adapter: Update privileges when an owner is updated #18777
This commit adds privileges to the following objects:
- tables
- views
- materialized views
- sources
- types
- secrets
- connections
- secrets
- clusters
- databases
- schemas
This commit updates the on-disk stash representation and the catalog tables/views that present this information to users.
Currently, privileges cannot be modified, and they are not looked at when executing statements. These features will be implemented in a future commit.
Part of MaterializeInc#11579
This commit will update the privilege of an object whenever the object's owner is updated, in the following ways:
- All privileges granted by the old owner are updated so that their grantor is the new owner.
- All privileges granted to the old owner are transferred to the new owner.
Part of MaterializeInc#11579
…ate-privilege-owners # Conflicts: # src/adapter/src/catalog.rs # src/adapter/src/catalog/storage.rs # test/sqllogictest/privileges.slt
Sorry for the late review.
I tried out code coverage on this PR: https://buildkite.com/materialize/coverage/builds/26#0187900b-9c08-441b-be29-a36e2d86a3c1
It found that some of the added lines were not run in any test. Would it make sense, and be possible, to test them?
if privilege.grantor == old_owner { | ||
privilege.grantor = new_owner; | ||
} else if privilege.grantor == new_owner { | ||
new_present = true; |
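Review bot: `new_present` is set only in the `else if` branch, and nothing beside it says why an entry that already names `new_owner` as grantor matters. A one-line comment here, saying that such an entry can end up with the same grantee and grantor as a rewritten one and that the later grouping under `if new_present` has to combine them, would make the flag's purpose clear.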
This seems untested
See #18804
if privilege.grantee == old_owner { | ||
privilege.grantee = new_owner; | ||
} else if privilege.grantee == new_owner { | ||
new_present = true; |
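Review bot: this grantee chain has the same shape as the grantor chain, so the two could share a small helper that takes the field by mutable reference and reports whether `new_owner` was already there. A comment should also state what is expected for an entry that the old owner had granted to the new owner, since once both rewrites have run its grantee and grantor are both `new_owner`.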
This seems untested
// is inspired by PostgreSQL's algorithm but not identical. | ||
if new_present { | ||
// Group privileges by (grantee, grantor). | ||
let privilege_map: BTreeMap<_, Vec<_>> = privileges.into_iter().fold( |
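Review bot: the `fold` that builds `privilege_map` would read more directly as a `for` loop over `privileges` that inserts into a mutable map. Writing the key type as `(RoleId, RoleId)` instead of `_` in `BTreeMap<_, Vec<_>>` would also document the (grantee, grantor) order at the declaration rather than only in the comment above it.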
This pretty large block seems untested.
@@ -147,6 +147,14 @@ pub struct MzAclItem { | |||
} | |||
|
|||
impl MzAclItem { | |||
pub fn empty(grantee: RoleId, grantor: RoleId) -> MzAclItem { |
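Review bot: `empty` is a new `pub` function with no doc comment, and both of its parameters are `RoleId`, so a call site that swaps grantee and grantor still compiles. Add a `///` comment that says what an empty item contains and names the argument order.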
Is this function tested anywhere?
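This commit will update the privilege of an object whenever the
object's owner is updated, in the following ways:
- All privileges granted by the old owner are updated so that their
  grantor is the new owner.
- All privileges granted to the old owner are transferred to the new
  owner.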
Part of #11579
Motivation
This PR adds a known-desirable feature.
Tips for Reviewer
Checklist
$T ⇔ Proto$T mapping (possibly in a backwards-incompatible way) and therefore is tagged with a T-proto label.
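The ownership transfer described in this PR, as an added sketch that is not Materialize's code: `AclItem`, the `u8` mode bits and `transfer_owner` are hypothetical stand-ins, and merging colliding entries by OR-ing their mode bits is an assumption about what combining privileges with the same (grantee, grantor) means.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-ins for the PR's types; not Materialize's definitions.
type RoleId = u32;

#[derive(Debug, Clone, PartialEq, Eq)]
struct AclItem {
    grantee: RoleId,
    grantor: RoleId,
    mode: u8, // constructed privilege bits: 0b01 = SELECT, 0b10 = INSERT
}

/// Rewrites every reference to `old_owner` as `new_owner`, then merges entries
/// that now share the same (grantee, grantor) pair by OR-ing their mode bits
/// (assumed merge rule).
fn transfer_owner(privs: Vec<AclItem>, old_owner: RoleId, new_owner: RoleId) -> Vec<AclItem> {
    let mut merged: BTreeMap<(RoleId, RoleId), u8> = BTreeMap::new();
    for mut p in privs {
        if p.grantor == old_owner {
            p.grantor = new_owner;
        }
        if p.grantee == old_owner {
            p.grantee = new_owner;
        }
        // Merging unconditionally keeps the result free of duplicate pairs
        // without tracking whether the new owner was already present.
        *merged.entry((p.grantee, p.grantor)).or_insert(0) |= p.mode;
    }
    merged
        .into_iter()
        .map(|((grantee, grantor), mode)| AclItem { grantee, grantor, mode })
        .collect()
}

fn main() {
    // Constructed sample: role 1 is the old owner, role 2 the new owner,
    // role 3 a third party holding grants from both.
    let privs = vec![
        AclItem { grantee: 1, grantor: 1, mode: 0b01 },
        AclItem { grantee: 3, grantor: 1, mode: 0b01 },
        AclItem { grantee: 3, grantor: 2, mode: 0b10 },
    ];
    for p in transfer_owner(privs, 1, 2) {
        println!("{:?}", p);
    }
}
```

The third-party role is the case the coverage comments point at: its two grants collapse into one entry only because the new owner already appeared as a grantor.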