Closed wiebeytec closed 1 week ago
We discussed this in the team, and we have a solution that we would like to try out. We're gonna use schema-tracking to get the list of tables that are available. Any table name that is not present there, we will not check ACLs for them. This will fix the issue for CTEs since those aren't actual tables and we would then skip ACL checks for them.
Overview of the Issue
The name of a CTE is considered a table (object) for the ACL checks. So if you don't approve the CTE name, it fails:
Reproduction Steps
Use this ACL with
vttablet --queryserver-config-strict-table-acl --enforce-tableacl-config --table-acl-config file.json
And run
Result is:
When adding
my_cte
to the permission list, ormy%
it works again.Binary Version
Operating System and Environment details