
Feature Request: Restricting users which VSchemas can do Online VSchema DDL #15225

GenLN opened this issue Feb 14, 2024 · 1 comment

GenLN commented Feb 14, 2024

Feature Description

Enable vtgates that are started with keyspaces-to-watch to have a read/write connection instead of a read-only one; this way the user can be restricted to only those keyspaces that the vtgates see.

Or enable some kind of user access restriction at the VSchema level.

Use Case(s)

I will post part of the conversation from the Slack channel and also a link to the thread.

Let me be precise about what I'm trying to achieve.

In Vitess there is no option available to hide keyspaces from a user who doesn't need to see or work with them, other than using keyspaces-to-watch to restrict it. There are user permission levels assigned per keyspace on table names or prefixes (% for all) (readers, writers, admins) through ACLs, which restrict the user's access to keyspaces. A user without any permission on a keyspace can still see this keyspace and can show tables from the keyspace, but can't query it.

If I need user1 to have access to keyspaces k1 and k2 but not to k3...7, I will restrict it using ACLs, so he can't see data in those keyspaces. Further, if I want to add user1 to vschema_ddl_authorized_users, I do that by passing an argument to vtgate. So if this is a vtgate without keyspaces-to-watch, it will not have the read-only connection issue, and the user would be able to do Online VSchema DDL. But this way user1 can do Online VSchema DDL on any vschema in the cluster. It is not restricted by ACLs to make these changes only to the keyspaces he has access to. I found a similar question on your GitHub: how to restrict a user to which vschema he can do Online VSchema DDL on. Someone mentioned that a user can be restricted by the keyspaces-to-watch argument on a vtgate, which will be able to do things only for those keyspaces. But implementing the user restriction to keyspaces for VSchema DDL this way results in a read-only connection from vtgate, as you stated:

> if they run with non-empty keyspaces-to-watch flag, then they will automatically create a read-only connection.

So there isn't a way to explicitly restrict a user as to which VSchemas he can do Online DDL on.
Either it can change all VSchemas or none?

@GenLN GenLN added Needs Triage This issue needs to be correctly labelled and triaged Type: Feature Request labels Feb 14, 2024
@mattlord mattlord added Component: Query Serving and removed Needs Triage This issue needs to be correctly labelled and triaged labels Mar 11, 2024
@mattlord

/cc @vitessio/query-serving
