
add network policy create/alter/drop/comment
jubrad committed Oct 31, 2024
1 parent 3fb8492 commit d15206a
Showing 54 changed files with 11,575 additions and 11,750 deletions.
23 changes: 12 additions & 11 deletions doc/user/content/sql/types/mz_aclitem.md
Expand Up @@ -26,17 +26,18 @@ is `<grantee>=<privileges>/<grantor>`.

A list of all privileges and their abbreviations are below:

| Privilege | Description | Abbreviation | Applicable Object Types |
|-----------------|------------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------|
| `SELECT` | Allows reading rows from an object. | r(”read”) | Table, View, Materialized View, Source |
| `INSERT` | Allows inserting into an object. | a(”append”) | Table |
| `UPDATE` | Allows updating an object (requires SELECT if a read is necessary). | w(”write”) | Table |
| `DELETE` | Allows deleting from an object (requires SELECT if a read is necessary). | d | Table |
| `CREATE` | Allows creating a new object within another object. | C | Database, Schema, Cluster |
| `USAGE` | Allows using an object or looking up members of an object. | U | Database, Schema, Connection, Secret, Cluster |
| `CREATEROLE` | Allows creating, altering, deleting roles and the ability to grant and revoke role membership. | R("Role") | System |
| `CREATEDB` | Allows creating databases. | B("dataBase") | System |
| `CREATECLUSTER` | Allows creating clusters. | N("compute Node") | System |
| Privilege | Description | Abbreviation | Applicable Object Types |
|-----------------------|------------------------------------------------------------------------------------------------|---------------------|-----------------------------------------------|
| `SELECT` | Allows reading rows from an object. | r(”read”) | Table, View, Materialized View, Source |
| `INSERT` | Allows inserting into an object. | a(”append”) | Table |
| `UPDATE` | Allows updating an object (requires SELECT if a read is necessary). | w(”write”) | Table |
| `DELETE` | Allows deleting from an object (requires SELECT if a read is necessary). | d | Table |
| `CREATE` | Allows creating a new object within another object. | C | Database, Schema, Cluster |
| `USAGE` | Allows using an object or looking up members of an object. | U | Database, Schema, Connection, Secret, Cluster |
| `CREATEROLE` | Allows creating, altering, deleting roles and the ability to grant and revoke role membership. | R("Role") | System |
| `CREATEDB` | Allows creating databases. | B("dataBase") | System |
| `CREATECLUSTER` | Allows creating clusters. | N("compute Node") | System |
| `CREATENETWORKPOLICY` | Allows creating network policies. | P("network Policy") | System |

The `CREATEROLE` privilege is very powerful. It allows roles to grant and revoke membership in
other roles, even if it doesn't have explicit membership in those roles. As a consequence, any role
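Review bot: style point on the rewritten table: the abbreviation column mixes curly quotes in `r(”read”)`, `a(”append”)` and `w(”write”)` with straight quotes in `R("Role")`, `B("dataBase")` and the new `P("network Policy")`; since every row is touched in this hunk, normalise them all to straight quotes. Also, `P` is a new letter in the `<grantee>=<privileges>/<grantor>` encoding described at the top of this hunk, so confirm that the `mz_aclitem` parser and printer accept and emit `P` before the docs advertise it.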
28 changes: 18 additions & 10 deletions doc/user/layouts/partials/sql-grammar/comment-on.svg
2 changes: 1 addition & 1 deletion doc/user/sql-grammar/sql-grammar.bnf
Expand Up @@ -84,7 +84,7 @@ comment_on ::=
'COMMENT ON' (
'CLUSTER' | 'CLUSTER REPLICA' | 'COLUMN' | 'CONNECTION' | 'DATABASE' | 'FUNCTION' |
'INDEX' | 'MATERIALIZED VIEW' | 'ROLE' | 'SCHEMA' | 'SECRET' | 'SINK' | 'SOURCE' |
'TABLE' | 'TYPE' | 'VIEW'
'TABLE' | 'TYPE' | 'VIEW' | 'NETWORK POLICY'
) object_name 'IS' ( string_literal | 'NULL' )
commit ::=
'COMMIT'
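Review bot: style point: the `COMMENT ON` object list is alphabetical and `'NETWORK POLICY'` is appended after `'VIEW'`; move it between `'MATERIALIZED VIEW'` and `'ROLE'` so the grammar and the regenerated railroad diagram (`comment-on.svg` in this commit) keep the same ordering as the other object kinds.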
10 changes: 10 additions & 0 deletions src/adapter/src/catalog.rs
Expand Up @@ -1673,6 +1673,16 @@ impl SessionCatalog for ConnCatalog<'_> {
}
}

fn resolve_network_policy(
&self,
policy_name: &str,
) -> Result<&dyn mz_sql::catalog::CatalogNetworkPolicy, SqlCatalogError> {
match self.state.try_get_network_policy_by_name(policy_name) {
Some(policy) => Ok(policy),
None => Err(SqlCatalogError::UnknownNetworkPolicy(policy_name.into())),
}
}

fn try_get_role(&self, id: &RoleId) -> Option<&dyn CatalogRole> {
Some(self.state.roles_by_id.get(id)?)
}
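Review bot: `resolve_network_policy` has no doc comment; add one stating that the lookup is by the bare, unqualified policy name (it delegates to `try_get_network_policy_by_name`, which keys on `policy_name` alone, so network policies are global rather than database- or schema-scoped) and that a miss surfaces as `SqlCatalogError::UnknownNetworkPolicy`. Making the global scope explicit matters here because a policy name is what callers will later bind to roles or connections, and two operators should not expect per-schema namespacing.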
46 changes: 35 additions & 11 deletions src/adapter/src/catalog/state.rs
Expand Up @@ -375,13 +375,10 @@ impl CatalogState {
seen,
));
}
id @ ObjectId::Role(_) => {
let unseen = seen.insert(id.clone());
if unseen {
dependents.push(id.clone());
}
ObjectId::NetworkPolicy(id) => {
dependents.extend_from_slice(&self.network_policy_dependents(*id, seen));
}
id @ ObjectId::NetworkPolicy(_) => {
id @ ObjectId::Role(_) => {
let unseen = seen.insert(id.clone());
if unseen {
dependents.push(id.clone());
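Review bot: logic point: the removed `id @ ObjectId::NetworkPolicy(_)` arm inserted the id into `seen` before pushing it, whereas the new arm calls `self.network_policy_dependents(*id, seen)`, which (per its definition later in this file) ignores `_seen` and always returns `vec![object_id]`. If the same policy id is reached twice in one traversal it will now appear twice in `dependents`. Either keep the `seen.insert(...)` guard in this arm, as the `Role` arm directly below still does, or perform it inside `network_policy_dependents`.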
Expand All @@ -399,7 +396,7 @@ impl CatalogState {
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly userful for the order to drop
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
fn cluster_dependents(
&self,
Expand Down Expand Up @@ -430,7 +427,7 @@ impl CatalogState {
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly userful for the order to drop
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
pub(super) fn cluster_replica_dependents(
&self,
Expand All @@ -451,7 +448,7 @@ impl CatalogState {
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly userful for the order to drop
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
fn database_dependents(
&self,
Expand Down Expand Up @@ -481,7 +478,7 @@ impl CatalogState {
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly userful for the order to drop
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
fn schema_dependents(
&self,
Expand All @@ -507,7 +504,7 @@ impl CatalogState {
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly userful for the order to drop
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
pub(super) fn item_dependents(
&self,
Expand All @@ -533,6 +530,24 @@ impl CatalogState {
dependents
}

/// Returns all the IDs of all objects that depend on `network_policy_id`, including `network_policy_id`
/// itself.
///
/// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
/// earlier in the list than the roots. This is particularly useful for the order to drop
/// objects.
pub(super) fn network_policy_dependents(
&self,
network_policy_id: NetworkPolicyId,
_seen: &mut BTreeSet<ObjectId>,
) -> Vec<ObjectId> {
let object_id = ObjectId::NetworkPolicy(network_policy_id);
// Currently network policies have no dependents
// when we add the ability for users or sources/sinks to have policies
// this method will need to be updated.
vec![object_id]
}

/// Indicates whether the indicated item is considered stable or not.
///
/// Only stable items can be used as dependencies of other catalog items.
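Review bot: `network_policy_dependents` accepts `_seen` but neither consults nor updates it, so unlike the `Role` arm of its caller it does not de-duplicate repeat visits or mark the policy as seen; suggest `if !seen.insert(object_id.clone()) { return vec![]; }` before the final `vec![object_id]`. Separately, the inline comment anticipates users and sources/sinks referencing policies in future; until that dependency is tracked here, a `DROP NETWORK POLICY` on a policy that is still referenced will not be blocked by this path, so the follow-up deserves a TODO with a tracking issue rather than a bare comment.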
Expand Down Expand Up @@ -721,6 +736,15 @@ impl CatalogState {
.map(|id| &self.roles_by_id[id])
}

pub(super) fn try_get_network_policy_by_name(
&self,
policy_name: &str,
) -> Option<&NetworkPolicy> {
self.network_policies_by_name
.get(policy_name)
.map(|id| &self.network_policies_by_id[id])
}

pub(crate) fn collect_role_membership(&self, id: &RoleId) -> BTreeSet<RoleId> {
let mut membership = BTreeSet::new();
let mut queue = VecDeque::from(vec![id]);
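Review bot: missing documentation: `try_get_network_policy_by_name` mirrors the `roles_by_id` lookup just above and indexes `self.network_policies_by_id[id]` directly, which panics if `network_policies_by_name` and `network_policies_by_id` ever disagree; a one-line doc comment stating that the two maps are maintained in lockstep (and that the match on `policy_name` is exact, so `MyPolicy` and `mypolicy` are distinct keys) would make that invariant explicit for whoever adds the next mutation path.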