feat(elasticsearch): add statement type ACL support #19251

Open
h3n4l wants to merge 1 commit into main from feat/elasticsearch-statement-type-acl

@h3n4l (Member) commented Feb 5, 2026

Summary

Enable ACL control for ElasticSearch statement types in Bytebase's SQL Editor. This allows administrators to restrict users based on operation type (read-only, DML, DDL).

  • Add SplitMultiSQL to split REST API requests into individual statements
  • Add GetQuerySpan to classify requests by HTTP method and URL pattern
  • Add ClassifyRequest with comprehensive endpoint classification
  • Enable EngineSupportQueryNewACL for ELASTICSEARCH engine

Classification Rules

| QueryType | Permission | ElasticSearch Operations |
|---|---|---|
| Select | bb.sql.select | GET, HEAD, POST to read-only endpoints (_search, _count, _sql, etc.) |
| DML | bb.sql.dml | Document operations (_doc, _bulk, _update, _delete_by_query, etc.) |
| DDL | bb.sql.ddl | Index/schema operations (create/delete index, _mapping, templates, etc.) |
| Explain | bb.sql.explain | Explain API (_explain) |
| SelectInfoSchema | bb.sql.info | Cluster/node metadata (_cat/, _cluster/, _nodes/*) |

Test plan

  • Unit tests for query type classification (47 test cases)
  • Unit tests for statement splitting (6 test cases)
  • All existing elasticsearch parser tests pass
  • Linter passes
  • Build succeeds

🤖 Generated with Claude Code

@h3n4l h3n4l requested a review from a team as a code owner February 5, 2026 10:17
@cla-bot cla-bot bot added the cla-signed label Feb 5, 2026
Enable ACL control for ElasticSearch statement types in Bytebase's SQL
Editor. This allows administrators to restrict users based on operation
type (read-only, DML, DDL).

Changes:
- Add SplitMultiSQL to split REST API requests into individual statements
- Add GetQuerySpan to classify requests by HTTP method and URL pattern
- Add ClassifyRequest with comprehensive endpoint classification
- Enable EngineSupportQueryNewACL for ELASTICSEARCH engine

Classification rules:
- GET/HEAD -> Select (read-only)
- GET _cat/, _cluster/, _nodes/ -> SelectInfoSchema
- POST _search, _count, _sql, etc. -> Select (read-only)
- POST _explain -> Explain
- POST/PUT/DELETE _doc, _bulk, etc. -> DML (document operations)
- PUT/DELETE index, _mapping, etc. -> DDL (schema operations)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@h3n4l force-pushed the feat/elasticsearch-statement-type-acl branch from 092c9cf to 4a6e892 on February 5, 2026 10:20
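
The classification rules from the commit message above, written out as an added Go example; this is not code from the PR or from Bytebase. The `classify` helper, the endpoint sets (limited to the names listed on this page) and the choice to map anything unrecognised to `bb.sql.ddl` are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint sets hold only names listed on the page; its "etc." is not expanded.
var (
	infoRoots = map[string]bool{"_cat": true, "_cluster": true, "_nodes": true}
	readOnly  = map[string]bool{"_search": true, "_count": true, "_sql": true}
	docOps    = map[string]bool{"_doc": true, "_bulk": true, "_update": true, "_delete_by_query": true}
)

// classify is a hypothetical helper (not Bytebase's ClassifyRequest). It returns
// the permission string from the PR's table for one REST request.
func classify(method, rawPath string) string {
	segs := strings.Split(strings.Trim(strings.SplitN(rawPath, "?", 2)[0], "/"), "/")
	api := "" // first "_"-prefixed segment; index names cannot start with "_"
	for _, s := range segs {
		if strings.HasPrefix(s, "_") {
			api = s
			break
		}
	}
	switch m := strings.ToUpper(method); {
	case m == "GET" || m == "HEAD":
		if infoRoots[segs[0]] {
			return "bb.sql.info"
		}
		return "bb.sql.select"
	case m == "POST" && api == "_explain":
		return "bb.sql.explain"
	case m == "POST" && readOnly[api]:
		return "bb.sql.select"
	case docOps[api]:
		return "bb.sql.dml"
	}
	// Assumption: anything unrecognised fails closed to the strongest permission.
	return "bb.sql.ddl"
}

func main() {
	// Constructed sample requests.
	for _, r := range [][2]string{{"POST", "/logs/_search"}, {"post", "/logs/_doc?refresh=true"}, {"DELETE", "/logs"}} {
		fmt.Println(r[0], r[1], "->", classify(r[0], r[1]))
	}
}
```

The method is normalised and the query string dropped before matching, so `post /logs/_doc?refresh=true` is still treated as a document write rather than falling through on a case or suffix mismatch.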
},
{
name: "POST async search submit",
method: "POST",
Collaborator

YAML test data preferred

3 participants