mirror of
https://github.com/scylladb/scylladb.git
synced 2026-05-29 19:21:01 +00:00
f9ff475dfb
This patch adds a requirement for the "SELECT" permission on a table to run a GetRecords on it (the DynamoDB Streams API, i.e., CDC). The grant is checked on the *CDC log table* - not on the base table, which allows giving a role the ability to read the base but not is change stream, or vice versa. The operations ListStreams, DescribeStreams, GetShardIterators do not require any permissions to run - they do not read any data, and are (in my opinion) similar in spirit to DescribeTable, so I think it's fine not to require any permissions for them. A test is also added. Signed-off-by: Nadav Har'El <nyh@scylladb.com>