From 956baa2b9ab37a1510480c438478195f46bfe4a8 Mon Sep 17 00:00:00 2001 From: soyeric128 Date: Mon, 26 Aug 2024 22:03:19 -0400 Subject: [PATCH 1/2] updated --- .../56-security/access-control/03-ownership.md | 15 ++++++++++----- .../10-sql-commands/00-ddl/02-user/10-grant.md | 14 ++++++++++---- .../10-sql-commands/00-ddl/02-user/11-revoke.md | 6 +++--- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/docs/en/guides/56-security/access-control/03-ownership.md b/docs/en/guides/56-security/access-control/03-ownership.md index 5dc8af7870..7ddf54c08c 100644 --- a/docs/en/guides/56-security/access-control/03-ownership.md +++ b/docs/en/guides/56-security/access-control/03-ownership.md 
@@ -2,17 +2,22 @@ title: Ownership --- -Ownership is a specialized privilege that signifies the exclusive rights and responsibilities a role holds over a specific data object (currently including a database, table, UDF, and stage) within Databend. The ownership of an object is automatically granted to the current role of the user who creates it. +Ownership is a specialized privilege that signifies the exclusive rights and responsibilities a role holds over a specific data object (currently including a database, table, UDF, and stage) within Databend. ## Granting Ownership -The ownership of an object can be granted from one role to another. Once it is granted from one role to another, the ownership is transferred to the new role. +An object's ownership is automatically granted to the role of the user who creates it and can be transferred between roles using the [GRANT](/sql/sql-commands/ddl/user/grant) command: -- Granting ownership to the built-in role `public` is not recommended for security reasons. If a user is in the `public` role when creating a object, then all users will have ownership of the object because each Databend user has the `public` role by default. Databend recommends creating and assigning customized roles to users instead of using the `public` role for clarified ownership management. For information about the built-in roles, see [Built-in Roles](02-roles.md). -- If a role that has ownership of an object is deleted, an account_admin can grant ownership of the object to another role. +- Granting ownership of an object to a new role transfers full ownership to the new role, removing it from the previous role. For example, if Role A initially owns a table and you grant ownership to Role B, Role B will become the new owner, and Role A will no longer have ownership rights to that table. +- Granting ownership to the built-in role `public` is not recommended for security reasons. 
If a user is in the `public` role when creating a object, then all users will have ownership of the object because each user has the `public` role by default. Databend recommends creating and assigning customized roles to users instead of using the `public` role for clarified ownership management. For information about the built-in roles, see [Built-in Roles](02-roles.md). - Ownership cannot be granted for tables in the `default` database, as it is owned by the built-in role `account_admin`. -Dropping an object will revoke ownership from the owner role. However, restoring (UNDROP, if available) a dropped object will NOT restore ownership. In this case, you will need an `account_admin` to grant ownership to a role again. +## Revoking Ownership Not Allowed + +Revoking ownership is *not* supported because every object must have an owner. + +- If an object is dropped, it will not retain its ownership by the original role. If the object is restored (if possible), ownership will not be automatically reassigned, and an `account_admin` will need to manually reassign ownership to a role. +- If a role that owns an object is deleted, an `account_admin` can transfer ownership of the object to another role. ## Examples diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md index 074abb7754..f27c7dc3bd 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md 
@@ -6,11 +6,11 @@ import FunctionDescription from '@site/src/components/FunctionDescription'; -Grants privileges, roles, and ownership of a specific database object. This involves: +Grants privileges, roles, and ownership for a specific database object. This includes: -- Granting privileges to a user or a role. -- Granting a role to a user or a role. -- Granting ownership to a role. +- Granting privileges to users or roles. +- Assigning roles to users or other roles. +- Transferring ownership to a role. See also: @@ -60,6 +60,8 @@ privileges_level ::= | UDF ``` +To understand what a privilege is and how it works, see [Privileges](/guides/security/access-control/privileges). + ### Granting Role ```sql @@ -70,6 +72,8 @@ GRANT ROLE TO GRANT ROLE TO ROLE ``` +To understand what a role is and how it works, see [Roles](/guides/security/access-control/roles). + ### Granting Ownership ```sql @@ -83,6 +87,8 @@ GRANT OWNERSHIP ON STAGE TO ROLE '' GRANT OWNERSHIP ON UDF TO ROLE '' ``` +To understand what ownership is and how it works, see [Ownership](/guides/security/access-control/ownership). + ## Examples ### Example 1: Granting Privileges to a User diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md index 74f4cb668a..6774da6219 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/11-revoke.md @@ -6,10 +6,10 @@ import FunctionDescription from '@site/src/components/FunctionDescription'; -Revokes privileges, roles, and ownership of a specific database object. This involves: +Revokes privileges, roles, and ownership of a specific database object. This includes: -- Revoking privileges from a user or a role. -- Revoking a role from a user or a role. +- Revoking privileges from users or roles. +- Removing roles from users or other roles. See also: 
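Review bot: In the `03-ownership.md` hunk the `public` role bullet carries a typo into the added `+` line ("when creating a object" should read "when creating an object"), and "for clarified ownership management" reads better as "for clearer ownership management". The new heading `## Revoking Ownership Not Allowed` is unusual for a reference page; `## Revoking Ownership` followed by the sentence already there, "Revoking ownership is *not* supported because every object must have an owner.", carries the same message. The dropped-object bullet also loses the explicit `UNDROP` mention from the removed paragraph; keep it, e.g. "If the object is restored with UNDROP (where available), ownership will not be automatically reassigned", since that is the command readers will look for when they discover an owner is missing after a restore.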
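Review bot: In the `@@ -60`, `@@ -70` and `@@ -83` hunks of `10-grant.md` each added "To understand what … is and how it works" sentence lands after the syntax fence rather than under the heading it introduces, so a reader hits the grammar before the pointer to the concept; PATCH 2/2 in this series moves all three directly below their headings, which is the right placement, so this hunk should land with them already there rather than adding and then relocating the same lines.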
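Review bot: In the `11-revoke.md` hunk the intro line still reads "Revokes privileges, roles, and ownership of a specific database object. This includes:", but the list below it covers only privileges and roles, and the `03-ownership.md` hunk in this same patch states that revoking ownership is not supported because every object must have an owner. Either drop "and ownership" from the sentence or add a bullet such as "Ownership cannot be revoked; it can only be transferred to another role with [GRANT](/sql/sql-commands/ddl/user/grant)." so the REVOKE reference and the ownership guide do not contradict each other.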
From cd348585d03ad109a4875c3080ee807a7f61722a Mon Sep 17 00:00:00 2001 From: soyeric128 Date: Mon, 26 Aug 2024 22:10:48 -0400 Subject: [PATCH 2/2] Update 10-grant.md --- .../10-sql-commands/00-ddl/02-user/10-grant.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md index f27c7dc3bd..cbbea6d08a 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/02-user/10-grant.md @@ -21,6 +21,8 @@ See also: ### Granting Privileges +To understand what a privilege is and how it works, see [Privileges](/guides/security/access-control/privileges). + ```sql GRANT { schemaObjectPrivileges | ALL [ PRIVILEGES ] ON @@ -60,10 +62,10 @@ privileges_level ::= | UDF ``` -To understand what a privilege is and how it works, see [Privileges](/guides/security/access-control/privileges). - ### Granting Role +To understand what a role is and how it works, see [Roles](/guides/security/access-control/roles). + ```sql -- Grant a role to a user GRANT ROLE TO @@ -72,10 +74,10 @@ GRANT ROLE TO GRANT ROLE TO ROLE ``` -To understand what a role is and how it works, see [Roles](/guides/security/access-control/roles). - ### Granting Ownership +To understand what ownership is and how it works, see [Ownership](/guides/security/access-control/ownership). + ```sql -- Grant ownership of a specific table within a database to a role GRANT OWNERSHIP ON . TO ROLE '' @@ -87,8 +89,6 @@ GRANT OWNERSHIP ON STAGE TO ROLE '' GRANT OWNERSHIP ON UDF TO ROLE '' ``` -To understand what ownership is and how it works, see [Ownership](/guides/security/access-control/ownership). - ## Examples ### Example 1: Granting Privileges to a User
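Review bot: The four hunks in this patch (`@@ -21`, `@@ -60`, `@@ -72`, `@@ -87`) only relocate the three cross-reference sentences that PATCH 1/2 introduced after each syntax fence, placing them under their headings instead; the new placement is the better one, so squash this into PATCH 1/2 so the history does not record the same lines being added and then moved, and give the squashed commit a message that says what changed ("Update 10-grant.md" does not).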