pg hooks for online table #693
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adding hooks for PG online table. - PreOnlineTableOp_hook - PostOnlineTableOp_hook - OnlineTableSecurityLabel_hook The 3 hooks are all used to bypass the ownership check on an online table. The Pre/Post hooks are used to allow non-online table owner to perform a few DDLs on the table, e.g., CREATE INDEX. - Pre hook will check the DDL type and whether the referenced relation is an online table. If the conditions are met, it will set the session user as the table owner. The rest of the PG code will work since the session is acting as the table owner now. - Post hook will restore the current user to the session user. OnlineTableSecurityLabel_hook is used to allow customers to add who can perform DDL on an online table. By default, the databricks_superuser can. OnlineTableSecurityLabel_hook will check if the session user is one of the roles attached to the online table. If it is, it will allow updating the label to add / remove roles. Otherwise, it will throw the permission error. Why we add them? 1. These 3 hooks are very specific for online table. We don't intend to use them for other purposes. 2. This is also the reason we are not overloading the public hook also. I need to be very specific on the code point where we want to set as table owner. standard_ProcessUtility contains too many stuff. I don't want to make our change generalize to all PG utilities. The extension change is inside https://github.com/databricks-eng/hadron/pull/492
MMeent
approved these changes
Jul 18, 2025
MMeent
pushed a commit
that referenced
this pull request
Aug 4, 2025
* pg hooks for online table (#24) Adding hooks for PG online table. - PreOnlineTableOp_hook - PostOnlineTableOp_hook - OnlineTableSecurityLabel_hook The 3 hooks are all used to bypass the ownership check on an online table. The Pre/Post hooks are used to allow non-online table owner to perform a few DDLs on the table, e.g., CREATE INDEX. - Pre hook will check the DDL type and whether the referenced relation is an online table. If the conditions are met, it will set the session user as the table owner. The rest of the PG code will work since the session is acting as the table owner now. - Post hook will restore the current user to the session user. OnlineTableSecurityLabel_hook is used to allow customers to add who can perform DDL on an online table. By default, the databricks_superuser can. OnlineTableSecurityLabel_hook will check if the session user is one of the roles attached to the online table. If it is, it will allow updating the label to add / remove roles. Otherwise, it will throw the permission error. Why we add them? 1. These 3 hooks are very specific for online table. We don't intend to use them for other purposes. 2. This is also the reason we are not overloading the public hook also. I need to be very specific on the code point where we want to set as table owner. standard_ProcessUtility contains too many stuff. I don't want to make our change generalize to all PG utilities. The extension change is inside https://github.com/databricks-eng/hadron/pull/492 * First pass of review. --------- Co-authored-by: Haoyu Huang <haoyu.huang@databricks.com>
MMeent
pushed a commit
that referenced
this pull request
Aug 6, 2025
* pg hooks for online table (#24) Adding hooks for PG online table. - PreOnlineTableOp_hook - PostOnlineTableOp_hook - OnlineTableSecurityLabel_hook The 3 hooks are all used to bypass the ownership check on an online table. The Pre/Post hooks are used to allow non-online table owner to perform a few DDLs on the table, e.g., CREATE INDEX. - Pre hook will check the DDL type and whether the referenced relation is an online table. If the conditions are met, it will set the session user as the table owner. The rest of the PG code will work since the session is acting as the table owner now. - Post hook will restore the current user to the session user. OnlineTableSecurityLabel_hook is used to allow customers to add who can perform DDL on an online table. By default, the databricks_superuser can. OnlineTableSecurityLabel_hook will check if the session user is one of the roles attached to the online table. If it is, it will allow updating the label to add / remove roles. Otherwise, it will throw the permission error. Why we add them? 1. These 3 hooks are very specific for online table. We don't intend to use them for other purposes. 2. This is also the reason we are not overloading the public hook also. I need to be very specific on the code point where we want to set as table owner. standard_ProcessUtility contains too many stuff. I don't want to make our change generalize to all PG utilities. The extension change is inside https://github.com/databricks-eng/hadron/pull/492 * First pass of review. --------- Co-authored-by: Haoyu Huang <haoyu.huang@databricks.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding hooks for PG online table.
The 3 hooks are all used to bypass the ownership check on an online table.
The Pre/Post hooks are used to allow non-online table owner to perform a few DDLs on the table, e.g., CREATE INDEX.
OnlineTableSecurityLabel_hook is used to allow customers to add who can perform DDL on an online table. By default, the databricks_superuser can. OnlineTableSecurityLabel_hook will check if the session user is one of the roles attached to the online table. If it is, it will allow updating the label to add / remove roles. Otherwise, it will throw the permission error.
Why we add them?