SHOW TAGS: Shared Tags Require the READ Privilege on the Tag

Attention

This behavior change is in the 2023_05 bundle.

For the current status of the bundle, refer to Bundle History.

The behavior of the SHOW TAGS command with respect to data sharing is as follows:

Previously:

If a data sharing provider shares a schema that stores tags, the consumer can view all of the shared tags using a SHOW TAGS command provided that the role that executes the SHOW TAGS command has the required privileges to access the shared schema.

Currently:

As a consumer, to use the SHOW TAGS command to view shared tags, you must use a role that is granted the READ privilege on each tag. The READ privilege for a tag is new and is only applicable in a data sharing context.

The provider chooses how to grant the READ privilege on the tag to the share:

  • Grant the READ privilege on each tag to the share directly.

    GRANT READ ON TAG mytag TO SHARE myshare;
    
    Copy
  • Grant the READ privilege on the tag to a database role and grant the database role to the share.

    GRANT READ ON TAG mytag TO DATABASE ROLE mydb.dbrole;
    GRANT DATABASE ROLE mydb.dbrole TO SHARE myshare;
    
    Copy

The consumer:

  • Creates a database from the share and grants privileges on the share to account roles (no changes).

  • Grants the database role to an account role (if applicable, no changes).

  • Uses SQL to execute the SHOW TAGS command.

To determine whether you have tags that are affected by the pending behavior, use these commands:

SHOW TAGS IN shared_database;
SHOW TAGS IN shared_schema;
Copy

Ref: 1196

Language: English