Release Notes
Introduction to CelerData Cloud Serverless
Quick Start
Warehouses
- Overview of warehouses
- Manage warehouses
Catalog, database, table, view, and MV
- Overview of database objects
- Catalog
- Table types
- Asynchronous materialized views
Data Loading
- Batch load data from Amazon S3
- Load streaming data from Confluent Cloud
- Load data from a local file system
Data access control
- Overview of access control
- Privileges
- Manage user privileges
- Column and row-level security
Networking and private connectivity
- Connect with a Private Link
- IP Firewall
Usage and Billing
- Understand usage and billing
Organization and Account
- Organization and account
Integration
- Authenticate to AWS resources
- BI tools
- IDE tools
  - DataGrip
  - DBeaver
Query Acceleration
- CBO
- Colocate join
- Indexing
  - Bitmap indexing
  - Bloomfilter indexing
- Data Deduplication
  - Use Bitmap for exact count distinct
  - Use HLL for approximate count distinct
- Lateral join
Reference
- AWS IAM policies
- Information Schema
- Data Types
- System Metadatabase
- Keywords
- SQL Statements
- SQL Functions
  - Function List
  - String Functions
    - CONCAT
    - HEX
    - LOWER
    - SPLIT
    - LPAD
    - SUBSTRING
    - PARSE_URL
    - INSTR
    - REPEAT
    - LCASE
    - REPLACE
    - HEX_DECODE_BINARY
    - RPAD
    - SPLIT_PART
    - STRCMP
    - SPACE
    - CHARACTER_LENGTH
    - URL_ENCODE
    - APPEND_TAILING_CHAR_IF_ABSENT
    - LTRIM
    - HEX_DECODE_STRING
    - URL_DECODE
    - LEFT
    - STARTS_WITH
    - CONCAT
    - GROUP_CONCAT
    - STR_TO_MAP
    - STRLEFT
    - STRRIGHT
    - MONEY_FORMAT
    - RIGHT
    - SUBSTRING_INDEX
    - UCASE
    - TRIM
    - FIND_IN_SET
    - RTRIM
    - ASCII
    - UPPER
    - REVERSE
    - LENGTH
    - UNHEX
    - ENDS_WITH
    - CHAR_LENGTH
    - NULL_OR_EMPTY
    - LOCATE
    - CHAR
  - Predicate Functions
    - REGEXP
    - REGEXP_EXTRACT_ALL
    - REGEXP_EXTRACT
    - REGEXP_REPLACE
    - LIKE
  - Map Functions
    - MAP_KEYS
    - MAP_VALUES
    - MAP_CONCAT
    - MAP_SIZE
    - MAP_FROM_ARRAYS
    - MAP_APPLY
    - TRANSFORM_KEYS
    - CARDINALITY
    - DISTINCT_MAP_KEYS
    - MAP_FILTER
    - ELEMENT_AT
    - TRANSFORM_VALUES
  - Binary Functions
    - TO_BINARY
    - FROM_BINARY
  - Geospatial Functions
    - ST_X
    - ST_Y
    - S_CIRCLE
    - ST_DISTANCE_SPHERE
    - ST_POINT
    - ST_POLYGON
    - ST_ASTEXT
    - ST_CONTAINS
    - ST_GEOMETRY_FROM_TEXT
    - ST_LINE_FROM_TEXT
  - Lambda Expression
    - Lambda Expression
  - Utility Functions
    - SLEEP
    - UUID
    - IS_NOT_NULL
    - CURRENT_VERSION
    - LAST_QUERY_ID
    - HOST_NAME
    - VERSION
    - UUID_NUMERIC
    - CATALOG
    - IS_NULL
    - CURRENT_ROLE
    - DATABASE
  - Bitmap Functions
    - BITMAP_SUBSET_LIMIT
    - TO_BITMAP
    - BITMAP_AGG
    - BITMAP_FROM_STRING
    - BITMAP_OR
    - BITMAP_REMOVE
    - BITMAP_AND
    - BITMAP_TO_BASE64
    - BITMAP_MIN
    - BITMAP_CONTAINS
    - SUB_BITMAP
    - BITMAP_UNION
    - BITMAP_COUNT
    - BITMAP_UNION_INT
    - BITMAP_XOR
    - BITMAP_UNION_COUNT
    - BITMAP_HAS_ANY
    - BITMAP_INTERSECT
    - BITMAP_AND_NOT
    - BITMAP_TO_STRING
    - BITMAP_HASH
    - INTERSECT_COUNT
    - BITMAP_EMPTY
    - BITMAP_MAX
    - BASE64_TO_ARRAY
    - BITMAP_TO_ARRAY
  - Struct Functions
    - NAMED_STRUCT
    - ROW
  - Aggregate Functions
    - RETENTION
    - MI
    - MULTI_DISTINCT_SUM
    - WINDOW_FUNNEL
    - STDDEV_SAMP
    - GROUPING_ID
    - HLL_HASH
    - AVG
    - HLL_UNION_AGG
    - COUNT
    - BITMAP
    - HLL_EMPTY
    - SUM
    - MAX_BY
    - PERCENTILE_CONT
    - COVAR_POP
    - PERCENTILE_APPROX
    - HLL_RAW_AGG
    - STDDEV
    - CORR
    - COVAR_SAMP
    - MIN_BY
    - MAX
    - VAR_SAMP
    - STD
    - HLL_UNION
    - APPROX_COUNT_DISTINCT
    - MULTI_DISTINCT_COUNT
    - VARIANCE
    - ANY_VALUE
    - COUNT_IF
    - GROUPING
    - PERCENTILE_DISC
  - Array Functions
    - ARRAY_CUM_SUM
    - ARRAY_MAX
    - ARRAY_LENGTH
    - ARRAY_REMOVE
    - UNNEST
    - ARRAY_SLICE
    - ALL_MATCH
    - ARRAY_CONCAT
    - ARRAY_SORT
    - ARRAY_POSITION
    - ARRAY_DIFFERENCE
    - ARRAY_CONTAINS
    - ARRAY_JOIN
    - ARRAY_INTERSECT
    - CARDINALITY
    - ARRAY_CONTAINS_ALL
    - ARRAYS_OVERLAP
    - ARRAY_MIN
    - ARRAY_MAP
    - ELEMENT_AT
    - ARRAY_APPEND
    - ARRAY_SORTBY
    - ARRAY_TO_BITMAP
    - ARRAY_GENERATE
    - ARRAY_AVG
    - ARRAY_FILTER
    - ANY_MATCH
    - REVERSE
    - ARRAY_AGG
    - ARRAY_DISTINCT
    - ARRAY_SUM
  - Condition Functions
    - NULLIF
    - IFNULL
    - IF
    - CASE_WHEN
    - COALESCE
  - Math Functions
    - COT
    - LOG10
    - PMOD
    - RAND
    - GREATEST
    - COS_SIMILARITY
    - ROUND
    - ACOS
    - ATAN
    - EXP
    - MOD
    - SIN
    - RADIANS
    - SQUARE
    - LOG2
    - CONV
    - SINH
    - SIGN
    - COSH
    - FMOD
    - TANH
    - LOG
    - SQRT
    - POSITIVE
    - CEILING
    - POW
    - TRUNCATE
    - FLOOR
    - COS_SIMIlARITY_NORM
    - DIVIDE
    - ABS
    - BIN
    - LEAST
    - CEIL
    - PI
    - DEGREES
    - MULTIPLY
    - ASIN
    - NEGATIVE
    - LN
    - E
    - TAN
    - COS
    - ATAN2
  - Date and Time Functions
    - DAYNAME
    - MINUTE
    - FROM_UNIXTIME
    - HOUR
    - MONTHNAME
    - MONTHS_ADD
    - ADD_MONTHS
    - DATE_SUB
    - PREVIOUS_DAY
    - TO_TERA_DATA
    - MINUTES_SUB
    - WEEKS_ADD
    - HOURS_DIFF
    - UNIX_TIMESTAMP
    - DAY
    - DATE_SLICE
    - DATE
    - CURTIME
    - SECONDS_SUB
    - MONTH
    - WEEK
    - TO_DATE
    - TIMEDIFF
    - MONTHS_DIFF
    - STR_TO_JODATIME
    - WEEK_ISO
    - MICROSECONDS_SUB
    - TIME_SLICE
    - MAKEDATE
    - DATE_TRUNC
    - JODATIME
    - DAYOFWEEK
    - YEARS_SUB
    - TIMESTAMP_ADD
    - HOURS_SUB
    - STR2DATE
    - TIMESTAMP
    - FROM_DAYS
    - WEEK_OF_YEAR
    - YEAR
    - TIMESTAMP_DIFF
    - TO_TERA_TIMESTAMP
    - DAYOFMONTH
    - DAYOFYEAR
    - DATE_FORMAT
    - MONTHS_SUB
    - NEXT_DAY
    - MINUTES_DIFF
    - DATA_ADD
    - MINUTES_ADD
    - CURDATE
    - DAY_OF_WEEK_ISO
    - CURRENt_TIMESTAMP
    - STR_TO_DATE
    - LAST_DAY
    - WEEKS_SUB
    - TO_DAYS
    - DATEDIFF
    - NOW
    - TO_ISO8601
    - TIME_TO_SEC
    - QUARTER
    - SECONDS_DIFF
    - UTC_TIMESTAMP
    - DATA_DIFF
    - SECONDS_ADD
    - ADDDATE
    - WEEKSDIFF
    - CONVERT_TZ
    - MICROSECONDS_ADD
    - SECOND
    - YEARS_DIFF
    - YEARS_ADD
    - HOURS_ADD
    - DAYS_SUB
    - DAYS_DIFF
  - Cryptographic Functions
    - SHA2
    - BASE64_DECODE_BINARY
    - SM3
    - AES_DECRYPT
    - MD5
    - AES_ENCRYPT
    - MD5SUM
    - MD5SUM_NUMERIC
    - FROM_BASE64
    - TO_BASE64
    - BASE64_DECODE_STRING
  - Percentile Functions
    - PERCENTILE_APPROX_RAW
    - PERCENTILE_UNION
    - PERCENTILE_HASH
    - PERCENTILE_EMPTY
  - Bit Functions
    - BITOR
    - BITAND
    - BIT_SHIFT_RIGHT_LOGICAL
    - BITXOR
    - BITNOT
    - BIT_SHIFT_LEFT
    - BIT_SHIFT_RIGHT
  - JSON Functions
    - Overview of JSON functions and operators
    - JSON_KEYS
    - JSON_STRING
    - GET_JSON_INT
    - GET_JSON_STRING
    - GET_JSON_DOUBLE
    - JSON_EACH
    - TO_JSON
    - JSON_LENGTH
    - ARROW FUNCTION
    - CAST
    - JSON_QUERY
    - JSON_EXISTS
    - JSON Operators
    - JSON_ARRAY
    - PARSE_JSON
    - JSON_OBJECT
  - Hash Functions
    - MURMUR_HASH3_32
  - Scalar Functions
    - HLL_CARDINALITY
  - Table Functions
    - GENERATE_SERIES
    - FILES

Overview of access control

CelerData Cloud Serverless employs a role-based access control (RBAC) framework, which allows account administrators to precisely manage and regulate access to objects or data in their CelerData cloud accounts.

CelerData's RBAC framework is built on the following key concepts:

Object: An entity whose access can be granted, such as a catalog, a database, or a table. Unauthorized access is prohibited.
Privilege: A defined level of access to an object. Several different privileges can be used to control the granularity of the access granted.
User: A user identity recognized by CelerData. Authenticated users can directly log into CelerData.
Role: An entity to which privileges can be granted. Roles can be assigned to other roles as well as to users.

Objects and privileges

Objects in CelerData have a logical hierarchy, which is related to the concept they represent. For example, Database is contained in Catalog, and Table, View, Materialized View, and Function are contained in Database.

The following figure shows the complete hierarchy of objects in a CelerData cloud account:

Access Control-1

Each object has a set of privilege items that can be granted. These privileges define which operations can be performed on these objects. You can grant and revoke privileges from roles or users through the GRANT and REVOKE commands.

Users

In a CelerData cloud account, each user is identified by a unique username, which is the only identifier of the user.

Grant privileges to users

Users are entities to which privileges can be granted. Both privileges and roles can be assigned to users. The maximum privilege scope of each user identity is the union of its own privileges and the privileges of the roles assigned to this user identity. CelerData ensures that each user can only perform authorized operations.

We recommend that you use roles to pass privileges in most cases. For example, after you create a role, you can grant privileges to the role and then assign the role to users. If you want to grant temporary or special privileges, you can directly grant them to users. This simplifies privilege management and offers flexibility.

Roles

Roles are the entities to which privileges can be granted and revoked. Roles can be seen as a collection of privileges that can be assigned to users, to allow them to perform required actions. A user can be assigned multiple roles so they can perform different actions using separate sets of privileges. To simplify management, CelerData recommends that you manage privileges through roles. Special and temporary privileges can be directly granted to users.

To facilitate management, CelerData provides several system-defined roles with specific privileges, which helps you meet daily management and maintenance requirements. You can also flexibly customize roles to meet specific business needs and security needs. Note that the privilege scope of system-defined roles cannot be modified.

After a role is activated, users can perform operations that are authorized by the role. You can set default roles that are automatically activated when the user logs in. Users can also manually activate a role owned by this used in the current session.

System-defined roles

CelerData provides several types of system-defined roles:

db_admin: This role has database management privileges, including the privileges to perform all operations on catalogs, databases, tables, views, materialized views, functions, and global functions.
user_admin: This role has administrative privileges on users and roles, including privileges to create users, roles, and grant and revoke privileges.
public: This role is owned by any user and activated by default in any session, including adding new users. The public role does not have any privileges by default. You can modify the privileges scope of this role.
account_admin: This role is owned by the creator of the CelerData cloud account. Users who have this role can manage everything in this cloud account.
org_admin: This role is owned by the creator of the root account for the CelerData organization, which means only the root account's creator has the role by default. Users who have this role can manage all accounts in this organization, also they can manage everything in the current cloud account because the org_admin role is granted the account_admin role.
cluster_admin: This role has warehouse management privileges, including the privileges to create, drop, scale, suspend, and resume warehouses.
security_admin: This role has security management privileges, including the privileges to perform all operations on IP Firewall and Private Links.

Custom roles

You can create custom roles to meet specific business requirements and modify their privilege scope. At the same time, for the convenience of management, you can assign roles to other roles to create privilege hierarchy and inheritance. Then, the privileges associated with a role are inherited by another role.

Role hierarchy and privilege inheritance

The following figure shows an example of privilege inheritance.

NOTE
The maximum number of inheritance levels for a role is 16. The inheritance relationship can not be bidirectional.

Access Control-2

As shown in the figure:

role_s is assigned to role_p. role_p implicitly inherits priv_1 of role_s.
role_p is assigned to role_g, role_g implicitly inherits priv_2 of role_p and priv_1 of role_s.
After a role is assigned to a user, the user also has the privileges of this role.

Active roles

In CelerData, all the roles of a user will always be activated. You can use SELECT CURRENT_ROLE(); to view all the active roles in the current session.