AI function service permissions

This topic describes the AI function service permissions, including AI MODEL and ACCESS AI MODEL, which are used to manage AI models and invoke AI functions.

AI model

The AI model-related privileges are used to manage AI models and include CREATE AI MODEL, ALTER AI MODEL, and DROP AI MODEL.

Syntax

The syntax for granting privileges is as follows:

-- Grant the CREATE AI MODEL privilege
GRANT CREATE AI MODEL ON *.* TO 'username'@'host';

-- Grant the ALTER AI MODEL privilege
GRANT ALTER AI MODEL ON *.* TO 'username'@'host';

-- Grant the DROP AI MODEL privilege
GRANT DROP AI MODEL ON *.* TO 'username'@'host';

-- Grant all three privileges
GRANT CREATE AI MODEL, ALTER AI MODEL, DROP AI MODEL ON *.* TO 'username'@'host';

The syntax for revoking privileges is as follows:

-- Revoke the CREATE AI MODEL privilege
REVOKE CREATE AI MODEL ON *.* FROM 'username'@'host';

-- Revoke the ALTER AI MODEL privilege
REVOKE ALTER AI MODEL ON *.* FROM 'username'@'host';

-- Revoke the DROP AI MODEL privilege
REVOKE DROP AI MODEL ON *.* FROM 'username'@'host';

-- Check the privileges
SHOW GRANTS FOR 'username'@'host';

Examples

1. Create a user.

   CREATE USER test_ai_user@'%' IDENTIFIED BY '123456';
   

2. Log in as the test_ai_user user.

   obclient -h 127.0.0.1 -P 2881 -u test_ai_user@'%' -p *** -A -D test;
   

3. Call the CREATE_AI_MODEL_ENDPOINT procedure.

   CALL DBMS_AI_SERVICE.CREATE_AI_MODEL_ENDPOINT (
          'user_ai_model_endpoint_1', '{
            "ai_model_name": "my_model1",
            "url": "https://api.deepseek.com",
            "access_key": "sk-xxxxxxxxxxxx",
            "request_model_name": "deepseek-chat",
            "provider": "deepseek"
          }');
   

   The operation fails because the CREATE AI MODEL privilege is not granted.

   ERROR 42501: Access denied; you need (at least one of) the create ai model endpoint privilege(s) for this operation
   

4. Grant the CREATE AI MODEL privilege to the test_ai_user user.

   GRANT CREATE AI MODEL ON *.* TO test_ai_user@'%';
   

5. Verify the privilege.

   CALL DBMS_AI_SERVICE.CREATE_AI_MODEL_ENDPOINT (
          'user_ai_model_endpoint_1', '{
            "ai_model_name": "my_model1",
            "url": "https://api.deepseek.com",
            "access_key": "sk-xxxxxxxxxxxx",
            "request_model_name": "deepseek-caht",
            "provider": "deepseek"
          }');
   

   The operation is successful.

Access AI model

The ACCESS AI MODEL privilege is used to call AI functions, including AI_COMPLETE, AI_EMBED, and AI_RERANK.

Syntax

The syntax for granting the privilege is as follows:

GRANT ACCESS AI MODEL ON *.* TO 'username'@'host';

The syntax for revoking the privilege is as follows:

REVOKE ACCESS AI MODEL ON *.* FROM 'username'@'host';

Examples

1. Call the AI_COMPLETE function.

   SELECT AI_COMPLETE("ob_complete","You are a translation master. Please translate the following text into English: {{Hello world.}}, and output only the translation result") as ans;
   

   Since the ACCESS AI MODEL privilege is not granted, an error is returned.

   ERROR 42501: Access denied; you need (at least one of) the access ai model endpoint privilege(s) for this operation
   

2. Grant the ACCESS AI MODEL privilege to the test_ai_user user.

   GRANT ACCESS AI MODEL ON *.* TO test_ai_user@'%';
   

3. Verify the privilege.

   SELECT AI_COMPLETE("ob_complete","You are a translation master. Please translate the following text into English: {{Hello world.}}, and output only the translation result") as ans;
   

   The execution is successful.

   ```shell
   +----------------+
   | ans            |
   +----------------+
   | "Hello world." |
   +----------------+
   1 row in set