add pipe permission control specifications by leto-b · Pull Request #981 · apache/iotdb-docs
@@ -79,7 +79,7 @@ By declaratively configuring the specific content of the three parts through SQL
### 1.2 Functional limitations and instructions
The schema and auth synchronization functions have the following limitations: 1. The schema and auth synchronization functions have the following limitations:
- When using schema synchronization, it is required that the consensus protocol for `Schema region` and `ConfigNode` must be the default ratis protocol. This means that the `iotdb-system.properties` configuration file should contain the settings `config_node_consensus_protocol_class=org.apache.iotdb.consensus.ratis.RatisConsensus` and `schema_region_consensus_protocol_class=org.apache.iotdb.consensus.ratis.RatisConsensus`. If these are not specified, the default ratis protocol is used.
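Review bot: the new item label on the changed line, `1. The schema and auth synchronization functions have the following limitations:`, is a full sentence that repeats the lead-in, while the second item added by this PR is a short title (`2. Pipe Permission Control Specifications`). Suggest a parallel title such as `1. Schema and Auth Synchronization Limitations`, and please confirm that the existing bullets are indented so they nest under the numbered item.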
@@ -89,6 +89,22 @@ The schema and auth synchronization functions have the following limitations:
- During data synchronization tasks, please avoid performing any deletion operations to prevent inconsistent states between the two ends.
2. Pipe Permission Control Specifications
- When creating a pipe, a username and password can be specified for the extraction/write‑back plugins. If the password is incorrect, creation is prohibited. If not specified, the current user is used for synchronization by default.
- During data/metadata synchronization, filtering is first performed according to the path pattern (pattern/path) configured in the Pipe, followed by authentication based on the user’s read permissions: - If the permission scope is greater than or equal to the write path: full synchronization. - If the permission scope has no intersection with the write path: no synchronization. - If the permission scope is smaller than the write path or overlaps partially: synchronize only the intersecting part.
- When encountering data for which the user lacks permission: - If the sender’s skipIf=no‑privileges, the unauthorized data is skipped. - If skipIf is left empty (unconfigured), the task reports an error (Error 803). - Note: This skipIf configuration is independent of the receiver’s skipIf setting (which defaults to empty).
- Data under root.__system and root.__audit will not be synchronized.
## 2. Usage Instructions
Data synchronization tasks have three states: RUNNING, STOPPED, and DROPPED. The task state transitions are shown in the following diagram: Expand Down Expand Up @@ -514,7 +530,7 @@ pipe_all_sinks_rate_limit_bytes_per_second=-1 | password | Password for the username. | String | No | root | | batch.enable | Enables batch mode for log transmission to improve throughput and reduce IOPS. | Boolean: true, false | No | true | | batch.max-delay-seconds | Maximum delay (in seconds) for batch transmission. | Integer | No | 1 | | batch.max-delay-ms | Maximum delay (in ms) for batch transmission. (Available since v2.0.5) | Integer | No | 1 | | batch.max-delay-ms | Maximum delay (in ms) for batch transmission. (Available since v2.0.5) | Integer | No | 1 | | batch.size-bytes | Maximum batch size (in bytes) for batch transmission. | Long | No | 16*1024*1024 | | compressor | The selected RPC compression algorithm. Multiple algorithms can be configured and will be adopted in sequence for each request. | String: snappy / gzip / lz4 / zstd / lzma2 | No | "" | | compressor.zstd.level | When the selected RPC compression algorithm is zstd, this parameter can be used to additionally configure the compression level of the zstd algorithm. | Int: [-131072, 22] | No | 3 | Expand All @@ -524,7 +540,6 @@ pipe_all_sinks_rate_limit_bytes_per_second=-1
#### iotdb-thrift-ssl-sink
| **Parameter** | **Description** | Value Range | Required | Default Value | |:----------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------|:---------| :------------ | | sink | iotdb-thrift-ssl-sink | String: iotdb-thrift-ssl-sink | Yes | - | Expand All @@ -533,7 +548,7 @@ pipe_all_sinks_rate_limit_bytes_per_second=-1 | password | Password for the username. | String | No | root | | batch.enable | Enables batch mode for log transmission to improve throughput and reduce IOPS. | Boolean: true, false | No | true | | batch.max-delay-seconds | Maximum delay (in seconds) for batch transmission. | Integer | No | 1 | | batch.max-delay-ms | Maximum delay (in ms) for batch transmission. (Available since v2.0.5) | Integer | No | 1 | | batch.max-delay-ms | Maximum delay (in ms) for batch transmission. (Available since v2.0.5) | Integer | No | 1 | | batch.size-bytes | Maximum batch size (in bytes) for batch transmission. | Long | No | 16*1024*1024 | | compressor | The selected RPC compression algorithm. Multiple algorithms can be configured and will be adopted in sequence for each request. | String: snappy / gzip / lz4 / zstd / lzma2 | No | "" | | compressor.zstd.level | When the selected RPC compression algorithm is zstd, this parameter can be used to additionally configure the compression level of the zstd algorithm. | Int: [-131072, 22] | No | 3 | Expand Down
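Review bot: in the `@@ -89,6 +89,22 @@` hunk, `skipIf=no‑privileges` (and `write‑back` in the first bullet) is written with a non-ASCII hyphen (it appears to be U+2011, the non-breaking hyphen) instead of `-`, so a value copied from the docs into a pipe definition may not be recognized. Replace it with an ASCII `-` and put `skipIf`, `no-privileges`, `root.__system` and `root.__audit` in backticks, as the file already does for `Schema region` and `ConfigNode`. Two wording points in the same hunk: the three permission cases compare the permission scope with a "write path" that the section never defines, while the sentence introducing them speaks of the pipe's path pattern and the user's read permissions, so use one term for both; and "If not specified, the current user is used" should say whether it refers to the username, the password, or both. Since `skipIf=no-privileges` makes the pipe drop unauthorized data without failing, it would also help to state how an operator can tell that data was skipped.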
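Review bot: in the `@@ -514,7 +530,7 @@` hunk (and the same rows of the `iotdb-thrift-ssl-sink` table at `@@ -533,7 +548,7 @@`), the table lists both `batch.max-delay-seconds` and `batch.max-delay-ms` with a default of `1`, which are delays a factor of 1000 apart, and does not say which one takes effect when both or neither are set. Since the `batch.max-delay-ms` row is being touched here, add a sentence on precedence and on the effective default. The `password` row in the surrounding context still documents a default of `root`; given the permission rules this PR introduces, consider recommending a dedicated account with only the privileges the pipe needs.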