Access Control

Treasure Data offers ways to control access to resources and capabilities. Permission and access control settings are managed within the Console.

Table of Contents

Permissions Overview

The Team page displays the users associated with an account and visible to all users. The Treasure Data permission system has 3 levels built in:

  • Owner
    There can only be one ‘Owner’ user for each account – it’s the user that originally created the account. This user has permission to perform any permission on the account, including closing it.
  • Administrator(s)
    All users in the account are initially added as ‘Restricted’ (see below for definition). Any of these users can be promoted as account ‘Administrator’. An account administrator can perform practically any operation on an account. This includes managing other Restricted users' settings but excludes managing other Administrator and Owner users' settings.
  • Restricted
    ‘Restricted’ is the permission level associated with any new user by default. As the permission system is designed around granting permission to databases (read and/or write), restricted users need to be explicitly granted access to a database in order to be able to perform any operation.
    Restricted users can be granted either Full Access, ‘Query-only’, or ‘Import-only’ access level to any of the databases in the account independently. (Please see the table below for details). We modeled these three access levels to mimic ‘read & write’, ‘read’, and ‘write’ permissions (with exceptions depicted in the tables below.) Restricted users cannot change their whitelist settings.

REST APIs Access

REST API access is controlled through API keys. Almost every REST API call needs to be issued with a valid API key for authentication and resource authorization purposes.

There are two types of API keys: Master and Write-only.
By default, every new user is created with one Master and one Write-only API key; however, any user can generate any number of the two types of API keys. Any of the API Keys can be revoked at any time by the user themselves or any user having ‘Manage User’ permissions – see table above.

  • Master
    This is the traditional type of API key and it can be used to perform all permitted operations listed in the table above based on the user’s permission level and access, no exception.
  • Write-only
    This API key type provides an additional layer of security in controlling access to a Treasure Data account through the REST APIs, especially when access has to be provided to 3rd parties or API keys need to be embedded in ingestion libraries (see the Overview of Data Import page). Based on the permissions and access levels associated to a user, the user’s Write-only API key will only allow importing data into Treasure Data to those databases it has write access to.

Access levels

Console or Master API key

This is a superset of the actions that can be performed through either the Console or the REST APIs – some actions may not be available at the REST API level and some others (e.g. Data Import) are not available with the Console.

Action Owner Admin Full
Access
Query
only
Import
only
Add User OK OK
Manage User OK OK (1)
Delete User OK OK (1)
List Databases OK OK OK OK OK
Create Database OK OK n/a (2) n/a (2) n/a (2)
Manage Database OK OK OK (2) OK (2) OK (2)
Delete Database OK OK OK (2) OK (2) OK (2)
List Tables OK OK OK OK
Create Table OK OK OK
Delete Table OK OK OK
Data Import (td-agent) OK OK OK OK
Data Import (Result Output to TD) OK OK OK OK
Data Import (Bulk Import) OK OK OK OK
Data Import (embulk-output-td) OK OK OK
Data Import (Data Connector) OK OK OK OK
Data Import (FileUploader v2) OK OK OK OK
Data Import (Insert Into) OK OK OK (3)
Delete Data OK OK OK
Issue Query OK OK OK OK
Kill Own Query OK OK OK OK
Kill Query from Others OK OK OK (4)
Export Table OK OK OK OK

Notes:

  1. ‘Administrator’ users can only ‘Manage User’ and ‘Delete User’ for ‘Restricted’ users but are not allowed to manage and delete other Administrators user or the account ‘Owner’.
    The ‘Manage User’ permission includes granting or revoking the ‘Administrator’ role – therefore an ‘Administrator’ user can promote a user to ‘Administrator’ but cannot demote an user from ‘Administrator’ to ‘Restricted’ user.
  2. Any user (including Restricted ones) can create a new database and they will ‘own’ and have all permissions for it. ‘Full Access’, ‘Query-only’, and ‘Import-only’ permissions for ‘Create Database’ don’t apply in that case. ‘Restricted’ users can only ‘Delete’ and ‘Manage’ databases they created (and therefore own). ‘Administrators’ and ‘Owner’ can always manage databases.
  3. While the end-goal of INSERT INTO is to write the result back into a table, it requires special permissions. The executing user must possess read (‘Query-only’, ‘Full Access’, ‘Admin’, or ‘Owner’) permissions for all the databases accessed by the query as well as read & write permission (‘Full Access’, ‘Admin’, or ‘Owner’) to the database the result is inserted into the query will fail otherwise.
  4. Restricted users with ‘Query-only permission can see all the jobs running on the database they have 'Query-only’ permissions for but will not be able to kill a job unless it’s their own.

Write-only API key

Action Owner Admin Full
Access
Query
only
Import
only
Add User
Manage User
Delete User
List Databases
Create Database OK OK n/a (1) n/a (1) n/a (1)
Manage Database
Delete Database
List Tables
Create Table OK OK OK OK
Delete Table
Data Import (td-agent) OK OK OK OK
Data Import (Result Output to TD) (2) (2) (2) (2)
Data Import (Bulk Import) (2) (2) (2) (2)
Data Import (embulk-output-td) (2) (2) (2)
Data Import (Data Connector) (2) (2) (2) (2)
Data Import (Insert Into) (3) (3) (3) (3) (3)
Issue Query
Kill Own Query
Kill Query from Others
Export Table

Notes:

  1. Any user (including Restricted ones) can create a new database and they will ‘own’ and have all permissions for it. ‘Full Access’, ‘Query-only’, and ‘Import-only’ permissions for ‘Create Database’ don’t apply in that case. ‘Restricted’ users can only ‘Delete’ and ‘Manage’ databases they created (and therefore own). ‘Administrators’ and ‘Owner’ can always manage databases.
  2. Bulk Import and Result Output to TD (based on Bulk Import) require the ability to check the status of a job, and this is not possible using a write-only API key.
  3. INSERT INTO requires the ability to execute a query, which is not allowed using a Write-only API key.

Last modified: Nov 04 2016 16:37:20 UTC

If this article is incorrect or outdated, or omits critical information, please let us know. For all other issues, please see our support channels.