rbac: add CREATEDATAFLOW privilege for clusters #34711
Open
antiguru wants to merge 8 commits into MaterializeInc:main from antiguru:disallow_render_dataflow
f1ea53c to 24f24ae
24f24ae to 4522aa7
4522aa7 to 47b9908
Signed-off-by: Moritz Hoffmann <[email protected]>
This adds a new RBAC privilege called CREATEDATAFLOW that controls
whether a user can execute queries requiring dataflow rendering
(slow path) on a cluster. Users without this privilege can still
execute fast-path queries (constants, index lookups with MFP).
Key changes:
- Add CREATE_DATAFLOW privilege constant ('D', bit 28) to AclMode
- Add CREATEDATAFLOW keyword and privilege parsing
- Add check_create_dataflow_privilege() function in rbac.rs
- Insert privilege check in peek_finish() for slow-path queries
- System clusters and superusers bypass the check
Co-Authored-By: Claude Opus 4.5 <[email protected]>
This migration (v80 to v81) ensures backwards compatibility by granting CREATEDATAFLOW privilege to PUBLIC on all existing clusters during upgrade. This allows users who could previously run queries requiring dataflow rendering to continue doing so after the upgrade. Also updates default privileges so new clusters grant CREATEDATAFLOW to PUBLIC by default.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Instead of defining a local constant, import and use the existing AclMode::CREATE_DATAFLOW constant from mz_repr.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Signed-off-by: Moritz Hoffmann <[email protected]>
Document the new CREATEDATAFLOW privilege which controls whether users can execute queries requiring dataflow rendering on clusters:
- Add privilege description explaining when it's needed and use cases
- Update GRANT/REVOKE syntax to include CREATEDATAFLOW for clusters
- Add to default privileges (PUBLIC gets CREATEDATAFLOW on all clusters)
- Add to object privileges table for CLUSTER
The privilege is useful in production to restrict users to fast-path queries only, preventing accidental high-latency dataflow rendering.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
47b9908 to 3b54a9a
Add expected mz_support=U/other_owner privilege for owner_cluster2 now that default privileges include mz_support USAGE on clusters.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Update RBAC documentation test files to include the new CREATEDATAFLOW privilege in expected test results. The CREATEDATAFLOW privilege is now granted by default to PUBLIC on all clusters, so SHOW PRIVILEGES and SHOW DEFAULT PRIVILEGES output includes this privilege.
Files updated:
- rbac-cloud/grant_privileges.yml: Add test_results with all expected rows
- rbac-cloud/grant_roles.yml: Update test_results with CREATEDATAFLOW
- rbac-cloud/show_default_privileges.yml: Add test_results for default privileges
- rbac-cloud/show_privileges.yml: Update test_results with CREATEDATAFLOW
- rbac-sm/grant_privileges.yml: Add test_results and test_replacements override
- rbac-sm/grant_roles.yml: Update test_results with CREATEDATAFLOW
- rbac-sm/show_default_privileges.yml: Add test_results for default privileges
- rbac-sm/show_privileges.yml: Update test_results with CREATEDATAFLOW
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Summary
- CREATEDATAFLOW that controls whether a user can execute queries requiring dataflow rendering (slow path) on a cluster
Motivation
In multi-tenant or cost-sensitive environments, organizations may want to restrict certain users to only execute queries that can be satisfied by existing indexes, preventing them from triggering expensive dataflow rendering operations.
Changes
- CREATE_DATAFLOW privilege constant ('D', bit 28) to AclMode in mz_acl_item.rs
- CREATEDATAFLOW keyword and privilege parsing in sql-parser
- check_create_dataflow_privilege() function in rbac.rs
- peek_finish() for slow-path queries
Test plan
- cargo check passes
- cargo clippy passes
- cargo test -p mz-repr --lib -- mz_acl)
- bin/sqllogictest -- test/sqllogictest/createdataflow_privilege.slt)
🤖 Generated with Claude Code
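A simplified Rust model of the check this PR describes, added here as an illustration and not taken from the Materialize code base. Only the 'D' / bit 28 assignment, the fast-path exemption and the system-cluster and superuser bypass come from the page; the type and function names, the USAGE bit position, the error text and the rule that PUBLIC's grants are unioned with the role's own are assumptions. It shows that while PUBLIC holds CREATEDATAFLOW, as the migration leaves it, no role is restricted until that grant is revoked.

```rust
// Hypothetical model of the CREATEDATAFLOW check; not the project's code.
#[derive(Clone, Copy, PartialEq, Debug)]
struct AclMode(u64);

impl AclMode {
    const USAGE: AclMode = AclMode(1 << 8); // constructed bit position
    const CREATE_DATAFLOW: AclMode = AclMode(1 << 28); // 'D', bit 28 per the PR
    fn union(self, o: AclMode) -> AclMode { AclMode(self.0 | o.0) }
    fn without(self, o: AclMode) -> AclMode { AclMode(self.0 & !o.0) }
    fn contains(self, o: AclMode) -> bool { self.0 & o.0 == o.0 }
}

#[derive(Clone, Copy)]
enum PeekPlan { FastPath, SlowPath }

struct Cluster { is_system: bool, public: AclMode }
struct Role { superuser: bool, granted: AclMode }

/// Returns Ok(()) when the peek may proceed on `cluster`.
fn check_create_dataflow(role: &Role, cluster: &Cluster, plan: PeekPlan) -> Result<(), String> {
    // Fast-path peeks (constants, index lookups) never render a dataflow.
    if let PeekPlan::FastPath = plan { return Ok(()); }
    // System clusters and superusers bypass the check.
    if cluster.is_system || role.superuser { return Ok(()); }
    // Assumed rule: effective privileges are the role's grants plus PUBLIC's.
    let effective = role.granted.union(cluster.public);
    if effective.contains(AclMode::CREATE_DATAFLOW) {
        Ok(())
    } else {
        // Hypothetical error text.
        Err("permission denied: CREATEDATAFLOW required on cluster".to_string())
    }
}

fn main() {
    let analyst = Role { superuser: false, granted: AclMode::USAGE };
    // State after the migration: PUBLIC holds CREATEDATAFLOW, nothing is restricted yet.
    let mut prod = Cluster {
        is_system: false,
        public: AclMode::USAGE.union(AclMode::CREATE_DATAFLOW),
    };
    println!("{:?}", check_create_dataflow(&analyst, &prod, PeekPlan::SlowPath));
    // Revoking from PUBLIC is what confines the role to fast-path peeks.
    prod.public = prod.public.without(AclMode::CREATE_DATAFLOW);
    println!("{:?}", check_create_dataflow(&analyst, &prod, PeekPlan::SlowPath));
    println!("{:?}", check_create_dataflow(&analyst, &prod, PeekPlan::FastPath));
}
```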