Add filesystem access control documentation for procedure rules
codesorcery authored and mosabua committed Feb 29, 2024
1 parent 7dddd03 commit f5d3348
Showing 1 changed file with 61 additions and 0 deletions.
61 changes: 61 additions & 0 deletions docs/src/main/sphinx/security/file-system-access-control.md
Expand Up @@ -432,6 +432,67 @@ any catalog, and allows all users to create, drop, and execute functions (includ
}
```

(system-file-procedure-rules)=
#### Procedure rules

These rules control the ability of a user to execute procedures.

Procedures are used for administrative operations on a specific catalog, such as
registering external tables or flushing the connector's cache. Available
procedures are detailed in the connector documentation pages.

When procedure rules are present, the authorization is based on the first
matching rule, processed from top to bottom. If no rules match, the
authorization is denied. If procedure rules are not present, only procedures in
`system.builtin` can be executed.

Each procedure rule is composed of the following fields:

- `user` (optional): regular expression to match against user name.
Defaults to `.*`.
- `role` (optional): regular expression to match against role names.
Defaults to `.*`.
- `group` (optional): regular expression to match against group names.
Defaults to `.*`.
- `catalog` (optional): regular expression to match against catalog name.
Defaults to `.*`.
- `schema` (optional): regular expression to match against schema name.
Defaults to `.*`.
- `procedure` (optional): regular expression to match against procedure names.
Defaults to `.*`.
- `privileges` (required): zero or more of `EXECUTE`, `GRANT_EXECUTE`.

The following example allows the `admin` user to execute and grant execution
rights to call `register_table` and `unregister_table` in the `system` schema of
a catalog called `delta`, that uses the [Delta Lake
connector](/connector/delta-lake). It allows all users to execute the
`delta.sytem.vacuum` procedure.

```json
{
"procedures": [
{
"user": "admin",
"catalog": "delta",
"schema": "system",
"procedure": "register_table|unregister_table",
"privileges": [
"EXECUTE",
"GRANT_EXECUTE"
]
},
{
"catalog": "delta",
"schema": "system",
"procedure": "vacuum",
"privileges": [
"EXECUTE"
]
}
]
}
```

(verify-rules)=

#### Verify configuration
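Review bot: the procedure name in the prose line reading "It allows all users to execute the `delta.sytem.vacuum` procedure." is misspelled; it should be `delta.system.vacuum`, matching `"schema": "system"` and `"procedure": "vacuum"` in the JSON example below it. In the same paragraph, "a catalog called `delta`, that uses the" should drop the comma ("a catalog called `delta` that uses the"). Since the section states that once procedure rules are present any call not matched by a rule is denied, while without rules `system.builtin` procedures are allowed, it would help readers to say explicitly that the example as written grants no access to `system.builtin` procedures, and to show the extra rule needed if that default access should be preserved.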
