-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't try to sync Postgres schemas or tables current user has no perms for #10139
Comments
Mentioned in #8405:
|
I'm guessing what's happening with #8045 is that by |
The problem, at least in our use case, is that the user can still see the schema B (as described by @lindsay-stevens in #8045) and all the tables inside them. There is no way in postgres to configure the permissions in a way that hides the schema and tables from users. |
In #8045, by 'do nothing' I meant the user had no permissions for anything in the schema (the schema itself, tables, columns, views, etc). It was a non-public schema so there were no default permissions at play e.g.
As already mentioned, in Postgres it's not possible to hide the catalog. Even if all object permissions are revoked on schemas/tables/columns, if a user can connect to the database then they can 'see' the objects via the
So in terms of this ticket and #8045 Metabase probably should look at permissions as well as the catalog. Postgres has a tidy set of permission inspection functions that could be called on each object found during sync, to determine whether it's active/relevant or not: https://www.postgresql.org/docs/current/functions-info.html#FUNCTIONS-INFO-ACCESS-TABLE
Being able to specify which schemas to sync / ignore would be very useful too, but there's #5500 for that. |
@flyingmachine Point of order: we typically wait to close an issue until the PR that fixes it actually gets merged (I see that #10892 hasn't been merged yet). It's also super helpful if the issue is marked with a Milestone when it gets closed — that's how we know what items to put into release notes. |
This is having a huge negative affect on our metabase usage. We store all our 'end analytics' tables in a single Redshift schema ( Denying It'd be an incredibly useful feature for us to have a whitelist of schemas which are synced, rather than automatically discovering them, if #10892 isn't likely to land anytime soon. |
As far as I know Postgres does not have a way to configure permissions to hide schemas entirely from users. You can revoke their
USAGE
permission of those schemas, but they can still see that it exists.Metabase tries to sync all the schemas it sees, and when some of them fail it results in noisy logs. Everything still works as expected, but the useless error messages clutter things up.
The text was updated successfully, but these errors were encountered: