This page explains how fine-grained access control works with Cloud Spanner change streams.
For fine-grained access control users, you allow read access to change streams data by using the following grants. Both grants are required.
SELECTon the change stream.
GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE ROLE_NAME;
EXECUTEon the table-valued function (TVF) that is automatically created for the change stream. You use the TVF to perform reads on change stream data.
GRANT EXECUTE ON TABLE FUNCTION TABLE_FUNCTION_NAME TO ROLE ROLE_NAME;
For information about change streams TVFs, see Change stream query syntax.
INFORMATION_SCHEMA tables for change streams
table shows database roles and privileges information for change streams.
The rows in this table are filtered based on the current database role's privileges on change streams. This ensures that principals can view only the roles, privileges, and change streams that they have access to.
Row filtering also applies to following change streams-related tables:
The system role
spanner_info_reader and its members always see an unfiltered
version of the
Because a change stream contains a separate copy of the data from the tracked tables and columns, be careful when granting users access to the change stream. The readers of the change stream can view data changes from the tracked tables and columns, even though they may not have
SELECTprivileges on the tables and columns. Although it's more flexible to be able to set up separate controls on change streams and their tracked tables and columns, be aware of the potential risk, and ensure that you structure roles and privileges accordingly. For example, when revoking the
SELECTprivilege on a table from a role, consider whether to also revoke
SELECTon the change stream (and revoke
EXECUTEon the associated table-valued function).
If you grant
SELECTon a change stream that tracks all tables, the grantee will be able to see data changes for any tables added in the future.