[colocation] Implement GRANT/REVOKE for Tablegroups. #5087

Closed
vvkgopalan opened this issue Jul 15, 2020 · 0 comments

@vvkgopalan
Contributor

In implementing tablegroups to address #4525, it will be necessary to support giving users fine-grained control over RBAC through supporting GRANT & REVOKE for tablegroups.

@vvkgopalan vvkgopalan self-assigned this Jul 15, 2020
@vvkgopalan vvkgopalan added the area/ysql Yugabyte SQL (YSQL) label Jul 15, 2020
vvkgopalan added a commit that referenced this issue Jul 30, 2020
…roups

Summary:
For grant/revoke:
Implemented GRANT / REVOKE for tablegroups. The following rights are available for
tablegroups: (ACL_CREATE). When a user has create rights on a tablegroup, they are able to create
tables within that tablegroup. Alternatively, they can do so by default if they are the owner of
that tablegroup or are a superuser. Usage is as follows:

```
GRANT { CREATE | ALL [PRIVILEGES] } ON TABLEGROUP tablegroup_name
    TO grant_role_spec [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR] { CREATE | ALL [PRIVILEGES] } ON TABLEGROUP tablegroup_name
    FROM { [GROUP] role_name | PUBLIC } [CASCADE | RESTRICT]
```

For alter default privileges:
At a per-database level (not per-schema as tablegroups can contain tables from multiple
schemas), a user (with sufficient privs) can define the default access privileges for all future
tablegroups and grant it to a user / role. The default access privs for non-superuser / non-owner of
a tablegroup are ACL_NO_RIGHTS. Users/roles can be granted ACL_CREATE on tablegroups which allows
them to create tables / indexes on tables they own in that tablegroup.

Usage is as follows:

```
ALTER DEFAULT PRIVILEGES GRANT { CREATE | ALL [PRIVILEGES] } ON TABLEGROUPS
    TO grant_role_spec [WITH GRANT OPTION]

ALTER DEFAULT PRIVILEGES REVOKE { CREATE | ALL [PRIVILEGES] } ON TABLEGROUPS
    FROM grant_role_spec [CASCADE | RESTRICT]
```

Test Plan:
Updated the yb_tablegroup_permissions test as part of the tablegroup test suite. Can be run as
follows:
```
./yb_build.sh --java-test org.yb.pgsql.TestPgRegressTablegroup
```

Reviewers: jason, nicolas, neha

Reviewed By: neha

Subscribers: neha, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D8958
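
A least-privilege walk-through of the statements described in the commit message above, as an added example that is not part of the original issue or the YugabyteDB code base. All role, tablegroup and table names are constructed; `CREATE TABLEGROUP` and the `TABLEGROUP` clause of `CREATE TABLE` are YSQL syntax assumed here, since the page does not show them.

```sql
-- Constructed names throughout: tg_app, tg_future, app_writer, app_reader.
-- Run the setup as a superuser or as the role that will own the tablegroups.
CREATE ROLE app_writer LOGIN;
CREATE ROLE app_reader LOGIN;
CREATE TABLEGROUP tg_app;   -- assumption: YSQL statement, not shown on the page

-- Non-owner, non-superuser roles start with ACL_NO_RIGHTS on a tablegroup,
-- so only app_writer receives CREATE here.
GRANT CREATE ON TABLEGROUP tg_app TO app_writer;

-- Positive check: the grantee can place a table in the tablegroup.
SET ROLE app_writer;
CREATE TABLE orders (id int PRIMARY KEY, total numeric) TABLEGROUP tg_app;
RESET ROLE;

-- Negative check: a role without CREATE on tg_app is expected to be rejected.
SET ROLE app_reader;
CREATE TABLE audit_log (id int PRIMARY KEY) TABLEGROUP tg_app;  -- expected: permission error
RESET ROLE;

-- Revoke and re-test: the same role should now be refused for new tables.
REVOKE CREATE ON TABLEGROUP tg_app FROM app_writer;
SET ROLE app_writer;
CREATE TABLE orders_v2 (id int PRIMARY KEY) TABLEGROUP tg_app;  -- expected: permission error
RESET ROLE;

-- Default privileges are set per database (no IN SCHEMA clause) and apply to
-- tablegroups created afterwards by the role that issued the statement.
ALTER DEFAULT PRIVILEGES GRANT CREATE ON TABLEGROUPS TO app_writer;
CREATE TABLEGROUP tg_future;

SET ROLE app_writer;
CREATE TABLE events (id int PRIMARY KEY) TABLEGROUP tg_future;  -- expected: succeeds
RESET ROLE;

-- Withdraw the default so later tablegroups fall back to ACL_NO_RIGHTS.
ALTER DEFAULT PRIVILEGES REVOKE CREATE ON TABLEGROUPS FROM app_writer;
```

Running the negative checks after every grant or revoke is a quick way to confirm that a tablegroup ACL matches the intended role separation.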