Skip to content

feat: column privileges #589

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 6, 2023
Merged

feat: column privileges #589

merged 1 commit into from
Jul 6, 2023

Conversation

soedirgo
Copy link
Member

@soedirgo soedirgo commented Jun 20, 2023
edited
Loading

Add /column-privileges endpoint to list, grant, revoke column privileges.

Modified from information_schema.column_privileges. We try to be as close as possible to the view definition, obtained from:

select pg_get_viewdef('information_schema.column_privileges');

The main differences are:

Caveat: column privileges are intertwined with table privileges in that table privileges override column privileges. E.g. if we do:

grant all on mytable to myrole;

Then myrole is granted privileges for ALL columns. Likewise, if we do:

grant all (id) on mytable to myrole;                                        
revoke all on mytable from myrole;

Then the grant on the id column is revoked.

This is unlike how grants for schemas and tables interact, where you need privileges for BOTH the schema the table is in AND the table itself in order to access the table.

Example output:

Request:

GET /column-privileges

Response:

[
  {
    "column_id": "12345.1",
    "relation_schema": "public"
    "relation_name": "mytable",
    "column_name": "mycolumn",
    "privileges": [
      {
        "grantee": "postgres",
        "grantor": "postgres",
        "is_grantable": false,
        "privilege_type": "INSERT",
      },
      ...
    ],
  },
  ...
]

Request:

POST /column-privileges
[
  {
    "column_id": "11111.1",
    "grantee": "postgres",
    "privilege_type": "ALL"
  },
  {
    "column_id": "22222.2",
    "grantee": "postgres",
    "privilege_type": "ALL"
  }
]

Response:

[
  {
    "column_id": "11111.1",
    "relation_schema": "public"
    "relation_name": "t1",
    "column_name": "col",
    "privileges": [...]
  },
  {
    "column_id": "22222.2",
    "relation_schema": "public",
    "relation_name": "t2",
    "column_name": "col",
    "privileges": [...]
  }
]

Request:

DELETE /table-privileges
[
  {
    "column_id": "11111.1",
    "grantee": "postgres",
    "privilege_type": "ALL"
  },
  {
    "column_id": "22222.2",
    "grantee": "postgres",
    "privilege_type": "ALL"
  }
]

Response:

[
  {
    "column_id": "11111.1",
    "relation_schema": "public"
    "relation_name": "t1",
    "column_name": "col",
    "privileges": []
  },
  {
    "relation_id": "22222.2",
    "relation_schema": "public",
    "relation_name": "t2",
    "column_name": "col",
    "privileges": []
  }
]

@soedirgo soedirgo requested review from a team as code owners June 20, 2023 07:55
@soedirgo soedirgo mentioned this pull request Jul 5, 2023
Closed
5 tasks
alaister
alaister approved these changes Jul 6, 2023
View reviewed changes
Copy link
Member

@alaister alaister left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Base automatically changed from feat/table-privileges to master July 6, 2023 07:13
@soedirgo soedirgo merged commit 27c9325 into master Jul 6, 2023
@soedirgo soedirgo deleted the feat/column-privileges branch July 6, 2023 07:13
@alaister alaister mentioned this pull request Jul 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alaister alaister alaister approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@soedirgo @alaister