ClickHouse/tests/integration/test_role/test.py

import pytest
from helpers.cluster import ClickHouseCluster
from helpers.test_tools import TSV
import re

cluster = ClickHouseCluster(__file__)
instance = cluster.add_instance('instance')


@pytest.fixture(scope="module", autouse=True)
def started_cluster():
    try:
        cluster.start()
        
        instance.query("CREATE TABLE test_table(x UInt32, y UInt32) ENGINE = MergeTree ORDER BY tuple()")
        instance.query("INSERT INTO test_table VALUES (1,5), (2,10)")

        yield cluster

    finally:
        cluster.shutdown()


@pytest.fixture(autouse=True)
def cleanup_after_test():
    try:
        yield
    finally:
        instance.query("DROP USER IF EXISTS A, B")
        instance.query("DROP ROLE IF EXISTS R1, R2")


def test_create_role():
    instance.query("CREATE USER A")
    instance.query('CREATE ROLE R1')

    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    
    instance.query('GRANT SELECT ON test_table TO R1')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')

    instance.query('GRANT R1 TO A')
    assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"

    instance.query('REVOKE R1 FROM A')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')


def test_grant_role_to_role():
    instance.query("CREATE USER A")
    instance.query('CREATE ROLE R1')
    instance.query('CREATE ROLE R2')

    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    
    instance.query('GRANT R1 TO A')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    
    instance.query('GRANT R2 TO R1')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    
    instance.query('GRANT SELECT ON test_table TO R2')
    assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"


def test_combine_privileges():
    instance.query("CREATE USER A ")
    instance.query('CREATE ROLE R1')
    instance.query('CREATE ROLE R2')

    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    
    instance.query('GRANT R1 TO A')
    instance.query('GRANT SELECT(x) ON test_table TO R1')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')
    assert instance.query("SELECT x FROM test_table", user='A') == "1\n2\n"
    
    instance.query('GRANT SELECT(y) ON test_table TO R2')
    instance.query('GRANT R2 TO A')
    assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"


def test_admin_option():
    instance.query("CREATE USER A")
    instance.query("CREATE USER B")
    instance.query('CREATE ROLE R1')

    instance.query('GRANT SELECT ON test_table TO R1')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='B')

    instance.query('GRANT R1 TO A')
    assert "Not enough privileges" in instance.query_and_get_error("GRANT R1 TO B", user='A')
    assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='B')

    instance.query('GRANT R1 TO A WITH ADMIN OPTION')
    instance.query("GRANT R1 TO B", user='A')
    assert instance.query("SELECT * FROM test_table", user='B') == "1\t5\n2\t10\n"


def test_revoke_requires_admin_option():
    instance.query("CREATE USER A, B")
    instance.query("CREATE ROLE R1, R2")
    
    instance.query("GRANT R1 TO B")
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"

    expected_error = "necessary to have the role R1 granted"
    assert expected_error in instance.query_and_get_error("REVOKE R1 FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"

    instance.query("GRANT R1 TO A")
    expected_error = "granted, but without ADMIN option"
    assert expected_error in instance.query_and_get_error("REVOKE R1 FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"

    instance.query("GRANT R1 TO A WITH ADMIN OPTION")
    instance.query("REVOKE R1 FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == ""

    instance.query("GRANT R1 TO B")
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"
    instance.query("REVOKE ALL FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == ""

    instance.query("GRANT R1, R2 TO B")
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"
    expected_error = "necessary to have the role R2 granted"
    assert expected_error in instance.query_and_get_error("REVOKE ALL FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"
    instance.query("REVOKE ALL EXCEPT R2 FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R2 TO B\n"
    instance.query("GRANT R2 TO A WITH ADMIN OPTION")
    instance.query("REVOKE ALL FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == ""

    instance.query("GRANT R1, R2 TO B")
    assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"
    instance.query("REVOKE ALL FROM B", user='A')
    assert instance.query("SHOW GRANTS FOR B") == ""


def test_introspection():
    instance.query("CREATE USER A")
    instance.query("CREATE USER B")
    instance.query('CREATE ROLE R1')
    instance.query('CREATE ROLE R2')
    instance.query('GRANT R1 TO A')
    instance.query('GRANT R2 TO B WITH ADMIN OPTION')
    instance.query('GRANT SELECT ON test.table TO A, R2')
    instance.query('GRANT CREATE ON *.* TO B WITH GRANT OPTION')
    instance.query('REVOKE SELECT(x) ON test.table FROM R2')

    assert instance.query("SHOW ROLES") == TSV([ "R1", "R2" ])
    assert instance.query("SHOW CREATE ROLE R1") == TSV([ "CREATE ROLE R1" ])
    assert instance.query("SHOW CREATE ROLE R2") == TSV([ "CREATE ROLE R2" ])
    assert instance.query("SHOW CREATE ROLES R1, R2") == TSV([ "CREATE ROLE R1", "CREATE ROLE R2" ])
    assert instance.query("SHOW CREATE ROLES") == TSV([ "CREATE ROLE R1", "CREATE ROLE R2" ])

    assert instance.query("SHOW GRANTS FOR A") == TSV([ "GRANT SELECT ON test.table TO A", "GRANT R1 TO A" ])
    assert instance.query("SHOW GRANTS FOR B") == TSV([ "GRANT CREATE ON *.* TO B WITH GRANT OPTION", "GRANT R2 TO B WITH ADMIN OPTION" ])
    assert instance.query("SHOW GRANTS FOR R1") == ""
    assert instance.query("SHOW GRANTS FOR R2") == TSV([ "GRANT SELECT ON test.table TO R2", "REVOKE SELECT(x) ON test.table FROM R2" ])

    assert instance.query("SHOW GRANTS", user='A') == TSV([ "GRANT SELECT ON test.table TO A", "GRANT R1 TO A" ])
    assert instance.query("SHOW GRANTS", user='B') == TSV([ "GRANT CREATE ON *.* TO B WITH GRANT OPTION", "GRANT R2 TO B WITH ADMIN OPTION" ])
    assert instance.query("SHOW CURRENT ROLES", user='A') == TSV([[ "R1", 0, 1 ]])
    assert instance.query("SHOW CURRENT ROLES", user='B') == TSV([[ "R2", 1, 1 ]])
    assert instance.query("SHOW ENABLED ROLES", user='A') == TSV([[ "R1", 0, 1, 1 ]])
    assert instance.query("SHOW ENABLED ROLES", user='B') == TSV([[ "R2", 1, 1, 1 ]])

    expected_access1 = "CREATE ROLE R1\n"\
                       "CREATE ROLE R2\n"
    expected_access2 = "GRANT R1 TO A\n"
    expected_access3 = "GRANT R2 TO B WITH ADMIN OPTION"
    assert expected_access1 in instance.query("SHOW ACCESS")
    assert expected_access2 in instance.query("SHOW ACCESS")
    assert expected_access3 in instance.query("SHOW ACCESS")

    assert instance.query("SELECT name, storage from system.roles WHERE name IN ('R1', 'R2') ORDER BY name") ==\
           TSV([[ "R1", "disk" ],
                [ "R2", "disk" ]])

    assert instance.query("SELECT * from system.grants WHERE user_name IN ('A', 'B') OR role_name IN ('R1', 'R2') ORDER BY user_name, role_name, access_type, grant_option") ==\
           TSV([[ "A",  "\N", "SELECT", "test", "table", "\N", 0, 0 ],
                [ "B",  "\N", "CREATE", "\N",   "\N",    "\N", 0, 1 ],
                [ "\N", "R2", "SELECT", "test", "table", "\N", 0, 0 ],
                [ "\N", "R2", "SELECT", "test", "table", "x",  1, 0 ]])

    assert instance.query("SELECT * from system.role_grants WHERE user_name IN ('A', 'B') OR role_name IN ('R1', 'R2') ORDER BY user_name, role_name, granted_role_name") ==\
           TSV([[ "A", "\N", "R1", 1, 0 ],
                [ "B", "\N", "R2", 1, 1 ]])

    assert instance.query("SELECT * from system.current_roles ORDER BY role_name", user='A') == TSV([[ "R1", 0, 1 ]])
    assert instance.query("SELECT * from system.current_roles ORDER BY role_name", user='B') == TSV([[ "R2", 1, 1 ]])
    assert instance.query("SELECT * from system.enabled_roles ORDER BY role_name", user='A') == TSV([[ "R1", 0, 1, 1 ]])
    assert instance.query("SELECT * from system.enabled_roles ORDER BY role_name", user='B') == TSV([[ "R2", 1, 1, 1 ]])
Add tests. 2020-02-04 01:15:14 +00:00			`import pytest`
			`from helpers.cluster import ClickHouseCluster`
Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00			`from helpers.test_tools import TSV`
Add tests. 2020-02-04 01:15:14 +00:00			`import re`

			`cluster = ClickHouseCluster(__file__)`
Enable access management by default for all integration tests. 2020-04-08 00:50:27 +00:00			`instance = cluster.add_instance('instance')`
Add tests. 2020-02-04 01:15:14 +00:00

			`@pytest.fixture(scope="module", autouse=True)`
			`def started_cluster():`
			`try:`
			`cluster.start()`

Add tests for roles. 2020-02-20 04:17:44 +00:00			`instance.query("CREATE TABLE test_table(x UInt32, y UInt32) ENGINE = MergeTree ORDER BY tuple()")`
			`instance.query("INSERT INTO test_table VALUES (1,5), (2,10)")`
Add tests. 2020-02-04 01:15:14 +00:00
			`yield cluster`

			`finally:`
			`cluster.shutdown()`


Add tests for roles. 2020-02-20 04:17:44 +00:00			`@pytest.fixture(autouse=True)`
Split integration test 'test_grant_and_revoke' into two tests. 2020-06-14 22:07:52 +00:00			`def cleanup_after_test():`
Add tests for roles. 2020-02-20 04:17:44 +00:00			`try:`
			`yield`
			`finally:`
			`instance.query("DROP USER IF EXISTS A, B")`
			`instance.query("DROP ROLE IF EXISTS R1, R2")`


			`def test_create_role():`
Add tests for settings profiles. 2020-03-18 14:12:09 +00:00			`instance.query("CREATE USER A")`
Add tests for roles. 2020-02-20 04:17:44 +00:00			`instance.query('CREATE ROLE R1')`

			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT SELECT ON test_table TO R1')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT R1 TO A')`
			`assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"`

			`instance.query('REVOKE R1 FROM A')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`


			`def test_grant_role_to_role():`
Add tests for settings profiles. 2020-03-18 14:12:09 +00:00			`instance.query("CREATE USER A")`
Add tests for roles. 2020-02-20 04:17:44 +00:00			`instance.query('CREATE ROLE R1')`
			`instance.query('CREATE ROLE R2')`

			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT R1 TO A')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT R2 TO R1')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT SELECT ON test_table TO R2')`
			`assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"`


			`def test_combine_privileges():`
Add tests for settings profiles. 2020-03-18 14:12:09 +00:00			`instance.query("CREATE USER A ")`
Add tests for roles. 2020-02-20 04:17:44 +00:00			`instance.query('CREATE ROLE R1')`
			`instance.query('CREATE ROLE R2')`

			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`

			`instance.query('GRANT R1 TO A')`
			`instance.query('GRANT SELECT(x) ON test_table TO R1')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='A')`
			`assert instance.query("SELECT x FROM test_table", user='A') == "1\n2\n"`

			`instance.query('GRANT SELECT(y) ON test_table TO R2')`
			`instance.query('GRANT R2 TO A')`
			`assert instance.query("SELECT * FROM test_table", user='A') == "1\t5\n2\t10\n"`


			`def test_admin_option():`
Add tests for settings profiles. 2020-03-18 14:12:09 +00:00			`instance.query("CREATE USER A")`
			`instance.query("CREATE USER B")`
Add tests for roles. 2020-02-20 04:17:44 +00:00			`instance.query('CREATE ROLE R1')`

			`instance.query('GRANT SELECT ON test_table TO R1')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='B')`

			`instance.query('GRANT R1 TO A')`
			`assert "Not enough privileges" in instance.query_and_get_error("GRANT R1 TO B", user='A')`
			`assert "Not enough privileges" in instance.query_and_get_error("SELECT * FROM test_table", user='B')`

			`instance.query('GRANT R1 TO A WITH ADMIN OPTION')`
			`instance.query("GRANT R1 TO B", user='A')`
			`assert instance.query("SELECT * FROM test_table", user='B') == "1\t5\n2\t10\n"`
Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00

Improve REVOKE command: now it requires only grant/admin option for only access which will be revoked. REVOKE ALL FROM user1 now revokes all granted roles. 2020-07-02 00:09:57 +00:00			`def test_revoke_requires_admin_option():`
			`instance.query("CREATE USER A, B")`
			`instance.query("CREATE ROLE R1, R2")`

			`instance.query("GRANT R1 TO B")`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"`

			`expected_error = "necessary to have the role R1 granted"`
			`assert expected_error in instance.query_and_get_error("REVOKE R1 FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"`

			`instance.query("GRANT R1 TO A")`
			`expected_error = "granted, but without ADMIN option"`
			`assert expected_error in instance.query_and_get_error("REVOKE R1 FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"`

			`instance.query("GRANT R1 TO A WITH ADMIN OPTION")`
			`instance.query("REVOKE R1 FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == ""`

			`instance.query("GRANT R1 TO B")`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1 TO B\n"`
			`instance.query("REVOKE ALL FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == ""`

			`instance.query("GRANT R1, R2 TO B")`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"`
			`expected_error = "necessary to have the role R2 granted"`
			`assert expected_error in instance.query_and_get_error("REVOKE ALL FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"`
			`instance.query("REVOKE ALL EXCEPT R2 FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R2 TO B\n"`
			`instance.query("GRANT R2 TO A WITH ADMIN OPTION")`
			`instance.query("REVOKE ALL FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == ""`

			`instance.query("GRANT R1, R2 TO B")`
			`assert instance.query("SHOW GRANTS FOR B") == "GRANT R1, R2 TO B\n"`
			`instance.query("REVOKE ALL FROM B", user='A')`
			`assert instance.query("SHOW GRANTS FOR B") == ""`


Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00			`def test_introspection():`
			`instance.query("CREATE USER A")`
			`instance.query("CREATE USER B")`
			`instance.query('CREATE ROLE R1')`
			`instance.query('CREATE ROLE R2')`
			`instance.query('GRANT R1 TO A')`
			`instance.query('GRANT R2 TO B WITH ADMIN OPTION')`
			`instance.query('GRANT SELECT ON test.table TO A, R2')`
			`instance.query('GRANT CREATE ON . TO B WITH GRANT OPTION')`
			`instance.query('REVOKE SELECT(x) ON test.table FROM R2')`

			`assert instance.query("SHOW ROLES") == TSV([ "R1", "R2" ])`
Support multiple users/roles in SHOW CREATE USER(ROLE, etc.) and SHOW GRANTS FOR commands. Support syntax "SHOW CREATE USER ALL" and "SHOW GRANTS FOR ALL". 2020-06-06 07:21:02 +00:00			`assert instance.query("SHOW CREATE ROLE R1") == TSV([ "CREATE ROLE R1" ])`
			`assert instance.query("SHOW CREATE ROLE R2") == TSV([ "CREATE ROLE R2" ])`
			`assert instance.query("SHOW CREATE ROLES R1, R2") == TSV([ "CREATE ROLE R1", "CREATE ROLE R2" ])`
			`assert instance.query("SHOW CREATE ROLES") == TSV([ "CREATE ROLE R1", "CREATE ROLE R2" ])`

Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00			`assert instance.query("SHOW GRANTS FOR A") == TSV([ "GRANT SELECT ON test.table TO A", "GRANT R1 TO A" ])`
			`assert instance.query("SHOW GRANTS FOR B") == TSV([ "GRANT CREATE ON . TO B WITH GRANT OPTION", "GRANT R2 TO B WITH ADMIN OPTION" ])`
			`assert instance.query("SHOW GRANTS FOR R1") == ""`
			`assert instance.query("SHOW GRANTS FOR R2") == TSV([ "GRANT SELECT ON test.table TO R2", "REVOKE SELECT(x) ON test.table FROM R2" ])`
Add new command SHOW ACCESS. 2020-06-10 23:08:37 +00:00
Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00			`assert instance.query("SHOW GRANTS", user='A') == TSV([ "GRANT SELECT ON test.table TO A", "GRANT R1 TO A" ])`
			`assert instance.query("SHOW GRANTS", user='B') == TSV([ "GRANT CREATE ON . TO B WITH GRANT OPTION", "GRANT R2 TO B WITH ADMIN OPTION" ])`
			`assert instance.query("SHOW CURRENT ROLES", user='A') == TSV([[ "R1", 0, 1 ]])`
			`assert instance.query("SHOW CURRENT ROLES", user='B') == TSV([[ "R2", 1, 1 ]])`
			`assert instance.query("SHOW ENABLED ROLES", user='A') == TSV([[ "R1", 0, 1, 1 ]])`
			`assert instance.query("SHOW ENABLED ROLES", user='B') == TSV([[ "R2", 1, 1, 1 ]])`

Add new command SHOW ACCESS. 2020-06-10 23:08:37 +00:00			`expected_access1 = "CREATE ROLE R1\n"\`
			`"CREATE ROLE R2\n"`
			`expected_access2 = "GRANT R1 TO A\n"`
			`expected_access3 = "GRANT R2 TO B WITH ADMIN OPTION"`
			`assert expected_access1 in instance.query("SHOW ACCESS")`
			`assert expected_access2 in instance.query("SHOW ACCESS")`
			`assert expected_access3 in instance.query("SHOW ACCESS")`

Add system tables for users, roles and grants. 2020-05-12 23:36:39 +00:00			`assert instance.query("SELECT name, storage from system.roles WHERE name IN ('R1', 'R2') ORDER BY name") ==\`
			`TSV([[ "R1", "disk" ],`
			`[ "R2", "disk" ]])`

			`assert instance.query("SELECT * from system.grants WHERE user_name IN ('A', 'B') OR role_name IN ('R1', 'R2') ORDER BY user_name, role_name, access_type, grant_option") ==\`
			`TSV([[ "A", "\N", "SELECT", "test", "table", "\N", 0, 0 ],`
			`[ "B", "\N", "CREATE", "\N", "\N", "\N", 0, 1 ],`
			`[ "\N", "R2", "SELECT", "test", "table", "\N", 0, 0 ],`
			`[ "\N", "R2", "SELECT", "test", "table", "x", 1, 0 ]])`

			`assert instance.query("SELECT * from system.role_grants WHERE user_name IN ('A', 'B') OR role_name IN ('R1', 'R2') ORDER BY user_name, role_name, granted_role_name") ==\`
			`TSV([[ "A", "\N", "R1", 1, 0 ],`
			`[ "B", "\N", "R2", 1, 1 ]])`

			`assert instance.query("SELECT * from system.current_roles ORDER BY role_name", user='A') == TSV([[ "R1", 0, 1 ]])`
			`assert instance.query("SELECT * from system.current_roles ORDER BY role_name", user='B') == TSV([[ "R2", 1, 1 ]])`
			`assert instance.query("SELECT * from system.enabled_roles ORDER BY role_name", user='A') == TSV([[ "R1", 0, 1, 1 ]])`
			`assert instance.query("SELECT * from system.enabled_roles ORDER BY role_name", user='B') == TSV([[ "R2", 1, 1, 1 ]])`