fix(frontend): harden SHOW object visibility#25571
Conversation
Pull request overview
This PR hardens RisingWave frontend metadata exposure by making SHOW commands and connection parameter rendering respect object-level visibility (ACLs), preventing users with only schema USAGE from enumerating hidden object names or secret references.
Changes:
- Switch several `SHOW <objects>` list handlers to use ACL-aware schema iterators (tables, views, mviews, sources, sinks, subscriptions, secrets, connections, functions).
- Route `SHOW COLUMNS`/`SHOW INDEXES` through the normal batch binder path (instead of the system binder) to block known-name probing for hidden relations; add explicit visibility checks for sink/view columns while preserving system-view introspection.
- Redact secret references in connection output (both `SHOW CONNECTIONS` and `rw_catalog.rw_connections`) when the user can see the connection but not the referenced secret; add SLT coverage.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/frontend/src/handler/show.rs | Makes SHOW object listings ACL-aware; hardens SHOW COLUMNS/SHOW INDEXES; integrates connection secret-ref redaction. |
| src/frontend/src/handler/create_connection.rs | Adds connection param formatter that conditionally redacts secret refs based on user visibility. |
| src/frontend/src/catalog/system_catalog/rw_catalog/rw_connections.rs | Applies the same secret-ref redaction to rw_catalog.rw_connections. |
| e2e_test/ddl/show_object_privilege.slt | Adds end-to-end SLT coverage for hidden object listing/probing and secret-ref redaction. |
tabVersion
left a comment
Found one CI-blocking issue in the new SLT fixture.
Make SHOW object lists and known-name metadata probes honor object visibility, and redact hidden secret refs in connection output. Move connector-backed SHOW visibility coverage into source/sink/connection e2e suites so the DDL metadata-only test does not depend on external schema registry validation or madsim secret materialization.

Constraint: User requested the approved SHOW object visibility hardening plan.
Confidence: high
Scope-risk: narrow
Directive: Avoid leaking unauthorized object and secret names through SHOW commands.
Tested: git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt
Tested: cargo fmt --all -- --check
Tested: cargo check -p risingwave_frontend
Not-tested: local SLT because no RisingWave server is running on 127.0.0.1:4566.
Co-authored-by: OmX <omx@oh-my-codex.dev>
| ) -> Result<Vec<Arc<IndexCatalog>>> { | ||
| let mut binder = Binder::new_for_system(session); | ||
| let mut binder = Binder::new_for_batch(session); | ||
| let relation = binder.bind_relation_by_name(&table_name, None, None, false)?; |
|
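Review bot: Swapping `Binder::new_for_system(session)` for `Binder::new_for_batch(session)` only closes the known-name probe if `bind_relation_by_name` reports a hidden relation with exactly the same error as a nonexistent one; a distinguishable "permission denied" versus "does not exist" message would still confirm that the name is taken. Worth asserting the error text for both cases in e2e_test/ddl/show_object_privilege.slt so a later change to the binder's error path cannot silently reintroduce the leak.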
Closing this PR in favor of #25584. GitHub's synthetic
I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.
What's changed and what's your intention?
This PR hardens user-visible `SHOW` metadata surfaces so a user with schema visibility alone cannot enumerate object names or secret references that they do not have object-level privilege for.

Changes:
- Switch `SHOW` object-list handlers to ACL-aware schema iterators: `SHOW TABLES`, `SHOW INTERNAL TABLES`, `SHOW VIEWS`, `SHOW MATERIALIZED VIEWS`, `SHOW SOURCES`, `SHOW SINKS`, `SHOW SUBSCRIPTIONS`, `SHOW SECRETS`, `SHOW CONNECTIONS`, `SHOW FUNCTIONS`.
- `SHOW COLUMNS FROM <table/source>` and `SHOW INDEXES FROM <table>` use the normal batch binder path instead of the system binder path, avoiding known-name metadata probing for hidden relations.
- Add visibility checks for `SHOW COLUMNS FROM <sink/view>` while preserving system-view column introspection.
- Connection output shows `SECRET <redacted>` instead of `SECRET schema.secret_name` when the user cannot see the referenced secret.
- Apply the same redaction to `rw_catalog.rw_connections`.
Current limitation / follow-up:
- `rw_catalog.rw_sources` was identified as a separate system-catalog surface that can still need visibility/secret-reference hardening. Iceberg-related catalog views should also be triaged in a follow-up pass.

Checklist
Documentation
Release note
RisingWave now avoids exposing unauthorized object names through `SHOW` object-list commands and known-name `SHOW COLUMNS`/`SHOW INDEXES` probes. Visible connection metadata also redacts referenced secret names when the user cannot independently see the secret.

Local verification

Passed:
- `cargo fmt --all -- --check`
- `cargo check -p risingwave_frontend`
- `git diff --check -- src/frontend/src/handler/show.rs src/frontend/src/handler/create_connection.rs src/frontend/src/catalog/system_catalog/rw_catalog/rw_connections.rs e2e_test/ddl/show_object_privilege.slt`

Attempted but blocked locally:
- `./risedev d` failed because local Java is 17 while the Maven build requires target release 21 (`Fatal error compiling: error: invalid target release: 21`).
- `./risedev slt './e2e_test/ddl/show_object_privilege.slt'` then failed because no RisingWave server was running (`Connection refused (os error 61)`).