Fine-grained access control for change streams


This page explains how fine-grained access control works with Cloud Spanner change streams.

For fine-grained access control users, you allow read access to change stream data by using the following grants. Both grants are required.

  • Grant SELECT on the change stream.

    GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE ROLE_NAME;
    
  • Grant EXECUTE on the table-valued function (TVF) that is automatically created for the change stream. You use the TVF to perform reads on change stream data.

    GRANT EXECUTE ON TABLE FUNCTION TABLE_FUNCTION_NAME TO ROLE ROLE_NAME;
    

    For information about change streams TVFs, see Change stream query syntax.

INFORMATION_SCHEMA tables for change streams

The INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES table shows database roles and privileges information for change streams.

The rows in this table are filtered based on the current database role's privileges on change streams. This ensures that principals can view only the roles, privileges, and change streams that they have access to.

Row filtering also applies to the following change stream-related tables:

The system role spanner_info_reader and its members always see an unfiltered version of the INFORMATION_SCHEMA.

Caveats

  • Because a change stream contains a separate copy of the data from the tracked tables and columns, be careful when granting users access to the change stream. The readers of the change stream can view data changes from the tracked tables and columns, even though they may not have SELECT privileges on the tables and columns. Although it's more flexible to be able to set up separate controls on change streams and their tracked tables and columns, be aware of the potential risk, and ensure that you structure roles and privileges accordingly. For example, when revoking the SELECT privilege on a table from a role, consider whether to also revoke SELECT on the change stream (and revoke EXECUTE on the associated table-valued function).

  • If you grant SELECT on a change stream that tracks all tables, the grantee will be able to see data changes for any tables added in the future.
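The following script is an added example, not code from this page or from Spanner's documentation, that ties the two grants above to the caveats in this list: it sets up a role, grants it the table read plus the change-stream read, shows the TVF query those grants enable, checks the filtered INFORMATION_SCHEMA view, and then revokes the table read together with the stream and its TVF. The table `Singers`, the change stream `SingersStream` and the role `hr_analyst` are assumed names; the TVF name `READ_SingersStream` follows the GoogleSQL `READ_<change stream name>` convention, and the column layout of `INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES` is not stated on the page, so the check uses `SELECT *`.

```sql
-- Added example (not from the page). Names Singers, SingersStream and
-- hr_analyst are assumed; READ_SingersStream is the GoogleSQL TVF name
-- derived from the change stream name.

-- 1. A change stream over one table, and a role that should read both the
--    table and its change history.
CREATE CHANGE STREAM SingersStream FOR Singers;
CREATE ROLE hr_analyst;

-- 2. Table read, plus the two grants the page requires for the stream:
--    SELECT on the change stream and EXECUTE on its TVF.
GRANT SELECT ON TABLE Singers TO ROLE hr_analyst;
GRANT SELECT ON CHANGE STREAM SingersStream TO ROLE hr_analyst;
GRANT EXECUTE ON TABLE FUNCTION READ_SingersStream TO ROLE hr_analyst;

-- 3. The read the stream grants enable. The database role is selected on the
--    client connection, not in SQL. Note that this query returns changed
--    column values from Singers even if the table grant in step 2 were
--    absent: the stream is a separate copy of the tracked data.
SELECT ChangeRecord
FROM READ_SingersStream(
  start_timestamp        => TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 10 MINUTE),
  end_timestamp          => NULL,
  partition_token        => NULL,
  heartbeat_milliseconds => 10000);

-- 4. Check what the current role is allowed to see. Rows are filtered to the
--    roles, privileges and streams the current role can access; members of
--    spanner_info_reader get the unfiltered view. Column names are not given
--    on the page, so the whole row is selected.
SELECT * FROM INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES;

-- 5. Revoking only the table read would leave the stream readable, so the
--    revocation covers the table, the change stream and its TVF together.
REVOKE SELECT ON TABLE Singers FROM ROLE hr_analyst;
REVOKE SELECT ON CHANGE STREAM SingersStream FROM ROLE hr_analyst;
REVOKE EXECUTE ON TABLE FUNCTION READ_SingersStream FROM ROLE hr_analyst;
```

Running step 4 once as `hr_analyst` and once as a member of `spanner_info_reader` makes the row filtering visible: the first result shows only `hr_analyst`'s own stream privileges, the second shows every role's. Keeping the three REVOKE statements in one change is what prevents the gap the second caveat describes, where a role keeps reading changes after it has lost the table itself; for a stream created with `FOR ALL`, the same pairing matters for tables added later, since the stream grant alone covers them.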

More information