Add originalUser and authenticatedUser as selectors available for resource group selection #24662
+566
−100
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Copilot reviewed 26 out of 26 changed files in this pull request and generated no comments.
xkrogen
force-pushed
the
xkrogen/resourcegroup-selectors-original-authenticated-user
branch
3 times, most recently
from
5d25e2c to
f3dfb32
Compare
|
Had trouble getting the Oracle Flyway DB migration tests to run on my local so it took a few tries on CI to get that to pass. But it should be ready for review now! |
…ource group selection
xkrogen
force-pushed
the
xkrogen/resourcegroup-selectors-original-authenticated-user
branch
from
36d8949 to
9217288
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds the original user and authenticated user as selectors that can be used in resource group selection, allowing for more flexible selection of resource groups based on additional context about the user's identity.
Additional context and related issues
Currently, resource group selection can take into account the current session user, but doesn't have a way to select based on the original user or authenticated user. In some setups, in may be desirable for resource group selection to be based on these additional metadata, rather than only the current user.
For original user, one sample use case is when
SET SESSION AUTHORIZATIONis used to change the current user for purposes of gaining access to a different set of resources (for example, a table that is accessible by the impersonated user, but not the original user). In this case, it can be desirable to still perform resource group selection based on the original user. For example, let us say that access to widely used tablet_foois only granted to useru_foo. Many users will impersonateu_footo get access tot_foo, and if resource group selection is performed on the impersonated user, they will all share the same resource group, potentially causing contention. It may be desirable to instead perform resource group selection based on the original user to avoid such contention.For authenticated user, a sample use case may be to identify all queries originating from a certain platform or service. If that platform/service has the ability to impersonate other users for authorization purposes, it may still be desirable to execute all queries in a dedicated resource group.
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(X) Release notes are required, with the following suggested text: