ALTER NETWORK POLICY
PREVIEW
This feature is in private preview.
It is under active development and may have stability or performance issues.
It isn't subject to our backwards compatibility guarantees.
To enable this feature in your Materialize region, contact our team.
ALTER NETWORK POLICY alters an existing network policy. Network policies are part of Materialize’s framework for access control.
Changes to a network policy will only affect new connections and will not terminate active connections.
Syntax
network_policy_rule
Field | Value | Description |
---|---|---|
name | text | A name for the Network Policy. |
RULES | text[] | A comma-separated list of Network Policy Rules. |
Network policy rule options
Field | Value | Description |
---|---|---|
name | text | A name for the network policy rule. Must be unique within the network policy. |
ACTION | text | The action to take for this rule. ALLOW is the only valid option. |
DIRECTION | text | The direction of traffic the rule applies to. INGRESS is the only valid option. |
ADDRESS | text | The Classless Inter-Domain Routing (CIDR) block the rule will be applied to. |
Details
Pre-installed network policy
When you enable a Materialize region, a default network policy named default will be pre-installed. This policy has a wide open ingress rule allow 0.0.0.0/0. You can modify or drop this network policy at any time.
NOTE: The default value for the network_policy session parameter is default. Before dropping the default network policy, a superuser (i.e. Organization Admin) must run ALTER SYSTEM SET network_policy to change the default value.
Lockout prevention
To prevent lockout, the IP of the active user is validated against the policy changes requested. This prevents users from modifying network policies in a way that could lock them out of the system.
Privileges
The privileges required to execute this statement are:
- Ownership of the network policy.
Examples
```sql
-- Create a policy with two ingress allow rules.
CREATE NETWORK POLICY office_access_policy (
  RULES (
    new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
    minnesota (action='allow', direction='ingress', address='2.3.4.5/32')
  )
);

-- Alter the policy so that its rule list also includes boston.
ALTER NETWORK POLICY office_access_policy SET (
  RULES (
    new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
    minnesota (action='allow', direction='ingress', address='2.3.4.5/32'),
    boston (action='allow', direction='ingress', address='4.5.6.7/32')
  )
);

-- Change the default value of the network_policy parameter.
ALTER SYSTEM SET network_policy = office_access_policy;
```
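A client-side pre-flight check for a proposed rule set, added here as an example (it is not Materialize's own code). It applies the constraints from the rule options table and mirrors the lockout-prevention idea by confirming that the operator's current IP is still covered. The helper name `check_rules`, the dict layout and the operator addresses are assumptions, as is the treatment of CIDR host bits as masked.

```python
import ipaddress

# Constructed input: the rule set from the ALTER NETWORK POLICY example above.
PROPOSED_RULES = [
    {"name": "new_york", "action": "allow", "direction": "ingress", "address": "1.2.3.4/28"},
    {"name": "minnesota", "action": "allow", "direction": "ingress", "address": "2.3.4.5/32"},
    {"name": "boston", "action": "allow", "direction": "ingress", "address": "4.5.6.7/32"},
]


def check_rules(rules, client_ip):
    """Hypothetical helper: return findings for a rule set; [] means it passes."""
    findings, seen, networks = [], set(), []
    for rule in rules:
        name, before = rule["name"], len(findings)
        if name in seen:  # rule names must be unique within the policy
            findings.append(f"{name}: duplicate rule name")
        seen.add(name)
        if rule["action"].lower() != "allow":  # ALLOW is the only valid action
            findings.append(f"{name}: unsupported action {rule['action']!r}")
        if rule["direction"].lower() != "ingress":  # INGRESS is the only valid direction
            findings.append(f"{name}: unsupported direction {rule['direction']!r}")
        try:
            # Assumption: host bits are masked, so 1.2.3.4/28 covers 1.2.3.0-1.2.3.15.
            net = ipaddress.ip_network(rule["address"], strict=False)
        except ValueError:
            findings.append(f"{name}: invalid CIDR {rule['address']!r}")
            continue
        if len(findings) == before:  # only well-formed rules count toward coverage
            networks.append(net)
        if net.prefixlen == 0:  # same shape as the pre-installed allow-all rule
            findings.append(f"{name}: {net} admits every address")
    # Lockout check: the operator's own address must match at least one rule.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in networks):
        findings.append(f"lockout: {ip} is not covered by any rule")
    return findings


if __name__ == "__main__":
    for source in ("1.2.3.10", "9.9.9.9"):  # constructed operator addresses
        print(source, check_rules(PROPOSED_RULES, source) or "ok")
```

Running the check from the same network path used to reach Materialize gives the most useful result, since the address the service sees may differ from a workstation's local address.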