DISCUSS: Don't modify the root user on table create #5699
Conversation
|
I thought that a user could make it such that root does not have permissions on objects. For example:
I don't think at this point root can scan the tables in that namespace or do anything with them unless user1 gives root those permissions. Am I mis-remembering? |
ddanielr
force-pushed
the
bugfix/dont-modify-root-user
branch
2 times, most recently
from
fbdc7f6 to
e81b3f5
Compare
You're not mis-remembering but it's not even based on the separate namespace. The root user has no ability to scan user-created tables even if the root user has I added a test in 119d21f to prove that the root user cannot scan a user created table in the default namespace. This caused the test I added to fail since the root user is now able to scan the user-created table so I then updated the test to pass in e81b3f5. This draft PR was created to try and answer why a root user's permission objects change when a root client session is taking the output of a previous Currently, if the root user is creating tables, then it is automatically granted read permissions on those tables. This seems like a tedious amount of work and made me question what is the purpose of I looked at the documentation but didn't see anything that called out the specific permissions and their desired goals. I don't think these changes should be merged in, but rather used to discuss if this permissions model is expected. This is in support of adding an easier ability to restore the configuration from the current output of |
ddanielr
changed the title
|
@ddanielr - Thanks for the context, that helps. It sounds like the root cause of the issue then might be that the correct user is not logged in when running the |
|
Would being able to run command as another user in the shell be help for this situation? |
|
The intended behavior is that the root user (or any user granted "SYSTEM" permission does not automatically get additional privileges to read/write/alter user tables). This follows the principle of least privilege, where the root user (or a delegated user with "SYSTEM" permission) has permissions to administer the system, but does not automatically have permission to do things to user data. As a privileged user, the root user (or delegate) can grant themselves permissions, but that is intentionally a second step. This limits the harm a privileged user can do unintentionally to user data. This follows conventions in traditional RDBMS systems where the root/system user does not automatically have read/write/alter table permissions for a user's table in a database. |
Adds a test to verify that the root user is unable to scan a user created table in a namespace where the root user has SYSTEM level permissions.
When a table is created by a user that has the SYSTEM permission there is no need to add additional per-table permissions to that user Likewise, if the user has the SYSTEM permission, then table actions should be allowed.
ddanielr
force-pushed
the
bugfix/dont-modify-root-user
branch
from
e81b3f5 to
bcc0f7e
Compare
4 participants
There is no need to add additional permissions to the root user since that user already has system privileges.
Confirms this works as expected with uno. Need to add tests.