View Manager extension
Imply View Manager is an alpha feature that should be considered preview and subject to change or removal at any time. Alpha features are provided "as is," and are not subject to Imply SLAs.
The Imply View Manager extension lets you define views that expose only a subset of data for a datasource. The view manager is a key feature for Druid's Row and column security model.
The View Manager provides a set of View Manager APIs for view management. To manage permissions to views, use the Coordinator Security API. For an example, see Row and column level security.
The Druid Coordinator acts as the "view manager" for SQL view definitions and stores the definitions in the SQL metadata store in the druid_views table. Druid Brokers periodically refresh a snapshot of the current view state from the Coordinators. Brokers also listen for updates pushed from the Coordinator. When they receive an update, the Brokers modify the schema to match the current set of view definitions, making them available for querying. You can use the API to check the freshness and availability of views on all Brokers.
Unsupported use cases
The View Manager provides row and column level security by filtering the data in rows and columns to prevent users access to data. The feature is not designed to provide a generic logic abstraction layer for Druid.
The following query features are not supported in view definitions:
- Subqueries of any kind.
- Joins of any kind.
UNION ALL.- Aggregations.
LIMIT,OFFSET,ORDER BYoperations.- Queries on anything that is not a base datasource: lookups, INFORMATION_SCHEMA, sys.* tables, or other views.
- Transforms on the projected columns. Note: transforms within filters are allowed.
Configuration
Enable and configure the View Manager in the common.runtime.properties.
- Load the "imply-view-manager" extension. For example:
druid.extensions.loadList=["druid-hdfs-storage", "druid-kafka-indexing-service", "druid-datasketches", "druid-basic-security", "imply-view-manager"]
- Specify the view manager:
# Specify the view manager
druid.sql.viewmanager.type=imply
Managing view access
You can manage access to views similar to the way you manage access to datasourcs using the Coordinator Security API. The VIEW resource type controls access to views as follows:
- To query a view, you need
READaccess to the view. For example, to access a view named "english":{
"resource": {
"name": "english",
"type": "VIEW"
},
"action": "READ"
} - To create or delete a view, you need
WRITEaccess to theCONFIGtype resource. For example:{
"resource": {
"name": ".*",
"type": "CONFIG"
},
"action": "READ"
},
{
"resource": {
"name": ".*",
"type": "CONFIG"
},
"action": "WRITE"
}
Advanced configuration and tuning properties
The following properties are for tuning the View Manager behavior. In general you shouldn't need to change these properties without guidance:
| property | description | default |
|---|---|---|
druid.sql.viewmanager.imply.pollingPeriod | Frequency in milliseconds that Brokers poll Coordinators to refresh view state | 60000 |
druid.sql.viewmanager.imply.maxRandomDelay | Random delay in milliseconds between Broker polling period to prevent herd effects from overwhelming Coordinators. | 6000 |
druid.sql.viewmanager.imply.maxSyncRetries | Number of retry attempts before Brokers abandon a view state refresh from Coordinators | 5 |
druid.sql.viewmanager.imply.cacheDirectory | Local disk path where Brokers can store a snapshot of viewstate to allow cold startup when Coordinators are not available. | None. |
druid.sql.viewmanager.imply.enableCacheNotifications | Allow Coordinators to propagate view state changes to Brokers. | true |
druid.sql.viewmanager.imply.cacheNotificationTimeout | Timeout period in milliseconds for view state change notifications. | 5000 |
Learn more
See the following topics for more information:
- Row and column level security to learn how to use views to secure data.
- View Manager APIs for a list of APIs and links to examples.
- Coordinator Security API for details of the security API.