Allow non-superusers to run ALTER TABLE REROUTE commands
hlcianfagna opened this issue · comments
Problem Statement

In CrateDB Cloud and other security-sensitive setups, database admins may not routinely have access to the crate superuser account.
The ALTER TABLE ... REROUTE MOVE SHARD commands are useful to move around "hot shards" as described in the documentation.
Currently these operations are not allowed even when a user account has AL and DDL permissions at cluster level.

Possible Solutions

- Allow the operations for accounts with certain permissions so that the task can be delegated and run without connecting as crate
- Cover REROUTE use cases in some other way so that manual rerouting is not necessary

Considered Alternatives

Get an admin with access to the CrateDB nodes to connect locally as crate and run the required commands.
TBD which option to use:
- Let users with AL permission execute it
- Go alternative path and support GRANT role crate to ..., to grant users all superuser privileges (See #16033)
- Others?
Imho, users with AL should be able to execute this. The ability to inherit superuser to a role/user would be a way to do that, but I believe explicit granting of AL should also work.
Makes sense to me, as we already allow non-superusers to run ALTER CLUSTER commands (#11283). ALTER CLUSTER is a more "global" command, so it's probably logical for users to expect that they can also run ALTER TABLE REROUTE with AL privileges.
As discussed, we should allow ALTER TABLE <table> REROUTE... for DDL privs on the table.
Since you can already do other admin actions with DDL on a table (increase, decrease shards, change settings that affect the shard distribution), it makes sense to also allow REROUTE.
We decided also to treat this as a bug, as according to our current docs, we allow users with DDL to perform any ALTER TABLE operation.
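As an added illustration (not from the issue and not CrateDB's own code), this is the delegated workflow the decision above enables, written in CrateDB SQL: a dedicated account gets only DDL on the one table it must rebalance and can then move a hot shard without the crate superuser. It assumes the CrateDB GRANT and ALTER TABLE ... REROUTE MOVE SHARD syntax and the sys.shards / sys.nodes system tables; the user name, password, table, shard id and node ids are constructed placeholders.

```sql
-- Added example, not part of the original issue. Names and ids are constructed.

-- 1. Run as the crate superuser: create a scoped operator account and grant it
--    only DDL on the table it needs to rebalance. No cluster-wide AL, no DML/DQL
--    on other tables, so the delegation stays least-privilege.
CREATE USER shard_operator WITH (password = 'example-only-change-me');
GRANT DDL ON TABLE doc.metrics TO shard_operator;

-- 2. Run as the crate superuser (assumption: reading sys.shards may need DQL on
--    the sys schema, which the operator deliberately does not have): find the
--    largest primary shards of the table and which node currently holds them.
SELECT schema_name, table_name, id AS shard_id,
       node['id'] AS node_id, node['name'] AS node_name, size
FROM sys.shards
WHERE schema_name = 'doc' AND table_name = 'metrics' AND "primary" = true
ORDER BY size DESC
LIMIT 5;

-- 3. Run as shard_operator: move shard 3 off the busy node.
--    FROM/TO take node ids (the id column of sys.nodes), not node names.
--    Before the fix discussed in this issue the statement was rejected for any
--    non-superuser, even with AL and DDL; after it, table-level DDL is enough.
ALTER TABLE doc.metrics
    REROUTE MOVE SHARD 3 FROM 'constructed-busy-node-id' TO 'constructed-target-node-id';

-- 4. Run as the crate superuser: confirm the relocation is progressing/finished.
SELECT id, node['name'] AS node_name, state, routing_state
FROM sys.shards
WHERE schema_name = 'doc' AND table_name = 'metrics' AND id = 3;

-- 5. Privilege check: the operator account holds no AL, so cluster-wide
--    rerouting must still be refused with a privilege error. Run as
--    shard_operator and expect failure, which is the desired outcome.
ALTER CLUSTER REROUTE RETRY FAILED;
```

The point of step 5 is auditability of the boundary: after the fix, DDL on a single table unlocks ALTER TABLE REROUTE for that table only, while cluster-level reroute remains behind AL, so a compromised or over-curious operator account cannot widen its reach beyond the table it was granted.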
Thank you @hlcianfagna for reporting this. It has been addressed as a bug fix and will be available with the next hotfix release.