feat(rbac): RBAC support connection object #18382
Conversation
Test on local:

Test Steps:

In main version

1. Root User Operations:

```sql
-- Create a role named 'role_a'
create role role_a;
create user a identified by '123' with default_role='role_a';
grant role role_a to a;
create user b identified by '123';
create connection c1 storage_type = 's3' access_key_id ='minioadmin' secret_access_key ='minioadmin' ENDPOINT_URL='http://127.0.0.1:9900';
create connection c2 storage_type = 's3' access_key_id ='22' secret_access_key ='22' ENDPOINT_URL='http://127.0.0.1:9900';
create connection c3 storage_type = 's3' access_key_id ='33' secret_access_key ='33' ENDPOINT_URL='http://127.0.0.1:9900';
```

In pr version

```sql
set global enable_experimental_connection_privilege_check=1;
grant access connection on connection c1 to role role_a;
grant ownership on connection c2 to role role_a;
```

2. User 'a' Operations:

```
show connections;
╭──────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ name   │ storage_type │ storage_params                                                               │
│ String │ String       │ String                                                                       │
├────────┼──────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ 'c1'   │ 's3'         │ 'access_key_id=******min endpoint_url=******900 secret_access_key=******min' │
│ 'c2'   │ 's3'         │ 'access_key_id=22 endpoint_url=******900 secret_access_key=22'               │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────╯
```

```
desc connection c1;
╭──────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ name   │ storage_type │ storage_params                                                               │
│ String │ String       │ String                                                                       │
├────────┼──────────────┼──────────────────────────────────────────────────────────────────────────────┤
│ 'c1'   │ 's3'         │ 'access_key_id=******min endpoint_url=******900 secret_access_key=******min' │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────╯
```

```
desc connection c2;
╭────────────────────────────────────────────────────────────────────────────────────────╮
│ name   │ storage_type │ storage_params                                                 │
│ String │ String       │ String                                                         │
├────────┼──────────────┼────────────────────────────────────────────────────────────────┤
│ 'c2'   │ 's3'         │ 'access_key_id=22 endpoint_url=******900 secret_access_key=22' │
╰────────────────────────────────────────────────────────────────────────────────────────╯
```

```
show grants for role role_a;
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ privileges  │ object_name         │ object_id        │ grant_to │ name     │ grants                                                              │
│ String      │ String              │ Nullable(String) │ String   │ String   │ String                                                              │
├─────────────┼─────────────────────┼──────────────────┼──────────┼──────────┼─────────────────────────────────────────────────────────────────────┤
│ 'ALL'       │ 'c1'                │ NULL             │ 'ROLE'   │ 'role_a' │ 'GRANT ALL ON CONNECTION c1 TO ROLE `role_a`'                       │
│ 'OWNERSHIP' │ 'c2'                │ NULL             │ 'ROLE'   │ 'role_a' │ 'GRANT OWNERSHIP ON CONNECTION c2 TO ROLE `role_a`'                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```

```
show grants on connection c1;
╭────────────────────────────────────────────────────────────────────────────────────────────╮
│ privileges          │ object_name │ object_id        │ grant_to │ name            │ grants │
│ String              │ String      │ Nullable(String) │ String   │ String          │ String │
├─────────────────────┼─────────────┼──────────────────┼──────────┼─────────────────┼────────┤
│ 'ACCESS CONNECTION' │ 'c1'        │ NULL             │ 'ROLE'   │ 'role_a'        │ ''     │
│ 'OWNERSHIP'         │ 'c1'        │ NULL             │ 'ROLE'   │ 'account_admin' │ ''     │
╰────────────────────────────────────────────────────────────────────────────────────────────╯
```

```
show grants on connection c2;
╭─────────────────────────────────────────────────────────────────────────────╮
│ privileges  │ object_name │ object_id        │ grant_to │ name     │ grants │
│ String      │ String      │ Nullable(String) │ String   │ String   │ String │
├─────────────┼─────────────┼──────────────────┼──────────┼──────────┼────────┤
│ 'OWNERSHIP' │ 'c2'        │ NULL             │ 'ROLE'   │ 'role_a' │ ''     │
╰─────────────────────────────────────────────────────────────────────────────╯
```

3. User 'b' Operations:

Rollback main

User 'a' Operations:

User 'b' Operations:
1. **New Configuration Parameter:** Introduces `enable_experimental_connection_rbac_check` to toggle RBAC permission verification for connections. Disabled by default for backward compatibility.
2. **Global Privileges:** Adds `CREATE CONNECTION` and `ACCESS CONNECTION` global privileges governing connection creation and unrestricted usage rights respectively.
3. **Ownership Model:** Implements `OWNERSHIP` semantics, allowing privileged users/roles to perform arbitrary DDL operations on connections.
4. **Show grants on connection `<connection_name>`.**
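As an added illustration of the privilege model described in the test steps and in the summary above (this is not Databend's own code), the following Rust snippet evaluates what `role_a` may see and do with `c1`, `c2` and `c3` once the experimental check is enabled. The enum and function names are simplified stand-ins for the real `GrantObject`/`UserPrivilegeType` types, and the rule that DDL requires `OWNERSHIP` while global `ACCESS CONNECTION` grants only usage is an assumption drawn from the summary.

```rust
// Added example: simplified model of the connection privilege check; not Databend code.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Priv { CreateConnection, AccessConnection, Ownership }
#[derive(Clone, PartialEq, Eq, Hash, Debug)]
pub enum Object { Global, Connection(String) }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Action { Create, Use, Ddl }
/// Grant entries held by the role being checked (stand-in for GrantEntry).
pub type Grants = HashSet<(Object, Priv)>;

/// Decide whether a role holding `grants` may perform `action` on connection `name`.
/// With the experimental check disabled, everything passes (pre-PR behaviour).
pub fn allowed(check_enabled: bool, grants: &Grants, action: Action, name: &str) -> bool {
    if !check_enabled {
        return true;
    }
    let has = |o: Object, p: Priv| grants.contains(&(o, p));
    let conn = || Object::Connection(name.to_string());
    match action {
        // Creating a connection needs the global CREATE CONNECTION privilege.
        Action::Create => has(Object::Global, Priv::CreateConnection),
        // Global ACCESS CONNECTION is unrestricted usage; otherwise the role needs
        // ACCESS CONNECTION or OWNERSHIP on that specific connection.
        Action::Use => {
            has(Object::Global, Priv::AccessConnection)
                || has(conn(), Priv::AccessConnection)
                || has(conn(), Priv::Ownership)
        }
        // Assumption: DDL (alter/drop) is reserved to the owner of the connection.
        Action::Ddl => has(conn(), Priv::Ownership),
    }
}

/// `show connections` lists only the connections the role may use.
pub fn visible<'a>(check_enabled: bool, grants: &Grants, all: &[&'a str]) -> Vec<&'a str> {
    all.iter().copied().filter(|c| allowed(check_enabled, grants, Action::Use, *c)).collect()
}

fn main() {
    // Constructed to mirror the test steps: role_a holds ACCESS CONNECTION on c1
    // and OWNERSHIP on c2, and nothing on c3.
    let role_a: Grants = [
        (Object::Connection("c1".into()), Priv::AccessConnection),
        (Object::Connection("c2".into()), Priv::Ownership),
    ].into_iter().collect();
    println!("{:?}", visible(true, &role_a, &["c1", "c2", "c3"])); // ["c1", "c2"]
}
```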
Reviewed 12 of 34 files at r1.
Reviewable status: 12 of 40 files reviewed, 3 unresolved discussions
src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs, line 86 at r2 (raw file):

You do not actually need these entries to be tested right?

Code quote:

```rust
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::Global,
    make_bitflags!(UserPrivilegeType::{CreateConnection}),
),
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::Connection("c1".to_string()),
    make_bitflags!(UserPrivilegeType::{AccessConnection}),
),
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::Database("default".to_string(), "db".to_string()),
    make_bitflags!(UserPrivilegeType::{Create}),
),
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::Table(
        "default".to_string(),
        "db".to_string(),
        "tb".to_string(),
    ),
    make_bitflags!(UserPrivilegeType::{Create}),
),
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::UDF("f1".to_string()),
    make_bitflags!(UserPrivilegeType::{Usage}),
),
mt::principal::GrantEntry::new(
    mt::principal::GrantObject::Stage("s1".to_string()),
    make_bitflags!(UserPrivilegeType::{Write}),
),
```
src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs, line 116 at r2 (raw file):

I see that there are two protobuf types modified but only one of them is tested. Is it as expected?

Code quote:

```rust
object: OwnershipObject::Connection {
    name: "c1".to_string(),
},
```
src/meta/protos/proto/ownership.proto, line 55 at r2 (raw file):

is this indent correct?

Code quote:

```proto
message OwnershipConnectionObject {
string connection = 1;
}
```
Reviewed 3 of 6 files at r3, all commit messages.
Reviewable status: 12 of 40 files reviewed, 1 unresolved discussion (waiting on @TCeason)
Compatibility tests are involved in CI and locally; is it necessary to deploy to the cloud test environment? cc @BohuTANG

I found a user incompatibility issue. It has been converted to draft first.
I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/
Summary

1. `enable_experimental_connection_rbac_check` to toggle RBAC permission verification for connections. Disabled by default for backward compatibility.
2. `CREATE CONNECTION` and `ACCESS CONNECTION` global privileges governing connection creation and unrestricted usage rights respectively.
3. `OWNERSHIP` semantics, allowing privileged users/roles to perform arbitrary DDL operations on connections.

For more detailed information, please refer to the issue content.