Add a cluster setting to prevent GRANT OPTION from being passed down #124376
Labels
A-sql-privileges
SQL privilege handling and permission checks.
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
T-sql-foundations
SQL Foundations Team (formerly SQL Schema + SQL Sessions)
Projects
Users granted a privilege with WITH GRANT OPTION can in turn grant that privilege to others. The owner of an object implicitly has the GRANT OPTION for all privileges, and the GRANT OPTION is inherited through role memberships. This behavior is not always desireable for customers looking to exercise strict control over how privileges are inherited. We should add a cluster setting to prevent this behavior.
Something like:
SET CLUSTER SETTING sql.auth.disable_grant_option_inheritance='true';
Jira issue: CRDB-38851
Epic CRDB-37763
The text was updated successfully, but these errors were encountered: