Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow TRUNCATE grant for groups on table #92

Closed
remi-faydide-finalcad opened this issue Nov 2, 2022 · 2 comments
Closed

Allow TRUNCATE grant for groups on table #92

remi-faydide-finalcad opened this issue Nov 2, 2022 · 2 comments

Comments

@remi-faydide-finalcad
Copy link

Goal

When I try to implement grant privilege including truncate I have the following error

Error: Invalid privileges list [select truncate update insert delete] for object of type table

  on redshift_queries.tf line 82, in resource "redshift_grant" "data_group_tables":
  82: resource "redshift_grant" "data_group_tables" {

If I comment the truncate privilege, everything goes fine.

Part of my code where I have the issue

# create data group
resource "redshift_group" "data_group" {
  depends_on = [aws_redshift_cluster.redshift_cluster]
  name       = "DATA_USERS"
  users = [
    redshift_user.data_user.name
  ]
}

# Init tables if needed
resource "aws_redshiftdata_statement" "init_tables" {
  depends_on         = [redshift_schema.schema]
  for_each           = local.sql_table_list
  cluster_identifier = aws_redshift_cluster.redshift_cluster.cluster_identifier
  database           = aws_redshift_cluster.redshift_cluster.database_name
  db_user            = aws_redshift_cluster.redshift_cluster.master_username
  statement_name     = replace(each.value.file_name, ".sql", "")
  sql                = file("templates/${each.value.file_name}")
}

# add grant on tables
resource "redshift_grant" "data_group_tables" {
  for_each    = aws_redshiftdata_statement.init_tables
  group       = redshift_group.data_group.name
  schema      = redshift_schema.schema.name
  object_type = "table"
  objects     = [each.key]
  privileges = [
    "select",
    "insert",
    "delete",
    "truncate",
    "update"
  ]
}

Part of the solution (I guess)

After searching a bit in the code, I found that the error comes from the validatePrivileges function from the helpers.go file (L169 for the case "TABLE")

There are probably other stuff to do but I don't have really the time to investigate for now.

AWS doc

Part of the doc for the truncate privilege

Thank you for your feedback
@remi-faydide-finalcad
Copy link
Author

⬆️ anyone please ?

@winglot
Copy link
Member

winglot commented Jan 17, 2023

Hi,
according to the documentation at https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html, the TRUNCATE privilege is only supported for roles in the form of GRANT TRUNCATE TABLE TO <role name>. The provider currently only supports users and groups, no support for roles/rbac.

I will close the issue in favor of #87 which is a feature request for RBAC/Roles support in the provider.

@winglot winglot closed this as completed Jan 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@winglot @remi-faydide-finalcad