Security and governance

Db2 Big SQL can operate under different security models depending on the use case. Security in Db2 Big SQL can be based either on database authorizations (enforced by the database engine) or on Hadoop security (enforced by the Apache Hadoop stack, such as HDFS privileges and permissions and Apache Ranger policies).

The Db2 Big SQL server includes a powerful SQL processing engine that requires an administrator to have some awareness of database roles and privileges.

Authentication, authorization, privileges, and auditing

Authentication is the process by which a system verifies the identity of a user.

The authentication process produces a Db2 Big SQL authorization ID user in the Hortonworks Data Platform administrative group. Groups are a convenient way to authorize a collection of users.

After a user is authenticated, the system determines whether that user is allowed to access the data or resources of the local database.

During statement processing, authorization permits access by considering a union of the following permissions:
  • The permissions that are granted to the primary authorization ID that is associated with the SQL statement.
  • The permissions that are granted to the secondary authorization IDs (groups or roles) that are associated with the SQL statement.
  • The permissions that are granted to PUBLIC, including roles that are granted to PUBLIC, directly or indirectly, through other roles.

Users, identified by an authorization ID, can successfully run operations only if they have the authority to perform the specified function. For example, to create a table, a user must be authorized to create tables. The database manager requires that each user be specifically authorized to use each database function that is needed to perform a specific task. A user can acquire the necessary authorization through a GRANT of that authorization to their user ID or through membership in a role or a group that holds that authorization.
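The union described above can be modeled as follows. This is an added example, not Db2 Big SQL code or an IBM tool; it is a simplified model, and every user, group, role and table name in it is constructed. It shows how a privilege reaches a user who holds no direct grant, through a role granted to PUBLIC and a second role nested inside it, which is the case to look for when reviewing grants.

```python
# Added illustration: a simplified model of the permission union described above.
# It is not Db2 Big SQL code; every user, group, role and table name is constructed.

# Privileges held directly by each grantee: grantee -> {(privilege, object)}
GRANTS = {
    "USER:ALICE": {("SELECT", "SALES.ORDERS")},
    "GROUP:ANALYSTS": {("SELECT", "SALES.CUSTOMERS")},
    "ROLE:REPORTING": {("SELECT", "SALES.REGIONS")},
    "ROLE:AUDIT_READ": {("SELECT", "SALES.AUDIT_LOG")},
}
# Roles granted to each grantee (a role can itself be granted to another role).
ROLE_GRANTS = {
    "PUBLIC": {"REPORTING"},
    "ROLE:REPORTING": {"AUDIT_READ"},
}
GROUPS = {"ALICE": {"ANALYSTS"}, "BOB": set()}  # user -> group membership


def roles_for(grantee):
    """Roles reachable from a grantee, directly or through other roles."""
    seen, stack = set(), list(ROLE_GRANTS.get(grantee, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_GRANTS.get("ROLE:" + role, ()))
    return seen


def explain(user, privilege, obj):
    """Every path (primary ID, group, role, PUBLIC) that confers the privilege."""
    principals = ["USER:" + user]
    principals += ["GROUP:" + g for g in sorted(GROUPS.get(user, ()))]
    principals.append("PUBLIC")
    paths = []
    for p in principals:
        if (privilege, obj) in GRANTS.get(p, set()):
            paths.append(p)
        for role in sorted(roles_for(p)):
            if (privilege, obj) in GRANTS.get("ROLE:" + role, set()):
                paths.append(f"{p} via role {role}")
    return paths


def is_authorized(user, privilege, obj):
    """Access is permitted if any one path in the union grants it."""
    return bool(explain(user, privilege, obj))


if __name__ == "__main__":
    for user in ("ALICE", "BOB"):
        print(user, explain(user, "SELECT", "SALES.AUDIT_LOG"))
```

In this model BOB has no grants and no group membership, yet can read SALES.AUDIT_LOG because PUBLIC holds REPORTING and REPORTING holds AUDIT_READ.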

You can monitor user database actions by auditing the database. Auditing is often used to discover and guard against unknown or unacceptable behaviors versus permissions. For more information about database auditing, see Auditing.

Access controls and group-based permissions

In Db2 Big SQL, you can use explicit access controls through GRANT and REVOKE operations as well as GROUP-based permissions. By default, users belong to the non-privileged group PUBLIC. Users must be explicitly granted permissions, either directly or through group membership, for all operations.

All actions are performed as the Db2 Big SQL service user on behalf of the connected user (after all GRANT and REVOKE authorizations are enforced). All files and directories that are created by Db2 Big SQL are owned by the Db2 Big SQL service user, and the service user must have appropriate file system permissions to interact with existing HDFS data.