ALTER NETWORK POLICY (Cloud)
Available for Materialize Cloud only
ALTER NETWORK POLICY alters an existing network policy. Network policies are
part of Materialize’s framework for access control.
Changes to a network policy will only affect new connections and will not terminate active connections.
Syntax
ALTER NETWORK POLICY <name> SET (
    RULES (
        <rule_name> (action='allow', direction='ingress', address=<address>)
        [, ...]
    )
)
;
| Syntax element | Description |
|---|---|
| `<name>` | The name of the network policy to modify. |
| `<rule_name>` | The name for the network policy rule. Must be unique within the network policy. |
| `<address>` | The Classless Inter-Domain Routing (CIDR) block to which the rule applies. |
Details
Pre-installed network policy
When you enable a Materialize region, a default network policy named default is pre-installed. This policy has a wide-open ingress rule that allows 0.0.0.0/0. You can modify or drop this network policy at any time.
NOTE: The default value for the network_policy session parameter is default. Before dropping the default network policy, a superuser (i.e. Organization Admin) must run ALTER SYSTEM SET network_policy to change the default value.
Lockout prevention
To prevent lockout, the IP of the active user is validated against the policy changes requested. This prevents users from modifying network policies in a way that could lock them out of the system.
Privileges
The privileges required to execute this statement are:
- Ownership of the network policy.
Examples
CREATE NETWORK POLICY office_access_policy (
    RULES (
        new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
        minnesota (action='allow', direction='ingress', address='2.3.4.5/32')
    )
);

ALTER NETWORK POLICY office_access_policy SET (
    RULES (
        new_york (action='allow', direction='ingress', address='1.2.3.4/28'),
        minnesota (action='allow', direction='ingress', address='2.3.4.5/32'),
        boston (action='allow', direction='ingress', address='4.5.6.7/32')
    )
);

ALTER SYSTEM SET network_policy = office_access_policy;
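
A client-side pre-flight for the lockout rule and the wide-open default rule described above, as an added example that is not part of the Materialize documentation or code. The function name `preflight`, the restriction to plain identifiers and the caller IP are assumptions; Materialize performs its own validation when the statement runs.

```python
import ipaddress
import re

# Assumption: only plain unquoted identifiers are accepted here, so names can be
# placed in the statement text without quoting.
IDENT = re.compile(r"[a-z_][a-z0-9_]*")

def preflight(policy, rules, client_ip):
    """Check (rule_name, cidr) pairs; return (sql, warnings) or raise ValueError."""
    if not IDENT.fullmatch(policy):
        raise ValueError(f"policy name {policy!r} is not a plain identifier")
    client = ipaddress.ip_address(client_ip)
    seen, parsed, warnings = set(), [], []
    for name, cidr in rules:
        if not IDENT.fullmatch(name):
            raise ValueError(f"rule name {name!r} is not a plain identifier")
        if name in seen:  # rule names must be unique within the policy
            raise ValueError(f"duplicate rule name {name!r}")
        seen.add(name)
        net = ipaddress.ip_network(cidr, strict=False)  # raises on a malformed CIDR
        if net.prefixlen == 0:
            warnings.append(f"{name}: {net} allows every address")
        elif str(net) != cidr:
            warnings.append(f"{name}: {cidr} normalizes to {net} "
                            f"({net.num_addresses} addresses)")
        parsed.append((name, net))
    # Client-side mirror of the lockout rule: the caller's own IP must stay allowed.
    if not any(client.version == net.version and client in net for _, net in parsed):
        raise ValueError(f"{client} matches no rule; this change would lock you out")
    body = ",\n".join(
        f"        {name} (action='allow', direction='ingress', address='{net}')"
        for name, net in parsed)
    return f"ALTER NETWORK POLICY {policy} SET (\n    RULES (\n{body}\n    )\n);", warnings

if __name__ == "__main__":
    # Constructed input: the page's three office rules, caller at a hypothetical IP.
    sql, notes = preflight("office_access_policy",
                           [("new_york", "1.2.3.4/28"), ("minnesota", "2.3.4.5/32"),
                            ("boston", "4.5.6.7/32")], "1.2.3.10")
    print(sql)
    print("\n".join(notes))
```

The emitted statement uses the normalized network address for each rule, so `1.2.3.4/28` appears as `1.2.3.0/28`, which covers the same 16 addresses.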