Skip to content
This repository has been archived by the owner on Jan 17, 2025. It is now read-only.

All ACL access will be revoked in the future #117

Open
olivermeyer opened this issue Feb 27, 2023 · 3 comments
Open

All ACL access will be revoked in the future #117

olivermeyer opened this issue Feb 27, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@olivermeyer
Copy link
Contributor

Hi,

I found out from AWS support that all access to ACLs will be revoked from Redshift, as they consider this to be internal information and don't want users to access it directly. This will break the provider, as it relies heavily on ACLs for grants and default privileges.

I asked them for alternatives, and they exist:

  • svv_relation_privileges, svv_schema_privileges, svv_database_privileges and so on for table/schema/database/etc privileges
  • svv_default_privileges for default privileges

They didn't tell me exactly when access will be revoked.

I'm not familiar with Go at all so I can't rewrite the whole thing, but I checked the readDatabaseGrants function to see what changes are required, and it seems doable with something like this:

func readDatabaseGrants(db *DBConnection, d *schema.ResourceData) error {
	var identityType, identityName, query string
	var databaseCreate, databaseTemp bool

	_, isUser := d.GetOk(grantUserAttr)

	if isUser {
		identityType = "user"
		identityName = d.Get(grantUserAttr).(string)
	} else {
		identityType = "group"
		identityName = d.Get(grantGroupAttr).(string)
	}

	query = `
SELECT privilege_type
FROM svv_database_privileges
WHERE
    database_name=$1
    AND identity_type=$2
    AND identity_name=$3
`

	queryArgs := []interface{}{db.client.databaseName, identityType, identityName}

...
}

Everything below that line would have to be updated, since the query now returns a list of privileges for that database and identity, and that's the part I can't do.

@winglot
Copy link
Member

winglot commented Mar 2, 2023

Hi,
thanks for the heads up. I will reach out to our AWS TAM to get the exact date and schedule the necessary work.

@winglot winglot added the enhancement New feature or request label Mar 2, 2023
@sworisbreathing
Copy link
Contributor

hi @winglot did you ever hear back from your TAM about this? This is the first I've heard of it.

@olivermeyer do you recall if AWS support pointed you to any documentation or announcement about it?

@sworisbreathing
Copy link
Contributor

FWIW I've been working on a pretty significant rewrite of the provider codebase over the past few weeks. I've been looking into the grant stuff over the past couple days and I think I'm going to have to introduce a breaking change (which would trigger a major version bump) to grants. I was really hoping to avoid it and make everything transparent to the end user, but there've been so many changes to the permission model in Redshift over the past couple years (i.e. roles-which-are-not-postgres-roles, assume-role permission, model permissions, etc) that I don't think the existing redshift_grant resource can easily support.

StevenKGER pushed a commit to dbsystel/terraform-provider-redshift that referenced this issue Oct 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants