druid/docs/multi-stage-query/security.md

---
id: security
title: SQL-based ingestion security
sidebar_label: Security
---

<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one
  ~ or more contributor license agreements.  See the NOTICE file
  ~ distributed with this work for additional information
  ~ regarding copyright ownership.  The ASF licenses this file
  ~ to you under the Apache License, Version 2.0 (the
  ~ "License"); you may not use this file except in compliance
  ~ with the License.  You may obtain a copy of the License at
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied.  See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->

:::info
 This page describes SQL-based batch ingestion using the [`druid-multi-stage-query`](../multi-stage-query/index.md)
 extension, new in Druid 24.0. Refer to the [ingestion methods](../ingestion/index.md#batch) table to determine which
 ingestion method is right for you.
:::

All authenticated users can use the multi-stage query task engine (MSQ task engine) through the UI and API if the
extension is loaded. However, without additional permissions, users are not able to issue queries that read or write
Druid datasources or external data. The permission needed depends on what the user is trying to do.

To submit a query:

- SELECT from a Druid datasource requires the READ DATASOURCE permission on that datasource.
- [INSERT](reference.md#insert) or [REPLACE](reference.md#replace) into a Druid datasource requires the WRITE DATASOURCE
  permission on that datasource.
- [EXTERN](reference.md#extern-function) and the input-source-specific table functions require READ permission on a
  resource named "EXTERNAL" with type "EXTERNAL". Users without the correct
  permission encounter a 403 error when trying to run queries that include `EXTERN`.

Once a query is submitted, it executes as a [`query_controller`](concepts.md#execution-flow) task. Query tasks that
users submit to the MSQ task engine are Overlord tasks, so they follow the Overlord's security model. This means that
users with access to the Overlord API can perform some actions even if they didn't submit the query, including
retrieving status or canceling a query. For more information about the Overlord API and the task API, see [APIs for
SQL-based ingestion](../api-reference/sql-ingestion-api.md). 

:::info
 Keep in mind that any user with access to Overlord APIs can submit `query_controller` tasks with only the WRITE DATASOURCE permission.
:::

Depending on what a user is trying to do, they might also need the following permissions:

- `INSERT` or `REPLACE` queries: Users must have DATASOURCE READ permission on the output datasource.
- `SELECT` queries: Users must have READ permission on the `__query_select` datasource, which is a stub datasource that gets created.
  

## Permissions for durable storage

The MSQ task engine can use Amazon S3 or Azure Blog Storage to store intermediate files when running queries. To upload, read, move and delete these intermediate files, the MSQ task engine requires certain permissions specific to the storage provider. 

### S3

The MSQ task engine needs the following permissions for pushing,  fetching, and removing intermediate stage results to and from S3:

- `s3:GetObject` to retrieve files. Note that `GetObject` also requires read permission on the object that gets retrieved. 
- `s3:PutObject` to upload files.
- `s3:AbortMultipartUpload` to cancel the upload of files
- `s3:DeleteObject` to delete files when they're no longer needed. 

### Azure

The MSQ task engine needs the following permissions for pushing, fetching, and removing intermediate stage results to and from Azure:

- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` to read and list files in durable storage 
- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` to write files in durable storage.
- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` to create files in durable storage.
- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` to delete files when they're no longer needed.
Various documentation updates. (#13107) * Various documentation updates. 1) Split out "data management" from "ingestion". Break it into thematic pages. 2) Move "SQL-based ingestion" into the Ingestion category. Adjust content so all conceptual content is in concepts.md and all syntax content is in reference.md. Shorten the known issues page to the most interesting ones. 3) Add SQL-based ingestion to the ingestion method comparison page. Remove the index task, since index_parallel is just as good when maxNumConcurrentSubTasks: 1. 4) Rename various mentions of "Druid console" to "web console". 5) Add additional information to ingestion/partitioning.md. 6) Remove a mention of Tranquility. 7) Remove a note about upgrading to Druid 0.10.1. 8) Remove no-longer-relevant task types from ingestion/tasks.md. 9) Move ingestion/native-batch-firehose.md to the hidden section. It was previously deprecated. 10) Move ingestion/native-batch-simple-task.md to the hidden section. It is still linked in some places, but it isn't very useful compared to index_parallel, so it shouldn't take up space in the sidebar. 11) Make all br tags self-closing. 12) Certain other cosmetic changes. 13) Update to node-sass 7. * make travis use node12 for docs Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com> 2022-09-17 00:58:11 -04:00			`---`
			`id: security`
			`title: SQL-based ingestion security`
			`sidebar_label: Security`
			`---`

			`<!--`
			`~ Licensed to the Apache Software Foundation (ASF) under one`
			`~ or more contributor license agreements. See the NOTICE file`
			`~ distributed with this work for additional information`
			`~ regarding copyright ownership. The ASF licenses this file`
			`~ to you under the Apache License, Version 2.0 (the`
			`~ "License"); you may not use this file except in compliance`
			`~ with the License. You may obtain a copy of the License at`
			`~`
			`~ http://www.apache.org/licenses/LICENSE-2.0`
			`~`
			`~ Unless required by applicable law or agreed to in writing,`
			`~ software distributed under the License is distributed on an`
			`~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY`
			`~ KIND, either express or implied. See the License for the`
			`~ specific language governing permissions and limitations`
			`~ under the License.`
			`-->`

Docusaurus2 upgrade for master (#14411) Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> Co-authored-by: Charles Smith <techdocsmith@gmail.com> 2023-08-16 22:01:21 -04:00			`:::info`
			This page describes SQL-based batch ingestion using the [`druid-multi-stage-query`](../multi-stage-query/index.md)
			`extension, new in Druid 24.0. Refer to the [ingestion methods](../ingestion/index.md#batch) table to determine which`
			`ingestion method is right for you.`
			`:::`
Various documentation updates. (#13107) * Various documentation updates. 1) Split out "data management" from "ingestion". Break it into thematic pages. 2) Move "SQL-based ingestion" into the Ingestion category. Adjust content so all conceptual content is in concepts.md and all syntax content is in reference.md. Shorten the known issues page to the most interesting ones. 3) Add SQL-based ingestion to the ingestion method comparison page. Remove the index task, since index_parallel is just as good when maxNumConcurrentSubTasks: 1. 4) Rename various mentions of "Druid console" to "web console". 5) Add additional information to ingestion/partitioning.md. 6) Remove a mention of Tranquility. 7) Remove a note about upgrading to Druid 0.10.1. 8) Remove no-longer-relevant task types from ingestion/tasks.md. 9) Move ingestion/native-batch-firehose.md to the hidden section. It was previously deprecated. 10) Move ingestion/native-batch-simple-task.md to the hidden section. It is still linked in some places, but it isn't very useful compared to index_parallel, so it shouldn't take up space in the sidebar. 11) Make all br tags self-closing. 12) Certain other cosmetic changes. 13) Update to node-sass 7. * make travis use node12 for docs Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com> 2022-09-17 00:58:11 -04:00
Much improved table functions (#13627) Much improved table functions * Revises properties, definitions in the catalog * Adds a "table function" abstraction to model such functions * Specific functions for HTTP, inline, local and S3. * Extended SQL types in the catalog * Restructure external table definitions to use table functions * EXTEND syntax for Druid's extern table function * Support for array-valued table function parameters * Support for array-valued SQL query parameters * Much new documentation 2023-01-17 11:41:57 -05:00			`All authenticated users can use the multi-stage query task engine (MSQ task engine) through the UI and API if the`
			`extension is loaded. However, without additional permissions, users are not able to issue queries that read or write`
			`Druid datasources or external data. The permission needed depends on what the user is trying to do.`
Various documentation updates. (#13107) * Various documentation updates. 1) Split out "data management" from "ingestion". Break it into thematic pages. 2) Move "SQL-based ingestion" into the Ingestion category. Adjust content so all conceptual content is in concepts.md and all syntax content is in reference.md. Shorten the known issues page to the most interesting ones. 3) Add SQL-based ingestion to the ingestion method comparison page. Remove the index task, since index_parallel is just as good when maxNumConcurrentSubTasks: 1. 4) Rename various mentions of "Druid console" to "web console". 5) Add additional information to ingestion/partitioning.md. 6) Remove a mention of Tranquility. 7) Remove a note about upgrading to Druid 0.10.1. 8) Remove no-longer-relevant task types from ingestion/tasks.md. 9) Move ingestion/native-batch-firehose.md to the hidden section. It was previously deprecated. 10) Move ingestion/native-batch-simple-task.md to the hidden section. It is still linked in some places, but it isn't very useful compared to index_parallel, so it shouldn't take up space in the sidebar. 11) Make all br tags self-closing. 12) Certain other cosmetic changes. 13) Update to node-sass 7. * make travis use node12 for docs Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com> 2022-09-17 00:58:11 -04:00
			`To submit a query:`

			`- SELECT from a Druid datasource requires the READ DATASOURCE permission on that datasource.`
			`- [INSERT](reference.md#insert) or [REPLACE](reference.md#replace) into a Druid datasource requires the WRITE DATASOURCE`
			`permission on that datasource.`
Much improved table functions (#13627) Much improved table functions * Revises properties, definitions in the catalog * Adds a "table function" abstraction to model such functions * Specific functions for HTTP, inline, local and S3. * Extended SQL types in the catalog * Restructure external table definitions to use table functions * EXTEND syntax for Druid's extern table function * Support for array-valued table function parameters * Support for array-valued SQL query parameters * Much new documentation 2023-01-17 11:41:57 -05:00			`- [EXTERN](reference.md#extern-function) and the input-source-specific table functions require READ permission on a`
			`resource named "EXTERNAL" with type "EXTERNAL". Users without the correct`
			permission encounter a 403 error when trying to run queries that include `EXTERN`.
Various documentation updates. (#13107) * Various documentation updates. 1) Split out "data management" from "ingestion". Break it into thematic pages. 2) Move "SQL-based ingestion" into the Ingestion category. Adjust content so all conceptual content is in concepts.md and all syntax content is in reference.md. Shorten the known issues page to the most interesting ones. 3) Add SQL-based ingestion to the ingestion method comparison page. Remove the index task, since index_parallel is just as good when maxNumConcurrentSubTasks: 1. 4) Rename various mentions of "Druid console" to "web console". 5) Add additional information to ingestion/partitioning.md. 6) Remove a mention of Tranquility. 7) Remove a note about upgrading to Druid 0.10.1. 8) Remove no-longer-relevant task types from ingestion/tasks.md. 9) Move ingestion/native-batch-firehose.md to the hidden section. It was previously deprecated. 10) Move ingestion/native-batch-simple-task.md to the hidden section. It is still linked in some places, but it isn't very useful compared to index_parallel, so it shouldn't take up space in the sidebar. 11) Make all br tags self-closing. 12) Certain other cosmetic changes. 13) Update to node-sass 7. * make travis use node12 for docs Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com> 2022-09-17 00:58:11 -04:00
			Once a query is submitted, it executes as a [`query_controller`](concepts.md#execution-flow) task. Query tasks that
			`users submit to the MSQ task engine are Overlord tasks, so they follow the Overlord's security model. This means that`
			`users with access to the Overlord API can perform some actions even if they didn't submit the query, including`
docs: add line about write datasource perm for overlord api (#14114) Co-authored-by: Katya Macedo <38017980+ektravel@users.noreply.github.com> 2023-05-19 17:56:24 -04:00			`retrieving status or canceling a query. For more information about the Overlord API and the task API, see [APIs for`
			`SQL-based ingestion](../api-reference/sql-ingestion-api.md).`

Docusaurus2 upgrade for master (#14411) Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> Co-authored-by: Charles Smith <techdocsmith@gmail.com> 2023-08-16 22:01:21 -04:00			`:::info`
			Keep in mind that any user with access to Overlord APIs can submit `query_controller` tasks with only the WRITE DATASOURCE permission.
			`:::`
docs: add line about write datasource perm for overlord api (#14114) Co-authored-by: Katya Macedo <38017980+ektravel@users.noreply.github.com> 2023-05-19 17:56:24 -04:00
			`Depending on what a user is trying to do, they might also need the following permissions:`

			- `INSERT` or `REPLACE` queries: Users must have DATASOURCE READ permission on the output datasource.
			- `SELECT` queries: Users must have READ permission on the `__query_select` datasource, which is a stub datasource that gets created.

Various documentation updates. (#13107) * Various documentation updates. 1) Split out "data management" from "ingestion". Break it into thematic pages. 2) Move "SQL-based ingestion" into the Ingestion category. Adjust content so all conceptual content is in concepts.md and all syntax content is in reference.md. Shorten the known issues page to the most interesting ones. 3) Add SQL-based ingestion to the ingestion method comparison page. Remove the index task, since index_parallel is just as good when maxNumConcurrentSubTasks: 1. 4) Rename various mentions of "Druid console" to "web console". 5) Add additional information to ingestion/partitioning.md. 6) Remove a mention of Tranquility. 7) Remove a note about upgrading to Druid 0.10.1. 8) Remove no-longer-relevant task types from ingestion/tasks.md. 9) Move ingestion/native-batch-firehose.md to the hidden section. It was previously deprecated. 10) Move ingestion/native-batch-simple-task.md to the hidden section. It is still linked in some places, but it isn't very useful compared to index_parallel, so it shouldn't take up space in the sidebar. 11) Make all br tags self-closing. 12) Certain other cosmetic changes. 13) Update to node-sass 7. * make travis use node12 for docs Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com> 2022-09-17 00:58:11 -04:00

msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			`## Permissions for durable storage`
msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			`The MSQ task engine can use Amazon S3 or Azure Blog Storage to store intermediate files when running queries. To upload, read, move and delete these intermediate files, the MSQ task engine requires certain permissions specific to the storage provider.`
msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			`### S3`
msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			`The MSQ task engine needs the following permissions for pushing, fetching, and removing intermediate stage results to and from S3:`
msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			- `s3:GetObject` to retrieve files. Note that `GetObject` also requires read permission on the object that gets retrieved.
			- `s3:PutObject` to upload files.
			- `s3:AbortMultipartUpload` to cancel the upload of files
			- `s3:DeleteObject` to delete files when they're no longer needed.
msq: add durable storage info (#14035) * msq: add durable storage info * fix duplicate row * Apply suggestions from code review Co-authored-by: Karan Kumar <karankumar1100@gmail.com> --------- Co-authored-by: Karan Kumar <karankumar1100@gmail.com> 2023-04-14 03:58:23 -04:00
docs: durable storage azure cleanup (#15120) Co-authored-by: Laksh Singla <lakshsingla@gmail.com> 2023-10-31 18:20:38 -04:00			`### Azure`

			`The MSQ task engine needs the following permissions for pushing, fetching, and removing intermediate stage results to and from Azure:`

			- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` to read and list files in durable storage
			- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` to write files in durable storage.
			- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` to create files in durable storage.
			- `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` to delete files when they're no longer needed.