SingleStore Managed Service

Role Creation

SingleStore recommends the following roles be used as a starting point for all use of the RBAC functionality. It is strongly suggested that these commands be kept in a separate, version-controlled file and loaded into SingleStore from there. These scripts should be executed on every node where users will connect: typically all aggregators, and additionally all leaves if the application's design requires it to bypass the aggregators.

Compliance Officer

CREATE ROLE 'compliance_role';
GRANT USAGE on *.* to ROLE 'compliance_role' WITH GRANT OPTION;

CREATE GROUP 'compliance';
GRANT ROLE 'compliance_role' to 'compliance';

Security Officer

CREATE ROLE 'security_role';
GRANT CREATE USER on *.* to ROLE 'security_role';

CREATE GROUP 'security';
GRANT ROLE 'security_role' to 'security';

Database Administrator

CREATE ROLE 'dba_role';
GRANT CREATE DATABASE, DROP DATABASE on *.* to ROLE 'dba_role';
GRANT RELOAD on *.* to ROLE 'dba_role';
GRANT SUPER on *.* to ROLE 'dba_role';
GRANT SHOW METADATA on *.* to ROLE 'dba_role';

CREATE GROUP 'dba';
GRANT ROLE 'dba_role' to 'dba';

Cluster Administrator

CREATE ROLE 'cluster_role';
GRANT CLUSTER on *.* to ROLE 'cluster_role';
GRANT SHOW METADATA on *.* to ROLE 'cluster_role';

CREATE GROUP 'cluster';
GRANT ROLE 'cluster_role' to 'cluster';

Backup Operator

CREATE ROLE 'backup_operator_role';
GRANT BACKUP, RELOAD on *.* to ROLE 'backup_operator_role';

CREATE GROUP 'backup_admins';
GRANT ROLE 'backup_operator_role' to 'backup_admins';

Application Schema Owner

Create one for each distinct application:

CREATE ROLE 'app_<NAME>_schema_role';
GRANT CREATE, ALTER, DROP on <NAME>.* to ROLE 'app_<NAME>_schema_role';
GRANT CREATE VIEW, ALTER VIEW, DROP VIEW on <NAME>.* to ROLE 'app_<NAME>_schema_role';
GRANT SHOW VIEW on <NAME>.* to ROLE 'app_<NAME>_schema_role';
GRANT CREATE TEMPORARY TABLES on <NAME>.* to ROLE 'app_<NAME>_schema_role';

CREATE GROUP 'app_<NAME>_schema';
GRANT ROLE 'app_<NAME>_schema_role' to 'app_<NAME>_schema';

Application Service Account

Create one for each distinct application:

CREATE ROLE 'app_<NAME>_role';
GRANT SELECT, INSERT, UPDATE, DELETE on <NAME>.* to ROLE 'app_<NAME>_role';
GRANT SHOW VIEW on <NAME>.* to ROLE 'app_<NAME>_role';
GRANT LOCK TABLES on <NAME>.* to ROLE 'app_<NAME>_role';
GRANT CREATE TEMPORARY TABLES on <NAME>.* to ROLE 'app_<NAME>_role';

CREATE GROUP 'app_<NAME>';
GRANT ROLE 'app_<NAME>_role' to 'app_<NAME>';
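The two per-application templates above, instantiated for a constructed application named orders, with one login provisioned per group and a check of the result. This is an added example and not part of the SingleStore page: the database name orders, the user names, the '%' host mask and the password placeholders are assumptions, and the SHOW GROUPS FOR USER statement is assumed to be available in the deployed SingleStore version.

```sql
-- Added example (not from the SingleStore page): the two per-application
-- templates instantiated for a constructed application named "orders",
-- followed by one login per group and a check of the effective grants.
-- Assumptions: a database named orders already exists; user names, the
-- '%' host mask and the password placeholders are constructed.

-- 1. Schema owner: may change the schema of orders, but holds no DML
--    privilege, so it cannot read or modify application data.
CREATE ROLE 'app_orders_schema_role';
GRANT CREATE, ALTER, DROP ON orders.* TO ROLE 'app_orders_schema_role';
GRANT CREATE VIEW, ALTER VIEW, DROP VIEW ON orders.* TO ROLE 'app_orders_schema_role';
GRANT SHOW VIEW ON orders.* TO ROLE 'app_orders_schema_role';
GRANT CREATE TEMPORARY TABLES ON orders.* TO ROLE 'app_orders_schema_role';

CREATE GROUP 'app_orders_schema';
GRANT ROLE 'app_orders_schema_role' TO 'app_orders_schema';

-- 2. Service account: DML only, no DDL, so a leaked runtime credential
--    cannot alter or drop objects in the orders database.
CREATE ROLE 'app_orders_role';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.* TO ROLE 'app_orders_role';
GRANT SHOW VIEW ON orders.* TO ROLE 'app_orders_role';
GRANT LOCK TABLES ON orders.* TO ROLE 'app_orders_role';
GRANT CREATE TEMPORARY TABLES ON orders.* TO ROLE 'app_orders_role';

CREATE GROUP 'app_orders';
GRANT ROLE 'app_orders_role' TO 'app_orders';

-- 3. Logins receive a group, never a privilege directly, so every
--    privilege stays traceable to a role in the version-controlled file.
--    Replace the placeholder passwords before running.
CREATE USER 'orders_migrator'@'%' IDENTIFIED BY '<MIGRATOR_PASSWORD>';
GRANT GROUP 'app_orders_schema' TO 'orders_migrator'@'%';

CREATE USER 'orders_svc'@'%' IDENTIFIED BY '<SERVICE_PASSWORD>';
GRANT GROUP 'app_orders' TO 'orders_svc'@'%';

-- 4. Verify the service account: the output should list only the
--    SELECT/INSERT/UPDATE/DELETE, SHOW VIEW, LOCK TABLES and CREATE
--    TEMPORARY TABLES privileges on orders.*, and nothing on *.*.
SHOW GRANTS FOR 'orders_svc'@'%';
SHOW GROUPS FOR USER 'orders_svc'@'%';
```

Keeping the migration login (schema group) and the runtime login (service group) as two separate users means the credential embedded in the application can only perform DML, while the credential that can change the schema is used only by the deployment pipeline. The SHOW GRANTS check at the end is worth repeating on each aggregator after the file is loaded, since the roles must be created on every node users connect to.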