auth: fix cdc vector search indexing permission bug

VECTOR_SEARCH_INDEXING permission didn't work on cdc tables as we mistakenly checked for vector indexes on the cdc table insted of the base. This patch fixes that and adds a test that validates this behavior. Fixes: VECTOR-476 Closes scylladb/scylladb#28050 (cherry picked from commit e2e479f20d) Closes scylladb/scylladb#28068
2026-05-12 19:02:12 +00:00 · 2026-01-08 11:38:39 +01:00
parent 8a833e0400
commit 2dc74d66cd
2 changed files with 32 additions and 1 deletions
--- a/cql3/statements/select_statement.cc
+++ b/cql3/statements/select_statement.cc
@@ -246,7 +246,8 @@ future<> select_statement::check_access(query_processor& qp, const service::clie
        auto& cf_name = s->is_view()
            ? s->view_info()->base_name()
            : (cdc ? cdc->cf_name() : column_family());
-        bool is_vector_indexed = secondary_index::vector_index::has_vector_index(*_schema);
+        const schema_ptr& base_schema = cdc ? cdc : _schema;
+        bool is_vector_indexed = secondary_index::vector_index::has_vector_index(*base_schema);
        co_await state.has_column_family_access(keyspace(), cf_name, auth::permission::SELECT, auth::command_desc::type::OTHER, is_vector_indexed);
    } catch (const data_dictionary::no_such_column_family& e) {
        // Will be validated afterwards.
--- a/test/boost/cql_auth_query_test.cc
+++ b/test/boost/cql_auth_query_test.cc
@@ -410,4 +410,34 @@ SEASTAR_TEST_CASE(select_from_vector_search_system_table) {
            db_config_with_auth());
 }

+// Test that VECTOR_SEARCH_INDEXING permission allows selecting from CDC log table
+// when the base table has a vector index. CDC log tables inherit permissions from
+// their base table, so if the base table allows queries from users with VECTOR_SEARCH_INDEXING
+// permission, the CDC log table should also allow queries from users with that permission.
+SEASTAR_TEST_CASE(select_from_cdc_log_of_vector_indexed_table) {
+    return do_with_cql_env_thread(
+            [](auto&& env) {
+                // Create a table with a vector column and a vector index (which enables CDC)
+                cquery_nofail(env, "CREATE TABLE ks.t (id int PRIMARY KEY, v vector<float, 4>)");
+                cquery_nofail(env, "CREATE CUSTOM INDEX ON ks.t(v) USING 'vector_index'");
+
+                create_user_if_not_exists(env, bob);
+
+                // Without permissions, bob cannot select from the CDC log table
+                with_user(env, bob, [&env] {
+                    BOOST_REQUIRE_EXCEPTION(env.execute_cql("SELECT * FROM ks.t_scylla_cdc_log").get(), exceptions::unauthorized_exception,
+                            exception_predicate::message_contains("User bob has none of the permissions (VECTOR_SEARCH_INDEXING, SELECT) on"));
+                });
+
+                // Grant VECTOR_SEARCH_INDEXING permission
+                cquery_nofail(env, "GRANT VECTOR_SEARCH_INDEXING ON ALL KEYSPACES TO bob");
+
+                // Now bob can select from the CDC log table
+                with_user(env, bob, [&env] {
+                    cquery_nofail(env, "SELECT * FROM ks.t_scylla_cdc_log");
+                });
+            },
+            enable_tablets(db_config_with_auth()));
+}
+
 BOOST_AUTO_TEST_SUITE_END()