This repository has been archived by the owner on Jan 17, 2025. It is now read-only.

Allow TRUNCATE grant for groups on table #92

Closed
remi-faydide-finalcad opened this issue Nov 2, 2022 · 2 comments

Comments

@remi-faydide-finalcad

Goal

When I try to implement a grant privilege including truncate, I have the following error:

Error: Invalid privileges list [select truncate update insert delete] for object of type table

  on redshift_queries.tf line 82, in resource "redshift_grant" "data_group_tables":
  82: resource "redshift_grant" "data_group_tables" {

If I comment out the truncate privilege, everything goes fine.

Part of my code where I have the issue

# create data group
resource "redshift_group" "data_group" {
  depends_on = [aws_redshift_cluster.redshift_cluster]
  name       = "DATA_USERS"
  users = [
    redshift_user.data_user.name
  ]
}

# Init tables if needed
resource "aws_redshiftdata_statement" "init_tables" {
  depends_on         = [redshift_schema.schema]
  for_each           = local.sql_table_list
  cluster_identifier = aws_redshift_cluster.redshift_cluster.cluster_identifier
  database           = aws_redshift_cluster.redshift_cluster.database_name
  db_user            = aws_redshift_cluster.redshift_cluster.master_username
  statement_name     = replace(each.value.file_name, ".sql", "")
  sql                = file("templates/${each.value.file_name}")
}

# add grant on tables
resource "redshift_grant" "data_group_tables" {
  for_each    = aws_redshiftdata_statement.init_tables
  group       = redshift_group.data_group.name
  schema      = redshift_schema.schema.name
  object_type = "table"
  objects     = [each.key]
  privileges = [
    "select",
    "insert",
    "delete",
    "truncate",
    "update"
  ]
}

Part of the solution (I guess)

After searching a bit in the code, I found that the error comes from the validatePrivileges function in the helpers.go file (L169 for the case "TABLE").

There is probably other stuff to do, but I don't really have the time to investigate for now.

AWS doc

Part of the doc for the truncate privilege

Thank you for your feedback

@remi-faydide-finalcad
Author

⬆️ Anyone, please?

@winglot
Member

winglot commented Jan 17, 2023

Hi,
according to the documentation at https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html, the TRUNCATE privilege is only supported for roles, in the form GRANT TRUNCATE TABLE TO <role name>. The provider currently only supports users and groups; there is no support for roles/RBAC.

I will close the issue in favor of #87 which is a feature request for RBAC/Roles support in the provider.

@winglot winglot closed this as completed Jan 17, 2023
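As an added example (not the provider's own helpers.go code), here is how a grantee-aware validation in the provider's language, Go, could reject the grant from the issue before anything is sent to the cluster. The privilege sets and the grantee kinds ("user", "group", "role") are assumptions modelled on the GRANT documentation linked above, not copied from the provider.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed table privileges a user, group or role may receive (modelled on the
// Redshift GRANT docs cited in the thread; not the provider's own table).
var tablePrivileges = set("select", "insert", "update", "delete", "references", "drop")
// Assumed privileges Redshift only lets you grant to a role, never to a user or group.
var roleOnlyTablePrivileges = set("truncate")

func set(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

// validateTablePrivileges checks a table grant before it reaches the cluster.
// It returns nil when every privilege is allowed for the grantee kind, otherwise
// an error listing the rejected privileges, close to the message quoted in the issue.
func validateTablePrivileges(granteeKind string, privileges []string) error {
	kind := strings.ToLower(granteeKind)
	if kind != "user" && kind != "group" && kind != "role" {
		return fmt.Errorf("unsupported grantee kind %q", granteeKind)
	}
	var rejected []string
	for _, p := range privileges {
		p = strings.ToLower(strings.TrimSpace(p))
		switch {
		case tablePrivileges[p]:
			// ordinary table privilege: fine for any grantee kind
		case roleOnlyTablePrivileges[p] && kind == "role":
			// truncate is acceptable only when the grantee is a role
		default:
			rejected = append(rejected, p)
		}
	}
	if len(rejected) == 0 {
		return nil
	}
	sort.Strings(rejected)
	return fmt.Errorf("Invalid privileges list %v for object of type table when granting to a %s", rejected, kind)
}
```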