rust
/
Materialize


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167
							# Copyright Materialize, Inc. and contributors. All rights reserved.
#
# Use of this software is governed by the Business Source License
# included in the LICENSE file at the root of this repository.
#
# As of the Change Date specified in that file, in accordance with
# the Business Source License, use of this software will be governed
# by the Apache License, Version 2.0.

# Tests that assert the privileges that are assumed to be always granted to
# the mz_support user.

statement ok
CREATE TABLE t (a INT)

simple conn=mz_support,user=mz_support
SET CLUSTER TO quickstart
----
COMPLETE 0

# The mz_support user cannot execute `SELECT ...` commands.
simple conn=mz_support,user=mz_support
SELECT * FROM t
----
db error: ERROR: permission denied for TABLE "materialize.public.t"
DETAIL: The 'mz_support' role needs SELECT privileges on TABLE "materialize.public.t"

# The mz_support user cannot execute `INSERT ...` commands.
simple conn=mz_support,user=mz_support
INSERT INTO t VALUES (42)
----
db error: ERROR: permission denied for TABLE "materialize.public.t"
DETAIL: The 'mz_support' role needs INSERT privileges on TABLE "materialize.public.t"

# The mz_support user cannot execute `UPDATE ...` commands.
simple conn=mz_support,user=mz_support
UPDATE t SET a = 5
----
db error: ERROR: permission denied for TABLE "materialize.public.t"
DETAIL: The 'mz_support' role needs UPDATE privileges on TABLE "materialize.public.t"

# The mz_support user cannot execute `DELETE ...` commands.
simple conn=mz_support,user=mz_support
DELETE FROM t WHERE a IS NOT NULL
----
db error: ERROR: permission denied for TABLE "materialize.public.t"
DETAIL: The 'mz_support' role needs DELETE privileges on TABLE "materialize.public.t"

# The mz_support user cannot execute create objects.
simple conn=mz_support,user=mz_support
CREATE VIEW vv AS SELECT 66
----
db error: ERROR: permission denied for SCHEMA "materialize.public"
DETAIL: The 'mz_support' role needs CREATE privileges on SCHEMA "materialize.public"

# The mz_support user can SHOW public system vars.
simple conn=mz_support,user=mz_support
SHOW max_tables;
----
100
COMPLETE 1

# The mz_support user can SHOW internal system vars.
simple conn=mz_support,user=mz_support
SHOW log_filter;
----
warn
COMPLETE 1

# The mz_support user cannot ALTER SYSTEM SET public system vars.
simple conn=mz_support,user=mz_support
ALTER SYSTEM SET max_tables = 1234;
----
db error: ERROR: permission denied to alter system
DETAIL: You must be the 'mz_system' role

# The mz_support user cannot ALTER SYSTEM SET internal system vars.
simple conn=mz_support,user=mz_support
ALTER SYSTEM SET log_filter = 'error';
----
db error: ERROR: permission denied to alter system
DETAIL: You must be the 'mz_system' role

# The mz_support user cannot ALTER SYSTEM RESET public system vars.
simple conn=mz_support,user=mz_support
ALTER SYSTEM RESET max_tables;
----
db error: ERROR: permission denied to alter system
DETAIL: You must be the 'mz_system' role

# The mz_support user cannot ALTER SYSTEM RESET internal system vars.
simple conn=mz_support,user=mz_support
ALTER SYSTEM RESET log_filter;
----
db error: ERROR: permission denied to alter system
DETAIL: You must be the 'mz_system' role

# The mz_support user cannot query the un-redacted statement log tables
simple conn=mz_support,user=mz_support
SELECT count(*) >= 0 FROM mz_internal.mz_statement_execution_history
----
db error: ERROR: permission denied for SOURCE "mz_internal.mz_statement_execution_history"
DETAIL: The 'mz_support' role needs SELECT privileges on SOURCE "mz_internal.mz_statement_execution_history"

simple conn=mz_support,user=mz_support
SELECT count(*) >= 0 FROM mz_internal.mz_sql_text
----
db error: ERROR: permission denied for SOURCE "mz_internal.mz_sql_text"
DETAIL: The 'mz_support' role needs SELECT privileges on SOURCE "mz_internal.mz_sql_text"

# It _can_ query the bowdlerized tables
simple conn=mz_support,user=mz_support
SELECT count(*) >= 0 FROM mz_internal.mz_sql_text_redacted
----
t
COMPLETE 1

simple conn=mz_support,user=mz_support
SELECT count(*) >= 0 FROM mz_internal.mz_statement_execution_history_redacted
----
t
COMPLETE 1

# Can use explain schema
simple conn=mz_system,user=mz_system
ALTER SYSTEM SET enable_connection_validation_syntax TO true;
----
COMPLETE 0

simple conn=mz_system,user=mz_system
CREATE CONNECTION kafka_conn TO KAFKA (BROKER 'localhost:9092', SECURITY PROTOCOL PLAINTEXT) WITH (VALIDATE = false);
----
COMPLETE 0

simple conn=mz_system,user=mz_system
CREATE CONNECTION IF NOT EXISTS csr_conn TO CONFLUENT SCHEMA REGISTRY (URL 'https://google.com') WITH (VALIDATE = false);
----
COMPLETE 0

simple multiline,conn=mz_support,user=mz_support
EXPLAIN VALUE SCHEMA FOR CREATE SINK sink FROM t INTO KAFKA CONNECTION kafka_conn (TOPIC 'topic') KEY (a) NOT ENFORCED FORMAT AVRO USING CONFLUENT SCHEMA REGISTRY CONNECTION csr_conn ENVELOPE UPSERT;
----
{
  "type": "record",
  "name": "envelope",
  "fields": [
    {
      "name": "a",
      "type": [
        "null",
        "int"
      ]
    }
  ]
}
EOF
COMPLETE 1

simple conn=mz_system,user=mz_system
DROP CONNECTION kafka_conn;
----
COMPLETE 0

simple conn=mz_system,user=mz_system
DROP CONNECTION csr_conn;
----
COMPLETE 0