mcp: skip auto-route when role lacks USAGE on the data product's cluster #36731
bobbyiliev wants to merge 4 commits into
| // cluster only when the role has `USAGE` on it; without `USAGE` the | ||
| // `SET CLUSTER` would succeed but the subsequent `SELECT` would fail | ||
| // with a `permission denied`, so we leave the read on the session | ||
| // default — slower (no index) but correct. |
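Review bot: the last comment line calls the fallback to the session default "correct", but that holds only when the role has `USAGE` on the session's default cluster. By the reasoning two lines up, a role without it would hit the same `permission denied` on the `SELECT`. Check `USAGE` on the fallback cluster as well, or state in the comment that it is assumed.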
> so we leave the read on the session
> // default — slower (no index) but correct
I'm a bit worried that this implicit fallback would lead to silent RBAC problems, where the symptom is just slow queries, but people (and agents) wouldn't realize that there is an RBAC problem. So, maybe we'd want to fail the call in this case? And then if an agent really wants to execute on a cluster that has no index, then it could still do it with an explicit override.
Good call @ggevay, done. It now fails with a clear ClusterPrivilegeMissing error naming the cluster, and the agent can pass an explicit cluster override to read elsewhere if it really wants to.
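The two behaviours discussed in this thread, side by side, as an added example that is not code from this PR or from the project. Every name is hypothetical except `ClusterPrivilegeMissing`, which is taken from the reply above; the override being used as given, without a further check, is an assumption.

```rust
use std::collections::HashSet;

// Hypothetical error type; only the variant name comes from the thread.
#[derive(Debug, PartialEq)]
enum RouteError {
    ClusterPrivilegeMissing { cluster: String },
}

/// Behaviour the review questioned: without USAGE on the indexed cluster,
/// quietly stay on the session default. The only symptom is a slow query.
fn route_with_fallback(usage: &HashSet<&str>, indexed_on: &str, session_default: &str) -> String {
    if usage.contains(indexed_on) {
        indexed_on.to_string()
    } else {
        session_default.to_string()
    }
}

/// Behaviour after the review: fail closed and name the cluster, unless the
/// caller explicitly chose where to read.
fn route_fail_closed(
    usage: &HashSet<&str>,
    indexed_on: &str,
    override_cluster: Option<&str>,
) -> Result<String, RouteError> {
    // Assumption: an explicit override is used as given, so an unindexed
    // read is always the caller's deliberate choice.
    if let Some(cluster) = override_cluster {
        return Ok(cluster.to_string());
    }
    if usage.contains(indexed_on) {
        Ok(indexed_on.to_string())
    } else {
        // The missing grant surfaces as an error instead of as latency.
        Err(RouteError::ClusterPrivilegeMissing { cluster: indexed_on.to_string() })
    }
}

fn main() {
    // Constructed sample: the role holds USAGE on "quickstart" only,
    // while the data product's index lives on "analytics".
    let mut usage = HashSet::new();
    usage.insert("quickstart");
    println!("{}", route_with_fallback(&usage, "analytics", "quickstart"));
    println!("{:?}", route_fail_closed(&usage, "analytics", None));
    println!("{:?}", route_fail_closed(&usage, "analytics", Some("quickstart")));
}
```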
def- left a comment
Thanks Bobby, test change looks reasonable
Follow-up to #36619 (comment)