ClickHouse/src/Interpreters/InterpreterShowGrantsQuery.cpp

#include <Interpreters/InterpreterShowGrantsQuery.h>
#include <Parsers/ASTShowGrantsQuery.h>
#include <Parsers/ASTGrantQuery.h>
#include <Parsers/ASTRolesOrUsersSet.h>
#include <Parsers/formatAST.h>
#include <Interpreters/Context.h>
#include <Columns/ColumnString.h>
#include <DataStreams/OneBlockInputStream.h>
#include <DataTypes/DataTypeString.h>
#include <Access/AccessControlManager.h>
#include <Access/User.h>
#include <Access/Role.h>
#include <Access/RolesOrUsersSet.h>
#include <boost/range/algorithm/sort.hpp>
#include <boost/range/algorithm_ext/push_back.hpp>


namespace DB
{
namespace ErrorCodes
{
    extern const int LOGICAL_ERROR;
}

namespace
{
    template <typename T>
    ASTs getGrantQueriesImpl(
        const T & grantee,
        const AccessControlManager * manager /* not used if attach_mode == true */,
        bool attach_mode = false)
    {
        ASTs res;

        std::shared_ptr<ASTRolesOrUsersSet> to_roles = std::make_shared<ASTRolesOrUsersSet>();
        to_roles->names.push_back(grantee.getName());

        std::shared_ptr<ASTGrantQuery> current_query = nullptr;

        auto elements = grantee.access.getElements();
        for (const auto & element : elements)
        {
            if (current_query)
            {
                const auto & prev_element = current_query->access_rights_elements.back();
                bool continue_using_current_query = (element.database == prev_element.database)
                    && (element.any_database == prev_element.any_database) && (element.table == prev_element.table)
                    && (element.any_table == prev_element.any_table) && (element.grant_option == current_query->grant_option)
                    && (element.kind == current_query->kind);
                if (!continue_using_current_query)
                    current_query = nullptr;
            }

            if (!current_query)
            {
                current_query = std::make_shared<ASTGrantQuery>();
                current_query->kind = element.kind;
                current_query->attach = attach_mode;
                current_query->grant_option = element.grant_option;
                current_query->to_roles = to_roles;
                res.push_back(current_query);
            }

            current_query->access_rights_elements.emplace_back(std::move(element));
        }

        auto grants_roles = grantee.granted_roles.getGrants();

        for (bool admin_option : {false, true})
        {
            const auto & roles = admin_option ? grants_roles.grants_with_admin_option : grants_roles.grants;
            if (roles.empty())
                continue;

            auto grant_query = std::make_shared<ASTGrantQuery>();
            using Kind = ASTGrantQuery::Kind;
            grant_query->kind = Kind::GRANT;
            grant_query->attach = attach_mode;
            grant_query->admin_option = admin_option;
            grant_query->to_roles = to_roles;
            if (attach_mode)
                grant_query->roles = RolesOrUsersSet{roles}.toAST();
            else
                grant_query->roles = RolesOrUsersSet{roles}.toASTWithNames(*manager);
            res.push_back(std::move(grant_query));
        }

        return res;
    }

    ASTs getGrantQueriesImpl(
        const IAccessEntity & entity,
        const AccessControlManager * manager /* not used if attach_mode == true */,
        bool attach_mode = false)
    {
        if (const User * user = typeid_cast<const User *>(&entity))
            return getGrantQueriesImpl(*user, manager, attach_mode);
        if (const Role * role = typeid_cast<const Role *>(&entity))
            return getGrantQueriesImpl(*role, manager, attach_mode);
        throw Exception(entity.outputTypeAndName() + " is expected to be user or role", ErrorCodes::LOGICAL_ERROR);
    }

}


BlockIO InterpreterShowGrantsQuery::execute()
{
    BlockIO res;
    res.in = executeImpl();
    return res;
}


BlockInputStreamPtr InterpreterShowGrantsQuery::executeImpl()
{
    /// Build a create query.
    ASTs grant_queries = getGrantQueries();

    /// Build the result column.
    MutableColumnPtr column = ColumnString::create();
    std::stringstream grant_ss;
    for (const auto & grant_query : grant_queries)
    {
        grant_ss.str("");
        formatAST(*grant_query, grant_ss, false, true);
        column->insert(grant_ss.str());
    }

    /// Prepare description of the result column.
    std::stringstream desc_ss;
    const auto & show_query = query_ptr->as<const ASTShowGrantsQuery &>();
    formatAST(show_query, desc_ss, false, true);
    String desc = desc_ss.str();
    String prefix = "SHOW ";
    if (desc.starts_with(prefix))
        desc = desc.substr(prefix.length()); /// `desc` always starts with "SHOW ", so we can trim this prefix.

    return std::make_shared<OneBlockInputStream>(Block{{std::move(column), std::make_shared<DataTypeString>(), desc}});
}


std::vector<AccessEntityPtr> InterpreterShowGrantsQuery::getEntities() const
{
    const auto & show_query = query_ptr->as<ASTShowGrantsQuery &>();
    const auto & access_control = context.getAccessControlManager();
    auto ids = RolesOrUsersSet{*show_query.for_roles, access_control, context.getUserID()}.getMatchingIDs(access_control);

    std::vector<AccessEntityPtr> entities;
    for (const auto & id : ids)
    {
        auto entity = access_control.tryRead(id);
        if (entity)
            entities.push_back(entity);
    }

    boost::range::sort(entities, IAccessEntity::LessByTypeAndName{});
    return entities;
}


ASTs InterpreterShowGrantsQuery::getGrantQueries() const
{
    auto entities = getEntities();
    const auto & access_control = context.getAccessControlManager();

    ASTs grant_queries;
    for (const auto & entity : entities)
        boost::range::push_back(grant_queries, getGrantQueries(*entity, access_control));

    return grant_queries;
}


ASTs InterpreterShowGrantsQuery::getGrantQueries(const IAccessEntity & user_or_role, const AccessControlManager & access_control)
{
    return getGrantQueriesImpl(user_or_role, &access_control, false);
}


ASTs InterpreterShowGrantsQuery::getAttachGrantQueries(const IAccessEntity & user_or_role)
{
    return getGrantQueriesImpl(user_or_role, nullptr, true);
}

}
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Interpreters/InterpreterShowGrantsQuery.h>`
			`#include <Parsers/ASTShowGrantsQuery.h>`
			`#include <Parsers/ASTGrantQuery.h>`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`#include <Parsers/ASTRolesOrUsersSet.h>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Parsers/formatAST.h>`
			`#include <Interpreters/Context.h>`
			`#include <Columns/ColumnString.h>`
			`#include <DataStreams/OneBlockInputStream.h>`
			`#include <DataTypes/DataTypeString.h>`
			`#include <Access/AccessControlManager.h>`
			`#include <Access/User.h>`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`#include <Access/Role.h>`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`#include <Access/RolesOrUsersSet.h>`
			`#include <boost/range/algorithm/sort.hpp>`
			`#include <boost/range/algorithm_ext/push_back.hpp>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00

			`namespace DB`
			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`namespace ErrorCodes`
			`{`
			`extern const int LOGICAL_ERROR;`
			`}`

Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`namespace`
			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`template <typename T>`
			`ASTs getGrantQueriesImpl(`
			`const T & grantee,`
			`const AccessControlManager * manager /* not used if attach_mode == true */,`
			`bool attach_mode = false)`
			`{`
			`ASTs res;`

Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`std::shared_ptr<ASTRolesOrUsersSet> to_roles = std::make_shared<ASTRolesOrUsersSet>();`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`to_roles->names.push_back(grantee.getName());`

Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`std::shared_ptr<ASTGrantQuery> current_query = nullptr;`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`auto elements = grantee.access.getElements();`
			`for (const auto & element : elements)`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`{`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`if (current_query)`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`{`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`const auto & prev_element = current_query->access_rights_elements.back();`
			`bool continue_using_current_query = (element.database == prev_element.database)`
			`&& (element.any_database == prev_element.any_database) && (element.table == prev_element.table)`
			`&& (element.any_table == prev_element.any_table) && (element.grant_option == current_query->grant_option)`
			`&& (element.kind == current_query->kind);`
			`if (!continue_using_current_query)`
			`current_query = nullptr;`
			`}`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`if (!current_query)`
			`{`
			`current_query = std::make_shared<ASTGrantQuery>();`
			`current_query->kind = element.kind;`
			`current_query->attach = attach_mode;`
			`current_query->grant_option = element.grant_option;`
			`current_query->to_roles = to_roles;`
			`res.push_back(current_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00
			`current_query->access_rights_elements.emplace_back(std::move(element));`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`

Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`auto grants_roles = grantee.granted_roles.getGrants();`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`for (bool admin_option : {false, true})`
			`{`
			`const auto & roles = admin_option ? grants_roles.grants_with_admin_option : grants_roles.grants;`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`if (roles.empty())`
			`continue;`

			`auto grant_query = std::make_shared<ASTGrantQuery>();`
			`using Kind = ASTGrantQuery::Kind;`
			`grant_query->kind = Kind::GRANT;`
			`grant_query->attach = attach_mode;`
			`grant_query->admin_option = admin_option;`
			`grant_query->to_roles = to_roles;`
			`if (attach_mode)`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`grant_query->roles = RolesOrUsersSet{roles}.toAST();`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`else`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`grant_query->roles = RolesOrUsersSet{roles}.toASTWithNames(*manager);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`res.push_back(std::move(grant_query));`
			`}`

			`return res;`
			`}`

			`ASTs getGrantQueriesImpl(`
			`const IAccessEntity & entity,`
			`const AccessControlManager * manager /* not used if attach_mode == true */,`
			`bool attach_mode = false)`
			`{`
			`if (const User * user = typeid_cast<const User *>(&entity))`
			`return getGrantQueriesImpl(*user, manager, attach_mode);`
			`if (const Role * role = typeid_cast<const Role *>(&entity))`
			`return getGrantQueriesImpl(*role, manager, attach_mode);`
Use enum Type instead of std::type_index to represent the type of IAccessEntity. This change simplifies handling of access entities in access storages. 2020-05-03 03:12:03 +00:00			`throw Exception(entity.outputTypeAndName() + " is expected to be user or role", ErrorCodes::LOGICAL_ERROR);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`

Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`}`


			`BlockIO InterpreterShowGrantsQuery::execute()`
			`{`
			`BlockIO res;`
			`res.in = executeImpl();`
			`return res;`
			`}`


			`BlockInputStreamPtr InterpreterShowGrantsQuery::executeImpl()`
			`{`
			`/// Build a create query.`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`ASTs grant_queries = getGrantQueries();`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00
			`/// Build the result column.`
			`MutableColumnPtr column = ColumnString::create();`
			`std::stringstream grant_ss;`
			`for (const auto & grant_query : grant_queries)`
			`{`
			`grant_ss.str("");`
			`formatAST(*grant_query, grant_ss, false, true);`
			`column->insert(grant_ss.str());`
			`}`

			`/// Prepare description of the result column.`
			`std::stringstream desc_ss;`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`const auto & show_query = query_ptr->as<const ASTShowGrantsQuery &>();`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`formatAST(show_query, desc_ss, false, true);`
			`String desc = desc_ss.str();`
			`String prefix = "SHOW ";`
			`if (desc.starts_with(prefix))`
			desc = desc.substr(prefix.length()); /// `desc` always starts with "SHOW ", so we can trim this prefix.

			`return std::make_shared<OneBlockInputStream>(Block{{std::move(column), std::make_shared<DataTypeString>(), desc}});`
			`}`


Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`std::vector<AccessEntityPtr> InterpreterShowGrantsQuery::getEntities() const`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`{`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`const auto & show_query = query_ptr->as<ASTShowGrantsQuery &>();`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`const auto & access_control = context.getAccessControlManager();`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`auto ids = RolesOrUsersSet{*show_query.for_roles, access_control, context.getUserID()}.getMatchingIDs(access_control);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`std::vector<AccessEntityPtr> entities;`
			`for (const auto & id : ids)`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`{`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`auto entity = access_control.tryRead(id);`
			`if (entity)`
			`entities.push_back(entity);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`}`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`boost::range::sort(entities, IAccessEntity::LessByTypeAndName{});`
			`return entities;`
			`}`


			`ASTs InterpreterShowGrantsQuery::getGrantQueries() const`
			`{`
			`auto entities = getEntities();`
			`const auto & access_control = context.getAccessControlManager();`

			`ASTs grant_queries;`
			`for (const auto & entity : entities)`
			`boost::range::push_back(grant_queries, getGrantQueries(*entity, access_control));`

			`return grant_queries;`
			`}`


			`ASTs InterpreterShowGrantsQuery::getGrantQueries(const IAccessEntity & user_or_role, const AccessControlManager & access_control)`
			`{`
			`return getGrantQueriesImpl(user_or_role, &access_control, false);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`ASTs InterpreterShowGrantsQuery::getAttachGrantQueries(const IAccessEntity & user_or_role)`
			`{`
			`return getGrantQueriesImpl(user_or_role, nullptr, true);`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`}`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`}`