v.25.7 New Feature
Introduced two new access types: `READ` and `WRITE` for sources and deprecated all previous access types related to sources. Before `GRANT S3 ON *.* TO user`, now: `GRANT READ, WRITE ON S3 TO user`. This also allows separating `READ` and `WRITE` permissions for sources, e.g.: `GRANT READ ON * TO user`, `GRANT WRITE ON S3 TO user`. The feature is controlled by a setting `access_control_improvements.enable_read_write_grants` and is disabled by default. #73659 (pufit).
Why it matters
This feature solves the problem of coarse-grained source permissions by allowing users to separately grant `READ` and `WRITE` access. It improves security and flexibility in managing source permissions by enabling distinct control over read and write operations.
How to use it
Enable the feature via the setting `access_control_improvements.enable_read_write_grants` (disabled by default). Then use the new syntax to grant permissions, for example:
```sql
GRANT READ ON * TO user;
GRANT WRITE ON S3 TO user;
```
This replaces the previous form such as `GRANT S3 ON *.* TO user`.
Related resources
- Pull Request #73659