CXH-1396: add Amazon Redshift example #125

a170a92 to 9d20148
display_name: "resource.DisplayName + ' member'"
description: "'Membership in Redshift role ' + resource.DisplayName"
purpose: assignment
grantable_to: [user, role]
C1 only grants to users, and the query is wrong for granting to role
TO { username [ WITH GRANT OPTION ] | ROLE role_name | GROUP group_name | PUBLIC } [, ...]
TO ROLE
TO GROUP
display_name: "resource.DisplayName + ' CONNECT'"
description: "'CONNECT on database ' + resource.DisplayName"
purpose: permission
grantable_to: [user, role, group]
This has the same problem, and elsewhere we should only grant to user or fix the queries.
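The point raised in the two comments above (the GRANT/REVOKE query renders the grantee as a bare username, so listing role or group in grantable_to advertises grants the SQL cannot actually perform) as an added example. This is not code from this PR or from ConductorOne; it renders Redshift statements from the grantee syntax quoted in the review and from the Redshift GRANT reference the diff links, and the entitlement dicts, privilege allow-list and sample names are constructed for the illustration.

```python
"""Added example, not code from this PR or from ConductorOne: render Amazon
Redshift GRANT/REVOKE statements whose grantee clause matches the principal
type, and refuse grantee types an entitlement does not list in grantable_to.

Grantee syntax from the Redshift GRANT reference linked in the diff:
  object privileges: ... TO { username | ROLE role_name | GROUP group_name | PUBLIC }
  role membership:   GRANT ROLE role_name TO { username | ROLE role_name }
The entitlement dicts, allow-lists and sample names below are constructed.
"""
import re
from typing import Optional

# Plain identifier shape; anything else is refused rather than escaped, since
# principal and object names arrive from a sync, not from a trusted template.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")
# Constructed allow-lists of the keywords the renderer is willing to emit.
_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "REFERENCES",
               "USAGE", "CREATE", "TEMP", "ALTER"}
_OBJECT_TYPES = {"DATABASE", "SCHEMA", "TABLE"}


def quote_ident(name: str) -> str:
    """Double-quote an identifier after checking it is a plain name."""
    if not _IDENT.match(name):
        raise ValueError(f"refusing to render identifier {name!r}")
    return f'"{name}"'


def grantee_clause(principal_type: str, principal_name: str) -> str:
    """Prefix the name with the keyword Redshift expects for that principal type."""
    ident = quote_ident(principal_name)
    if principal_type == "user":
        return ident             # bare username
    if principal_type == "role":
        return f"ROLE {ident}"   # TO ROLE role_name
    if principal_type == "group":
        return f"GROUP {ident}"  # TO GROUP group_name
    raise ValueError(f"unsupported grantee type {principal_type!r}")


def _render(verb: str, entitlement: dict, grantee: str, object_name: Optional[str]) -> str:
    """Assemble the statement; the caller has already chosen the grantee clause."""
    if verb not in ("GRANT", "REVOKE"):
        raise ValueError(f"unknown verb {verb!r}")
    link = "TO" if verb == "GRANT" else "FROM"
    if entitlement["purpose"] == "assignment":
        # Role membership: GRANT ROLE "r" TO ... / REVOKE ROLE "r" FROM ...
        return f'{verb} ROLE {quote_ident(entitlement["role"])} {link} {grantee};'
    privilege, object_type = entitlement["privilege"], entitlement["object_type"]
    if privilege not in _PRIVILEGES or object_type not in _OBJECT_TYPES:
        raise ValueError(f"unknown privilege/object {privilege!r} ON {object_type!r}")
    if object_name is None:
        raise ValueError("object privilege needs an object name")
    return (f'{verb} {privilege} ON {object_type} '
            f'{quote_ident(object_name)} {link} {grantee};')


def naive_statement(verb: str, entitlement: dict, principal_name: str,
                    object_name: Optional[str] = None) -> str:
    """The shape the review flags: the grantee is always rendered as a bare
    username, whatever principal types grantable_to advertises. For a role
    named "analysts" this targets a *user* called analysts (or fails)."""
    return _render(verb, entitlement, quote_ident(principal_name), object_name)


def statement(verb: str, entitlement: dict, principal_type: str, principal_name: str,
              object_name: Optional[str] = None) -> str:
    """Corrected form: grantable_to is enforced, then the keyword is chosen."""
    if principal_type not in entitlement["grantable_to"]:
        raise ValueError(f"{entitlement['id']} is not grantable to {principal_type!r}")
    if entitlement["purpose"] == "assignment" and principal_type == "group":
        # The GRANT ROLE form has no GROUP grantee; refuse instead of emitting bad SQL.
        raise ValueError("role membership cannot be granted to a group")
    return _render(verb, entitlement, grantee_clause(principal_type, principal_name), object_name)


# Constructed entitlements mirroring the two shapes in the diff.
ROLE_MEMBER = {"id": "role-member", "purpose": "assignment", "role": "analysts",
               "grantable_to": ["user", "role"]}
SCHEMA_USAGE = {"id": "schema-usage", "purpose": "permission", "privilege": "USAGE",
                "object_type": "SCHEMA", "grantable_to": ["user", "role", "group"]}


if __name__ == "__main__":
    print(naive_statement("GRANT", SCHEMA_USAGE, "analysts", "sales"))   # no ROLE keyword
    print(statement("GRANT", SCHEMA_USAGE, "role", "analysts", "sales"))
    print(statement("REVOKE", SCHEMA_USAGE, "group", "bi", "sales"))
    print(statement("GRANT", ROLE_MEMBER, "user", "alice"))
```

The two renderers take the same entitlement; the naive one produces `TO "analysts"` for a role principal, which Redshift reads as a username, while the corrected one produces `TO ROLE "analysts"` and raises for any principal type the entitlement does not declare, so the config and the SQL can no longer disagree about who is provisionable.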
grantee: "principal.ID"
grant:
no_transaction: true
queries:
🟡 Suggestion: The database grants query runs per-database (no scope: cluster), but svv_database_privileges likely returns cluster-wide results regardless of which database you're connected to. This would produce duplicate grants — the same CONNECT row emitted once per database iteration. Consider adding scope: cluster here to match the database list query.
# Read-only: https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html lists CREATE/TEMP/USAGE/ALTER as the
# database-level grantable privileges, not CONNECT. svv_database_privileges
# still surfaces CONNECT rows, so visibility works, but a GRANT CONNECT path
# is not documented and is left out until validated.
🟡 Suggestion: grantable_to: [user] means role-to-role grants (synced via the svv_role_grants block below) are visible but not provisionable. If granting a role to another role should be supported, add role to the list: grantable_to: [user, role].
Connector PR Review: CXH-1396: add Amazon Redshift example
Blocking Issues: 0 | Suggestions: 2 | Threads Resolved: 0
Review Summary
Full review of new commits since
Security Issues: None found.
Correctness Issues: None found.
Suggestions
C1 only provisions grants to user grantees, and the existing GRANT/REVOKE queries assume a username (no TO ROLE / TO GROUP keyword). Listing role or group in grantable_to advertised provisioning paths the SQL could not actually execute. Restrict every static_entitlements grantable_to to [user] across role, database, schema, and table entitlements. Grant-discovery blocks still emit role/group principals where the privilege views report them; that is state reporting, not provisioning.
16f2613 to dc14fe3
Adds an Amazon Redshift configuration on top of #124. Customers can sync the entire cluster (users, groups, roles, schemas, tables) and grant or revoke schema-level and table-level access through ConductorOne.