Namespace Management

A namespace defines a group of tables, within which all of the table names must be uniquely identified. Namespaces permit you to do table privilege management as a group operation.

• Namespace Resolution
• Manage Namespaces
• Namespace scoped privileges
• Granting Authorization Access to Namespaces

Namespace Resolution

You can grant authorization permissions to a namespace to determine who can access both the namespace and the tables within it.

To resolve a table from a table_name that appears in an SQL statement, the following rules apply:

• • If the table_name contains a namespace name, no resolution is needed, because a qualified table name uniquely identifies a table.
  • If you don't specify a namespace name explicitly, the namespace used is the one contained in the ExecuteOptions instance that is given as input to the executeSync(), execute(), or prepare() methods of TableAPI.
  • If ExecuteOptions doesn't specify a namespace, the default sysdefault namespace is used.

Using different namespaces in ExecuteOptions allows executing the same queries on separate but similar tables.

Manage Namespaces

SHOW NAMESPACES

The SHOW NAMESPACES statement provides the list of namespaces in the system. You can specify AS JSON if you want the output to be in JSON format.

Example 1: The following statement lists the namespaces present in the system.

SHOW NAMESPACES

Output:

namespaces
  sysdefault

Example 2: The following statement lists the namespaces present in the system in JSON format.

SHOW AS JSON NAMESPACES

Output:

{"namespaces" : ["sysdefault"]}

DROP NAMESPACE

You can remove a namespace by using the DROP NAMESPACE statement.

IF EXISTS is an optional clause. If you specify this clause, and if a namespace with the same name does not exist, no error is generated. If you don't specify this clause, and if a namespace with the same name does not exist, an error is generated indicating that the namespace does not exist.

CASCADE is an optional clause that enables you to specify whether to drop the tables and their indexes in this namespace. If you specify this clause, and if the namespace contains any tables, then the namespace together with all the tables in this namespace will be deleted. If you don't specify this clause, and if the namespace contains any tables, then an error is generated indicating that the namespace is not empty.

The following statement removes the namespace named ns1.

DROP NAMESPACE IF EXISTS ns1 CASCADE

Namespace scoped privileges

You can add one or more namespaces to your store, create tables within them, and grant permission for users to access namespaces and tables. For general information on managing Roles and Users, see Grant Roles or Privileges in the Security Guide.

For information on implication relationship among Oracle NoSQL Database privileges, see Privilege Hierarchy in the Security Guide.

Granting Authorization Access to Namespaces

You can manage permission for users or roles to access namespaces and tables. These are the applicable permissions given to the developers and other users:

Table 3-1 Namespace Privileges and Permissions

Privilege	Description
CREATE_ANY_NAMESPACE DROP_ANY_NAMESPACE	Grant permission to a user or to a role to create or drop any namespace. GRANT CREATE_ANY_NAMESPACE TO <User|Role>; GRANT DROP_ANY_NAMESPACE TO <User|Role>;
CREATE_TABLE_IN_NAMESPACE DROP_TABLE_IN_NAMESPACE EVOLVE_TABLE_IN_NAMESPACE	Grant permission to a user or to a role to create, drop or evolve tables in a specific namespace. You can evolve tables to update table definitions, add or remove fields, or change field properties, such as a default value. You may even add a particular kind of column, like an IDENTITY column, to increment some value automatically. Only tables that already exist in the store are candidates for table evolution. For more details, see Alter Table. GRANT CREATE_TABLE_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; GRANT DROP_TABLE_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; GRANT EVOLVE_TABLE_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>user_role;
CREATE_INDEX_IN_NAMESPACE DROP_INDEX_IN_NAMESPACE	Grant permission to a user or to a role to create or drop an index in a specific namespace. GRANT CREATE_INDEX_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; GRANT DROP_INDEX_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>;
READ_IN_NAMESPACE INSERT_IN_NAMESPACE DELETE_IN_NAMESPACE	Grant permission to a role to read, insert, or delete items in a specific namespace. GRANT READ_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; GRANT INSERT_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; GRANT DELETE_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>;
MODIFY_IN_NAMESPACE	Helper label for granting or revoking permissions to all DDL privileges for a specific namespace to a user or role. GRANT MODIFY_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>; REVOKE MODIFY_IN_NAMESPACE ON NAMESPACE namespace_name TO <User|Role>;

Grant privileges on a namespace

You can grant permissions to a role or a user on a namespace. Following is the syntax for granting permissions on a namespace:

GRANT {Namespace-scoped privileges} ON NAMESPACE namespace_name TO <User|Role>
Namespace-scoped privileges ::= namespace_privilege [, namespace_privilege]

where,

• namespace_privilege

  The namespace privilege that can be granted to a user or a role. For more information on the applicable privileges, see the Privilege column in the Namespace Privileges and Permissions table.

• namespace_name

  The namespace that the user wishes to access.

• <User|Role>

  The name of the KVStore user or the role of a user.

For example, you can grant read access to a user for all the tables in the namespace.

Example:

GRANT READ_IN_NAMESPACE ON NAMESPACE ns1 TO Kate;

Here, ns1 is the namespace and Kate is the user.

Note:

The label MODIFY_IN_NAMESPACE can be used as a helper for granting or revoking permissions to all DDL privileges for a specific namespace to a user or role.

Revoke privileges on a namespace

You can revoke the permissions from a role or a user on a namespace. Following is the syntax for revoking the permissions on a namespace.

REVOKE {Namespace-scoped privileges} ON NAMESPACE namespace_name FROM <User|Role>
Namespace-scoped privileges ::= namespace_privilege [, namespace_privilege]

where,

• namespace_privilege

  The namespace privilege that can be revoked from a user or a role. For more information on the applicable privileges, see the Privilege column in the Namespace Privileges and Permissions table.

• namespace_name

  The namespace that the user wishes to access.

• <User|Role>

  The name of the KVStore user or the role of a user.

For example, you can revoke the read access from a user for all the tables in the namespace.

Example:

REVOKE READ_IN_NAMESPACE ON NAMESPACE ns1 FROM Kate;

Here, ns1 is the namespace and Kate is the user.

Note:

The label MODIFY_IN_NAMESPACE can be used as a helper for granting or revoking permissions to all DDL privileges for a specific namespace to a user or role.

The following example shows:

1. Creation of a namespace and a table.
2. Revocation of the privilege to create any other new tables in the namespace, but allow the table to be dropped.

Example: Namespace Scoped Privileges

CREATE NAMESPACE IF NOT EXISTS ns1; 
GRANT MODIFY_IN_NAMESPACE ON NAMESPACE ns1 TO usersRole; 
CREATE TABLE ns1:t (id INTEGER, name STRING, primary key (id)); 
INSERT INTO ns1:t VALUES (1, 'Smith'); 
SELECT * FROM ns1:t; 
REVOKE CREATE_TABLE_IN_NAMESPACE ON NAMESPACE ns1 FROM usersRole; 
DROP NAMESPACE ns1 CASCADE;

Note:

You can save all of the above commands as a sql script and execute it in a single command. If you want to execute any of the above commands outside of a SQL prompt, remove the semi colon at the end.