Fix session based http auth allowed roles #36306

Merged
alex-hunt-materialize merged 3 commits into MaterializeInc:main from alex-hunt-materialize:fix_session-based_http_auth_allowed_roles
Apr 29, 2026

@alex-hunt-materialize commented Apr 28, 2026

Motivation

Fixes https://github.com/MaterializeInc/database-issues/issues/11340

Description

Fix session based http auth allowed roles.

Prevents obtaining a session token for roles not allowed, and prevents using a previously obtained (not sure how this would be possible) session token for a role that is disallowed.

Verification

New http-auth test.

@alex-hunt-materialize force-pushed the fix_session-based_http_auth_allowed_roles branch from 1619201 to 4add71d, April 28, 2026 13:27
@alex-hunt-materialize force-pushed the fix_session-based_http_auth_allowed_roles branch from 4add71d to c9813e6, April 28, 2026 14:07
@alex-hunt-materialize force-pushed the fix_session-based_http_auth_allowed_roles branch from c9813e6 to efd8f6c, April 28, 2026 14:11
@alex-hunt-materialize

@def- I adapted your #36293 change here. Your second test wasn't testing that they couldn't use the session token, since they shouldn't be able to get one anyway. I'm not sure of any way to test that, since it shouldn't be possible to get a session token now.

@alex-hunt-materialize marked this pull request as ready for review April 28, 2026 15:01
@alex-hunt-materialize requested review from a team as code owners April 28, 2026 15:01

@mtabebe left a comment

LGTM thanks for the test

@def- left a comment

Thanks! Otherwise lgtm

Comment thread ci/test/pipeline.template.yml Outdated
agents:
queue: hetzner-aarch64-4cpu-8gb

- id: http-auth

This can probably live in Nightly, I don't expect breaking to be high risk.

Contributor Author

moved

@alex-hunt-materialize enabled auto-merge (squash) April 29, 2026 08:32
@alex-hunt-materialize merged commit ce10ad4 into MaterializeInc:main Apr 29, 2026
123 checks passed
@alex-hunt-materialize deleted the fix_session-based_http_auth_allowed_roles branch April 29, 2026 10:15
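
The two checks named in the PR description (at session-token issuance and at session-token use), sketched as an added example that is not part of this PR or of Materialize's code. `Listener`, `login`, `authorize`, `plant_session`, the token format and the role names are all hypothetical.

```rust
use std::collections::{HashMap, HashSet};
#[derive(Debug, PartialEq)]
pub enum AuthError { BadCredentials, RoleNotAllowed, UnknownSession }

// Hypothetical listener model; every name here is illustrative.
pub struct Listener {
    allowed_roles: HashSet<String>,     // roles this HTTP listener may serve
    passwords: HashMap<String, String>, // role -> password (constructed; hash in real code)
    sessions: HashMap<String, String>,  // session token -> role
}
impl Listener {
    pub fn new(allowed: &[&str], creds: &[(&str, &str)]) -> Self {
        Listener {
            allowed_roles: allowed.iter().map(|r| r.to_string()).collect(),
            passwords: creds.iter().map(|(r, p)| (r.to_string(), p.to_string())).collect(),
            sessions: HashMap::new(),
        }
    }
    fn check_role(&self, role: &str) -> Result<(), AuthError> {
        if self.allowed_roles.contains(role) { Ok(()) } else { Err(AuthError::RoleNotAllowed) }
    }
    // Check 1: never issue a session token for a role the listener disallows.
    pub fn login(&mut self, role: &str, password: &str) -> Result<String, AuthError> {
        if self.passwords.get(role).map(String::as_str) != Some(password) {
            return Err(AuthError::BadCredentials);
        }
        self.check_role(role)?;
        // Placeholder token; a real server uses a random, unguessable value.
        let token = format!("demo-token-{}", self.sessions.len() + 1);
        self.sessions.insert(token.clone(), role.to_string());
        Ok(token)
    }
    // Check 2: re-check the role on every request made with an existing token.
    pub fn authorize(&self, token: &str) -> Result<&str, AuthError> {
        let role = self.sessions.get(token).ok_or(AuthError::UnknownSession)?;
        self.check_role(role)?;
        Ok(role.as_str())
    }
    // Test helper: plants a session as if it had been stored before check 1 existed.
    pub fn plant_session(&mut self, token: &str, role: &str) {
        self.sessions.insert(token.to_string(), role.to_string());
    }
}

fn main() {
    let mut l = Listener::new(&["app_user"], &[("app_user", "pw1"), ("internal_admin", "pw2")]);
    println!("{:?}", l.login("internal_admin", "pw2"));
    l.plant_session("old-token", "internal_admin");
    println!("{:?}", l.authorize("old-token"));
}
```

Planting a session directly in the store is one way to exercise the second check in a test when the login path no longer hands out a token for a disallowed role.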