
Read-Only Access

If you do not need to make changes to your database through Cluvio, which is the common case, it is best to reduce the permissions of the role that is configured in Cluvio's datasource.

Here are the basics on how to accomplish this for each of the supported databases. You should check the database documentation to make sure that the setup matches the exact desired level of permissions.

Assuming the database is named my_database and uses the default schema, that the user Cluvio connects as is named cluvio_readonly, and that secret_password is replaced with a proper password, the commands to execute are as follows:

PostgreSQL:

CREATE ROLE cluvio_readonly LOGIN PASSWORD 'secret_password';
GRANT CONNECT ON DATABASE my_database TO cluvio_readonly;
GRANT USAGE ON SCHEMA public TO cluvio_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cluvio_readonly;
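
The grants above apply only to tables that exist when they are run, and they do not by themselves show that the role has no write access. The following PostgreSQL script is an added example, not part of the Cluvio documentation: it closes two common gaps and then checks the result. It reuses the placeholder names from this page (my_database, public, cluvio_readonly) and assumes it is run by the database owner or a superuser while connected to my_database.

```sql
-- Added example; names are the placeholders used on this page.

-- 1. Before PostgreSQL 15, every role may create objects in schema public
--    through the PUBLIC pseudo-role. Revoking it affects all roles, so grant
--    CREATE back explicitly to any role that legitimately needs it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Make tables created later readable too. Without FOR ROLE this applies
--    only to tables created by the role that runs this statement.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO cluvio_readonly;

-- 3. Role attributes: every boolean column should be false.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole,
       rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname = 'cluvio_readonly';

-- 4. Schema level: expect can_use = true and can_create = false.
SELECT has_schema_privilege('cluvio_readonly', 'public', 'USAGE')  AS can_use,
       has_schema_privilege('cluvio_readonly', 'public', 'CREATE') AS can_create;

-- 5. Table level: list every write-type privilege the role holds, whether
--    granted directly, through PUBLIC, or through role membership.
--    Expect zero rows; any row is a table the role can modify.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       p.privilege
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'),
                   ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(privilege)
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')   -- tables, views, foreign tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('cluvio_readonly', c.oid, p.privilege)
ORDER BY schema_name, table_name, p.privilege;
```

If tables are created by more than one role, repeat step 2 with FOR ROLE for each of those roles.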

Redshift:

CREATE USER cluvio_readonly PASSWORD 'secret_password';
GRANT USAGE ON SCHEMA public TO cluvio_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cluvio_readonly;

MySQL / MariaDB (SSH tunnel on the same host):

CREATE USER 'cluvio_readonly'@'localhost' IDENTIFIED BY 'secret_password';
GRANT SELECT ON my_database.* TO 'cluvio_readonly'@'localhost';
FLUSH PRIVILEGES;

MySQL / MariaDB (remote connection):

CREATE USER 'cluvio_readonly'@'%' IDENTIFIED BY 'secret_password';
GRANT SELECT ON my_database.* TO 'cluvio_readonly'@'%';
FLUSH PRIVILEGES;

BigQuery:

Permissions on Google BigQuery are controlled via the roles attached to the service account in the IAM & Admin section of the BigQuery console. Cluvio needs at least the following permissions to fetch the schema and run queries:

BigQuery > BigQuery Data Viewer
BigQuery > BigQuery User