hdygxsj commented on code in PR #7818:
URL: https://github.com/apache/gravitino/pull/7818#discussion_r2239675400


##########
docs/security/access-control.md:
##########
@@ -922,3 +931,69 @@ You can follow the steps to achieve the authorization of 
Gravitino.
 12. `Staff` creates a table `mysql_table` under the schema `mysql_db`.
 
 13. `Staff` can use Gravitino connector to query the tables from different 
catalogs.
+
+## API required conditions
+
+The following table lists the required privileges for each API.
+
+| API                         | Required Conditions(s)                         
                                                                                
  |
+|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------|
+| create metalake             | The user must be the service admins, 
configured in the server configurations.                                        
            |
+| load metalake               | The user is in the metalake                    
                                                                                
  |
+| alter metalake              | The owner of the metalake                      
                                                                                
  |
+| drop metalake               | The owner of the metalake                      
                                                                                
  | 
+| create catalog              | `CREATE_CATALOG` on the metalake or the owner 
of the metalake                                                                 
   |
+| alter catalog               | The owner of the catalog, metalake             
                                                                                
  |
+| drop catalog                | The owner of the catalog, metalake             
                                                                                
  |
+| list catalog                | The owner of the metalake can see all the 
catalogs, others can see the catalogs which they can load                       
       |
+| load catalog                | The owner of the metalake, catalog. 
`LOAD_CATALOG` on the metalake,catalog                                          
             |
+| create schema               | `CREATE_SCHEMA` on the metalake, catalog or 
the owner of the metalake, catalog                                              
     |
+| alter schema                | The owner of the schema, catalog, metalake     
                                                                                
  |
+| drop schema                 | The owner of the schema, catalog, metalake     
                                                                                
  |
+| list schema                 | The owner of the metalake, catalog can see all 
the schemas, others can see the schemas which they can load                     
  |
+| load schema                 | The owner of the metalake, catalog, schema. 
`LOAD_SCHEMA` on the metalake, catalog, schema                                  
     |
+| create table                | `CREATE_TABLE` on the metalake, catalog, 
schema or the owner of the metalake, catalog, schema                            
        |
+| alter table                 | The owner of the table, schema,catalog, 
metalake or `MODIFY_TABLE` on the table, schema, catalog, metalake              
         |
+| drop table                  | The owner of the table, schema, catalog, 
metalake                                                                        
        |
+| list table                  | The owner of the schema, catalog, metalake can 
see all the tables, others can see the table s which they can load              
  |
+| load table                  | The owner of the table, schema, metalake, 
catalog. `SELECT_TABLE` or `MODIFY_TABLE` on the table, schema, catalog, 
metalake      |
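Review bot: in the "API required conditions" table the owner-based cells use a bare comma list ("The owner of the catalog, metalake", "The owner of the schema, catalog, metalake") where the rows that spell it out use "or" ("`CREATE_CATALOG` on the metalake or the owner of the metalake"); a reader can take the comma as "and", so either state once above the table that the owner of any one listed object qualifies, or write "or" in those cells. The same table should keep one object ordering throughout: the "load table" row lists "table, schema, metalake, catalog" while every row above it goes metalake, catalog, schema, table. Typos to fix in the hunk: "Required Conditions(s)" -> "Required Condition(s)", "table s which they can load" -> "tables which they can load", "metalake,catalog" and "schema,catalog" need a space after the comma, and "The user must be the service admins" -> "one of the service admins". Finally, "drop table" accepts owners only while "alter table" also accepts `MODIFY_TABLE`; if that asymmetry is intended, a short sentence under the table saying so would stop readers from assuming a copy error.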

Review Comment:
   Should we remind users that the Table Owner needs USE_SCHEMA and USE_CATALOG 
privileges to perform this operation?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]