Skip to content

Add support for protected roles#29

Open
joelynch wants to merge 1 commit into
v25.8.24.21-lts-aivenfrom
joelynch/protected-role-258
Open

Add support for protected roles#29
joelynch wants to merge 1 commit into
v25.8.24.21-lts-aivenfrom
joelynch/protected-role-258

Conversation

@joelynch

@joelynch joelynch commented Jun 11, 2026

Copy link
Copy Markdown

Extends the existing protected-entity mechanism (the per-entity Protected flag plus the PROTECTED_ACCESS_MANAGEMENT global privilege, SQL keyword PROTECTED) to ROLE entities. A role marked PROTECTED can only be created, altered, renamed, replaced, dropped, moved between storages, or have its grants changed by a principal holding PROTECTED_ACCESS_MANAGEMENT. This lets service-managed roles exist as real SQL roles that ordinary cluster users cannot remove or tamper with.

Role-specific changes:

  • Role: add a protected_flag member, an isProtected() override, and include the flag in equal().
  • ASTCreateRoleQuery / ParserCreateRoleQuery: carry and parse the PROTECTED keyword on CREATE ROLE and [NOT] PROTECTED on ALTER ROLE, and round-trip it in formatImpl.
  • InterpreterCreateRoleQuery: require PROTECTED_ACCESS_MANAGEMENT when the statement sets PROTECTED; before any ON CLUSTER dispatch, read the existing role (ALTER and CREATE OR REPLACE) and require the privilege when the existing or new role is protected; re-check atomically via the insertOrReplace CheckFunc as defense-in-depth.
  • InterpreterShowCreateAccessEntityQuery: emit PROTECTED so the flag survives SHOW CREATE, ZooKeeper replication and backup/restore.
  • InterpreterMoveAccessEntityQuery: require the privilege when moving a protected role between storages.

The storage-layer CheckFunc plumbing and the DROP and GRANT/REVOKE interpreters are entity-agnostic and already key off isProtected(), so DROP ROLE and GRANT/REVOKE on a protected role are covered without further changes.

Changelog category (leave one):

  • New Feature
  • Experimental Feature
  • Improvement
  • Performance Improvement
  • Backward Incompatible Change
  • Build/Testing/Packaging Improvement
  • Documentation (changelog entry is not required)
  • Critical Bug Fix (crash, data loss, RBAC) or LOGICAL_ERROR
  • Bug Fix (user-visible misbehavior in an official stable release)
  • CI Fix or Improvement (changelog entry is not required)
  • Not for changelog (changelog entry is not required)

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

...

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@joelynch @claude
Add support for protected roles
827d8eb 
Extends the existing protected-entity mechanism (the per-entity
`Protected` flag plus the `PROTECTED_ACCESS_MANAGEMENT` global
privilege, SQL keyword `PROTECTED`) to ROLE entities. A role marked
`PROTECTED` can only be created, altered, renamed, replaced, dropped,
moved between storages, or have its grants changed by a principal
holding `PROTECTED_ACCESS_MANAGEMENT`. This lets service-managed roles
exist as real SQL roles that ordinary cluster users cannot remove or
tamper with.

Role-specific changes:
- Role: add a `protected_flag` member, an `isProtected()` override, and
  include the flag in `equal()`.
- ASTCreateRoleQuery / ParserCreateRoleQuery: carry and parse the
  `PROTECTED` keyword on CREATE ROLE and `[NOT] PROTECTED` on ALTER ROLE,
  and round-trip it in `formatImpl`.
- InterpreterCreateRoleQuery: require `PROTECTED_ACCESS_MANAGEMENT` when
  the statement sets `PROTECTED`; before any ON CLUSTER dispatch, read
  the existing role (ALTER and CREATE OR REPLACE) and require the
  privilege when the existing or new role is protected; re-check
  atomically via the `insertOrReplace` CheckFunc as defense-in-depth.
- InterpreterShowCreateAccessEntityQuery: emit `PROTECTED` so the flag
  survives SHOW CREATE, ZooKeeper replication and backup/restore.
- InterpreterMoveAccessEntityQuery: require the privilege when moving a
  protected role between storages.

The storage-layer CheckFunc plumbing and the DROP and GRANT/REVOKE
interpreters are entity-agnostic and already key off `isProtected()`,
so DROP ROLE and GRANT/REVOKE on a protected role are covered without
further changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@joelynch joelynch marked this pull request as ready for review June 11, 2026 10:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joelynch