This page explains how fine-grained access control works with Cloud Spanner change streams.
For fine-grained access control users, you allow read access to change streams data by using the following grants. Both grants are required.
Grant
SELECT
on the change stream.GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE ROLE_NAME;
Grant
EXECUTE
on the table-valued function (TVF) that is automatically created for the change stream. You use the TVF to perform reads on change stream data.GRANT EXECUTE ON TABLE FUNCTION TABLE_FUNCTION_NAME TO ROLE ROLE_NAME;
For information about change streams TVFs, see Change stream query syntax.
INFORMATION_SCHEMA
tables for change streams
The INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES
table shows database roles and privileges information for change streams.
The rows in this table are filtered based on the current database role's privileges on change streams. This ensures that principals can view only the roles, privileges, and change streams that they have access to.
Row filtering also applies to following change streams-related tables:
GoogleSQL
The system role spanner_info_reader
and its members always see an unfiltered
version of the INFORMATION_SCHEMA
.
Caveats
Because a change stream contains a separate copy of the data from the tracked tables and columns, be careful when granting users access to the change stream. The readers of the change stream can view data changes from the tracked tables and columns, even though they may not have
SELECT
privileges on the tables and columns. Although it's more flexible to be able to set up separate controls on change streams and their tracked tables and columns, be aware of the potential risk, and ensure that you structure roles and privileges accordingly. For example, when revoking theSELECT
privilege on a table from a role, consider whether to also revokeSELECT
on the change stream (and revokeEXECUTE
on the associated table-valued function).If you grant
SELECT
on a change stream that tracks all tables, the grantee will be able to see data changes for any tables added in the future.