You are viewing a plain text version of this content. The canonical link for it is here.

Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/11/15 18:20:19 UTC

[GitHub] [beam] nuggetwheat opened a new pull request, #24177: Strip FGAC database role from changestreams metadata requests

nuggetwheat opened a new pull request, #24177:
URL: https://github.com/apache/beam/pull/24177

   To support fine-grained access control (FGAC) for Spanner Change Streams, we've added a database role to the Spanner config.  When the user sets the database role, Spanner will verify that the role has appropriate permissions to, for example, read the change stream.  Since Spanner Change Streams are split into multiple partitions that are read independently, Beam stores partition read progress information into a metadata database table.  This table is created by the Beam framework and is transparent to the user.  However, the Spanner Config that the user creates is not only used to access the primary database that contains the change stream, but it is also used to access the metadata database.  This is problematic when the user specifies a database role because the role is used to access the metadata table and since it hasn't been granted access to the table, the operation fails with an error like the following:
   ```
   PERMISSION_DENIED: Role test_role does not have required privileges on table CDC_Partitions_Metadata_testdbchangestreams_580294176_5b5541dd_ebd9_4b68_8053_7978b9448a02
   ```
   This commit fixes the problem by stripping the database role from the metadata Spanner Config used to access the metadata tables.
   R: @pabloem 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [beam] pabloem commented on pull request #24177: Strip FGAC database role from changestreams metadata requests

Posted by GitBox <gi...@apache.org>.

pabloem commented on PR #24177:
URL: https://github.com/apache/beam/pull/24177#issuecomment-1315910247

   Run Java PreCommit


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [beam] pabloem merged pull request #24177: Strip FGAC database role from changestreams metadata requests

Posted by GitBox <gi...@apache.org>.

pabloem merged PR #24177:
URL: https://github.com/apache/beam/pull/24177


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [beam] pabloem commented on pull request #24177: Strip FGAC database role from changestreams metadata requests

Posted by GitBox <gi...@apache.org>.

pabloem commented on PR #24177:
URL: https://github.com/apache/beam/pull/24177#issuecomment-1315755588

   LGTM!
   Thanks. This makes sense to me.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [beam] pabloem commented on pull request #24177: Strip FGAC database role from changestreams metadata requests

Posted by GitBox <gi...@apache.org>.

pabloem commented on PR #24177:
URL: https://github.com/apache/beam/pull/24177#issuecomment-1315756599

   I'll merge once we get passing tests.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [beam] github-actions[bot] commented on pull request #24177: Strip FGAC database role from changestreams metadata requests

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on PR #24177:
URL: https://github.com/apache/beam/pull/24177#issuecomment-1315742957

   Assigning reviewers. If you would like to opt out of this review, comment `assign to next reviewer`:
   
   R: @kennknowles for label java.
   R: @ahmedabu98 for label io.
   
   Available commands:
   - `stop reviewer notifications` - opt out of the automated review tooling
   - `remind me after tests pass` - tag the comment author after tests pass
   - `waiting on author` - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)
   
   The PR bot will only process comments in the main thread (not review comments).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org