adapter: Update privileges when an owner is updated #18777
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds privileges to the following objects: - tables - views - materialized views - sources - types - secrets - connections - secrets - clusters - databases - schemas This commit updates the on-disk stash representation and the catalog tables/views that present this information to users. Currently, privileges cannot be modified, and they are not looked at when executing statements. These features will be implemented in a future commit. Part of MaterializeInc#11579
This commit will update the privilege of an object whenever the object's owner is updated, in the following ways: - All privileges granted by the old owner are updated so that their grantor is the new owner. - All privileges granted to the old owner are transferred to the new owner. Part of MaterializeInc#11579
maddyblue
approved these changes
Apr 17, 2023
…ate-privilege-owners # Conflicts: # src/adapter/src/catalog.rs # src/adapter/src/catalog/storage.rs # test/sqllogictest/privileges.slt
def-
reviewed
Apr 17, 2023
There was a problem hiding this comment.
Sorry for the late review.
I tried out code coverage on this PR: https://buildkite.com/materialize/coverage/builds/26#0187900b-9c08-441b-be29-a36e2d86a3c1
It found some of the added lines were not run in any test, would it make sense and be possible to test them?
| if privilege.grantor == old_owner { | ||
| privilege.grantor = new_owner; | ||
| } else if privilege.grantor == new_owner { | ||
| new_present = true; |
| if privilege.grantee == old_owner { | ||
| privilege.grantee = new_owner; | ||
| } else if privilege.grantee == new_owner { | ||
| new_present = true; |
| // is inspired by PostgreSQL's algorithm but not identical. | ||
| if new_present { | ||
| // Group privileges by (grantee, grantor). | ||
| let privilege_map: BTreeMap<_, Vec<_>> = privileges.into_iter().fold( |
There was a problem hiding this comment.
This pretty large block seems untested.
| @@ -147,6 +147,14 @@ pub struct MzAclItem { | |||
| } | |||
|
|
|||
| impl MzAclItem { | |||
| pub fn empty(grantee: RoleId, grantor: RoleId) -> MzAclItem { | |||
There was a problem hiding this comment.
Is this function tested anywhere?
12 tasks
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit will update the privilege of an object whenever the
object's owner is updated, in the following ways:
grantor is the new owner.
owner.
Part of #11579
Motivation
This PR adds a known-desirable feature.
Tips for Reviewer
Checklist
$T ⇔ Proto$Tmapping (possibly in a backwards-incompatible way) and therefore is tagged with aT-protolabel.