ClickHouse/dbms/src/Interpreters/InterpreterGrantQuery.cpp

#include <Interpreters/InterpreterGrantQuery.h>
#include <Parsers/ASTGrantQuery.h>
#include <Parsers/ASTRoleList.h>
#include <Interpreters/Context.h>
#include <Access/AccessControlManager.h>
#include <Access/AccessRightsContext.h>
#include <Access/User.h>


namespace DB
{
BlockIO InterpreterGrantQuery::execute()
{
    const auto & query = query_ptr->as<const ASTGrantQuery &>();
    auto & access_control = context.getAccessControlManager();
    context.getAccessRights()->checkGrantOption(query.access_rights_elements);

    using Kind = ASTGrantQuery::Kind;

    if (query.to_roles->all_roles)
        throw Exception(
            "Cannot " + String((query.kind == Kind::GRANT) ? "GRANT to" : "REVOKE from") + " ALL", ErrorCodes::NOT_IMPLEMENTED);

    String current_database = context.getCurrentDatabase();

    auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
    {
        auto updated_user = typeid_cast<std::shared_ptr<User>>(entity->clone());
        if (query.kind == Kind::GRANT)
        {
            updated_user->access.grant(query.access_rights_elements, current_database);
            if (query.grant_option)
                updated_user->access_with_grant_option.grant(query.access_rights_elements, current_database);
        }
        else if (context.getSettingsRef().partial_revokes)
        {
            updated_user->access_with_grant_option.partialRevoke(query.access_rights_elements, current_database);
            if (!query.grant_option)
                updated_user->access.partialRevoke(query.access_rights_elements, current_database);
        }
        else
        {
            updated_user->access_with_grant_option.revoke(query.access_rights_elements, current_database);
            if (!query.grant_option)
                updated_user->access.revoke(query.access_rights_elements, current_database);
        }
        return updated_user;
    };

    std::vector<UUID> ids = access_control.getIDs<User>(query.to_roles->roles);
    if (query.to_roles->current_user)
        ids.push_back(context.getUserID());
    access_control.update(ids, update_func);
    return {};
}

}
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Interpreters/InterpreterGrantQuery.h>`
			`#include <Parsers/ASTGrantQuery.h>`
			`#include <Parsers/ASTRoleList.h>`
			`#include <Interpreters/Context.h>`
			`#include <Access/AccessControlManager.h>`
			`#include <Access/AccessRightsContext.h>`
			`#include <Access/User.h>`


			`namespace DB`
			`{`
			`BlockIO InterpreterGrantQuery::execute()`
			`{`
			`const auto & query = query_ptr->as<const ASTGrantQuery &>();`
			`auto & access_control = context.getAccessControlManager();`
			`context.getAccessRights()->checkGrantOption(query.access_rights_elements);`

			`using Kind = ASTGrantQuery::Kind;`

			`if (query.to_roles->all_roles)`
			`throw Exception(`
			`"Cannot " + String((query.kind == Kind::GRANT) ? "GRANT to" : "REVOKE from") + " ALL", ErrorCodes::NOT_IMPLEMENTED);`

			`String current_database = context.getCurrentDatabase();`

			`auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr`
			`{`
			`auto updated_user = typeid_cast<std::shared_ptr<User>>(entity->clone());`
			`if (query.kind == Kind::GRANT)`
			`{`
			`updated_user->access.grant(query.access_rights_elements, current_database);`
			`if (query.grant_option)`
			`updated_user->access_with_grant_option.grant(query.access_rights_elements, current_database);`
			`}`
Implement partial revokes. 2020-02-05 03:17:43 +00:00			`else if (context.getSettingsRef().partial_revokes)`
			`{`
			`updated_user->access_with_grant_option.partialRevoke(query.access_rights_elements, current_database);`
			`if (!query.grant_option)`
			`updated_user->access.partialRevoke(query.access_rights_elements, current_database);`
			`}`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`else`
			`{`
			`updated_user->access_with_grant_option.revoke(query.access_rights_elements, current_database);`
			`if (!query.grant_option)`
			`updated_user->access.revoke(query.access_rights_elements, current_database);`
			`}`
			`return updated_user;`
			`};`

			`std::vector<UUID> ids = access_control.getIDs<User>(query.to_roles->roles);`
			`if (query.to_roles->current_user)`
			`ids.push_back(context.getUserID());`
			`access_control.update(ids, update_func);`
			`return {};`
			`}`

			`}`