async fn rbac_active(
    client: &Client,
    emulator: bool,
) -> Result<bool, ConnectionError>
Whether RBAC is enforced on the connected cluster.
Both the global enable_rbac_checks and the session-level
enable_session_rbac_checks must be on for grants and role membership
checks to have any effect. When either is off, Materialize allows any role
to do anything, so callers that gate behavior on RBAC use this to decide
whether the role/grant machinery is meaningful. See
https://materialize.com/docs/security/self-managed/access-control/#enabling-rbac.
Whether the role/grant machinery is active for this operation.
Emulator profiles force this off even when the server reports RBAC on: the
single-user emulator has no use for the materialize_* roles, and setup’s
superuser/ownership gates would only get in the way. When emulator is
false this is exactly is_rbac_enabled.
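
The gate described above, modelled as a pure function over the two reported setting values. This is an added example, not the crate's own code: `parse_flag`, `RbacSettings`, `rbac_enabled_model`, `rbac_active_model`, `FlagError` and the accepted value spellings are assumptions, and no database client is involved.

```rust
// Added illustration, not project code. All names below are hypothetical.

#[derive(Debug, PartialEq)]
pub enum FlagError {
    Unrecognized(String),
}

/// Parse the text reported for a boolean setting. The accepted spellings
/// (on/off/true/false) are an assumption of this sketch.
pub fn parse_flag(raw: &str) -> Result<bool, FlagError> {
    match raw.trim().to_ascii_lowercase().as_str() {
        "on" | "true" => Ok(true),
        "off" | "false" => Ok(false),
        _ => Err(FlagError::Unrecognized(raw.to_string())),
    }
}

/// Raw values reported for the two switches named in the docs above.
pub struct RbacSettings<'a> {
    pub enable_rbac_checks: &'a str,
    pub enable_session_rbac_checks: &'a str,
}

/// Both switches must be on. Both are parsed before combining, so a garbled
/// value is an error even when the other switch is already off.
pub fn rbac_enabled_model(s: &RbacSettings) -> Result<bool, FlagError> {
    let global = parse_flag(s.enable_rbac_checks)?;
    let session = parse_flag(s.enable_session_rbac_checks)?;
    Ok(global && session)
}

/// Emulator profiles force the result off; otherwise defer to the settings.
/// Skipping the settings check for the emulator is an assumption.
pub fn rbac_active_model(s: &RbacSettings, emulator: bool) -> Result<bool, FlagError> {
    if emulator {
        return Ok(false);
    }
    rbac_enabled_model(s)
}

fn main() {
    // Constructed sample: global switch on, session switch off.
    let s = RbacSettings { enable_rbac_checks: "on", enable_session_rbac_checks: "off" };
    match rbac_active_model(&s, false) {
        Ok(true) => println!("RBAC enforced: grants and role membership are meaningful"),
        Ok(false) => println!("RBAC not enforced: any role can do anything"),
        Err(e) => println!("cannot determine RBAC state: {:?}", e),
    }
}
```

Returning an error for an unrecognized value keeps a caller from treating an unknown RBAC state as either enforced or unenforced.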