CXH-1582: Surface role and group access in redshift connector#133

Merged: al-conductorone merged 2 commits into main from cxh-1582-fix-redshift-role-group-grants, Jun 3, 2026
@al-conductorone

Contributor

Redshift access granted through a role or group now shows up in C1, including the individual users who inherit that access through their memberships.

staticEntitlements() in pkg/bsql/entitlements.go did not populate
v2.Entitlement.GrantableTo from the YAML grantable_to field, so role
and group principal grants on static entitlements were dropped during
C1 ingest. Mirror the resource-type lookup from mapEntitlement() so
static entitlements honor the configured types.

In examples/redshift-test.yml, widen grantable_to to include role and
group on the affected privilege entitlements, and attach expandable
annotations on every role/group grant map entry so the SDK fans the
grants out to member users at sync time. Verified against the local
Postgres-as-Redshift stub: group analysts' members alice and bob now
appear as derived user grants on schema:analytics.reports:usage.
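
The gap described above, as an added Go example that is not the connector's or the SDK's own code: a simplified ingest that keeps a grant only when its principal type is listed in the entitlement's `GrantableTo`, then fans expandable group grants out to member users. The `Entitlement`, `Grant`, `accepts` and `Ingest` names are hypothetical, and the sample data is constructed from the case in the description.

```go
package main

import "fmt"

// Hypothetical, simplified types; not the connector's or SDK's real structs.
type Entitlement struct {
	GrantableTo []string // principal resource types ingest will accept
}

type Grant struct {
	EntitlementID, PrincipalType, Principal string
	Expandable                              bool // stand-in for the expandable annotation
}

func accepts(e Entitlement, principalType string) bool {
	for _, t := range e.GrantableTo {
		if t == principalType {
			return true
		}
	}
	return false
}

// Ingest drops grants whose principal type is not grantable, then expands the rest to members.
func Ingest(ents map[string]Entitlement, grants []Grant, members map[string][]string) []string {
	var out []string
	for _, g := range grants {
		if !accepts(ents[g.EntitlementID], g.PrincipalType) {
			continue // dropped silently: this access never reaches review
		}
		p := g.PrincipalType + ":" + g.Principal
		out = append(out, g.EntitlementID+" <- "+p)
		if g.Expandable {
			for _, u := range members[p] {
				out = append(out, g.EntitlementID+" <- user:"+u+" (derived via "+p+")")
			}
		}
	}
	return out
}

func main() {
	const id = "schema:analytics.reports:usage" // constructed sample from the PR text
	grants := []Grant{{id, "group", "analysts", true}}
	members := map[string][]string{"group:analysts": {"alice", "bob"}}
	for _, types := range [][]string{{"user"}, {"user", "role", "group"}} {
		fmt.Println(types, "=>", Ingest(map[string]Entitlement{id: {GrantableTo: types}}, grants, members))
	}
}
```

With `GrantableTo` limited to `user`, the group grant and both derived user grants are absent from the output, which is the blind spot an access review would inherit.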
al-conductorone requested a review from a team June 2, 2026 20:27
@linear-code

linear-code Bot commented Jun 2, 2026


CXH-1582

@github-actions

github-actions Bot commented Jun 2, 2026

Contributor

Connector PR Review: CXH-1582: Surface role and group access in redshift connector

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: incremental since 9a758bd

Review Summary

The new commits since the last review are a lint fix converting db.Exec and db.QueryRow to their context-aware counterparts (ExecContext, QueryRowContext) in the grant provisioning rejection tests. The full PR adds GrantableTo population for static entitlements, extends the Redshift example config with role and group grantable types and expandable grant annotations, and the test lint fix. No security or correctness issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

@github-actions github-actions Bot left a comment

Contributor

No blocking issues found.

@github-actions github-actions Bot left a comment

Contributor

No blocking issues found.

al-conductorone merged commit 7eec991 into main Jun 3, 2026
9 checks passed
al-conductorone deleted the cxh-1582-fix-redshift-role-group-grants branch June 3, 2026 23:22