feat(rbac): RBAC support Sequence object (#18423)

* feat(rbac): RBAC support Sequence object

1.   **New Configuration Parameter:** Introduces `enable_experimental_sequence_rbac_check` to toggle RBAC permission verification for sequences.   Disabled by default for backward compatibility.
2.   **Global Privileges:** Adds `CREATE SEQUENCE` and `ACCESS SEQUENCE` global privileges governing sequence creation and unrestricted usage rights respectively.
3.   **Ownership Model:** Implements `OWNERSHIP` semantics, allowing privileged users/roles to perform arbitrary DDL operations on sequences.
4.   **Show grants on sequence <sequence_name>.**

* fix test

* fix ci

* fix ci

* fix ci

* QueryEnv add UserInfo

Author: TCeason

Cargo.lock

@@ -60,6 +60,10 @@ pub enum OwnershipObject {
     Connection {
         name: String,
     },
+
+    Sequence {
+        name: String,
+    },
 }
 
 impl OwnershipObject {
@@ -90,6 +94,7 @@ impl fmt::Display for OwnershipObject {
             OwnershipObject::Stage { name } => write!(f, "STAGE {name}"),
             OwnershipObject::Warehouse { id } => write!(f, "WAREHOUSE {id}"),
             OwnershipObject::Connection { name } => write!(f, "CONNECTION {name}"),
+            OwnershipObject::Sequence { name } => write!(f, "SEQUENCE {name}"),
         }
     }
 }
@@ -131,6 +136,7 @@ impl KeyCodec for OwnershipObject {
             OwnershipObject::UDF { name } => b.push_raw("udf-by-name").push_str(name),
             OwnershipObject::Warehouse { id } => b.push_raw("warehouse-by-id").push_str(id),
             OwnershipObject::Connection { name } => b.push_raw("connection-by-name").push_str(name),
+            OwnershipObject::Sequence { name } => b.push_raw("sequence-by-name").push_str(name),
         }
     }
 
@@ -185,6 +191,10 @@ impl KeyCodec for OwnershipObject {
                 let name = p.next_str()?;
                 Ok(OwnershipObject::Connection { name })
             }
+            "sequence-by-name" => {
+                let name = p.next_str()?;
+                Ok(OwnershipObject::Sequence { name })
+            }
             _ => Err(kvapi::KeyError::InvalidSegment {
                 i: p.index(),
                 expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name|warehouse-by-id|connection-by-name"

src/meta/app/src/principal/ownership_object.rs

@@ -61,6 +61,7 @@ pub enum GrantObject {
     Stage(String),
     Warehouse(String),
     Connection(String),
+    Sequence(String),
 }
 
 impl GrantObject {
@@ -95,6 +96,7 @@ impl GrantObject {
             (GrantObject::UDF(udf), GrantObject::UDF(rudf)) => udf == rudf,
             (GrantObject::Warehouse(w), GrantObject::Warehouse(rw)) => w == rw,
             (GrantObject::Connection(c), GrantObject::Connection(rc)) => c == rc,
+            (GrantObject::Sequence(s), GrantObject::Sequence(rs)) => s == rs,
             _ => false,
         }
     }
@@ -121,6 +123,9 @@ impl GrantObject {
             GrantObject::Connection(_) => {
                 UserPrivilegeSet::available_privileges_on_connection(available_ownership)
             }
+            GrantObject::Sequence(_) => {
+                UserPrivilegeSet::available_privileges_on_sequence(available_ownership)
+            }
         }
     }
 
@@ -130,6 +135,7 @@ impl GrantObject {
             | GrantObject::Stage(_)
             | GrantObject::UDF(_)
             | GrantObject::Warehouse(_)
+            | GrantObject::Sequence(_)
             | GrantObject::Connection(_) => None,
             GrantObject::Database(cat, _) | GrantObject::DatabaseById(cat, _) => Some(cat.clone()),
             GrantObject::Table(cat, _, _) | GrantObject::TableById(cat, _, _) => Some(cat.clone()),
@@ -153,6 +159,7 @@ impl fmt::Display for GrantObject {
             GrantObject::Stage(stage) => write!(f, "STAGE {stage}"),
             GrantObject::Warehouse(w) => write!(f, "WAREHOUSE {w}"),
             GrantObject::Connection(c) => write!(f, "CONNECTION {c}"),
+            GrantObject::Sequence(s) => write!(f, "SEQUENCE {s}"),
         }
     }
 }

src/meta/app/src/principal/user_grant.rs

@@ -82,6 +82,10 @@ pub enum UserPrivilegeType {
     CreateConnection = 1 << 22,
     // Privilege to Access Connection
     AccessConnection = 1 << 23,
+    // Privilege to Create Sequence
+    CreateSequence = 1 << 24,
+    // Privilege to Access Sequence
+    AccessSequence = 1 << 25,
     // Discard Privilege Type
     Set = 1 << 4,
 }
@@ -141,6 +145,8 @@ impl Display for UserPrivilegeType {
             UserPrivilegeType::CreateWarehouse => "CREATE WAREHOUSE",
             UserPrivilegeType::CreateConnection => "CREATE CONNECTION",
             UserPrivilegeType::AccessConnection => "ACCESS CONNECTION",
+            UserPrivilegeType::CreateSequence => "CREATE SEQUENCE",
+            UserPrivilegeType::AccessSequence => "ACCESS SEQUENCE",
         })
     }
 }
@@ -187,6 +193,12 @@ impl From<databend_common_ast::ast::UserPrivilegeType> for UserPrivilegeType {
             databend_common_ast::ast::UserPrivilegeType::AccessConnection => {
                 UserPrivilegeType::AccessConnection
             }
+            databend_common_ast::ast::UserPrivilegeType::CreateSequence => {
+                UserPrivilegeType::CreateSequence
+            }
+            databend_common_ast::ast::UserPrivilegeType::AccessSequence => {
+                UserPrivilegeType::AccessSequence
+            }
             databend_common_ast::ast::UserPrivilegeType::Set => UserPrivilegeType::Set,
         }
     }
@@ -222,12 +234,14 @@ impl UserPrivilegeSet {
         let udf_privs_without_ownership = Self::available_privileges_on_udf(false);
         let wh_privs_without_ownership = Self::available_privileges_on_warehouse(false);
         let connection_privs_without_ownership = Self::available_privileges_on_connection(false);
-        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse | CreateConnection });
+        let seq_privs_without_ownership = Self::available_privileges_on_sequence(false);
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse | CreateConnection | CreateSequence });
         (database_privs.privileges
             | privs
             | stage_privs_without_ownership.privileges
             | wh_privs_without_ownership.privileges
             | connection_privs_without_ownership.privileges
+            | seq_privs_without_ownership.privileges
             | udf_privs_without_ownership.privileges)
             .into()
     }
@@ -275,6 +289,14 @@ impl UserPrivilegeSet {
         }
     }
 
+    pub fn available_privileges_on_sequence(available_ownership: bool) -> Self {
+        if available_ownership {
+            make_bitflags!(UserPrivilegeType::{ AccessSequence | Ownership }).into()
+        } else {
+            make_bitflags!(UserPrivilegeType::{ AccessSequence }).into()
+        }
+    }
+
     pub fn available_privileges_on_udf(available_ownership: bool) -> Self {
         if available_ownership {
             make_bitflags!(UserPrivilegeType::{ Usage | Ownership }).into()

src/meta/app/src/principal/user_privilege.rs

@@ -94,6 +94,9 @@ impl FromToProto for mt::principal::OwnershipObject {
             pb::ownership_object::Object::Connection(
                 pb::ownership_object::OwnershipConnectionObject { connection },
             ) => Ok(mt::principal::OwnershipObject::Connection { name: connection }),
+            pb::ownership_object::Object::Sequence(
+                pb::ownership_object::OwnershipSequenceObject { sequence },
+            ) => Ok(mt::principal::OwnershipObject::Sequence { name: sequence }),
         }
     }
 
@@ -141,6 +144,13 @@ impl FromToProto for mt::principal::OwnershipObject {
                     },
                 ))
             }
+            mt::principal::OwnershipObject::Sequence { name } => {
+                Some(pb::ownership_object::Object::Sequence(
+                    pb::ownership_object::OwnershipSequenceObject {
+                        sequence: name.clone(),
+                    },
+                ))
+            }
         };
         Ok(pb::OwnershipObject {
             ver: VER,

src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs

@@ -197,6 +197,9 @@ impl FromToProto for mt::principal::GrantObject {
             pb::grant_object::Object::Connection(pb::grant_object::GrantConnectionObject {
                 connection,
             }) => Ok(mt::principal::GrantObject::Connection(connection)),
+            pb::grant_object::Object::Sequence(pb::grant_object::GrantSequenceObject {
+                sequence,
+            }) => Ok(mt::principal::GrantObject::Sequence(sequence)),
         }
     }
 
@@ -249,6 +252,11 @@ impl FromToProto for mt::principal::GrantObject {
                     connection: c.clone(),
                 }),
             ),
+            mt::principal::GrantObject::Sequence(s) => Some(pb::grant_object::Object::Sequence(
+                pb::grant_object::GrantSequenceObject {
+                    sequence: s.clone(),
+                },
+            )),
         };
         Ok(pb::GrantObject {
             ver: VER,

src/meta/proto-conv/src/user_from_to_protobuf_impl.rs

@@ -168,6 +168,7 @@ const META_CHANGE_LOG: &[(u64, &str)] = &[
     (136, "2025-07-17: Add: Task"),
     (137, "2025-07-22: Add: GrantConnectionObject and UserPrivilegeType AccessConnection, AccessConnection"),
     (138, "2025-07-23: Add: TableStatistics add index size"),
+    (139, "2025-07-25: Add: Grant/OwnershipSequenceObject and UserPrivilegeType AccessSequence, AccessSequence"),
     // Dear developer:
     //      If you're gonna add a new metadata version, you'll have to add a test for it.
     //      You could just copy an existing test file(e.g., `../tests/it/v024_table_meta.rs`)

src/meta/proto-conv/src/util.rs

@@ -130,3 +130,4 @@ mod v135_udf_immutable;
 mod v136_add_task;
 mod v137_add_grant_object_connection;
 mod v138_table_statistics;
+mod v139_add_grant_ownership_object_sequence;

src/meta/proto-conv/tests/it/main.rs

@@ -0,0 +1,97 @@
+// Copyright 2023 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::collections::HashSet;
+
+use chrono::DateTime;
+use chrono::Utc;
+use databend_common_meta_app as mt;
+use databend_common_meta_app::principal::OwnershipObject;
+use databend_common_meta_app::principal::UserGrantSet;
+use databend_common_meta_app::principal::UserPrivilegeType;
+use enumflags2::make_bitflags;
+use fastrace::func_name;
+
+use crate::common;
+
+// These bytes are built when a new version in introduced,
+// and are kept for backward compatibility test.
+//
+// *************************************************************
+// * These messages should never be updated,                   *
+// * only be added when a new version is added,                *
+// * or be removed when an old version is no longer supported. *
+// *************************************************************
+//
+
+#[test]
+fn test_decode_v139_grant_object() -> anyhow::Result<()> {
+    let role_info_v139 = vec![
+        10, 2, 114, 49, 18, 86, 10, 23, 10, 9, 10, 0, 160, 6, 139, 1, 168, 6, 24, 16, 128, 128,
+        128, 8, 160, 6, 139, 1, 168, 6, 24, 10, 27, 10, 13, 82, 4, 10, 2, 115, 49, 160, 6, 139, 1,
+        168, 6, 24, 16, 128, 128, 128, 16, 160, 6, 139, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160,
+        6, 139, 1, 168, 6, 24, 16, 254, 255, 191, 31, 160, 6, 139, 1, 168, 6, 24, 160, 6, 139, 1,
+        168, 6, 24, 26, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48,
+        48, 32, 85, 84, 67, 34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48,
+        58, 48, 48, 32, 85, 84, 67, 160, 6, 139, 1, 168, 6, 24,
+    ];
+
+    let want = || mt::principal::RoleInfo {
+        name: "r1".to_string(),
+        grants: UserGrantSet::new(
+            vec![
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Global,
+                    make_bitflags!(UserPrivilegeType::{CreateSequence}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Sequence("s1".to_string()),
+                    make_bitflags!(UserPrivilegeType::{AccessSequence}),
+                ),
+                // test new global privilege CreateSequence, AccessConnection
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Global,
+                    make_bitflags!(UserPrivilegeType::{Create | Select | Insert | Update | Delete | Drop | Alter | Super | CreateUser | DropUser | CreateRole | DropRole | Grant | CreateStage | Set | CreateDataMask | Ownership | Read | Write | CreateWarehouse | CreateConnection | AccessConnection | CreateSequence | AccessSequence }),
+                ),
+            ],
+            HashSet::new(),
+        ),
+        created_on: DateTime::<Utc>::default(),
+        update_on: DateTime::<Utc>::default(),
+    };
+
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), role_info_v139.as_slice(), 139, want())?;
+
+    Ok(())
+}
+
+#[test]
+fn test_decode_v139_ownership() -> anyhow::Result<()> {
+    let ownership_info_v139 = vec![
+        10, 2, 114, 49, 18, 13, 58, 4, 10, 2, 115, 49, 160, 6, 139, 1, 168, 6, 24, 160, 6, 139, 1,
+        168, 6, 24,
+    ];
+
+    let want = || mt::principal::OwnershipInfo {
+        role: "r1".to_string(),
+        object: OwnershipObject::Sequence {
+            name: "s1".to_string(),
+        },
+    };
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), ownership_info_v139.as_slice(), 139, want())?;
+
+    Ok(())
+}

src/meta/proto-conv/tests/it/v139_add_grant_ownership_object_sequence.rs

@@ -54,12 +54,17 @@ message OwnershipObject {
     string connection = 1;
   }
 
+  message OwnershipSequenceObject {
+    string sequence = 1;
+  }
+
   oneof object {
     OwnershipDatabaseObject database = 1;
     OwnershipTableObject table = 2;
     OwnershipUdfObject udf = 3;
     OwnershipStageObject stage = 4;
     OwnershipWarehouseObject warehouse = 5;
     OwnershipConnectionObject connection = 6;
+    OwnershipSequenceObject sequence = 7;
   }
 }