Feature/network policy sql

doc/user/content/sql/system-catalog/mz_internal.md

@@ -745,6 +745,10 @@ The `mz_network_policy_rules` table contains a row for each network policy rule.
 | `address`        | [`text`]   | The address the rule will take action on.                                                              |
 | `direction`      | [`text`]   | The direction of traffic the rule applies to. `ingress` is the only supported direction.               |
 
+## `mz_show_network_policies`
+
+The `mz_show_show_network_policies` view contains a row for each network policy in the system.
+
 ## `mz_show_all_privileges`
 
 The `mz_show_all_privileges` view contains a row for each privilege granted
@@ -1266,6 +1270,7 @@ The `mz_webhook_sources` table contains a row for each webhook source in the sys
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_databases -->
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_indexes -->
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_materialized_views -->
+<!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_network_policies -->
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_roles -->
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_schemas -->
 <!-- RELATION_SPEC_UNDOCUMENTED mz_internal.mz_show_secrets -->

doc/user/content/sql/types/mz_aclitem.md

@@ -26,17 +26,18 @@ is `<grantee>=<privileges>/<grantor>`.
 
 A list of all privileges and their abbreviations are below:
 
-| Privilege       | Description                                                                                    | Abbreviation      | Applicable Object Types                       |
-|-----------------|------------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------|
-| `SELECT`        | Allows reading rows from an object.                                                            | r(”read”)         | Table, View, Materialized View, Source        |
-| `INSERT`        | Allows inserting into an object.                                                               | a(”append”)       | Table                                         |
-| `UPDATE`        | Allows updating an object (requires SELECT if a read is necessary).                            | w(”write”)        | Table                                         |
-| `DELETE`        | Allows deleting from an object (requires SELECT if a read is necessary).                       | d                 | Table                                         |
-| `CREATE`        | Allows creating a new object within another object.                                            | C                 | Database, Schema, Cluster                     |
-| `USAGE`         | Allows using an object or looking up members of an object.                                     | U                 | Database, Schema, Connection, Secret, Cluster |
-| `CREATEROLE`    | Allows creating, altering, deleting roles and the ability to grant and revoke role membership. | R("Role")         | System                                        |
-| `CREATEDB`      | Allows creating databases.                                                                     | B("dataBase")     | System                                        |
-| `CREATECLUSTER` | Allows creating clusters.                                                                      | N("compute Node") | System                                        |
+| Privilege             | Description                                                                                    | Abbreviation        | Applicable Object Types                       |
+|-----------------------|------------------------------------------------------------------------------------------------|---------------------|-----------------------------------------------|
+| `SELECT`              | Allows reading rows from an object.                                                            | r(”read”)           | Table, View, Materialized View, Source        |
+| `INSERT`              | Allows inserting into an object.                                                               | a(”append”)         | Table                                         |
+| `UPDATE`              | Allows updating an object (requires SELECT if a read is necessary).                            | w(”write”)          | Table                                         |
+| `DELETE`              | Allows deleting from an object (requires SELECT if a read is necessary).                       | d                   | Table                                         |
+| `CREATE`              | Allows creating a new object within another object.                                            | C                   | Database, Schema, Cluster                     |
+| `USAGE`               | Allows using an object or looking up members of an object.                                     | U                   | Database, Schema, Connection, Secret, Cluster |
+| `CREATEROLE`          | Allows creating, altering, deleting roles and the ability to grant and revoke role membership. | R("Role")           | System                                        |
+| `CREATEDB`            | Allows creating databases.                                                                     | B("dataBase")       | System                                        |
+| `CREATECLUSTER`       | Allows creating clusters.                                                                      | N("compute Node")   | System                                        |
+| `CREATENETWORKPOLICY` | Allows creating network policies.                                                              | P("network Policy") | System                                        |
 
 The `CREATEROLE` privilege is very powerful. It allows roles to grant and revoke membership in
 other roles, even if it doesn't have explicit membership in those roles. As a consequence, any role

doc/user/sql-grammar/sql-grammar.bnf

@@ -84,7 +84,7 @@ comment_on ::=
   'COMMENT ON' (
     'CLUSTER' | 'CLUSTER REPLICA' | 'COLUMN' | 'CONNECTION' | 'DATABASE' | 'FUNCTION' |
     'INDEX' | 'MATERIALIZED VIEW' | 'ROLE' | 'SCHEMA' | 'SECRET' | 'SINK' | 'SOURCE' |
-    'TABLE' | 'TYPE' | 'VIEW'
+    'TABLE' | 'TYPE' | 'VIEW' | 'NETWORK POLICY'
   ) object_name 'IS' ( string_literal | 'NULL' )
 commit ::=
   'COMMIT'

src/adapter/src/catalog.rs

@@ -1672,6 +1672,16 @@ impl SessionCatalog for ConnCatalog<'_> {
         }
     }
 
+    fn resolve_network_policy(
+        &self,
+        policy_name: &str,
+    ) -> Result<&dyn mz_sql::catalog::CatalogNetworkPolicy, SqlCatalogError> {
+        match self.state.try_get_network_policy_by_name(policy_name) {
+            Some(policy) => Ok(policy),
+            None => Err(SqlCatalogError::UnknownNetworkPolicy(policy_name.into())),
+        }
+    }
+
     fn try_get_role(&self, id: &RoleId) -> Option<&dyn CatalogRole> {
         Some(self.state.roles_by_id.get(id)?)
     }

src/adapter/src/catalog/state.rs

@@ -375,13 +375,10 @@ impl CatalogState {
                         seen,
                     ));
                 }
-                id @ ObjectId::Role(_) => {
-                    let unseen = seen.insert(id.clone());
-                    if unseen {
-                        dependents.push(id.clone());
-                    }
+                ObjectId::NetworkPolicy(id) => {
+                    dependents.extend_from_slice(&self.network_policy_dependents(*id, seen));
                 }
-                id @ ObjectId::NetworkPolicy(_) => {
+                id @ ObjectId::Role(_) => {
                     let unseen = seen.insert(id.clone());
                     if unseen {
                         dependents.push(id.clone());
@@ -399,7 +396,7 @@ impl CatalogState {
     /// itself.
     ///
     /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
-    /// earlier in the list than the roots. This is particularly userful for the order to drop
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
     /// objects.
     fn cluster_dependents(
         &self,
@@ -430,7 +427,7 @@ impl CatalogState {
     /// itself.
     ///
     /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
-    /// earlier in the list than the roots. This is particularly userful for the order to drop
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
     /// objects.
     pub(super) fn cluster_replica_dependents(
         &self,
@@ -451,7 +448,7 @@ impl CatalogState {
     /// itself.
     ///
     /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
-    /// earlier in the list than the roots. This is particularly userful for the order to drop
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
     /// objects.
     fn database_dependents(
         &self,
@@ -481,7 +478,7 @@ impl CatalogState {
     /// itself.
     ///
     /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
-    /// earlier in the list than the roots. This is particularly userful for the order to drop
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
     /// objects.
     fn schema_dependents(
         &self,
@@ -507,7 +504,7 @@ impl CatalogState {
     /// itself.
     ///
     /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
-    /// earlier in the list than the roots. This is particularly userful for the order to drop
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
     /// objects.
     pub(super) fn item_dependents(
         &self,
@@ -533,6 +530,24 @@ impl CatalogState {
         dependents
     }
 
+    /// Returns all the IDs of all objects that depend on `network_policy_id`, including `network_policy_id`
+    /// itself.
+    ///
+    /// The order is guaranteed to be in reverse dependency order, i.e. the leafs will appear
+    /// earlier in the list than the roots. This is particularly useful for the order to drop
+    /// objects.
+    pub(super) fn network_policy_dependents(
+        &self,
+        network_policy_id: NetworkPolicyId,
+        _seen: &mut BTreeSet<ObjectId>,
+    ) -> Vec<ObjectId> {
+        let object_id = ObjectId::NetworkPolicy(network_policy_id);
+        // Currently network policies have no dependents
+        // when we add the ability for users or sources/sinks to have policies
+        // this method will need to be updated.
+        vec![object_id]
+    }
+
     /// Indicates whether the indicated item is considered stable or not.
     ///
     /// Only stable items can be used as dependencies of other catalog items.
@@ -721,6 +736,15 @@ impl CatalogState {
             .map(|id| &self.roles_by_id[id])
     }
 
+    pub(super) fn try_get_network_policy_by_name(
+        &self,
+        policy_name: &str,
+    ) -> Option<&NetworkPolicy> {
+        self.network_policies_by_name
+            .get(policy_name)
+            .map(|id| &self.network_policies_by_id[id])
+    }
+
     pub(crate) fn collect_role_membership(&self, id: &RoleId) -> BTreeSet<RoleId> {
         let mut membership = BTreeSet::new();
         let mut queue = VecDeque::from(vec![id]);