"use strict";
/*
 * Generated webpack chunk 8447 for a compiled MDX documentation page.
 * Per the metadata below, the page source is
 * "@site/docs/latest/multi-stage-query/security.md"; content changes belong in
 * that Markdown file, not in this bundle.
 *
 * The chunk registers two modules:
 *   3905 - the MDX runtime glue (components context, provider, createElement wrapper)
 *   4747 - the page itself: front matter, metadata, table of contents and the
 *          render function for "SQL-based ingestion security"
 *
 * Every string and href rendered by module 4747 is a literal compiled into this
 * file; no value from props is interpolated into the page text or link targets.
 */
self.webpackChunk = self.webpackChunk || [];
self.webpackChunk.push([
  [8447],
  {
    3905: (__unused_module, __webpack_exports__, __webpack_require__) => {
      // Exports are registered as getters, so the bindings below stay `var`:
      // a getter that ran before initialisation must yield undefined rather than throw.
      __webpack_require__.d(__webpack_exports__, {
        Zo: () => MDXProvider,
        kt: () => createElement,
      });

      // Module 7294 supplies createContext/useContext/createElement/forwardRef/Fragment.
      var React = __webpack_require__(7294);

      /** Sets target[key] = value, going through defineProperty when the key already exists. */
      function defineProperty(target, key, value) {
        if (key in target) {
          Object.defineProperty(target, key, {
            value: value,
            enumerable: true,
            configurable: true,
            writable: true,
          });
        } else {
          target[key] = value;
        }
        return target;
      }

      /** Own string keys plus own symbols (optionally only the enumerable symbols). */
      function ownKeys(object, enumerableOnly) {
        var keys = Object.keys(object);
        if (Object.getOwnPropertySymbols) {
          var symbols = Object.getOwnPropertySymbols(object);
          if (enumerableOnly) {
            symbols = symbols.filter(function (symbol) {
              return Object.getOwnPropertyDescriptor(object, symbol).enumerable;
            });
          }
          keys.push.apply(keys, symbols);
        }
        return keys;
      }

      /**
       * Object-spread helper: copies each extra argument onto `target`.
       * Odd-positioned sources are copied by value, even-positioned ones by descriptor.
       */
      function objectSpread(target) {
        for (var position = 1; position < arguments.length; position++) {
          var source = arguments[position] != null ? arguments[position] : {};
          if (position % 2) {
            ownKeys(Object(source), true).forEach(function (key) {
              defineProperty(target, key, source[key]);
            });
          } else if (Object.getOwnPropertyDescriptors) {
            Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
          } else {
            ownKeys(Object(source)).forEach(function (key) {
              Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
            });
          }
        }
        return target;
      }

      /** Shallow copy of `source` without the keys listed in `excluded`. */
      function objectWithoutProperties(source, excluded) {
        if (source == null) {
          return {};
        }
        var result = {};
        var names = Object.keys(source);
        var index;
        var key;
        for (index = 0; index < names.length; index++) {
          key = names[index];
          if (excluded.indexOf(key) < 0) {
            result[key] = source[key];
          }
        }
        if (Object.getOwnPropertySymbols) {
          var symbols = Object.getOwnPropertySymbols(source);
          for (index = 0; index < symbols.length; index++) {
            key = symbols[index];
            if (excluded.indexOf(key) >= 0) {
              continue;
            }
            // Symbols are copied only when they are enumerable on the source.
            if (Object.prototype.propertyIsEnumerable.call(source, key)) {
              result[key] = source[key];
            }
          }
        }
        return result;
      }

      var MDXContext = React.createContext({});

      /** Merges the components from context with the ones passed in (object or function). */
      var useMDXComponents = function (components) {
        var fromContext = React.useContext(MDXContext);
        var resolved = fromContext;
        if (components) {
          resolved =
            typeof components === "function"
              ? components(fromContext)
              : objectSpread(objectSpread({}, fromContext), components);
        }
        return resolved;
      };

      /** Provider that publishes the merged component map to descendants. */
      var MDXProvider = function (props) {
        var merged = useMDXComponents(props.components);
        return React.createElement(MDXContext.Provider, { value: merged }, props.children);
      };

      var MDX_TYPE_KEY = "mdxType";

      // Fallbacks used when neither props nor context supply a component.
      var DEFAULT_COMPONENTS = {
        inlineCode: "code",
        wrapper: function (props) {
          var children = props.children;
          return React.createElement(React.Fragment, {}, children);
        },
      };

      /** Resolves the component for an MDX node and renders it, forwarding the ref. */
      var MDXCreateElement = React.forwardRef(function (props, ref) {
        var propComponents = props.components;
        var mdxType = props.mdxType;
        var originalType = props.originalType;
        var parentName = props.parentName;
        var passThrough = objectWithoutProperties(props, [
          "components",
          "mdxType",
          "originalType",
          "parentName",
        ]);
        var available = useMDXComponents(propComponents);
        // Lookup order: "parent.type", then "type", then built-in default, then the raw type.
        var Component =
          available["".concat(parentName, ".").concat(mdxType)] ||
          available[mdxType] ||
          DEFAULT_COMPONENTS[mdxType] ||
          originalType;
        if (propComponents) {
          return React.createElement(
            Component,
            objectSpread(objectSpread({ ref: ref }, passThrough), {}, { components: propComponents })
          );
        }
        return React.createElement(Component, objectSpread({ ref: ref }, passThrough));
      });

      /**
       * Drop-in for React.createElement: string types and nodes carrying `mdxType`
       * are routed through MDXCreateElement, everything else is passed straight on.
       */
      function createElement(type, props) {
        var args = arguments;
        var mdxType = props && props.mdxType;
        if (typeof type !== "string" && !mdxType) {
          return React.createElement.apply(null, args);
        }
        var argCount = args.length;
        var forwarded = new Array(argCount);
        forwarded[0] = MDXCreateElement;
        var wrappedProps = {};
        for (var name in props) {
          // Bare `hasOwnProperty` is looked up on the global object here.
          if (hasOwnProperty.call(props, name)) {
            wrappedProps[name] = props[name];
          }
        }
        wrappedProps.originalType = type;
        wrappedProps[MDX_TYPE_KEY] = typeof type === "string" ? type : mdxType;
        forwarded[1] = wrappedProps;
        for (var child = 2; child < argCount; child++) {
          forwarded[child] = args[child];
        }
        return React.createElement.apply(null, forwarded);
      }

      MDXCreateElement.displayName = "MDXCreateElement";
    },

    4747: (__unused_module, __webpack_exports__, __webpack_require__) => {
      __webpack_require__.r(__webpack_exports__);
      __webpack_require__.d(__webpack_exports__, {
        assets: () => assets,
        contentTitle: () => contentTitle,
        default: () => MDXContent,
        frontMatter: () => frontMatter,
        metadata: () => metadata,
        toc: () => toc,
      });

      // Modules 7462 and 3366 are not part of this chunk; from their call sites they
      // look like the object-merge and omit-keys helpers (assumption, confirm in the bundle).
      var mergeHelper = __webpack_require__(7462);
      var omitHelper = __webpack_require__(3366);
      __webpack_require__(7294); // required for its side effects only, as in the original
      var mdx = __webpack_require__(3905);

      var OMITTED_PROPS = ["components"];

      var frontMatter = {
        id: "security",
        title: "SQL-based ingestion security",
        sidebar_label: "Security",
      };

      var contentTitle = void 0;

      var metadata = {
        unversionedId: "multi-stage-query/security",
        id: "multi-stage-query/security",
        title: "SQL-based ingestion security",
        description: "\x3c!--",
        source: "@site/docs/latest/multi-stage-query/security.md",
        sourceDirName: "multi-stage-query",
        slug: "/multi-stage-query/security",
        permalink: "/docs/latest/multi-stage-query/security",
        draft: false,
        tags: [],
        version: "current",
        frontMatter: {
          id: "security",
          title: "SQL-based ingestion security",
          sidebar_label: "Security",
        },
        sidebar: "docs",
        previous: { title: "API", permalink: "/docs/latest/multi-stage-query/api" },
        next: { title: "Examples", permalink: "/docs/latest/multi-stage-query/examples" },
      };

      var assets = {};

      var toc = [{ value: "S3", id: "s3", level: 2 }];

      var layoutProps = { toc: toc };

      var LAYOUT_TYPE = "wrapper";

      /** Inline code span nested under the given parent element name. */
      function inlineCode(parentName, text) {
        return (0, mdx.kt)("inlineCode", { parentName: parentName }, text);
      }

      /** Anchor with a literal, site-relative href nested under the given parent. */
      function link(parentName, href, child) {
        return (0, mdx.kt)("a", { parentName: parentName, href: href }, child);
      }

      /** List item of an unordered list. */
      function listItem() {
        var args = ["li", { parentName: "ul" }];
        for (var i = 0; i < arguments.length; i++) {
          args.push(arguments[i]);
        }
        return (0, mdx.kt).apply(void 0, args);
      }

      /**
       * Renders the "SQL-based ingestion security" page.
       *
       * The text documents three permission areas:
       *   - submitting a query (READ/WRITE DATASOURCE, READ on the "EXTERNAL" resource),
       *   - acting on a submitted query through the Overlord API (the page states that
       *     users with Overlord API access can retrieve status or cancel queries they
       *     did not submit),
       *   - S3 permissions needed when durable storage is configured.
       */
      function MDXContent(props) {
        var components = props.components;
        var rest = (0, omitHelper.Z)(props, OMITTED_PROPS);
        var el = mdx.kt;

        return el(
          LAYOUT_TYPE,
          (0, mergeHelper.Z)({}, layoutProps, rest, { components: components, mdxType: "MDXLayout" }),

          // Intro note: which extension and Druid version this page applies to.
          el(
            "blockquote",
            null,
            el(
              "p",
              { parentName: "blockquote" },
              "This page describes SQL-based batch ingestion using the ",
              link("p", "/docs/latest/multi-stage-query/", inlineCode("a", "druid-multi-stage-query")),
              "\nextension, new in Druid 24.0. Refer to the ",
              link("p", "/docs/latest/ingestion/#batch", "ingestion methods"),
              " table to determine which\ningestion method is right for you."
            )
          ),

          el(
            "p",
            null,
            "All authenticated users can use the multi-stage query task engine (MSQ task engine) through the UI and API if the\nextension is loaded. However, without additional permissions, users are not able to issue queries that read or write\nDruid datasources or external data. The permission needed depends on what the user is trying to do."
          ),

          // Permissions needed to submit a query.
          el("p", null, "To submit a query:"),
          el(
            "ul",
            null,
            listItem("SELECT from a Druid datasource requires the READ DATASOURCE permission on that datasource."),
            listItem(
              link("li", "/docs/latest/multi-stage-query/reference#insert", "INSERT"),
              " or ",
              link("li", "/docs/latest/multi-stage-query/reference#replace", "REPLACE"),
              " into a Druid datasource requires the WRITE DATASOURCE\npermission on that datasource."
            ),
            listItem(
              link("li", "/docs/latest/multi-stage-query/reference#extern-function", "EXTERN"),
              ' and the input-source-specific table functions require READ permission on a\nresource named "EXTERNAL" with type "EXTERNAL". Users without the correct\npermission encounter a 403 error when trying to run queries that include ',
              inlineCode("li", "EXTERN"),
              "."
            )
          ),

          // Post-submission: the task follows the Overlord's security model.
          el(
            "p",
            null,
            "Once a query is submitted, it executes as a ",
            link("p", "/docs/latest/multi-stage-query/concepts#execution-flow", inlineCode("a", "query_controller")),
            " task. Query tasks that\nusers submit to the MSQ task engine are Overlord tasks, so they follow the Overlord's security model. This means that\nusers with access to the Overlord API can perform some actions even if they didn't submit the query, including\nretrieving status or canceling a query. For more information about the Overlord API and the task API, see ",
            link("p", "/docs/latest/multi-stage-query/api", "APIs for\nSQL-based ingestion"),
            "."
          ),
          el("p", null, "To interact with a query through the Overlord API, users need the following permissions:"),
          el(
            "ul",
            null,
            listItem(
              inlineCode("li", "INSERT"),
              " or ",
              inlineCode("li", "REPLACE"),
              " queries: Users must have READ DATASOURCE permission on the output datasource."
            ),
            listItem(
              inlineCode("li", "SELECT"),
              " queries: Users must have read permissions on the ",
              inlineCode("li", "__query_select"),
              " datasource, which is a stub datasource that gets created."
            )
          ),

          // S3 permissions for durable storage of intermediate stage results.
          el("h2", { id: "s3" }, "S3"),
          el(
            "p",
            null,
            "The MSQ task engine can use S3 to store intermediate files when running queries. This can increase its reliability but requires certain permissions in S3.\nThese permissions are required if you configure durable storage. "
          ),
          el("p", null, "Permissions for pushing and fetching intermediate stage results to and from S3:"),
          el(
            "ul",
            null,
            listItem(inlineCode("li", "s3:GetObject")),
            listItem(inlineCode("li", "s3:PutObject")),
            listItem(inlineCode("li", "s3:AbortMultipartUpload"))
          ),
          el("p", null, "Permissions for removing intermediate stage results:"),
          el("ul", null, listItem(inlineCode("li", "s3:DeleteObject")))
        );
      }

      MDXContent.isMDXComponent = true;
    },
  },
]);