feat: object warehouse support rbac #17262
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
pr-feature
TCeason
force-pushed
the
warehouse_rbac
branch
2 times, most recently
from
61ebeb4 to
f6f2812
Compare
|
Need to add compatibility tests. |
TCeason
force-pushed
the
warehouse_rbac
branch
from
f6f2812 to
80e5079
Compare
|
Does this affect the cloud warehouse's operations? |
drmingdrmer
approved these changes
Jan 13, 2025
There was a problem hiding this comment.
Reviewed 21 of 21 files at r1, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @TCeason)
No. Now it only control warehouse operator plan. Cloud warehouse need to support these plan. |
TCeason
force-pushed
the
warehouse_rbac
branch
3 times, most recently
from
62afcd1 to
7640dfa
Compare
drmingdrmer
approved these changes
Jan 13, 2025
There was a problem hiding this comment.
Reviewed 3 of 3 files at r2, all commit messages.
Reviewable status:
TCeason
force-pushed
the
warehouse_rbac
branch
4 times, most recently
from
af24458 to
feee99b
Compare
Docker Image for PR
|
TCeason
force-pushed
the
warehouse_rbac
branch
from
c4935fc to
644eff4
Compare
TCeason
added
ci-cloud
Docker Image for PR
|
Test on local:Test Steps: 1. Root User Operations: -- Create a role named 'role_a'
create role role_a;
-- Grant the privilege to create warehouses to 'role_a' on all databases and schemas
grant create warehouse on *.* to role role_a;
-- Grant the privilege to create databases to 'role_a' on all databases and schemas
grant create database on *.* to role role_a;
-- Create user 'a' with password '123' and set the default role to 'role_a'
create user a identified by '123' with default_role='role_a';
-- Grant the role 'role_a' to user 'a'
grant role role_a to a;
-- Create user 'b' with password '123'
create user b identified by '123';2. User 'a' Operations: -- Create a database named 'a'
create database a;
-- Create a table 't' with an integer column 'id' in database 'a'
create table a.t(id int);
-- Insert a row with value 1 into table 'a.t'
insert into a.t values(1);
-- Select all data from table 'a.t'
select * from a.t;
-- Create a warehouse named 'w1' with warehouse size 1
create warehouse w1 with warehouse_size = 1;
-- Use the warehouse 'w1'
use warehouse w1;
-- Show grants on warehouse 'w1'
show grants on warehouse w1;
-- Rename warehouse 'w1' to 'w1_rename'
RENAME WAREHOUSE w1 TO w1_rename;3. User 'a' Logout/Login Operations: -- After Logout and Login as user 'a'
-- Show all available warehouses
show warehouses;
-- Show grants on the renamed warehouse 'w1_rename'
show grants on warehouse w1_rename;
-- Show grants for the current user
show grants;
-- Show grants for the role 'role_a'
show grants for role role_a;4. User 'b' Operations: -- As user 'b'
-- Show all available warehouses (expect empty result)
show warehouses; -- Expected: empty
-- Attempt to use warehouse 'w1' (expect failure with error code 2406)
use warehouse w1; -- Expected: failure (Error 2406)
-- Attempt to use the renamed warehouse 'w1_rename' (expect failure with error code 1063)
use warehouse w1_rename; -- Expected: failure (Error 1063)Main Query Information:
-- As user 'a'
use warehouse w1_rename;
show grants;Expected Output for 5. Successful Operations for User 'a': -- Ensure the following operations for user 'a' are successful
-- Use database 'a'
use a;
-- Select all data from table 'a.t'
select * from a.t;
-- Insert a new row with value 2 into table 'a.t'
insert into a.t values(2);
-- Create a database named 'b'
create database b;
-- Create a table 't' with an integer column 'id' in database 'b'
create table b.t(id int);
-- Insert a row with value 1 into table 'b.t'
insert into b.t values(1);
-- Select all data from table 'b.t'
select * from b.t; |
|
Cloud warehouse does not use same logic with databend-query? cc @flaneur2020 @everpcpc |
TCeason
commented
Feb 14, 2025
| self.validate_warehouse_ownership(plan.warehouse.clone(), identity).await.transpose()?; | ||
| } | ||
| Plan::CreateWarehouse(_) => { | ||
| // only current role has global level create warehouse privilege, it will pass |
There was a problem hiding this comment.
Maybe only support_forward_warehouse_request need to check create warehouse privilege? cc @flaneur2020 @zhang2014
note: only support_forward_warehouse_request will apply warehouse rbac. Now only support SystemResourcesManagement
TCeason
force-pushed
the
warehouse_rbac
branch
from
0780aee to
1384889
Compare
TCeason
force-pushed
the
warehouse_rbac
branch
from
15740bb to
81b8d88
Compare
TCeason
commented
Feb 14, 2025
TCeason
force-pushed
the
warehouse_rbac
branch
from
b13e777 to
c7da95e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/
Summary
DRAFT
Tests
Type of change
This change is