databendlabs
diff --git a/‎src/meta/api/src/catalog_api.rs‎
Lines changed: 1 addition & 0 deletions b/‎src/meta/api/src/catalog_api.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/meta/api/src/dictionary_api.rs‎
Lines changed: 1 addition & 0 deletions b/‎src/meta/api/src/dictionary_api.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/meta/api/src/index_api.rs‎
Lines changed: 1 addition & 0 deletions b/‎src/meta/api/src/index_api.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/meta/api/src/name_id_value_api.rs‎
Lines changed: 12 additions & 2 deletions b/‎src/meta/api/src/name_id_value_api.rs‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎src/meta/app/src/principal/ownership_object.rs‎
Lines changed: 12 additions & 0 deletions b/‎src/meta/app/src/principal/ownership_object.rs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/meta/app/src/principal/tenant_ownership_object_ident.rs‎
Lines changed: 13 additions & 0 deletions b/‎src/meta/app/src/principal/tenant_ownership_object_ident.rs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/meta/app/src/principal/user_grant.rs‎
Lines changed: 7 additions & 0 deletions b/‎src/meta/app/src/principal/user_grant.rs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/meta/app/src/principal/user_privilege.rs‎
Lines changed: 21 additions & 1 deletion b/‎src/meta/app/src/principal/user_privilege.rs‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs‎
Lines changed: 10 additions & 0 deletions b/‎src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/meta/proto-conv/src/user_from_to_protobuf_impl.rs‎
Lines changed: 6 additions & 0 deletions b/‎src/meta/proto-conv/src/user_from_to_protobuf_impl.rs‎
Lines changed: 6 additions & 0 deletions
@@ -71,6 +71,7 @@ where
                     )]
                 },
                 |_, _| Ok(vec![]),
+                |_, _| {},
             )
             .await?;
 
 
@@ -73,6 +73,7 @@ where
                 false,
                 |_| vec![],
                 |_, _| Ok(vec![]),
+                |_, _| {},
             )
             .await?;
 
 
@@ -110,6 +110,7 @@ where
                     mark_index_as_deleted(name_ident.tenant(), value.table_id, *index_id)
                         .map(|(k, v)| vec![(k, v)])
                 },
+                |_, _| {},
             )
             .await?;
 
 
@@ -65,7 +65,7 @@ where
     IdRsc: TenantResource + Send + Sync + 'static,
     IdRsc::ValueType: FromToProto + Send + Sync + 'static,
 {
-    /// Create a two level `name -> id -> value` mapping.
+    /// Create a two level `name -> id -> value` mapping with cleanup support for old resources.
     ///
     /// `associated_records` is used to generate additional key-values to add or remove along with the main operation.
     /// Such operations do not have any condition constraints.
@@ -76,17 +76,25 @@ where
     ///
     /// If there is already a `name_ident` exists, return the existing id in a `Ok(Err(exist))`.
     /// Otherwise, create `name -> id -> value` and returns the created id in a `Ok(Ok(created))`.
-    async fn create_id_value<A, M>(
+    ///
+    /// `on_override_fn` is called with the old id and txn when override_exist is true and an existing
+    /// resource is being replaced. It can add custom operations to the transaction.
+    ///
+    /// This eliminates the need for callers to manually handle cleanup logic after the fact.
+    /// For example, when a procedure is dropped by `override_exist`, `__fd_object_owners/tenant1/procedure-by-id/<procedure_id>` will be delete
+    async fn create_id_value<A, M, O>(
         &self,
         name_ident: &K,
         value: &IdRsc::ValueType,
         override_exist: bool,
         associated_records: A,
         mark_delete_records: M,
+        on_override_fn: O,
     ) -> Result<Result<DataId<IdRsc>, SeqV<DataId<IdRsc>>>, MetaTxnError>
     where
         A: Fn(DataId<IdRsc>) -> Vec<(String, Vec<u8>)> + Send,
         M: Fn(DataId<IdRsc>, &IdRsc::ValueType) -> Result<Vec<(String, Vec<u8>)>, MetaError> + Send,
+        O: Fn(DataId<IdRsc>, &mut TxnRequest) + Send,
     {
         debug!(name_ident :? =name_ident; "NameIdValueApi: {}", func_name!());
 
@@ -124,6 +132,8 @@ where
                         for (k, v) in kvs {
                             txn.if_then.push(TxnOp::put(k, v));
                         }
+                        // Apply override function if provided
+                        on_override_fn(seq_id.data, &mut txn);
                     } else {
                         return Ok(Err(seq_id));
                     }
 
@@ -64,6 +64,10 @@ pub enum OwnershipObject {
     Sequence {
         name: String,
     },
+
+    Procedure {
+        procedure_id: u64,
+    },
 }
 
 impl OwnershipObject {
@@ -95,6 +99,7 @@ impl fmt::Display for OwnershipObject {
             OwnershipObject::Warehouse { id } => write!(f, "WAREHOUSE {id}"),
             OwnershipObject::Connection { name } => write!(f, "CONNECTION {name}"),
             OwnershipObject::Sequence { name } => write!(f, "SEQUENCE {name}"),
+            OwnershipObject::Procedure { procedure_id } => write!(f, "PROCEDURE {procedure_id}"),
         }
     }
 }
@@ -137,6 +142,9 @@ impl KeyCodec for OwnershipObject {
             OwnershipObject::Warehouse { id } => b.push_raw("warehouse-by-id").push_str(id),
             OwnershipObject::Connection { name } => b.push_raw("connection-by-name").push_str(name),
             OwnershipObject::Sequence { name } => b.push_raw("sequence-by-name").push_str(name),
+            OwnershipObject::Procedure { procedure_id } => {
+                b.push_raw("procedure-by-id").push_u64(*procedure_id)
+            }
         }
     }
 
@@ -195,6 +203,10 @@ impl KeyCodec for OwnershipObject {
                 let name = p.next_str()?;
                 Ok(OwnershipObject::Sequence { name })
             }
+            "procedure-by-id" => {
+                let procedure_id = p.next_u64()?;
+                Ok(OwnershipObject::Procedure { procedure_id })
+            }
             _ => Err(kvapi::KeyError::InvalidSegment {
                 i: p.index(),
                 expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name|warehouse-by-id|connection-by-name"
 
@@ -288,6 +288,19 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_ownership_procedure_list_key() {
+        use databend_common_meta_kvapi::kvapi::Key;
+        let obj = OwnershipObject::Procedure { procedure_id: 1 };
+
+        let ident = TenantOwnershipObjectIdent::new(Tenant::new_literal("tenant1"), obj);
+        let dir_name = kvapi::DirName::new(ident);
+        assert_eq!(
+            dir_name.to_string_key(),
+            "__fd_object_owners/tenant1/procedure-by-id"
+        );
+    }
+
     #[test]
     fn test_tenant_ownership_object_with_key_space() {
         // TODO(xp): implement this test
 
@@ -62,6 +62,7 @@ pub enum GrantObject {
     Warehouse(String),
     Connection(String),
     Sequence(String),
+    Procedure(u64),
 }
 
 impl GrantObject {
@@ -97,6 +98,7 @@ impl GrantObject {
             (GrantObject::Warehouse(w), GrantObject::Warehouse(rw)) => w == rw,
             (GrantObject::Connection(c), GrantObject::Connection(rc)) => c == rc,
             (GrantObject::Sequence(s), GrantObject::Sequence(rs)) => s == rs,
+            (GrantObject::Procedure(p), GrantObject::Procedure(rp)) => p == rp,
             _ => false,
         }
     }
@@ -126,6 +128,9 @@ impl GrantObject {
             GrantObject::Sequence(_) => {
                 UserPrivilegeSet::available_privileges_on_sequence(available_ownership)
             }
+            GrantObject::Procedure(_) => {
+                UserPrivilegeSet::available_privileges_on_procedure(available_ownership)
+            }
         }
     }
 
@@ -136,6 +141,7 @@ impl GrantObject {
             | GrantObject::UDF(_)
             | GrantObject::Warehouse(_)
             | GrantObject::Sequence(_)
+            | GrantObject::Procedure(_)
             | GrantObject::Connection(_) => None,
             GrantObject::Database(cat, _) | GrantObject::DatabaseById(cat, _) => Some(cat.clone()),
             GrantObject::Table(cat, _, _) | GrantObject::TableById(cat, _, _) => Some(cat.clone()),
@@ -160,6 +166,7 @@ impl fmt::Display for GrantObject {
             GrantObject::Warehouse(w) => write!(f, "WAREHOUSE {w}"),
             GrantObject::Connection(c) => write!(f, "CONNECTION {c}"),
             GrantObject::Sequence(s) => write!(f, "SEQUENCE {s}"),
+            GrantObject::Procedure(p) => write!(f, "PROCEDURE {p}"),
         }
     }
 }
 
@@ -86,6 +86,10 @@ pub enum UserPrivilegeType {
     CreateSequence = 1 << 24,
     // Privilege to Access Sequence
     AccessSequence = 1 << 25,
+    // Privilege to Create Procedure
+    CreateProcedure = 1 << 26,
+    // Privilege to Access Procedure
+    AccessProcedure = 1 << 27,
     // Discard Privilege Type
     Set = 1 << 4,
 }
@@ -147,6 +151,8 @@ impl Display for UserPrivilegeType {
             UserPrivilegeType::AccessConnection => "ACCESS CONNECTION",
             UserPrivilegeType::CreateSequence => "CREATE SEQUENCE",
             UserPrivilegeType::AccessSequence => "ACCESS SEQUENCE",
+            UserPrivilegeType::CreateProcedure => "CREATE PROCEDURE",
+            UserPrivilegeType::AccessProcedure => "ACCESS PROCEDURE",
         })
     }
 }
@@ -199,6 +205,12 @@ impl From<databend_common_ast::ast::UserPrivilegeType> for UserPrivilegeType {
             databend_common_ast::ast::UserPrivilegeType::AccessSequence => {
                 UserPrivilegeType::AccessSequence
             }
+            databend_common_ast::ast::UserPrivilegeType::CreateProcedure => {
+                UserPrivilegeType::CreateProcedure
+            }
+            databend_common_ast::ast::UserPrivilegeType::AccessProcedure => {
+                UserPrivilegeType::AccessProcedure
+            }
             databend_common_ast::ast::UserPrivilegeType::Set => UserPrivilegeType::Set,
         }
     }
@@ -235,7 +247,7 @@ impl UserPrivilegeSet {
         let wh_privs_without_ownership = Self::available_privileges_on_warehouse(false);
         let connection_privs_without_ownership = Self::available_privileges_on_connection(false);
         let seq_privs_without_ownership = Self::available_privileges_on_sequence(false);
-        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse | CreateConnection | CreateSequence });
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse | CreateConnection | CreateSequence | CreateProcedure });
         (database_privs.privileges
             | privs
             | stage_privs_without_ownership.privileges
@@ -297,6 +309,14 @@ impl UserPrivilegeSet {
         }
     }
 
+    pub fn available_privileges_on_procedure(available_ownership: bool) -> Self {
+        if available_ownership {
+            make_bitflags!(UserPrivilegeType::{ AccessProcedure | Ownership }).into()
+        } else {
+            make_bitflags!(UserPrivilegeType::{ AccessProcedure }).into()
+        }
+    }
+
     pub fn available_privileges_on_udf(available_ownership: bool) -> Self {
         if available_ownership {
             make_bitflags!(UserPrivilegeType::{ Usage | Ownership }).into()
 
@@ -97,6 +97,9 @@ impl FromToProto for mt::principal::OwnershipObject {
             pb::ownership_object::Object::Sequence(
                 pb::ownership_object::OwnershipSequenceObject { sequence },
             ) => Ok(mt::principal::OwnershipObject::Sequence { name: sequence }),
+            pb::ownership_object::Object::Procedure(
+                pb::ownership_object::OwnershipProcedureObject { procedure_id },
+            ) => Ok(mt::principal::OwnershipObject::Procedure { procedure_id }),
         }
     }
 
@@ -151,6 +154,13 @@ impl FromToProto for mt::principal::OwnershipObject {
                     },
                 ))
             }
+            mt::principal::OwnershipObject::Procedure { procedure_id } => {
+                Some(pb::ownership_object::Object::Procedure(
+                    pb::ownership_object::OwnershipProcedureObject {
+                        procedure_id: *procedure_id,
+                    },
+                ))
+            }
         };
         Ok(pb::OwnershipObject {
             ver: VER,
 
@@ -200,6 +200,9 @@ impl FromToProto for mt::principal::GrantObject {
             pb::grant_object::Object::Sequence(pb::grant_object::GrantSequenceObject {
                 sequence,
             }) => Ok(mt::principal::GrantObject::Sequence(sequence)),
+            pb::grant_object::Object::Procedure(pb::grant_object::GrantProcedureObject {
+                procedure_id,
+            }) => Ok(mt::principal::GrantObject::Procedure(procedure_id)),
         }
     }
 
@@ -257,6 +260,9 @@ impl FromToProto for mt::principal::GrantObject {
                     sequence: s.clone(),
                 },
             )),
+            mt::principal::GrantObject::Procedure(p) => Some(pb::grant_object::Object::Procedure(
+                pb::grant_object::GrantProcedureObject { procedure_id: *p },
+            )),
         };
         Ok(pb::GrantObject {
             ver: VER,
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ where`
`71`	`71`	`)]`
`72`	`72`	`},`
`73`	`73`	`\|_, _\| Ok(vec![]),`
	`74`	`+ \|_, _\| {},`
`74`	`75`	`)`
`75`	`76`	`.await?;`
`76`	`77`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,7 @@ where`
`73`	`73`	`false,`
`74`	`74`	`\|_\| vec![],`
`75`	`75`	`\|_, _\| Ok(vec![]),`
	`76`	`+ \|_, _\| {},`
`76`	`77`	`)`
`77`	`78`	`.await?;`
`78`	`79`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ where`
`110`	`110`	`mark_index_as_deleted(name_ident.tenant(), value.table_id, *index_id)`
`111`	`111`	`.map(\|(k, v)\| vec![(k, v)])`
`112`	`112`	`},`
	`113`	`+ \|_, _\| {},`
`113`	`114`	`)`
`114`	`115`	`.await?;`
`115`	`116`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@ pub enum OwnershipObject {`
`64`	`64`	`Sequence {`
`65`	`65`	`name: String,`
`66`	`66`	`},`
	`67`	`+`
	`68`	`+ Procedure {`
	`69`	`+ procedure_id: u64,`
	`70`	`+ },`
`67`	`71`	`}`
`68`	`72`
`69`	`73`	`impl OwnershipObject {`
`@@ -95,6 +99,7 @@ impl fmt::Display for OwnershipObject {`
`95`	`99`	`OwnershipObject::Warehouse { id } => write!(f, "WAREHOUSE {id}"),`
`96`	`100`	`OwnershipObject::Connection { name } => write!(f, "CONNECTION {name}"),`
`97`	`101`	`OwnershipObject::Sequence { name } => write!(f, "SEQUENCE {name}"),`
	`102`	`+ OwnershipObject::Procedure { procedure_id } => write!(f, "PROCEDURE {procedure_id}"),`
`98`	`103`	`}`
`99`	`104`	`}`
`100`	`105`	`}`
`@@ -137,6 +142,9 @@ impl KeyCodec for OwnershipObject {`
`137`	`142`	`OwnershipObject::Warehouse { id } => b.push_raw("warehouse-by-id").push_str(id),`
`138`	`143`	`OwnershipObject::Connection { name } => b.push_raw("connection-by-name").push_str(name),`
`139`	`144`	`OwnershipObject::Sequence { name } => b.push_raw("sequence-by-name").push_str(name),`
	`145`	`+ OwnershipObject::Procedure { procedure_id } => {`
	`146`	`+ b.push_raw("procedure-by-id").push_u64(*procedure_id)`
	`147`	`+ }`
`140`	`148`	`}`
`141`	`149`	`}`
`142`	`150`
`@@ -195,6 +203,10 @@ impl KeyCodec for OwnershipObject {`
`195`	`203`	`let name = p.next_str()?;`
`196`	`204`	`Ok(OwnershipObject::Sequence { name })`
`197`	`205`	`}`
	`206`	`+ "procedure-by-id" => {`
	`207`	`+ let procedure_id = p.next_u64()?;`
	`208`	`+ Ok(OwnershipObject::Procedure { procedure_id })`
	`209`	`+ }`
`198`	`210`	`_ => Err(kvapi::KeyError::InvalidSegment {`
`199`	`211`	`i: p.index(),`
`200`	`212`	`expect: "database-by-id\|database-by-catalog-id\|table-by-id\|table-by-catalog-id\|stage-by-name\|udf-by-name\|warehouse-by-id\|connection-by-name"`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ pub enum GrantObject {`
`62`	`62`	`Warehouse(String),`
`63`	`63`	`Connection(String),`
`64`	`64`	`Sequence(String),`
	`65`	`+ Procedure(u64),`
`65`	`66`	`}`
`66`	`67`
`67`	`68`	`impl GrantObject {`
`@@ -97,6 +98,7 @@ impl GrantObject {`
`97`	`98`	`(GrantObject::Warehouse(w), GrantObject::Warehouse(rw)) => w == rw,`
`98`	`99`	`(GrantObject::Connection(c), GrantObject::Connection(rc)) => c == rc,`
`99`	`100`	`(GrantObject::Sequence(s), GrantObject::Sequence(rs)) => s == rs,`
	`101`	`+ (GrantObject::Procedure(p), GrantObject::Procedure(rp)) => p == rp,`
`100`	`102`	`_ => false,`
`101`	`103`	`}`
`102`	`104`	`}`
`@@ -126,6 +128,9 @@ impl GrantObject {`
`126`	`128`	`GrantObject::Sequence(_) => {`
`127`	`129`	`UserPrivilegeSet::available_privileges_on_sequence(available_ownership)`
`128`	`130`	`}`
	`131`	`+ GrantObject::Procedure(_) => {`
	`132`	`+ UserPrivilegeSet::available_privileges_on_procedure(available_ownership)`
	`133`	`+ }`
`129`	`134`	`}`
`130`	`135`	`}`
`131`	`136`
`@@ -136,6 +141,7 @@ impl GrantObject {`
`136`	`141`	`\| GrantObject::UDF(_)`
`137`	`142`	`\| GrantObject::Warehouse(_)`
`138`	`143`	`\| GrantObject::Sequence(_)`
	`144`	`+ \| GrantObject::Procedure(_)`
`139`	`145`	`\| GrantObject::Connection(_) => None,`
`140`	`146`	`GrantObject::Database(cat, _) \| GrantObject::DatabaseById(cat, _) => Some(cat.clone()),`
`141`	`147`	`GrantObject::Table(cat, _, _) \| GrantObject::TableById(cat, _, _) => Some(cat.clone()),`
`@@ -160,6 +166,7 @@ impl fmt::Display for GrantObject {`
`160`	`166`	`GrantObject::Warehouse(w) => write!(f, "WAREHOUSE {w}"),`
`161`	`167`	`GrantObject::Connection(c) => write!(f, "CONNECTION {c}"),`
`162`	`168`	`GrantObject::Sequence(s) => write!(f, "SEQUENCE {s}"),`
	`169`	`+ GrantObject::Procedure(p) => write!(f, "PROCEDURE {p}"),`
`163`	`170`	`}`
`164`	`171`	`}`
`165`	`172`	`}`