The role-based access control model in YSQL is a collection of privileges on resources given to roles. Thus, the entire RBAC model is built around roles, resources, and privileges. It is essential to understand these concepts in order to understand the RBAC model.
Roles in YSQL can represent individual users or a group of users. They encapsulate a set of privileges that can be assigned to other roles (or users). Roles are essential to implementing and administering access control on a YugabyteDB cluster. Below are some important points about roles:
Roles which have
LOGINprivilege are users. Hence, all users are roles, but all roles are not users.
Roles can be granted to other roles, making it possible to organize roles into a hierarchy.
Roles inherit the privileges of all other roles granted to them.
YSQL defines a number of specific resources, that represent underlying database objects. A resource can denote one object or a collection of objects. YSQL resources are hierarchical as described below:
- Databases and tables follow the hierarchy:
- ROLES are hierarchical (they can be assigned to other roles). They follow the hierarchy:
The table below lists out the various resources.
||Denotes one database. Typically includes all the tables and indexes defined in that database.|
||Denotes one table. Includes all the indexes defined on that table.|
||Denotes one role.|
||Collection of all databases in the database.|
||Collection of all roles in the database.|
Privileges are necessary to execute operations on database objects. Privileges can be granted at any level of the database hierarchy and are inherited downwards. The set of privileges include:
||database, table, role||ALTER|
||database, table, role||GRANT privilege, REVOKE privilege|
||database, table, role, index||CREATE|
||database, table, role, index||DROP|
||database, table||INSERT, UPDATE, DELETE, TRUNCATE|
ALTER TABLEprivilege on the base table is required in order to
DROPindexes on it.
Read more about YSQL privileges.