crate / crate

CrateDB is a distributed and scalable SQL database for storing and analyzing massive amounts of data in near real-time, even with complex queries. It is PostgreSQL-compatible, and based on Lucene.

Home Page: https://cratedb.com/product

Allow non-superusers to run ALTER TABLE REROUTE commands

hlcianfagna opened this issue · comments

Problem Statement

In CrateDB Cloud and other security-sensitive setups, database admins may not routinely have access to the crate superuser account.
The ALTER TABLE ... REROUTE MOVE SHARD commands are useful to move around "hot shards" as described in the documentation.
Currently these operations are not allowed even when a user account has AL and DDL permissions at cluster level.

Possible Solutions

  • Allow the operations for accounts with certain permissions so that the task can be delegated and run without connecting as crate
  • Cover REROUTE use cases in some other way so that manual rerouting is not necessary

Considered Alternatives

Get an admin with access to the CrateDB nodes to connect locally as crate and run the required commands.

TBD which option to use:

  • Let users with AL permission execute it
  • Go an alternative path and support GRANT role crate to ..., to grant users all superuser privileges (see #16033)
  • Others?

Imho, users with AL should be able to execute this. The ability to inherit superuser to a role/user would be a way to do that, but I believe explicit granting of AL should also work.

commented

Imho, users with AL should be able to execute this. The ability to inherit superuser to a role/user would be a way to do that, but I believe explicit granting of AL should also work.

Makes sense to me, as we already allow non-superusers to run ALTER CLUSTER commands (#11283)

ALTER CLUSTER is a more "global" command so it's probably logical for users to expect that they can also run ALTER TABLE REROUTE with AL privileges.

As discussed, we should allow ALTER TABLE <table> REROUTE... for DDL privs on the table.
Since you can already do other admin actions with DDL on a table (increase, decrease shards, change settings that affect the shard distribution), it makes sense to also allow REROUTE.

We decided also to treat this as a bug, as according to our current docs, we allow users with DDL to perform any ALTER TABLE operation.

Thank you @hlcianfagna for reporting this. It has been addressed as a bug fix and will be available with the next hotfix release.
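
The delegation this thread settles on, sketched as an added example that is not part of the issue or the CrateDB project's own material: a table-scoped DDL grant lets an operator move a hot shard without connecting as crate. The user name `shard_ops`, the table `doc.metrics`, the node names and the password placeholder are assumptions, and the final statement is only accepted for a non-superuser on a release that contains the fix mentioned above.

```sql
-- Added example; all names below are hypothetical.

-- 1) Run once by an administrator: create the operator account and grant
--    DDL on the single table it has to manage, not at cluster level.
CREATE USER shard_ops WITH (password = '<placeholder-password>');
GRANT DDL ON TABLE doc.metrics TO shard_ops;

-- Review what the account can actually do before handing it over.
SELECT grantee, class, ident, type, state
FROM sys.privileges
WHERE grantee = 'shard_ops'
ORDER BY class, ident, type;

-- 2) Run as shard_ops: find where the table's shards currently live.
--    Which rows sys.shards returns depends on the account's privileges
--    on the table.
SELECT id AS shard_id, "primary", node['name'] AS node_name, num_docs, size
FROM sys.shards
WHERE schema_name = 'doc' AND table_name = 'metrics'
ORDER BY size DESC;

-- 3) Run as shard_ops: move shard 0 off the busy node. Before the fix this
--    statement is rejected for every account except the crate superuser.
ALTER TABLE doc.metrics REROUTE MOVE SHARD 0 FROM 'node-1' TO 'node-2';

-- 4) Run by the administrator when the delegation is no longer needed.
REVOKE DDL ON TABLE doc.metrics FROM shard_ops;
```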