AI function privileges
This topic describes the AI function privileges, including AI MODEL and ACCESS AI MODEL, which are used for managing AI models and calling AI functions, respectively.
AI MODEL
AI MODEL privileges are used for managing AI models. These include three specific privileges: CREATE AI MODEL, ALTER AI MODEL, and DROP AI MODEL.
Syntax
The syntax for granting privileges is as follows:
-- Grant the privilege to create an AI model.
GRANT CREATE AI MODEL ON *.* TO 'username'@'host';
-- Grant the privilege to change an AI model.
GRANT ALTER AI MODEL ON *.* TO 'username'@'host';
-- Grant the privilege to drop an AI model.
GRANT DROP AI MODEL ON *.* TO 'username'@'host';
GRANT CREATE AI MODEL, ALTER AI MODEL, DROP AI MODEL ON *.* TO 'username'@'host';
The syntax for revoking privileges is as follows:
-- Revoke the privilege to create an AI model.
REVOKE CREATE AI MODEL ON *.* FROM 'username'@'host';
-- Revoke the privilege to change an AI model.
REVOKE ALTER AI MODEL ON *.* FROM 'username'@'host';
-- Revoke the privilege to drop an AI model.
REVOKE DROP AI MODEL ON *.* FROM 'username'@'host';
-- Check the privileges.
SHOW GRANTS FOR 'username'@'host';
Examples
-
Create a user.
CREATE USER test_ai_user@'%' IDENTIFIED BY '123456'; -
Log in as the
test_ai_useruser.obclient -h 127.0.0.1 -P 2881 -u test_ai_user@'%' -p *** -A -D test; -
Call the
CREATE_AI_MODEL_ENDPOINTprocedure.CALL DBMS_AI_SERVICE.CREATE_AI_MODEL_ENDPOINT (
-> 'user_ai_model_endpoint_1', '{
'> "ai_model_name": "my_model1",
'> "url": "https://https://api.deepseek.com",
'> "access_key": "sk-xxxxxxxxxxxx",
'> "request_model_name": "deepseek-chat",
'> "provider": "deepseek"
'> }');Since the user does not have the
CREATE AI MODELprivilege, an error is returned:ERROR 42501: Access denied; you need (at least one of) the create ai model endpoint privilege(s) for this operation -
Grant the
CREATE AI MODELprivilege to thetest_ai_useruser.GRANT CREATE AI MODEL ON *.* TO test_ai_user@'%'; -
Verify the privilege.
CALL DBMS_AI_SERVICE.CREATE_AI_MODEL_ENDPOINT (
-> 'user_ai_model_endpoint_1', '{
'> "ai_model_name": "my_model1",
'> "url": "https://https://api.deepseek.com",
'> "access_key": "sk-xxxxxxxxxxxx",
'> "request_model_name": "deepseek-caht",
'> "provider": "deepseek"
'> }');This time, the statement executes successfully.
ACCESS AI MODEL
The ACCESS AI MODEL privilege is used for calling AI functions, including AI_COMPLETE, AI_EMBED, AI_RERANK, and AI_PROMPT.
Syntax
The syntax for granting this privilege is as follows:
GRANT ACCESS AI MODEL ON *.* TO 'username'@'host';
The syntax for revoking this privilege is as follows:
REVOKE ACCESS AI MODEL ON *.* FROM 'username'@'host';
Examples
-
Call the
AI_COMPLETEfunction.SELECT AI_COMPLETE("ob_complete","Your task is to perform sentiment analysis on the provided text and determine whether the sentiment is positive or negative.
The text to analyze is as follows:
<text>
What a beautiful day!
</text>
Judgment criteria:
If the text expresses a positive sentiment, output 1; if it expresses a negative sentiment, output -1. Do not output anything else.\n") AS ans;Since the user does not have the
ACCESS AI MODELprivilege, an error is returned:ERROR 42501: Access denied; you need (at least one of) the access ai model endpoint privilege(s) for this operation -
Grant the
ACCESS AI MODELprivilege to thetest_ai_useruser.GRANT ACCESS AI MODEL ON *.* TO test_ai_user@'%'; -
Verify the privilege.
SELECT AI_COMPLETE("ob_complete","Your task is to perform sentiment analysis on the provided text and determine whether the sentiment is positive or negative.
The text to analyze is as follows:
<text>
What a beautiful day!
</text>
Judgment criteria:
If the text expresses a positive sentiment, output 1; if it expresses a negative sentiment, output -1. Do not output anything else.\n") AS ans;This time, the statement executes successfully.
+-----+
| ans |
+-----+
| 1 |
+-----+