sql: add CONTROLCHANGEFEED role option #52869
Fixes cockroachdb#52869 Release note (sql change): Introduced a new CONTROLCHANGEFEED role option. This grants non-admin roles the ability to create new changefeeds, as long as they have SELECT privileges on the target table. It can be conferred via `ALTER ROLE <role> CONTROLCHANGEFEED` and revoked via `ALTER ROLE <role> CONTROLCHANGEFEED`.
6c8ff62 to b7de527
ALTER ROLE NOCONTROLCHANGEFEED to revoke instead of ALTER ROLE CONTROLCHANGEFEED in the commit message
Reviewed 1 of 7 files at r1.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @pbardea, @RichardJCai, and @solongordon)
pkg/ccl/changefeedccl/changefeed_test.go, line 2002 at r1 (raw file):
stmt = `CREATE CHANGEFEED FOR d.foo`
}
privErr := `user testuser does not have CONTROLCHANGEFEED privilege`
Does it make sense to turn this function into a logic test?
pkg/sql/authorization.go, line 70 at r1 (raw file):
// HasRoleOption converts the roleoption to its SQL column name and checks if
// the user belongs to a role where the roleprivilege has value true. Only
// works on checking the "positive version" of the privilege. Requires a valid
I updated this in my PR but "positive version" doesn't actually make sense. I changed the function header to
// HasRoleOption converts the roleoption to its SQL column name and
// checks if the user belongs to a role where the roleprivilege has value true.
// Requires a valid transaction to be open.
// This check should be done on the version of the privilege that is stored in
// the role options table.
// Example: CREATEROLE instead of NOCREATEROLE. NOLOGIN instead of LOGIN.
but didn't add it to the AuthorizationAccessor interface so I think it'll have to be updated here as well.
pkg/sql/parser/sql.y, line 6252 at r1 (raw file):
| NOCONTROLCHANGEFEED { $$.val = tree.KVOption{Key: tree.Name($1), Value: nil}
tabs here, I also just noticed NOCREATEROLE, LOGIN and NOLOGIN are tab spaced as well.
I need to change my goland to convert tabs to spaces for the .y file format as well
b7de527 to a8f4147
Oops, fixed the release note.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @pbardea and @RichardJCai)
pkg/ccl/changefeedccl/changefeed_test.go, line 2002 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
Does it make sense to turn this function into a logic test?
That seems like a reasonable improvement. Done.
pkg/sql/authorization.go, line 70 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
I updated this in my PR but "positive version" doesn't actually make sense. I changed the function header to
// HasRoleOption converts the roleoption to its SQL column name and
// checks if the user belongs to a role where the roleprivilege has value true.
// Requires a valid transaction to be open.
// This check should be done on the version of the privilege that is stored in
// the role options table.
// Example: CREATEROLE instead of NOCREATEROLE. NOLOGIN instead of LOGIN.
but didn't add it to the AuthorizationAccessor interface so I think it'll have to be updated here as well.
Yeah, I'll fix this once I rebase on your CONTROLJOB PR.
pkg/sql/parser/sql.y, line 6252 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
tabs here, I also just noticed NOCREATEROLE, LOGIN and NOLOGIN are tab spaced as well.
I need to change my goland to convert tabs to spaces for the .y file format as well
Ack, you infected me! I'll do a find/replace on this whole part of the file.
a8f4147 to 2b765fa
2b765fa to b2a0cca
LGTM
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @pbardea and @RichardJCai)
bors r+
Merge conflict.
Fixes cockroachdb#52869 Release note (sql change): Introduced a new CONTROLCHANGEFEED role option. This grants non-admin roles the ability to create new changefeeds, as long as they have SELECT privileges on the target table. It can be conferred via `ALTER ROLE <role> CONTROLCHANGEFEED` and revoked via `ALTER ROLE <role> NOCONTROLCHANGEFEED`.
b2a0cca to 7af2dda
bors r+
Build failed:
bors r+
Build failed:
bors r+
52869: sql: add CONTROLCHANGEFEED role option r=solongordon a=solongordon Fixes #52869 Release note (sql change): Introduced a new CONTROLCHANGEFEED role option. This grants non-admin roles the ability to create new changefeeds, as long as they have SELECT privileges on the target table. It can be conferred via `ALTER ROLE <role> CONTROLCHANGEFEED` and revoked via `ALTER ROLE <role> NOCONTROLCHANGEFEED`. Co-authored-by: Solon Gordon <[email protected]>
Build failed:
A different test fails every time... 😞
bors r+
Build failed:
bors r+
Build failed:
bors r+
Build failed:
bors r+
Build succeeded:
Fixes #52869
Release note (sql change): Introduced a new CONTROLCHANGEFEED role
option. This grants non-admin roles the ability to create new
changefeeds, as long as they have SELECT privileges on the target table.
It can be conferred via `ALTER ROLE <role> CONTROLCHANGEFEED` and revoked via `ALTER ROLE <role> NOCONTROLCHANGEFEED`.
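The authorization rule in the release note, as an added Go example that is not code from this PR or from CockroachDB: a simplified model of the two conditions (the role option, held directly or through a role the user belongs to, plus SELECT on every target table). `Cluster`, `AlterRole`, `held` and `CheckCreateChangefeed` are hypothetical names, admin users are left out, and the SELECT error text is constructed.

```go
package main

import "fmt"

// Cluster is a simplified, hypothetical model of the release note's rule.
type Cluster struct {
	MemberOf   map[string][]string        // user -> roles it belongs to
	Holders    map[string]bool            // roles holding CONTROLCHANGEFEED
	SelectPriv map[string]map[string]bool // table -> principals with SELECT
}

// AlterRole models ALTER ROLE <role> CONTROLCHANGEFEED / NOCONTROLCHANGEFEED.
func (c *Cluster) AlterRole(role, option string) {
	if option == "CONTROLCHANGEFEED" {
		c.Holders[role] = true
	} else if option == "NOCONTROLCHANGEFEED" {
		delete(c.Holders, role) // assumption: revoking removes the stored option
	}
}

// held reports whether the user, or any role it belongs to, is in set.
func (c *Cluster) held(user string, set map[string]bool) bool {
	for _, p := range append([]string{user}, c.MemberOf[user]...) {
		if set[p] {
			return true
		}
	}
	return false
}

// CheckCreateChangefeed returns nil when a non-admin user may create the feed.
func (c *Cluster) CheckCreateChangefeed(user string, tables ...string) error {
	if !c.held(user, c.Holders) {
		return fmt.Errorf("user %s does not have CONTROLCHANGEFEED privilege", user)
	}
	for _, t := range tables {
		if !c.held(user, c.SelectPriv[t]) { // constructed error text
			return fmt.Errorf("user %s does not have SELECT privilege on %s", user, t)
		}
	}
	return nil
}

func main() {
	c := &Cluster{Holders: map[string]bool{}}
	c.AlterRole("testuser", "CONTROLCHANGEFEED")
	fmt.Println(c.CheckCreateChangefeed("testuser", "d.foo")) // SELECT still missing
}
```

The role option alone is not sufficient in this model: a changefeed over several tables is rejected if SELECT is missing on any one of them.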