Skip to content

[security] Require ALL permission to modify ACLs #3679

Description

@loserwang1024

Search before asking

  • I searched in the issues and found nothing similar.

Description

Currently, ALTER permission is used for creating and dropping ACLs, but its semantics are ambiguous here. ALTER should represent modifying database or table definitions/configuration, not managing authorization rules.

ACL modification controls access permissions themselves, so it should require a stronger and clearer permission. This issue proposes changing ACL create/drop authorization from ALTER to ALL, and updating related tests, docs, and upgrade notes.

Willingness to contribute

  • I'm willing to submit a PR!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions