risingwave_frontend/handler/
alter_owner.rs

1// Copyright 2025 RisingWave Labs
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15use std::sync::Arc;
16
17use pgwire::pg_response::StatementType;
18use risingwave_common::acl::AclMode;
19use risingwave_common::catalog::{DEFAULT_SUPER_USER_FOR_ADMIN, is_reserved_admin_user};
20use risingwave_pb::ddl_service::alter_owner_request::Object;
21use risingwave_pb::user::grant_privilege;
22use risingwave_sqlparser::ast::{Ident, ObjectName};
23
24use super::{HandlerArgs, RwPgResponse};
25use crate::Binder;
26use crate::catalog::root_catalog::SchemaPath;
27use crate::catalog::{CatalogError, OwnedByUserCatalog};
28use crate::error::ErrorCode::PermissionDenied;
29use crate::error::Result;
30use crate::session::SessionImpl;
31use crate::user::user_catalog::UserCatalog;
32
33pub fn check_schema_create_privilege(
34    session: &Arc<SessionImpl>,
35    new_owner: &UserCatalog,
36    schema_id: u32,
37) -> Result<()> {
38    if session.is_super_user() {
39        return Ok(());
40    }
41    if !new_owner.is_super
42        && !new_owner.has_privilege(
43            &grant_privilege::Object::SchemaId(schema_id),
44            AclMode::Create,
45        )
46    {
47        return Err(PermissionDenied(
48            "Require new owner to have create privilege on the object.".to_owned(),
49        )
50        .into());
51    }
52    Ok(())
53}
54
55pub async fn handle_alter_owner(
56    handler_args: HandlerArgs,
57    obj_name: ObjectName,
58    new_owner_name: Ident,
59    stmt_type: StatementType,
60) -> Result<RwPgResponse> {
61    let session = handler_args.session;
62    let db_name = &session.database();
63    let (schema_name, real_obj_name) = Binder::resolve_schema_qualified_name(db_name, &obj_name)?;
64    let search_path = session.config().search_path();
65    let user_name = &session.user_name();
66    let schema_path = SchemaPath::new(schema_name.as_deref(), &search_path, user_name);
67
68    let new_owner_name = Binder::resolve_user_name(vec![new_owner_name].into())?;
69    let (object, owner_id) = {
70        let catalog_reader = session.env().catalog_reader().read_guard();
71        let user_reader = session.env().user_info_reader().read_guard();
72        let new_owner = user_reader
73            .get_user_by_name(&new_owner_name)
74            .ok_or(CatalogError::NotFound("user", new_owner_name))?;
75        if is_reserved_admin_user(&new_owner.name) {
76            return Err(PermissionDenied(
77                format!("{} is reserved for admin", DEFAULT_SUPER_USER_FOR_ADMIN).to_owned(),
78            )
79            .into());
80        }
81        let owner_id = new_owner.id;
82        (
83            match stmt_type {
84                StatementType::ALTER_TABLE | StatementType::ALTER_MATERIALIZED_VIEW => {
85                    let (table, schema_name) = catalog_reader.get_created_table_by_name(
86                        db_name,
87                        schema_path,
88                        &real_obj_name,
89                    )?;
90                    session.check_privilege_for_drop_alter(schema_name, &**table)?;
91                    let schema_id = catalog_reader
92                        .get_schema_by_name(db_name, schema_name)?
93                        .id();
94                    check_schema_create_privilege(&session, new_owner, schema_id)?;
95                    if table.owner() == owner_id {
96                        return Ok(RwPgResponse::empty_result(stmt_type));
97                    }
98                    Object::TableId(table.id.table_id)
99                }
100                StatementType::ALTER_VIEW => {
101                    let (view, schema_name) =
102                        catalog_reader.get_view_by_name(db_name, schema_path, &real_obj_name)?;
103                    session.check_privilege_for_drop_alter(schema_name, &**view)?;
104                    let schema_id = catalog_reader
105                        .get_schema_by_name(db_name, schema_name)?
106                        .id();
107                    check_schema_create_privilege(&session, new_owner, schema_id)?;
108                    if view.owner() == owner_id {
109                        return Ok(RwPgResponse::empty_result(stmt_type));
110                    }
111                    Object::ViewId(view.id)
112                }
113                StatementType::ALTER_SOURCE => {
114                    let (source, schema_name) =
115                        catalog_reader.get_source_by_name(db_name, schema_path, &real_obj_name)?;
116                    session.check_privilege_for_drop_alter(schema_name, &**source)?;
117                    let schema_id = catalog_reader
118                        .get_schema_by_name(db_name, schema_name)?
119                        .id();
120                    check_schema_create_privilege(&session, new_owner, schema_id)?;
121                    if source.owner() == owner_id {
122                        return Ok(RwPgResponse::empty_result(stmt_type));
123                    }
124                    Object::SourceId(source.id)
125                }
126                StatementType::ALTER_SINK => {
127                    let (sink, schema_name) = catalog_reader.get_created_sink_by_name(
128                        db_name,
129                        schema_path,
130                        &real_obj_name,
131                    )?;
132                    session.check_privilege_for_drop_alter(schema_name, &**sink)?;
133                    let schema_id = catalog_reader
134                        .get_schema_by_name(db_name, schema_name)?
135                        .id();
136                    check_schema_create_privilege(&session, new_owner, schema_id)?;
137                    if sink.owner() == owner_id {
138                        return Ok(RwPgResponse::empty_result(stmt_type));
139                    }
140                    Object::SinkId(sink.id.sink_id)
141                }
142                StatementType::ALTER_SUBSCRIPTION => {
143                    let (subscription, schema_name) = catalog_reader.get_subscription_by_name(
144                        db_name,
145                        schema_path,
146                        &real_obj_name,
147                    )?;
148                    session.check_privilege_for_drop_alter(schema_name, &**subscription)?;
149                    let schema_id = catalog_reader
150                        .get_schema_by_name(db_name, schema_name)?
151                        .id();
152                    check_schema_create_privilege(&session, new_owner, schema_id)?;
153                    if subscription.owner() == owner_id {
154                        return Ok(RwPgResponse::empty_result(stmt_type));
155                    }
156                    Object::SubscriptionId(subscription.id.subscription_id)
157                }
158                StatementType::ALTER_DATABASE => {
159                    let database = catalog_reader.get_database_by_name(&obj_name.real_value())?;
160                    session.check_privilege_for_drop_alter_db_schema(database)?;
161                    if database.owner() == owner_id {
162                        return Ok(RwPgResponse::empty_result(stmt_type));
163                    }
164                    Object::DatabaseId(database.id())
165                }
166                StatementType::ALTER_SCHEMA => {
167                    let schema =
168                        catalog_reader.get_schema_by_name(db_name, &obj_name.real_value())?;
169                    session.check_privilege_for_drop_alter_db_schema(schema)?;
170                    if schema.owner() == owner_id {
171                        return Ok(RwPgResponse::empty_result(stmt_type));
172                    }
173                    Object::SchemaId(schema.id())
174                }
175                StatementType::ALTER_CONNECTION => {
176                    let (connection, schema_name) = catalog_reader.get_connection_by_name(
177                        db_name,
178                        schema_path,
179                        &real_obj_name,
180                    )?;
181                    session.check_privilege_for_drop_alter(schema_name, &**connection)?;
182                    if connection.owner() == owner_id {
183                        return Ok(RwPgResponse::empty_result(stmt_type));
184                    }
185                    Object::ConnectionId(connection.id)
186                }
187                _ => unreachable!(),
188            },
189            owner_id,
190        )
191    };
192
193    let catalog_writer = session.catalog_writer()?;
194    catalog_writer.alter_owner(object, owner_id).await?;
195
196    Ok(RwPgResponse::empty_result(stmt_type))
197}
risingwave_frontend/handler/alter_owner.rs

risingwave_frontend/handler/
alter_owner.rs
