ClickHouse/src/Interpreters/InterpreterCreateRowPolicyQuery.cpp

#include <Interpreters/InterpreterCreateRowPolicyQuery.h>
#include <Parsers/ASTCreateRowPolicyQuery.h>
#include <Parsers/ASTRowPolicyName.h>
#include <Parsers/ASTRolesOrUsersSet.h>
#include <Parsers/formatAST.h>
#include <Interpreters/Context.h>
#include <Interpreters/executeDDLQueryOnCluster.h>
#include <Access/AccessControlManager.h>
#include <Access/AccessFlags.h>
#include <boost/range/algorithm/sort.hpp>


namespace DB
{
namespace
{
    void updateRowPolicyFromQueryImpl(
        RowPolicy & policy,
        const ASTCreateRowPolicyQuery & query,
        const RowPolicy::NameParts & override_name,
        const std::optional<RolesOrUsersSet> & override_to_roles)
    {
        if (!override_name.empty())
            policy.setNameParts(override_name);
        else if (!query.new_short_name.empty())
            policy.setShortName(query.new_short_name);
        else if (query.names->name_parts.size() == 1)
            policy.setNameParts(query.names->name_parts.front());

        if (query.is_restrictive)
            policy.setRestrictive(*query.is_restrictive);

        for (const auto & [condition_type, condition] : query.conditions)
            policy.conditions[condition_type] = condition ? serializeAST(*condition) : String{};

        if (override_to_roles)
            policy.to_roles = *override_to_roles;
        else if (query.roles)
            policy.to_roles = *query.roles;
    }
}


BlockIO InterpreterCreateRowPolicyQuery::execute()
{
    auto & query = query_ptr->as<ASTCreateRowPolicyQuery &>();
    auto & access_control = context.getAccessControlManager();
    context.checkAccess(query.alter ? AccessType::ALTER_ROW_POLICY : AccessType::CREATE_ROW_POLICY);

    if (!query.cluster.empty())
    {
        query.replaceCurrentUserTagWithName(context.getUserName());
        return executeDDLQueryOnCluster(query_ptr, context);
    }

    assert(query.names->cluster.empty());
    std::optional<RolesOrUsersSet> roles_from_query;
    if (query.roles)
        roles_from_query = RolesOrUsersSet{*query.roles, access_control, context.getUserID()};

    query.replaceEmptyDatabaseWithCurrent(context.getCurrentDatabase());

    if (query.alter)
    {
        auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
        {
            auto updated_policy = typeid_cast<std::shared_ptr<RowPolicy>>(entity->clone());
            updateRowPolicyFromQueryImpl(*updated_policy, query, {}, roles_from_query);
            return updated_policy;
        };
        Strings names = query.names->toStrings();
        if (query.if_exists)
        {
            auto ids = access_control.find<RowPolicy>(names);
            access_control.tryUpdate(ids, update_func);
        }
        else
            access_control.update(access_control.getIDs<RowPolicy>(names), update_func);
    }
    else
    {
        std::vector<AccessEntityPtr> new_policies;
        for (const auto & name_parts : query.names->name_parts)
        {
            auto new_policy = std::make_shared<RowPolicy>();
            updateRowPolicyFromQueryImpl(*new_policy, query, name_parts, roles_from_query);
            new_policies.emplace_back(std::move(new_policy));
        }

        if (query.if_not_exists)
            access_control.tryInsert(new_policies);
        else if (query.or_replace)
            access_control.insertOrReplace(new_policies);
        else
            access_control.insert(new_policies);
    }

    return {};
}


void InterpreterCreateRowPolicyQuery::updateRowPolicyFromQuery(RowPolicy & policy, const ASTCreateRowPolicyQuery & query)
{
    updateRowPolicyFromQueryImpl(policy, query, {}, {});
}

}
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <Interpreters/InterpreterCreateRowPolicyQuery.h>`
			`#include <Parsers/ASTCreateRowPolicyQuery.h>`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`#include <Parsers/ASTRowPolicyName.h>`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`#include <Parsers/ASTRolesOrUsersSet.h>`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <Parsers/formatAST.h>`
			`#include <Interpreters/Context.h>`
split DDLWorker.cpp 2020-11-03 13:47:26 +00:00			`#include <Interpreters/executeDDLQueryOnCluster.h>`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <Access/AccessControlManager.h>`
Rewrite the User class to be controlled by AccessControlManager. 2020-01-26 09:49:53 +00:00			`#include <Access/AccessFlags.h>`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <boost/range/algorithm/sort.hpp>`


			`namespace DB`
			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`namespace`
			`{`
			`void updateRowPolicyFromQueryImpl(`
			`RowPolicy & policy,`
			`const ASTCreateRowPolicyQuery & query,`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`const RowPolicy::NameParts & override_name,`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`const std::optional<RolesOrUsersSet> & override_to_roles)`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`{`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`if (!override_name.empty())`
			`policy.setNameParts(override_name);`
			`else if (!query.new_short_name.empty())`
			`policy.setShortName(query.new_short_name);`
			`else if (query.names->name_parts.size() == 1)`
			`policy.setNameParts(query.names->name_parts.front());`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
			`if (query.is_restrictive)`
			`policy.setRestrictive(*query.is_restrictive);`

Slightly improve syntax of CREATE POLICY. Also rename column source=>storage in table system.row_policies. 2020-06-05 18:56:33 +00:00			`for (const auto & [condition_type, condition] : query.conditions)`
			`policy.conditions[condition_type] = condition ? serializeAST(*condition) : String{};`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`if (override_to_roles)`
			`policy.to_roles = *override_to_roles;`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`else if (query.roles)`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`policy.to_roles = *query.roles;`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`
			`}`


Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`BlockIO InterpreterCreateRowPolicyQuery::execute()`
			`{`
Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00			`auto & query = query_ptr->as<ASTCreateRowPolicyQuery &>();`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`auto & access_control = context.getAccessControlManager();`
Rename sql command "CREATE POLICY" -> "CREATE ROW POLICY", "CREATE POLICY" is now an alias. 2020-04-02 18:31:59 +00:00			`context.checkAccess(query.alter ? AccessType::ALTER_ROW_POLICY : AccessType::CREATE_ROW_POLICY);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00
Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00			`if (!query.cluster.empty())`
			`{`
			`query.replaceCurrentUserTagWithName(context.getUserName());`
			`return executeDDLQueryOnCluster(query_ptr, context);`
			`}`

Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`assert(query.names->cluster.empty());`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`std::optional<RolesOrUsersSet> roles_from_query;`
Add class GenericRoleSet to represent a set of IDs of users and roles. 2020-02-10 02:26:56 +00:00			`if (query.roles)`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`roles_from_query = RolesOrUsersSet{*query.roles, access_control, context.getUserID()};`
Add class GenericRoleSet to represent a set of IDs of users and roles. 2020-02-10 02:26:56 +00:00
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`query.replaceEmptyDatabaseWithCurrent(context.getCurrentDatabase());`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`if (query.alter)`
			`{`
			`auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr`
			`{`
			`auto updated_policy = typeid_cast<std::shared_ptr<RowPolicy>>(entity->clone());`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`updateRowPolicyFromQueryImpl(*updated_policy, query, {}, roles_from_query);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`return updated_policy;`
			`};`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`Strings names = query.names->toStrings();`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`if (query.if_exists)`
			`{`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`auto ids = access_control.find<RowPolicy>(names);`
			`access_control.tryUpdate(ids, update_func);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`
			`else`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`access_control.update(access_control.getIDs<RowPolicy>(names), update_func);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`
			`else`
			`{`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`std::vector<AccessEntityPtr> new_policies;`
			`for (const auto & name_parts : query.names->name_parts)`
			`{`
			`auto new_policy = std::make_shared<RowPolicy>();`
			`updateRowPolicyFromQueryImpl(*new_policy, query, name_parts, roles_from_query);`
			`new_policies.emplace_back(std::move(new_policy));`
			`}`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00
			`if (query.if_not_exists)`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`access_control.tryInsert(new_policies);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`else if (query.or_replace)`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`access_control.insertOrReplace(new_policies);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`else`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`access_control.insert(new_policies);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`

			`return {};`
			`}`


Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`void InterpreterCreateRowPolicyQuery::updateRowPolicyFromQuery(RowPolicy & policy, const ASTCreateRowPolicyQuery & query)`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`{`
Support for multiple names in one CREATE/ALTER command. 2020-05-30 14:18:08 +00:00			`updateRowPolicyFromQueryImpl(policy, query, {}, {});`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`