risingwave_frontend/handler/
alter_owner.rs

1// Copyright 2025 RisingWave Labs
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15use std::sync::Arc;
16
17use pgwire::pg_response::StatementType;
18use risingwave_common::acl::AclMode;
19use risingwave_common::catalog::{DEFAULT_SUPER_USER_FOR_ADMIN, is_reserved_admin_user};
20use risingwave_pb::ddl_service::alter_owner_request::Object;
21use risingwave_pb::user::grant_privilege;
22use risingwave_sqlparser::ast::{Ident, ObjectName};
23
24use super::{HandlerArgs, RwPgResponse};
25use crate::Binder;
26use crate::catalog::root_catalog::SchemaPath;
27use crate::catalog::{CatalogError, OwnedByUserCatalog};
28use crate::error::ErrorCode::PermissionDenied;
29use crate::error::Result;
30use crate::session::SessionImpl;
31use crate::user::user_catalog::UserCatalog;
32
33pub fn check_schema_create_privilege(
34    session: &Arc<SessionImpl>,
35    new_owner: &UserCatalog,
36    schema_id: u32,
37) -> Result<()> {
38    if session.is_super_user() {
39        return Ok(());
40    }
41    if !new_owner.is_super
42        && !new_owner.has_privilege(
43            &grant_privilege::Object::SchemaId(schema_id),
44            AclMode::Create,
45        )
46    {
47        return Err(PermissionDenied(
48            "Require new owner to have create privilege on the object.".to_owned(),
49        )
50        .into());
51    }
52    Ok(())
53}
54
55pub async fn handle_alter_owner(
56    handler_args: HandlerArgs,
57    obj_name: ObjectName,
58    new_owner_name: Ident,
59    stmt_type: StatementType,
60) -> Result<RwPgResponse> {
61    let session = handler_args.session;
62    let db_name = &session.database();
63    let (schema_name, real_obj_name) =
64        Binder::resolve_schema_qualified_name(db_name, obj_name.clone())?;
65    let search_path = session.config().search_path();
66    let user_name = &session.user_name();
67    let schema_path = SchemaPath::new(schema_name.as_deref(), &search_path, user_name);
68
69    let new_owner_name = Binder::resolve_user_name(vec![new_owner_name].into())?;
70    let (object, owner_id) = {
71        let catalog_reader = session.env().catalog_reader().read_guard();
72        let user_reader = session.env().user_info_reader().read_guard();
73        let new_owner = user_reader
74            .get_user_by_name(&new_owner_name)
75            .ok_or(CatalogError::NotFound("user", new_owner_name))?;
76        if is_reserved_admin_user(&new_owner.name) {
77            return Err(PermissionDenied(
78                format!("{} is reserved for admin", DEFAULT_SUPER_USER_FOR_ADMIN).to_owned(),
79            )
80            .into());
81        }
82        let owner_id = new_owner.id;
83        (
84            match stmt_type {
85                StatementType::ALTER_TABLE | StatementType::ALTER_MATERIALIZED_VIEW => {
86                    let (table, schema_name) = catalog_reader.get_created_table_by_name(
87                        db_name,
88                        schema_path,
89                        &real_obj_name,
90                    )?;
91                    session.check_privilege_for_drop_alter(schema_name, &**table)?;
92                    let schema_id = catalog_reader
93                        .get_schema_by_name(db_name, schema_name)?
94                        .id();
95                    check_schema_create_privilege(&session, new_owner, schema_id)?;
96                    if table.owner() == owner_id {
97                        return Ok(RwPgResponse::empty_result(stmt_type));
98                    }
99                    Object::TableId(table.id.table_id)
100                }
101                StatementType::ALTER_VIEW => {
102                    let (view, schema_name) =
103                        catalog_reader.get_view_by_name(db_name, schema_path, &real_obj_name)?;
104                    session.check_privilege_for_drop_alter(schema_name, &**view)?;
105                    let schema_id = catalog_reader
106                        .get_schema_by_name(db_name, schema_name)?
107                        .id();
108                    check_schema_create_privilege(&session, new_owner, schema_id)?;
109                    if view.owner() == owner_id {
110                        return Ok(RwPgResponse::empty_result(stmt_type));
111                    }
112                    Object::ViewId(view.id)
113                }
114                StatementType::ALTER_SOURCE => {
115                    let (source, schema_name) =
116                        catalog_reader.get_source_by_name(db_name, schema_path, &real_obj_name)?;
117                    session.check_privilege_for_drop_alter(schema_name, &**source)?;
118                    let schema_id = catalog_reader
119                        .get_schema_by_name(db_name, schema_name)?
120                        .id();
121                    check_schema_create_privilege(&session, new_owner, schema_id)?;
122                    if source.owner() == owner_id {
123                        return Ok(RwPgResponse::empty_result(stmt_type));
124                    }
125                    Object::SourceId(source.id)
126                }
127                StatementType::ALTER_SINK => {
128                    let (sink, schema_name) =
129                        catalog_reader.get_sink_by_name(db_name, schema_path, &real_obj_name)?;
130                    session.check_privilege_for_drop_alter(schema_name, &**sink)?;
131                    let schema_id = catalog_reader
132                        .get_schema_by_name(db_name, schema_name)?
133                        .id();
134                    check_schema_create_privilege(&session, new_owner, schema_id)?;
135                    if sink.owner() == owner_id {
136                        return Ok(RwPgResponse::empty_result(stmt_type));
137                    }
138                    Object::SinkId(sink.id.sink_id)
139                }
140                StatementType::ALTER_SUBSCRIPTION => {
141                    let (subscription, schema_name) = catalog_reader.get_subscription_by_name(
142                        db_name,
143                        schema_path,
144                        &real_obj_name,
145                    )?;
146                    session.check_privilege_for_drop_alter(schema_name, &**subscription)?;
147                    let schema_id = catalog_reader
148                        .get_schema_by_name(db_name, schema_name)?
149                        .id();
150                    check_schema_create_privilege(&session, new_owner, schema_id)?;
151                    if subscription.owner() == owner_id {
152                        return Ok(RwPgResponse::empty_result(stmt_type));
153                    }
154                    Object::SubscriptionId(subscription.id.subscription_id)
155                }
156                StatementType::ALTER_DATABASE => {
157                    let database = catalog_reader.get_database_by_name(&obj_name.real_value())?;
158                    session.check_privilege_for_drop_alter_db_schema(database)?;
159                    if database.owner() == owner_id {
160                        return Ok(RwPgResponse::empty_result(stmt_type));
161                    }
162                    Object::DatabaseId(database.id())
163                }
164                StatementType::ALTER_SCHEMA => {
165                    let schema =
166                        catalog_reader.get_schema_by_name(db_name, &obj_name.real_value())?;
167                    session.check_privilege_for_drop_alter_db_schema(schema)?;
168                    if schema.owner() == owner_id {
169                        return Ok(RwPgResponse::empty_result(stmt_type));
170                    }
171                    Object::SchemaId(schema.id())
172                }
173                StatementType::ALTER_CONNECTION => {
174                    let (connection, schema_name) = catalog_reader.get_connection_by_name(
175                        db_name,
176                        schema_path,
177                        &real_obj_name,
178                    )?;
179                    session.check_privilege_for_drop_alter(schema_name, &**connection)?;
180                    if connection.owner() == owner_id {
181                        return Ok(RwPgResponse::empty_result(stmt_type));
182                    }
183                    Object::ConnectionId(connection.id)
184                }
185                _ => unreachable!(),
186            },
187            owner_id,
188        )
189    };
190
191    let catalog_writer = session.catalog_writer()?;
192    catalog_writer.alter_owner(object, owner_id).await?;
193
194    Ok(RwPgResponse::empty_result(stmt_type))
195}
risingwave_frontend/handler/alter_owner.rs

risingwave_frontend/handler/
alter_owner.rs
