fix: bypass access control for materialization transforms#66390
fix: bypass access control for materialization transforms#66390a-lider wants to merge 3 commits into
Conversation
Let trusted endpoint materialization transforms resolve warehouse HogQL sources when running without a request user.
a-lider
changed the title
|
Reviews (1): Last reviewed commit: "fix(endpoints): bypass access control fo..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| # Userless endpoint materialization transform; bypass warehouse HogQL access control so | ||
| # the transformed query can resolve source warehouse tables/views before materialization. | ||
| bypass_warehouse_access_control=True, |
There was a problem hiding this comment.
There is no test that verifies _print_materialized_hogql (or build_endpoint_hogql) succeeds when warehouse access control is enabled and no user is present. A future refactor that removes or negates this flag would silently reintroduce the failure with no test catching it.
A targeted test in test_endpoint_materialization.py could mock Database.create_for to assert it is called with bypass_warehouse_access_control=True, or mock HogQLDatabaseSources.is_hogql_warehouse_access_control_enabled to True and confirm the materialization pipeline still returns a valid HogQL string.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
There was a problem hiding this comment.
added test_materialization_transform_compiles_warehouse_table_without_user_context
|
Retaining stamphog approval — delta since last review classified as |
![veria-ai[bot]](https://avatars.githubusercontent.com/in/1723776?s=60&v=4){kind=small}
PR overviewAll previously flagged issues have been addressed. No open security concerns remain on this pull request. Security reviewNo open security issues remain on this pull request. Fixed/addressed: 1 · PR risk: 0/10 |
github-actions
Bot
dismissed
their stale review
New commits pushed (delta classified non_trivial_delta) — stamphog approval dismissed; re-review running automatically.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
No showstoppers. The PR fixes a security gap by threading user context through the materialization pipeline so warehouse ACL is enforced for user-triggered operations, while Temporal's userless internal rebuilds use an explicit bypass flag. The inline review concerns (all marked outdated) were addressed in the current diff, tests cover both enforcement and bypass paths.
2 participants
Problem
Endpoint materialization transforms run without a request user. If HogQL resolution needs warehouse tables/views in that trusted background path, resolving with normal request-scoped access control can fail because there is no user context.
Observed examples in Error tracking include the endpoint materialization transform stack under ResolutionError: Unknown table web_vitals_mv. That issue also contains older non-materialization occurrences, so this PR targets the materialization-transform path specifically.
Changes
Set
bypass_warehouse_access_control=Truewhile compiling HogQL for endpoint materialization transforms.How did you test this code?
Tests
Automatic notifications
Docs update
No