From f45bf4c6cf902fca833ba39b16ade48657104953 Mon Sep 17 00:00:00 2001 From: Joseph Koshakow Date: Tue, 17 Oct 2023 03:32:10 -0400 Subject: [PATCH] rbac: Update view owner privilege docs (#22425) This commit updates the docs that specify the necessary privileges of a view owner. Materialize has the following two properties: - Whether a role is a superuser is associated with an active database connection/session and it is not persisted anywhere in Materialize. - In order for someone to query a view, the view owner must have the necessary privileges to execute the view definition. As a consequence of these two facts, if a superuser creates a view, then they must explicitly be granted the privileges to execute the view definition. When another user tries to query the view, there's no way to know that the view owner is a superuser and shouldn't need explicit privileges. --- doc/user/content/sql/copy-to.md | 3 ++- doc/user/content/sql/delete.md | 3 ++- doc/user/content/sql/insert.md | 3 ++- doc/user/content/sql/select.md | 3 ++- doc/user/content/sql/subscribe.md | 3 ++- doc/user/content/sql/update.md | 3 ++- 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/user/content/sql/copy-to.md b/doc/user/content/sql/copy-to.md index 13d934f282bf1..bc1d47fd6dd3c 100644 --- a/doc/user/content/sql/copy-to.md +++ b/doc/user/content/sql/copy-to.md @@ -45,6 +45,7 @@ The privileges required to execute this statement are: - `USAGE` privileges on the schemas that all relations and types in the query are contained in. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster. 
diff --git a/doc/user/content/sql/delete.md b/doc/user/content/sql/delete.md index 420ed16e3ea9a..bc4e7ac377527 100644 --- a/doc/user/content/sql/delete.md +++ b/doc/user/content/sql/delete.md @@ -76,7 +76,8 @@ The privileges required to execute this statement are: - `DELETE` privileges on `table_name`. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster. diff --git a/doc/user/content/sql/insert.md b/doc/user/content/sql/insert.md index 29ccf02965b5e..d55e13a033d6b 100644 --- a/doc/user/content/sql/insert.md +++ b/doc/user/content/sql/insert.md @@ -101,7 +101,8 @@ The privileges required to execute this statement are: - `INSERT` privileges on `table_name`. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster. diff --git a/doc/user/content/sql/select.md b/doc/user/content/sql/select.md index 2fbab73e450f2..4c2766de05289 100644 --- a/doc/user/content/sql/select.md +++ b/doc/user/content/sql/select.md 
@@ -236,7 +236,8 @@ The privileges required to execute this statement are: - `USAGE` privileges on the schemas that all relations and types in the query are contained in. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster. diff --git a/doc/user/content/sql/subscribe.md b/doc/user/content/sql/subscribe.md index 83a2094274d8c..e5ff37c5f55dc 100644 --- a/doc/user/content/sql/subscribe.md +++ b/doc/user/content/sql/subscribe.md @@ -526,6 +526,7 @@ The privileges required to execute this statement are: - `USAGE` privileges on the schemas that all relations and types in the query are contained in. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster. diff --git a/doc/user/content/sql/update.md b/doc/user/content/sql/update.md index a1dd21c1a1e4a..5b7271796c85f 100644 --- a/doc/user/content/sql/update.md +++ b/doc/user/content/sql/update.md 
@@ -61,7 +61,8 @@ The privileges required to execute this statement are: - `UPDATE` privileges on `table_name`. - `SELECT` privileges on all relations in the query. - NOTE: if any item is a view, then the view owner must also have the necessary privileges to - execute the view definition. + execute the view definition. Even if the view owner is an admin, they still must explicitly be + granted the necessary privileges. - `USAGE` privileges on all types used in the query. - `USAGE` privileges on the active cluster.
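
Review bot: The added sentence in all six hunks says "admin" ("Even if the view owner is an admin, ..."), while the commit message describes the behaviour in terms of a "superuser". Use one term in the user-facing text, preferably the one the rest of the RBAC docs use, so readers do not have to guess whether "admin" and "superuser" are the same thing. The sentence also states the rule without the reason; a short clause taken from the commit message (superuser status belongs to the active session and is not persisted, so it cannot be consulted when another role queries the view) would make the requirement less surprising.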
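
Review bot: The same two-line NOTE is pasted verbatim into copy-to.md, delete.md, insert.md, select.md, subscribe.md and update.md, so any later wording change has to be repeated six times and the copies can drift apart. If the docs tooling supports a shared snippet or include, move the note there and reference it from each privileges list; if not, a follow-up to consolidate would be worth tracking.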
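
Review bot: The new text "they still must explicitly be granted the necessary privileges" tells the reader what is required but not how to satisfy it, and it applies in every hunk of this patch. Consider linking to the GRANT documentation from the note, or stating which privileges on the view's underlying relations, schemas and types the owner needs, so a superuser who created a view can fix a failing query without searching. Minor wording: "they must still be explicitly granted" reads more naturally.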