Roles

Roles is a collection of table groups, used to define and manage groups of tables in the configuration. The structure can be serialized as JSON, TOML, or YAML.

By default, the role system is disabled. To enable it, set enable_role_system: true and the roles_file setting in both the router's and the coordinator's config.

Refer to the pkg/config/roles.go file for the most up-to-date configuration options.

Table Group

TableGroup represents a group of tables with associated roles and permissions.

| Setting | Description | Possible Values |
|---------|-------------|-----------------|
| id | Unique identifier for the table group. | Any string value |
| readers | List of users with read access to the table group. | Array of string values |
| writers | List of users with write access to the table group. | Array of string values |
| admins | List of users with admin access to the table group. | Array of string values |

Example

For example, let’s assume we have the following roles configuration:

table_groups:
  - id: "example_table_group"
    readers:
      - "user1"
      - "user2"
      - "user3"
    writers:
      - "prod_user"
    admins:
      - "admin_user"

When we connect to any database as user1, who is listed only under readers, and run a modifying query, we get something like this:

CREATE KEY RANGE krid2 FROM 11 ROUTE TO sh2 FOR DISTRIBUTION ds1;
ERROR:  permission denied for user=user1 dbname=prod
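
A roles file decides who can modify routing, so it is worth checking before it is deployed. The following is an added example, not the project's own code: a strict check of a roles file in its JSON form that rejects misspelled keys and reports duplicate group ids and repeated or empty user entries. It assumes the JSON keys match the YAML keys shown above; Audit and SampleRoles are hypothetical names, and the output lists only the grants written in the file, not how the router evaluates them.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// TableGroup mirrors the settings table; JSON keys are assumed to equal the YAML keys.
type TableGroup struct {
	ID      string   `json:"id"`
	Readers []string `json:"readers"`
	Writers []string `json:"writers"`
	Admins  []string `json:"admins"`
}

// SampleRoles is constructed: the page's example configuration in JSON form.
const SampleRoles = `{"table_groups":[{"id":"example_table_group","readers":["user1","user2","user3"],"writers":["prod_user"],"admins":["admin_user"]}]}`

// Audit strictly parses a roles file; it returns explicit grants per user ("group:role") and findings.
func Audit(raw []byte) (map[string][]string, []string, error) {
	var cfg struct{ TableGroups []TableGroup `json:"table_groups"` }
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled key such as "writer" fails instead of being ignored
	if err := dec.Decode(&cfg); err != nil {
		return nil, nil, err
	}
	grants, findings, ids := map[string][]string{}, []string{}, map[string]bool{}
	for _, g := range cfg.TableGroups {
		if g.ID == "" || ids[g.ID] {
			findings = append(findings, fmt.Sprintf("empty or duplicate group id %q", g.ID))
		}
		ids[g.ID] = true
		lists := map[string][]string{"read": g.Readers, "write": g.Writers, "admin": g.Admins}
		for _, role := range []string{"read", "write", "admin"} { // fixed order keeps output stable
			seen := map[string]bool{}
			for _, u := range lists[role] {
				if u == "" || seen[u] {
					findings = append(findings, fmt.Sprintf("%s: empty or repeated %s entry %q", g.ID, role, u))
					continue
				}
				seen[u] = true
				grants[u] = append(grants[u], g.ID+":"+role)
			}
		}
	}
	return grants, findings, nil
}
func main() {
	fmt.Println(Audit([]byte(SampleRoles)))
}
```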