege system. The following table describes the changes before and after the upgrade.

OperationCommands involvedBeforeAfter
Change tableALTER TABLE, CANCEL ALTER TABLEUsers who have the LOAD_PRIV privilege on a table or the database to which the table belongs can perform the ALTER TABLE and CANCEL ALTER TABLE operations.You must have the ALTER privilege on the table to perform these two operations.
Refresh external tableREFRESH EXTERNAL TABLEUsers who have the LOAD_PRIV privilege on an external table can refresh the external table.You must have the ALTER privilege on the external table to perform this operation.
Backup and restoreBACKUP, RESTOREUsers who have the LOAD_PRIV privilege on a database can back up and restore the database or any table in the database.The administrator must grant backup and restore privileges to users again after the upgrade.
Recover after deletionRECOVERUsers who have the ALTER_PRIV, CREATE_PRIV, and DROP_PRIV privileges on the database and table can recover the database and table.You must have the CREATE DATABASE privilege on the default_catalog to recover the database. You must have the CREATE TABLE privilege on the database and the DROP privilege on the table.
Create and change usersCREATE USER, ALTER USERUsers who have the GRANT_PRIV privilege on the database can create and change users.You must have the user_admin role to create and change users.
Grant and revoke privilegesGRANT, REVOKEUsers who have the GRANT_PRIV privilege on an object can grant privileges on the object to other users or roles.After the upgrade, you can still grant the privileges you already have on that object to other users or roles after the upgrade.
In the new privilege system:
  • You must have the user_admin role to grant privileges to other users or roles.
  • If your GRANT statement includes WITH GRANT OPTION, you can grant the privileges involved in the statement to other users or roles.

In v2.x, StarRocks does not fully implement role-based access control (RBAC). When you assign a role to a user, StarRocks directly grants all the privileges of the role to the user, instead of the role itself. Therefore, the user does not actually own the role.

In v3.0, StarRocks renovates its privilege system. After an upgrade to v3.0, your original roles are retained but there is still no ownership between users and roles. If you want to use the new RBAC system, perform the GRANT operation to assign roles and privileges.