Fine-grained user privilege on database & table #2894
Comments
/assignme
If we follow the MySQL way, Role has privileges, the securable object is
How do you like to store these
it'd be preferred to store them as an ordered flat kv format, like
so we can list a user's grants in a prefix scan, and can drop a grant individually. but in the earlier days, a big
and it would not get very big in the near future (i can't imagine how to manage 20+ grants configs🤔) the cons of the big JSON are that we have to deserialize the object, make modifications, and write back.
The first one would be better to me 🤔
@drmingdrmer could we make it'd be nice to have some transactional guarantee on it |
Hmmm... not a big deal. |
Summary
Currently we have got an `UserPrivilege` in the metastore, however it does not have the information on database & table yet.
We can allow users to grant privileges (like Select / Create) on a database or table.
Related: #2703 #2797

thoughts on the user grants management

we may add a struct called `GrantSet` or something else, which contains a list of `GrantEntry`, it can be used both in user and role. the `SHOW GRANTS` statement directly dumps the list of the `GrantSet`:

a `GrantEntry` has three levels: Global, Database and Table. the grant level is determined by the `ON` part in the `GRANT` statement.

each `GrantEntry` is identified by the `ON` and `TO` parts in the statement, like ("*.*", "jeffery", "localhost"), ("db1.*", "jeffery", "localhost"). if two grant statements have the same identifier, then the privileges should be merged into one `Grant` item:

on checking an operation's privilege, we can get all the current user's grant set from the metasrv, and filter the grant set by (user, database/table, hostname), the API might look like this:

please note that the grant set of the current session CAN NOT be directly determined by the current user & hostname, because the active grant set may be changed by executing `USE ROLE` (which limits one user's effective grant set) in the current session.

this API would not change after adding RBAC: what we get is the effective grant set of the current user, adding a role to a user would affect this user's grant set at last, the API caller need not care about roles at all. this is why the api in the session is called `get_effective_grant_set`.

on `DROP TABLE/DATABASE`, the relevant `GrantEntry` of ALL the users needs to get dropped altogether. (needs some more investigation on it)

any suggestion is welcomed!
Steps
- `database`.`table`
- #2901
- drop grants on database/table is getting dropped (seems mysql does not drop the relevant grants after dropping a database)
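As an added illustration (not code from the issue or from the project), here is a Rust sketch of the `GrantSet` design above: entries keyed by the (`ON`, `TO`) identifier so repeated grants merge, an effective-privilege lookup filtered by (user, host, database/table), and the proposed removal of all users' entries on `DROP DATABASE/TABLE`. The type and method names, the privilege list and the wildcard syntax are assumptions.

```rust
use std::collections::{BTreeSet, HashMap};
// Privileges a GRANT statement can carry (assumed subset for the example).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
pub enum Privilege { Select, Insert, Create, Drop }
// The ON part of a GRANT statement decides the level: *.* / db.* / db.table.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub enum GrantObject { Global, Database(String), Table(String, String) }
impl GrantObject {
    // Parse the ON part as written in the issue ("*.*", "db1.*", "db1.t1").
    pub fn parse(on: &str) -> Option<GrantObject> {
        let (db, tbl) = on.split_once('.')?;
        Some(match (db, tbl) {
            ("*", "*") => GrantObject::Global,
            (db, "*") => GrantObject::Database(db.to_string()),
            (db, tbl) => GrantObject::Table(db.to_string(), tbl.to_string()),
        })
    }
    // Does this entry cover db.table? Global covers everything, Database covers its tables.
    fn covers(&self, db: &str, table: &str) -> bool {
        match self {
            GrantObject::Global => true,
            GrantObject::Database(d) => d == db,
            GrantObject::Table(d, t) => d == db && t == table,
        }
    }
}
// Keyed by the (ON, TO) identifier (object, user, host): a repeated identifier merges privileges.
#[derive(Default)]
pub struct GrantSet { pub entries: HashMap<(GrantObject, String, String), BTreeSet<Privilege>> }
impl GrantSet {
    pub fn grant(&mut self, on: &str, user: &str, host: &str, privs: &[Privilege]) {
        let obj = GrantObject::parse(on).expect("ON part must be *.*, db.* or db.table");
        let key = (obj, user.to_string(), host.to_string());
        self.entries.entry(key).or_default().extend(privs.iter().copied());
    }
    // Effective privileges of (user, host) on db.table: the union of every covering entry.
    pub fn effective(&self, user: &str, host: &str, db: &str, table: &str) -> BTreeSet<Privilege> {
        self.entries.iter()
            .filter(|((obj, u, h), _)| u == user && h == host && obj.covers(db, table))
            .flat_map(|(_, p)| p.iter().copied()).collect()
    }
    // On DROP DATABASE/TABLE, drop the relevant entries of ALL users (a dropped database also
    // takes its table-level entries with it). Returns how many entries were removed.
    pub fn drop_object(&mut self, on: &str) -> usize {
        let before = self.entries.len();
        let dropped = GrantObject::parse(on).expect("ON part must be *.*, db.* or db.table");
        self.entries.retain(|(o, _, _), _| match (&dropped, o) {
            (GrantObject::Database(d), GrantObject::Table(x, _)) => d != x,
            _ => o != &dropped,
        });
        before - self.entries.len()
    }
}
```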