Feature: RBAC Enhancement for CONNECTION Object Permission Control #18359

@TCeason

Summary

Issue Type: Feature Enhancement / Security

Description:

The current system employs coarse-grained permission management for CONNECTION objects, lacking fine-grained control. To enhance security and manageability, we propose implementing Role-Based Access Control (RBAC) mechanisms to enforce permission constraints on CONNECTION creation, usage, and administration. This feature delivers flexible permission configurations to meet enterprise-grade requirements for data pipeline security governance.

Key Changes:

  1. New Configuration Parameter: Introduces enable_experimental_connection_rbac_check to toggle RBAC permission verification for connections. Disabled by default for backward compatibility.
  2. Global Privileges: Adds CREATE CONNECTION and ACCESS CONNECTION global privileges governing connection creation and unrestricted usage rights respectively.
  3. Granular Permission Syntax: Supports granting USAGE and OWNERSHIP privileges on specific connections.
  4. Ownership Model: Implements OWNERSHIP semantics, allowing privileged users/roles to perform arbitrary DDL operations on connections.
  5. Permission Verification Logic: Explicitly defines SUPER privilege requirements for non-owners executing DDL operations.

Detailed Design & Implementation:

1. New System Parameter

  • Parameter: enable_experimental_connection_rbac_check
  • Default: false (disabled)
  • Behavior:
      • When false: skips RBAC checks for CONNECTION operations (legacy behavior).
      • When true: enforces RBAC verification for all CONNECTION operations (create/use/DDL).

2. Global Privilege Types

  • CREATE CONNECTION:
      • Description: grants permission to create any CONNECTION.
      • Syntax example: GRANT CREATE CONNECTION ON *.* TO ROLE/USER
      • Effect: authorized entities may execute CREATE CONNECTION without database/table-specific privileges.
  • ACCESS CONNECTION:
      • Description: grants unrestricted usage rights for all connections.
      • Syntax example: GRANT ACCESS CONNECTION ON *.* TO ROLE/USER
      • Effect: authorized entities may use any existing CONNECTION regardless of object-specific USAGE permissions.

3. Supported Permission Syntax

  • Global Create Privilege: GRANT CREATE CONNECTION ON *.* TO ROLE/USER
  • Global Usage Privilege: GRANT ACCESS CONNECTION ON *.* TO ROLE/USER
  • Connection-Specific Usage: GRANT USAGE ON CONNECTION <connection_name> TO ROLE/USER
      • Effect: grants usage rights for the specified connection.
  • Connection Ownership Transfer: GRANT OWNERSHIP ON CONNECTION <connection_name> TO ROLE
      • Effect: assigns full DDL privileges for the target connection.

4. Connection Ownership Semantics

  • Users inheriting a role with OWNERSHIP on a CONNECTION are designated as its owners.
  • Owners may execute all DDL operations, including but not limited to:
      • DROP CONNECTION <connection_name>
      • SHOW CREATE CONNECTION <connection_name>
      • (future DDL extensions)

5. DDL Privilege Requirements for Non-Owners

  • Users lacking OWNERSHIP on a CONNECTION must possess SUPER privileges to execute DDL operations (e.g., DROP, SHOW CREATE).
  • When RBAC is enabled, SHOW CONNECTIONS shall only display connections where the user has either:
      • USAGE or OWNERSHIP privileges on that connection, OR
      • global ACCESS CONNECTION ON *.* or SUPER privileges.
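The following is an added reference model of the check logic described in sections 1 to 5; it is example code written for this issue, not Databend's implementation, and uses Python only to pin down the decision rules independently of the SQL syntax. It makes three assumptions the proposal does not state explicitly: SUPER satisfies every check (the text names SUPER only for non-owner DDL and for SHOW CONNECTIONS), OWNERSHIP implies usage, and creating a connection does not automatically make the creator its owner. All principal and connection names are constructed.

```python
"""Reference model of the proposed CONNECTION RBAC rules (sections 1-5).

Added example for this issue, not Databend code. It captures only the
decision logic: who may CREATE, use, run DDL on, or list a CONNECTION.
Assumptions beyond the proposal: SUPER passes every check, OWNERSHIP
implies usage, and the creator is not made owner automatically.
"""
from collections import defaultdict

SUPER = "SUPER"
CREATE_CONNECTION = "CREATE CONNECTION"
ACCESS_CONNECTION = "ACCESS CONNECTION"
DDL_OPS = {"DROP", "SHOW CREATE"}


class ConnectionRbac:
    def __init__(self, enable_experimental_connection_rbac_check=False):
        # Mirrors the proposed setting; False keeps the legacy (unchecked) behaviour.
        self.enabled = enable_experimental_connection_rbac_check
        self.global_privs = defaultdict(set)  # principal -> privileges granted ON *.*
        self.usage = defaultdict(set)         # principal -> connections with USAGE
        self.ownership = defaultdict(set)     # role -> connections with OWNERSHIP
        self.roles = defaultdict(set)         # user/role -> directly granted roles
        self.connections = set()

    # GRANT / REVOKE, one method per statement form in section 3
    def grant_global(self, priv, principal):    # GRANT <priv> ON *.* TO ...
        self.global_privs[principal].add(priv)

    def revoke_global(self, priv, principal):
        self.global_privs[principal].discard(priv)

    def grant_usage(self, conn, principal):     # GRANT USAGE ON CONNECTION <conn> TO ...
        self.usage[principal].add(conn)

    def revoke_usage(self, conn, principal):
        self.usage[principal].discard(conn)

    def grant_ownership(self, conn, role):      # GRANT OWNERSHIP ON CONNECTION <conn> TO ROLE
        self.ownership[role].add(conn)

    def revoke_ownership(self, conn, role):
        self.ownership[role].discard(conn)

    def grant_role(self, role, principal):      # role inheritance, resolved transitively
        self.roles[principal].add(role)

    def _principals(self, user):
        """The user plus every role reachable through role-to-role grants."""
        seen, stack = {user}, [user]
        while stack:
            for r in self.roles[stack.pop()]:
                if r not in seen:
                    seen.add(r)
                    stack.append(r)
        return seen

    def _has_global(self, user, priv):
        return any(priv in self.global_privs[p] for p in self._principals(user))

    def is_owner(self, user, conn):
        # Section 4: ownership held by an inherited role makes the user an owner
        return any(conn in self.ownership[p] for p in self._principals(user))

    def has_usage(self, user, conn):
        return any(conn in self.usage[p] for p in self._principals(user))

    # Permission checks
    def can_create_connection(self, user):
        return (not self.enabled or self._has_global(user, SUPER)
                or self._has_global(user, CREATE_CONNECTION))

    def create_connection(self, user, conn):
        if not self.can_create_connection(user):
            raise PermissionError(f"{user}: CREATE CONNECTION denied")
        self.connections.add(conn)  # assumption: no OWNERSHIP is assigned on creation

    def can_use_connection(self, user, conn):
        return (not self.enabled or self._has_global(user, SUPER)
                or self._has_global(user, ACCESS_CONNECTION)
                or self.has_usage(user, conn) or self.is_owner(user, conn))

    def can_ddl_connection(self, user, conn, op="DROP"):
        # Section 5: a non-owner needs SUPER for DROP / SHOW CREATE
        if op not in DDL_OPS:
            raise ValueError(f"unknown DDL operation {op!r}")
        return not self.enabled or self.is_owner(user, conn) or self._has_global(user, SUPER)

    def show_connections(self, user):
        # Section 5 filter: USAGE or OWNERSHIP, or global ACCESS CONNECTION / SUPER
        if (not self.enabled or self._has_global(user, SUPER)
                or self._has_global(user, ACCESS_CONNECTION)):
            return sorted(self.connections)
        return sorted(c for c in self.connections
                      if self.has_usage(user, c) or self.is_owner(user, c))


def demo():
    """Constructed scenario with RBAC enabled; returns the populated model."""
    rbac = ConnectionRbac(enable_experimental_connection_rbac_check=True)
    rbac.grant_global(SUPER, "dba")
    rbac.grant_global(CREATE_CONNECTION, "etl_admin")
    rbac.grant_global(ACCESS_CONNECTION, "analyst")
    rbac.create_connection("etl_admin", "s3_landing")
    rbac.create_connection("etl_admin", "s3_archive")
    rbac.grant_ownership("s3_landing", "landing_owner")
    rbac.grant_role("landing_owner", "alice")   # alice owns s3_landing via the role
    rbac.grant_usage("s3_landing", "bob")       # bob may use s3_landing only
    return rbac


if __name__ == "__main__":
    r = demo()
    for u in ("dba", "etl_admin", "analyst", "alice", "bob", "eve"):
        print(u, r.show_connections(u), r.can_ddl_connection(u, "s3_landing"))
```

Each of the acceptance criteria maps onto one call here: `can_create_connection` for criterion 2, `can_use_connection` for 3 and 4, `can_ddl_connection` for 5 and 6, `show_connections` for 7, and the `revoke_*` methods for 8; an instance built with the default `enable_experimental_connection_rbac_check=False` returns True from every check, which is criterion 1's legacy path.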

Compatibility & Impact:

  • Backward Compatibility: Default disabled state (enable_experimental_connection_rbac_check=false) ensures zero behavior changes post-upgrade.
  • Progressive Adoption: Organizations may manually enable the feature when ready.

Acceptance Criteria:

  1. The enable_experimental_connection_rbac_check parameter correctly persists and controls RBAC enforcement.
  2. GRANT CREATE CONNECTION ON *.* enables successful connection creation.
  3. GRANT ACCESS CONNECTION ON *.* permits unrestricted connection usage.
  4. GRANT USAGE ON CONNECTION <name> restricts usage to specified connections.
  5. GRANT OWNERSHIP ON CONNECTION <name> authorizes full DDL control (e.g., DROP).
  6. With RBAC enabled, non-owners without SUPER privileges cannot execute DDL on unowned connections.
  7. SHOW CONNECTIONS properly filters visible connections under RBAC.
  8. REVOKE operations function correctly for all new privilege types.
