rbac: add CREATEDATAFLOW privilege for clusters#34711
rbac: add CREATEDATAFLOW privilege for clusters#34711antiguru wants to merge 8 commits intoMaterializeInc:mainfrom
Conversation
antiguru
force-pushed
the
disallow_render_dataflow
branch
2 times, most recently
from
f1ea53c to
24f24ae
Compare
antiguru
force-pushed
the
disallow_render_dataflow
branch
from
24f24ae to
4522aa7
Compare
antiguru
force-pushed
the
disallow_render_dataflow
branch
from
4522aa7 to
47b9908
Compare
Signed-off-by: Moritz Hoffmann <[email protected]>
This adds a new RBAC privilege called CREATEDATAFLOW that controls
whether a user can execute queries requiring dataflow rendering
(slow path) on a cluster. Users without this privilege can still
execute fast-path queries (constants, index lookups with MFP).
Key changes:
- Add CREATE_DATAFLOW privilege constant ('D', bit 28) to AclMode
- Add CREATEDATAFLOW keyword and privilege parsing
- Add check_create_dataflow_privilege() function in rbac.rs
- Insert privilege check in peek_finish() for slow-path queries
- System clusters and superusers bypass the check
Co-Authored-By: Claude Opus 4.5 <[email protected]>
This migration (v80 to v81) ensures backwards compatibility by granting CREATEDATAFLOW privilege to PUBLIC on all existing clusters during upgrade. This allows users who could previously run queries requiring dataflow rendering to continue doing so after the upgrade. Also updates default privileges so new clusters grant CREATEDATAFLOW to PUBLIC by default. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Instead of defining a local constant, import and use the existing AclMode::CREATE_DATAFLOW constant from mz_repr. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Signed-off-by: Moritz Hoffmann <[email protected]>
Document the new CREATEDATAFLOW privilege which controls whether users can execute queries requiring dataflow rendering on clusters: - Add privilege description explaining when it's needed and use cases - Update GRANT/REVOKE syntax to include CREATEDATAFLOW for clusters - Add to default privileges (PUBLIC gets CREATEDATAFLOW on all clusters) - Add to object privileges table for CLUSTER The privilege is useful in production to restrict users to fast-path queries only, preventing accidental high-latency dataflow rendering. Co-Authored-By: Claude Opus 4.5 <[email protected]>
antiguru
force-pushed
the
disallow_render_dataflow
branch
from
47b9908 to
3b54a9a
Compare
Add expected mz_support=U/other_owner privilege for owner_cluster2 now that default privileges include mz_support USAGE on clusters. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Update RBAC documentation test files to include the new CREATEDATAFLOW privilege in expected test results. The CREATEDATAFLOW privilege is now granted by default to PUBLIC on all clusters, so SHOW PRIVILEGES and SHOW DEFAULT PRIVILEGES output includes this privilege. Files updated: - rbac-cloud/grant_privileges.yml: Add test_results with all expected rows - rbac-cloud/grant_roles.yml: Update test_results with CREATEDATAFLOW - rbac-cloud/show_default_privileges.yml: Add test_results for default privileges - rbac-cloud/show_privileges.yml: Update test_results with CREATEDATAFLOW - rbac-sm/grant_privileges.yml: Add test_results and test_replacements override - rbac-sm/grant_roles.yml: Update test_results with CREATEDATAFLOW - rbac-sm/show_default_privileges.yml: Add test_results for default privileges - rbac-sm/show_privileges.yml: Update test_results with CREATEDATAFLOW Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
I've pondered this a bunch and I don't think we get a nice implementation with our current RBAC model. The issue is that adding a Looking at other database, there isn't much precedent to a permission like create-dataflow. SQL server seems to be the closest with negative permissions. In this case, create-dataflow would need to be revoked explicitly in order to prevent someone from creating dataflows. In SQL server, revokes always win over grants. I'm not sure this is the way we should go, but at least it gives us an approach we could evaluate further. |
|
@antiguru getting up to speed and I think the privilege makes sense conceptually, but as you said before the UX would be unpleasant. Have we considered the session variable approach described in https://github.com/MaterializeInc/database-issues/issues/5277#issuecomment-2369684851? |
2 participants
Summary
CREATEDATAFLOWthat controls whether a user can execute queries requiring dataflow rendering (slow path) on a clusterMotivation
In multi-tenant or cost-sensitive environments, organizations may want to restrict certain users to only execute queries that can be satisfied by existing indexes, preventing them from triggering expensive dataflow rendering operations.
Changes
CREATE_DATAFLOWprivilege constant ('D', bit 28) toAclModeinmz_acl_item.rsCREATEDATAFLOWkeyword and privilege parsing in sql-parsercheck_create_dataflow_privilege()function inrbac.rspeek_finish()for slow-path queriesTest plan
cargo checkpassescargo clippypassescargo test -p mz-repr --lib -- mz_acl)bin/sqllogictest -- test/sqllogictest/createdataflow_privilege.slt)🤖 Generated with Claude Code