#pragma once
#include <Access/IAccessEntity.h>
#include <Access/ExtendedRoleSet.h>
namespace DB
{
class Context;
/** Represents a row-level security policy for a table.
*/
struct RowPolicy : public IAccessEntity
{
    /// Identity of a policy: database, table and policy name. The setters are
    /// declared here and defined out of line. setName() overrides the
    /// IAccessEntity hook, and getName() below returns the same `policy_name`,
    /// so the policy name is what the base class reports as this entity's name.
    void setDatabase(const String & database_);
    void setTableName(const String & table_name_);
    void setName(const String & policy_name_) override;
    /// Sets all three identity parts in one call.
    void setFullName(const String & database_, const String & table_name_, const String & policy_name_);

    /// Accessors for the identity parts. Each returns a copy of the stored String.
    /// NOTE(review): returning `const String &` would avoid a copy per call — confirm
    /// no caller relies on the value return type before changing it.
    String getDatabase() const { return database; }
    String getTableName() const { return table_name; }
    String getName() const override { return policy_name; }

    /// Plain aggregate holding the three identity parts, with helpers that join
    /// them into a single full name.
    struct FullNameParts
    {
        String database;
        String table_name;
        String policy_name;
        /// Joins the parts into one full name; format defined out of line.
        String getFullName() const;
        /// Overload taking a Context — presumably used to fill in a missing
        /// database from the session; verify against the definition.
        String getFullName(const Context & context) const;
    };

    /// A filter is a SQL conditional expression used to decide which rows are visible
    /// to the user or available for modification. Rows for which the expression
    /// returns NULL or false are silently suppressed.
    /// A check is a SQL conditional expression used to decide whether a row may be
    /// written into the table. If the expression returns NULL or false an exception is thrown.
    /// An empty expression means no filtering (or checking) is applied for that
    /// condition type — a policy meant to restrict access must populate every
    /// condition type it is expected to cover.
    /// Kept a plain (unscoped) enum so the enumerators can size `conditions` directly.
    enum ConditionType
    {
        SELECT_FILTER,
        INSERT_CHECK,
        UPDATE_FILTER,
        UPDATE_CHECK,
        DELETE_FILTER,

        /// Count of real condition types; sizes `conditions`, not a condition itself.
        MAX_CONDITION_TYPE
    };

    /// Human-readable name of a condition type; defined out of line.
    static const char * conditionTypeToString(ConditionType index);
    /// Column name associated with a condition type (presumably the column that
    /// exposes it in a system table); defined out of line.
    static const char * conditionTypeToColumnName(ConditionType index);

    /// Raw SQL expression text per condition type, indexed by ConditionType.
    /// An empty entry disables that filter/check for this policy (see above).
    String conditions[MAX_CONDITION_TYPE];

    /// Marks the policy as permissive (the default: `restrictive` is initialised to false below).
    /// A row is only accessible if at least one of the permissive policies passes,
    /// in addition to all the restrictive policies. Stored as the negation of `restrictive`.
    void setPermissive(bool permissive_ = true) { setRestrictive(!permissive_); }
    bool isPermissive() const { return !isRestrictive(); }

    /// Marks the policy as restrictive.
    /// A row is only accessible if at least one of the permissive policies passes,
    /// in addition to all the restrictive policies.
    void setRestrictive(bool restrictive_ = true) { restrictive = restrictive_; }
    bool isRestrictive() const { return restrictive; }

    /// Equality against another access entity (override); defined out of line.
    bool equal(const IAccessEntity & other) const override;
    /// Copies this policy through the base-class helper `cloneImpl`, instantiated
    /// for the concrete RowPolicy type.
    std::shared_ptr<IAccessEntity> clone() const override { return cloneImpl<RowPolicy>(); }

    /// Which roles or users should use this row policy.
    ExtendedRoleSet to_roles;

private:
    String database;
    String table_name;
    String policy_name;
    /// A freshly constructed policy is permissive (see isPermissive()).
    bool restrictive = false;
};
/// Shared, read-only handle to a RowPolicy: the pointee is const, so a holder
/// cannot modify a stored policy through this pointer.
using RowPolicyPtr = std::shared_ptr<const RowPolicy>;
}