Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Account for columns on Postgres without SELECT permission #2405

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Account for columns on Postgres without SELECT permission #2405

wants to merge 7 commits into from

Conversation

Amogh-Bharadwaj
Copy link
Contributor

@Amogh-Bharadwaj Amogh-Bharadwaj commented Dec 30, 2024
edited
Loading

We currently require all columns to be SELECT-able in a table for it to be synced. However, if a user is excluding columns from a table, it is a valid expectation that SELECT permissions would not be required for those excluded columns.

This PR takes a crack at supporting this use-case.

It involves:

  • Passing column exclusion information to getTableSchema
  • Passing column exclusion information to CheckSourceTables in validate_mirror.go

It also adds a new E2E test and a utility function for it which grants only selected columns SELECT privileges

serprex
serprex reviewed Dec 30, 2024
View reviewed changes
flow/shared/postgres.go Outdated Show resolved Hide resolved
heavycrystal
heavycrystal reviewed Dec 30, 2024
View reviewed changes
flow/connectors/core.go Show resolved Hide resolved
flow/connectors/postgres/postgres.go Outdated Show resolved Hide resolved
flow/connectors/postgres/postgres.go Show resolved Hide resolved
flow/e2e/congen.go Outdated Show resolved Hide resolved
@Amogh-Bharadwaj
Copy link
Contributor Author

Functionally tested

serprex
serprex reviewed Dec 31, 2024
View reviewed changes
flow/connectors/postgres/validate.go
@@ -25,10 +26,26 @@ func (c *PostgresConnector) CheckSourceTables(ctx context.Context,
var row pgx.Row
tableArr = append(tableArr, fmt.Sprintf(`(%s::text,%s::text)`,
QuoteLiteral(parsedTable.Schema), QuoteLiteral(parsedTable.Table)))

selectedColumnsStr := "*"
if _, ok := excludedColumnsMap[parsedTable.Schema+"."+parsedTable.Table]; ok {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is always going to be a pain, since we parsed req.ConnectionConfigs.TableMappings for tableNames while excludedColumnsMap is built on the raw strings from req.ConnectionConfigs.TableMappings. So you can't really use parsedTable.String() but that's what you'd want if you were going to properly handle cases like "sch.e""ma"."ta.b""le" which parses to sch.e"ma.ta.b"le

serprex
serprex reviewed Dec 31, 2024
View reviewed changes
flow/shared/postgres.go
func ConstructExcludedColumnsList(tableMappings []*protos.TableMapping) map[string][]string {
excludedColumns := make(map[string][]string)
for _, tm := range tableMappings {
excludedColumns[tm.SourceTableIdentifier] = slices.Clone(tm.Exclude)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
excludedColumns[tm.SourceTableIdentifier] = slices.Clone(tm.Exclude)
excludedColumns[tm.SourceTableIdentifier] = tm.Exclude

Exclude should never be mutated (I mean should as in people should not do that, code today does not do that, because doing that would be bad)

serprex
serprex reviewed Dec 31, 2024
View reviewed changes
flow/e2e/congen.go

// 1. Revoke all permissions on the table
if _, err := conn.Exec(context.Background(),
fmt.Sprintf("REVOKE ALL ON TABLE %s.%s FROM postgres", schemaTable.Schema, schemaTable.Table)); err != nil {
Copy link
Contributor

@serprex serprex Dec 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fmt.Sprintf("REVOKE ALL ON TABLE %s.%s FROM postgres", schemaTable.Schema, schemaTable.Table)); err != nil {
fmt.Sprintf("REVOKE ALL ON TABLE %s FROM postgres", schemaTable)); err != nil {

should be done throughout

serprex
serprex reviewed Dec 31, 2024
View reviewed changes
flow/e2e/clickhouse/peer_flow_ch_test.go
dstTableName := "test_unprivileged_columns_dst"

_, err := s.Conn().Exec(context.Background(), fmt.Sprintf(`
CREATE TABLE IF NOT EXISTS %s (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should include some oddly named columns (apostrophes etc), including in the set of excluded columns

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heavycrystal heavycrystal heavycrystal left review comments

@serprex serprex serprex left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Amogh-Bharadwaj @serprex @heavycrystal