fix(schema): degrade gracefully when system.dictionaries SELECT is denied #57
Merged
…nied
loadSchemaLineage read system.dictionaries via the throwing queryJson, so a low-privilege user (e.g. a demo/OAuth role with SHOW grants but no SELECT ON system.dictionaries) hit Code 497 ACCESS_DENIED and the entire schema/lineage graph failed to render. Switch that read to the best-effort tryQueryData helper, matching how system.data_skipping_indices (loadSchemaCards) and system.parts (loadTableDetail) already degrade: a denied/missing system.dictionaries now yields no dictionary edges instead of aborting the graph. system.tables/system.columns already work for such users via their implicit SHOW TABLES/COLUMNS privileges, so the graph now draws with no grant change.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YDq48xZSSAreCbtaq83uVm
Explain that the lineage graph works with no extra grants (the implicit SELECT from SHOW TABLES/COLUMNS covers system.tables/columns, row-filtered to accessible DBs), and that SELECT on system.dictionaries / data_skipping_indices / parts only buys fidelity (dictionary edges, skip-index badges, per-partition detail). Adds a no-degrade grant snippet and notes secrets stay masked.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YDq48xZSSAreCbtaq83uVm
Problem
The schema/lineage graph hard-fails for low-privilege users.
loadSchemaLineage read system.dictionaries through the throwing queryJson, so a user with SHOW grants but no SELECT ON system.dictionaries (e.g. the antalya demo/demo and Google-OAuth roles) hit Code 497 ACCESS_DENIED and the entire graph failed to render.
Verified live on antalya as demo/demo: system.tables and system.columns already work for such users (implicit via their SHOW TABLES/SHOW COLUMNS privileges), but system.dictionaries, system.data_skipping_indices, and system.parts all 497. The latter two already degraded gracefully via tryQueryData; system.dictionaries was the lone throwing read that aborted the whole graph.
Fix
Switch the system.dictionaries read to the best-effort tryQueryData helper, matching loadSchemaCards (system.data_skipping_indices) and loadTableDetail (system.parts). A denied/missing system.dictionaries now yields no dictionary edges instead of aborting — so the graph draws with no grant change required on the cluster.
Test
Added a loadSchemaLineage test that returns ACCESS_DENIED for system.dictionaries and asserts the tables still load and dictionaries === []. Full suite: 1003 passing, per-file coverage gate held.
🤖 Generated with Claude Code
https://claude.ai/code/session_01YDq48xZSSAreCbtaq83uVm
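The degrade-on-denied pattern described in this PR, as an added example that is not the project's code: it goes one step further by swallowing only the "denied" and "missing" cases and recording which sources were dropped, so other failures still surface. All function names, the numeric `code` property on errors, and the stub runners are assumptions made for illustration.

```javascript
// Added example: names here are hypothetical, not the project's helpers.
// Assumption: the client rejects with an Error carrying a numeric `code`.
const ACCESS_DENIED = 497; // the code reported in the PR
const UNKNOWN_TABLE = 60;  // ClickHouse code for a missing table

// Only "denied" and "missing" are safe to degrade on; anything else
// (timeouts, syntax errors, connection failures) must still surface.
function isDegradable(err) {
  return err != null && (err.code === ACCESS_DENIED || err.code === UNKNOWN_TABLE);
}

// Best-effort read: returns [] and records the source when degrading.
async function bestEffortRows(run, sql, source, degraded) {
  try {
    return await run(sql);
  } catch (err) {
    if (!isDegradable(err)) throw err;
    degraded.push({ source, code: err.code });
    return [];
  }
}

async function loadLineage(run) {
  const degraded = [];
  // Required: without tables there is no graph, so this read may throw.
  const tables = await run("SELECT database, name FROM system.tables");
  // Optional: dictionary edges only add fidelity.
  const dictionaries = await bestEffortRows(
    run, "SELECT database, name FROM system.dictionaries",
    "system.dictionaries", degraded);
  return { tables, dictionaries, degraded };
}

// Constructed stand-in for a low-privilege session (SHOW grants only).
function lowPrivRun(sql) {
  if (sql.includes("system.dictionaries")) {
    const err = new Error("Code: 497. DB::Exception: Not enough privileges. (ACCESS_DENIED)");
    err.code = ACCESS_DENIED;
    return Promise.reject(err);
  }
  return Promise.resolve([{ database: "demo", name: "events" }]);
}

// Constructed stand-in for an unrelated failure that must not be swallowed.
function brokenRun(sql) {
  if (sql.includes("system.dictionaries")) {
    return Promise.reject(Object.assign(new Error("socket hang up"), { code: "ECONNRESET" }));
  }
  return Promise.resolve([]);
}
```

The `degraded` list gives the UI or a log line something to report, so reduced fidelity for a low-privilege role is visible rather than silent.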