2020-07-10 10:18:52 +00:00
import pytest
from helpers . cluster import ClickHouseCluster
from helpers . test_tools import TSV
cluster = ClickHouseCluster ( __file__ )
2023-02-07 12:01:15 +00:00
instance = cluster . add_instance (
" instance " ,
user_configs = [
" configs/users.d/users.xml " ,
] ,
)
2020-07-10 10:18:52 +00:00
@pytest.fixture ( scope = " module " , autouse = True )
def start_cluster ( ) :
try :
cluster . start ( )
2020-09-16 04:26:10 +00:00
2020-07-10 10:18:52 +00:00
instance . query ( " CREATE DATABASE test " )
2022-03-22 16:39:58 +00:00
instance . query (
" CREATE TABLE test.table(x UInt32, y UInt32) ENGINE = MergeTree ORDER BY tuple() "
)
2023-04-11 23:55:59 +00:00
instance . query (
" CREATE TABLE test.table2(x UInt32, y UInt32) ENGINE = MergeTree ORDER BY tuple() "
)
2020-07-10 10:18:52 +00:00
instance . query ( " INSERT INTO test.table VALUES (1,5), (2,10) " )
2020-09-16 04:26:10 +00:00
2020-07-10 10:18:52 +00:00
yield cluster
finally :
cluster . shutdown ( )
@pytest.fixture ( autouse = True )
def cleanup_after_test ( ) :
try :
yield
finally :
2021-03-11 13:44:00 +00:00
instance . query ( " DROP USER IF EXISTS A, B, C " )
2020-07-10 11:34:51 +00:00
instance . query ( " DROP TABLE IF EXISTS test.view_1 " )
2020-07-10 10:18:52 +00:00
2020-07-10 11:34:51 +00:00
def test_smoke ( ) :
2020-07-10 10:18:52 +00:00
instance . query ( " CREATE USER A " )
2022-03-22 16:39:58 +00:00
assert " Not enough privileges " in instance . query_and_get_error (
" SELECT * FROM test.table " , user = " A "
)
2020-09-16 04:26:10 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A " )
assert instance . query ( " SELECT * FROM test.table " , user = " A " ) == " 1 \t 5 \n 2 \t 10 \n "
2020-07-10 10:18:52 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE SELECT ON test.table FROM A " )
assert " Not enough privileges " in instance . query_and_get_error (
" SELECT * FROM test.table " , user = " A "
)
2020-07-10 10:18:52 +00:00
def test_grant_option ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " CREATE USER B " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A " )
assert instance . query ( " SELECT * FROM test.table " , user = " A " ) == " 1 \t 5 \n 2 \t 10 \n "
assert " Not enough privileges " in instance . query_and_get_error (
" GRANT SELECT ON test.table TO B " , user = " A "
)
2020-09-16 04:26:10 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A WITH GRANT OPTION " )
instance . query ( " GRANT SELECT ON test.table TO B " , user = " A " )
assert instance . query ( " SELECT * FROM test.table " , user = " B " ) == " 1 \t 5 \n 2 \t 10 \n "
2020-07-10 10:18:52 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE SELECT ON test.table FROM A, B " )
2020-07-10 10:18:52 +00:00
def test_revoke_requires_grant_option ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " CREATE USER B " )
2020-09-16 04:26:10 +00:00
2020-07-10 10:18:52 +00:00
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
expected_error = " Not enough privileges "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" REVOKE SELECT ON test.table FROM B " , user = " A "
)
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
instance . query ( " GRANT SELECT ON test.table TO A " )
expected_error = " privileges have been granted, but without grant option "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" REVOKE SELECT ON test.table FROM B " , user = " A "
)
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
instance . query ( " GRANT SELECT ON test.table TO A WITH GRANT OPTION " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE SELECT ON test.table FROM B " , user = " A " )
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE SELECT ON test.* FROM B " , user = " A " )
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE ALL ON test.* FROM B " , user = " A " )
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE ALL ON *.* FROM B " , user = " A " )
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
instance . query ( " REVOKE GRANT OPTION FOR ALL ON *.* FROM A " )
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
expected_error = " privileges have been granted, but without grant option "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" REVOKE SELECT ON test.table FROM B " , user = " A "
)
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
instance . query ( " GRANT SELECT ON test.* TO A WITH GRANT OPTION " )
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == " GRANT SELECT ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
instance . query ( " REVOKE SELECT ON test.table FROM B " , user = " A " )
2020-07-10 10:18:52 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
2021-03-11 13:44:00 +00:00
def test_allowed_grantees ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " CREATE USER B " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A WITH GRANT OPTION " )
instance . query ( " GRANT SELECT ON test.table TO B " , user = " A " )
assert instance . query ( " SELECT * FROM test.table " , user = " B " ) == " 1 \t 5 \n 2 \t 10 \n "
instance . query ( " REVOKE SELECT ON test.table FROM B " , user = " A " )
2021-03-11 13:44:00 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " ALTER USER A GRANTEES NONE " )
2021-03-11 13:44:00 +00:00
expected_error = " user `B` is not allowed as grantee "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" GRANT SELECT ON test.table TO B " , user = " A "
)
instance . query ( " ALTER USER A GRANTEES ANY EXCEPT B " )
assert (
instance . query ( " SHOW CREATE USER A " ) == " CREATE USER A GRANTEES ANY EXCEPT B \n "
)
2021-03-11 13:44:00 +00:00
expected_error = " user `B` is not allowed as grantee "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" GRANT SELECT ON test.table TO B " , user = " A "
)
2021-03-11 13:44:00 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " ALTER USER A GRANTEES B " )
instance . query ( " GRANT SELECT ON test.table TO B " , user = " A " )
assert instance . query ( " SELECT * FROM test.table " , user = " B " ) == " 1 \t 5 \n 2 \t 10 \n "
instance . query ( " REVOKE SELECT ON test.table FROM B " , user = " A " )
2021-03-11 13:44:00 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " ALTER USER A GRANTEES ANY " )
assert instance . query ( " SHOW CREATE USER A " ) == " CREATE USER A \n "
instance . query ( " GRANT SELECT ON test.table TO B " , user = " A " )
assert instance . query ( " SELECT * FROM test.table " , user = " B " ) == " 1 \t 5 \n 2 \t 10 \n "
2021-03-11 13:44:00 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " ALTER USER A GRANTEES NONE " )
2021-03-11 13:44:00 +00:00
expected_error = " user `B` is not allowed as grantee "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" REVOKE SELECT ON test.table FROM B " , user = " A "
)
2021-03-11 13:44:00 +00:00
instance . query ( " CREATE USER C GRANTEES ANY EXCEPT C " )
2022-03-22 16:39:58 +00:00
assert (
instance . query ( " SHOW CREATE USER C " ) == " CREATE USER C GRANTEES ANY EXCEPT C \n "
)
instance . query ( " GRANT SELECT ON test.table TO C WITH GRANT OPTION " )
assert instance . query ( " SELECT * FROM test.table " , user = " C " ) == " 1 \t 5 \n 2 \t 10 \n "
2021-03-11 13:44:00 +00:00
expected_error = " user `C` is not allowed as grantee "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" REVOKE SELECT ON test.table FROM C " , user = " C "
)
2021-03-11 13:44:00 +00:00
2020-08-21 22:37:01 +00:00
def test_grant_all_on_table ( ) :
instance . query ( " CREATE USER A, B " )
instance . query ( " GRANT ALL ON test.table TO A WITH GRANT OPTION " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT ALL ON test.table TO B " , user = " A " )
assert (
instance . query ( " SHOW GRANTS FOR B " )
== " GRANT SHOW TABLES, SHOW COLUMNS, SHOW DICTIONARIES, SELECT, INSERT, ALTER TABLE, ALTER VIEW, CREATE TABLE, CREATE VIEW, CREATE DICTIONARY, "
2023-03-21 12:14:26 +00:00
" DROP TABLE, DROP VIEW, DROP DICTIONARY, UNDROP TABLE, TRUNCATE, OPTIMIZE, BACKUP, CREATE ROW POLICY, ALTER ROW POLICY, DROP ROW POLICY, SHOW ROW POLICIES, "
2022-03-22 16:39:58 +00:00
" SYSTEM MERGES, SYSTEM TTL MERGES, SYSTEM FETCHES, SYSTEM MOVES, SYSTEM SENDS, SYSTEM REPLICATION QUEUES, SYSTEM DROP REPLICA, SYSTEM SYNC REPLICA, "
2022-12-14 01:36:03 +00:00
" SYSTEM RESTART REPLICA, SYSTEM RESTORE REPLICA, SYSTEM WAIT LOADING PARTS, SYSTEM FLUSH DISTRIBUTED, dictGet ON test.table TO B \n "
2022-03-22 16:39:58 +00:00
)
instance . query ( " REVOKE ALL ON test.table FROM B " , user = " A " )
2020-08-21 22:37:01 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == " "
2020-07-10 11:34:51 +00:00
def test_implicit_show_grants ( ) :
instance . query ( " CREATE USER A " )
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 0 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 0 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 0 \n "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT SELECT(x) ON test.table TO A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == " GRANT SELECT(x) ON test.table TO A \n "
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 1 \n "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT SELECT ON test.table TO A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == " GRANT SELECT ON test.table TO A \n "
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 2 \n "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT SELECT ON test.* TO A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == " GRANT SELECT ON test.* TO A \n "
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 2 \n "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT SELECT ON *.* TO A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == " GRANT SELECT ON *.* TO A \n "
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 1 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 2 \n "
)
2020-07-10 11:34:51 +00:00
instance . query ( " REVOKE ALL ON *.* FROM A " )
2022-03-22 16:39:58 +00:00
assert (
instance . query (
" select count() FROM system.databases WHERE name= ' test ' " , user = " A "
)
== " 0 \n "
)
assert (
instance . query (
" select count() FROM system.tables WHERE database= ' test ' AND name= ' table ' " ,
user = " A " ,
)
== " 0 \n "
)
assert (
instance . query (
" select count() FROM system.columns WHERE database= ' test ' AND table= ' table ' " ,
user = " A " ,
)
== " 0 \n "
)
2020-07-10 11:34:51 +00:00
def test_implicit_create_view_grant ( ) :
instance . query ( " CREATE USER A " )
expected_error = " Not enough privileges "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" CREATE VIEW test.view_1 AS SELECT 1 " , user = " A "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT CREATE TABLE ON test.* TO A " )
instance . query ( " CREATE VIEW test.view_1 AS SELECT 1 " , user = " A " )
assert instance . query ( " SELECT * FROM test.view_1 " ) == " 1 \n "
instance . query ( " REVOKE CREATE TABLE ON test.* FROM A " )
instance . query ( " DROP TABLE test.view_1 " )
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" CREATE VIEW test.view_1 AS SELECT 1 " , user = " A "
)
2020-07-10 11:34:51 +00:00
2022-06-13 22:09:51 +00:00
# check grant option
instance . query ( " CREATE USER B " )
expected_error = " Not enough privileges "
assert expected_error in instance . query_and_get_error (
" GRANT CREATE VIEW ON test.* TO B " , user = " A "
)
instance . query ( " GRANT CREATE TABLE ON test.* TO A WITH GRANT OPTION " )
instance . query ( " GRANT CREATE VIEW ON test.* TO B " , user = " A " )
instance . query ( " CREATE VIEW test.view_2 AS SELECT 1 " , user = " B " )
assert instance . query ( " SELECT * FROM test.view_2 " ) == " 1 \n "
2020-07-10 11:34:51 +00:00
def test_implicit_create_temporary_table_grant ( ) :
instance . query ( " CREATE USER A " )
expected_error = " Not enough privileges "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" CREATE TEMPORARY TABLE tmp(name String) " , user = " A "
)
2020-07-10 11:34:51 +00:00
instance . query ( " GRANT CREATE TABLE ON test.* TO A " )
instance . query ( " CREATE TEMPORARY TABLE tmp(name String) " , user = " A " )
instance . query ( " REVOKE CREATE TABLE ON *.* FROM A " )
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error (
" CREATE TEMPORARY TABLE tmp(name String) " , user = " A "
)
2020-07-10 11:34:51 +00:00
2020-07-10 10:18:52 +00:00
def test_introspection ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " CREATE USER B " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A " )
instance . query ( " GRANT CREATE ON *.* TO B WITH GRANT OPTION " )
2020-07-10 10:18:52 +00:00
2020-09-16 04:26:10 +00:00
assert instance . query ( " SHOW USERS " ) == TSV ( [ " A " , " B " , " default " ] )
assert instance . query ( " SHOW CREATE USERS A " ) == TSV ( [ " CREATE USER A " ] )
assert instance . query ( " SHOW CREATE USERS B " ) == TSV ( [ " CREATE USER B " ] )
2022-03-22 16:39:58 +00:00
assert instance . query ( " SHOW CREATE USERS A,B " ) == TSV (
[ " CREATE USER A " , " CREATE USER B " ]
)
assert instance . query ( " SHOW CREATE USERS " ) == TSV (
[
" CREATE USER A " ,
" CREATE USER B " ,
" CREATE USER default IDENTIFIED WITH plaintext_password SETTINGS PROFILE default " ,
]
)
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT CREATE ON *.* TO B WITH GRANT OPTION " ]
2023-03-03 13:04:32 +00:00
)
assert instance . query ( " SHOW GRANTS FOR default " ) == TSV (
[ " GRANT ALL ON *.* TO default WITH GRANT OPTION " ]
2022-03-22 16:39:58 +00:00
)
2020-09-16 04:26:10 +00:00
assert instance . query ( " SHOW GRANTS FOR A,B " ) == TSV (
2022-03-22 16:39:58 +00:00
[
" GRANT SELECT ON test.table TO A " ,
" GRANT CREATE ON *.* TO B WITH GRANT OPTION " ,
]
)
2020-09-16 04:26:10 +00:00
assert instance . query ( " SHOW GRANTS FOR B,A " ) == TSV (
2022-03-22 16:39:58 +00:00
[
" GRANT SELECT ON test.table TO A " ,
" GRANT CREATE ON *.* TO B WITH GRANT OPTION " ,
]
)
2020-09-16 04:26:10 +00:00
assert instance . query ( " SHOW GRANTS FOR ALL " ) == TSV (
2022-03-22 16:39:58 +00:00
[
" GRANT SELECT ON test.table TO A " ,
" GRANT CREATE ON *.* TO B WITH GRANT OPTION " ,
" GRANT ALL ON *.* TO default WITH GRANT OPTION " ,
]
)
assert instance . query ( " SHOW GRANTS " , user = " A " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
assert instance . query ( " SHOW GRANTS " , user = " B " ) == TSV (
[ " GRANT CREATE ON *.* TO B WITH GRANT OPTION " ]
)
assert instance . query ( " SHOW GRANTS FOR ALL " , user = " A " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
assert instance . query ( " SHOW GRANTS FOR ALL " , user = " B " ) == TSV (
[ " GRANT CREATE ON *.* TO B WITH GRANT OPTION " ]
)
assert instance . query ( " SHOW GRANTS FOR ALL " ) == TSV (
[
" GRANT SELECT ON test.table TO A " ,
" GRANT CREATE ON *.* TO B WITH GRANT OPTION " ,
" GRANT ALL ON *.* TO default WITH GRANT OPTION " ,
]
)
2022-02-01 12:55:24 +00:00
expected_error = " necessary to have grant SHOW USERS "
2022-03-22 16:39:58 +00:00
assert expected_error in instance . query_and_get_error ( " SHOW GRANTS FOR B " , user = " A " )
expected_access1 = (
" CREATE USER A \n "
" CREATE USER B \n "
" CREATE USER default IDENTIFIED WITH plaintext_password SETTINGS PROFILE default "
)
expected_access2 = (
" GRANT SELECT ON test.table TO A \n "
" GRANT CREATE ON *.* TO B WITH GRANT OPTION \n "
" GRANT ALL ON *.* TO default WITH GRANT OPTION \n "
)
2020-07-10 10:18:52 +00:00
assert expected_access1 in instance . query ( " SHOW ACCESS " )
assert expected_access2 in instance . query ( " SHOW ACCESS " )
2020-09-16 04:26:10 +00:00
assert instance . query (
2022-03-22 16:39:58 +00:00
" SELECT name, storage, auth_type, auth_params, host_ip, host_names, host_names_regexp, host_names_like, default_roles_all, default_roles_list, default_roles_except from system.users WHERE name IN ( ' A ' , ' B ' ) ORDER BY name "
) == TSV (
[
[
" A " ,
" local directory " ,
" no_password " ,
" {} " ,
" [ ' ::/0 ' ] " ,
" [] " ,
" [] " ,
" [] " ,
1 ,
" [] " ,
" [] " ,
] ,
[
" B " ,
" local directory " ,
" no_password " ,
" {} " ,
" [ ' ::/0 ' ] " ,
" [] " ,
" [] " ,
" [] " ,
1 ,
" [] " ,
" [] " ,
] ,
]
)
2020-09-16 04:26:10 +00:00
assert instance . query (
2022-03-22 16:39:58 +00:00
" SELECT * from system.grants WHERE user_name IN ( ' A ' , ' B ' ) ORDER BY user_name, access_type, grant_option "
) == TSV (
[
[ " A " , " \\ N " , " SELECT " , " test " , " table " , " \\ N " , 0 , 0 ] ,
[ " B " , " \\ N " , " CREATE " , " \\ N " , " \\ N " , " \\ N " , 0 , 1 ] ,
]
)
2020-07-10 10:18:52 +00:00
def test_current_database ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " GRANT SELECT ON table TO A " , database = " test " )
2020-09-16 04:26:10 +00:00
2022-03-22 16:39:58 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
assert instance . query ( " SHOW GRANTS FOR A " , database = " test " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
2020-09-16 04:26:10 +00:00
2022-03-22 16:39:58 +00:00
assert instance . query ( " SELECT * FROM test.table " , user = " A " ) == " 1 \t 5 \n 2 \t 10 \n "
assert (
instance . query ( " SELECT * FROM table " , user = " A " , database = " test " )
== " 1 \t 5 \n 2 \t 10 \n "
)
2020-07-10 10:18:52 +00:00
2022-03-22 16:39:58 +00:00
instance . query (
" CREATE TABLE default.table(x UInt32, y UInt32) ENGINE = MergeTree ORDER BY tuple() "
)
assert " Not enough privileges " in instance . query_and_get_error (
" SELECT * FROM table " , user = " A "
)
2021-08-10 14:06:22 +00:00
def test_grant_with_replace_option ( ) :
instance . query ( " CREATE USER A " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT SELECT ON test.table TO A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT SELECT ON test.table TO A " ]
)
2021-08-10 14:06:22 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT INSERT ON test.table TO A WITH REPLACE OPTION " )
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT INSERT ON test.table TO A " ]
)
2021-08-10 14:06:22 +00:00
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT NONE ON *.* TO A WITH REPLACE OPTION " )
2021-08-10 14:06:22 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV ( [ ] )
2022-03-22 16:39:58 +00:00
instance . query ( " CREATE USER B " )
instance . query ( " GRANT SELECT ON test.table TO B " )
2021-08-10 14:06:22 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV ( [ ] )
2022-03-22 16:39:58 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT ON test.table TO B " ]
)
expected_error = (
" it ' s necessary to have grant INSERT ON test.table WITH GRANT OPTION "
)
assert expected_error in instance . query_and_get_error (
" GRANT INSERT ON test.table TO B WITH REPLACE OPTION " , user = " A "
)
2021-08-10 14:06:22 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV ( [ ] )
2022-03-22 16:39:58 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT ON test.table TO B " ]
)
2021-08-10 14:06:22 +00:00
instance . query ( " GRANT INSERT ON test.table TO A WITH GRANT OPTION " )
2022-03-22 16:39:58 +00:00
expected_error = (
" it ' s necessary to have grant SELECT ON test.table WITH GRANT OPTION "
)
assert expected_error in instance . query_and_get_error (
" GRANT INSERT ON test.table TO B WITH REPLACE OPTION " , user = " A "
)
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT INSERT ON test.table TO A WITH GRANT OPTION " ]
)
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT ON test.table TO B " ]
)
2021-08-10 14:06:22 +00:00
instance . query ( " GRANT SELECT ON test.table TO A WITH GRANT OPTION " )
2022-03-22 16:39:58 +00:00
instance . query ( " GRANT INSERT ON test.table TO B WITH REPLACE OPTION " , user = " A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT SELECT, INSERT ON test.table TO A WITH GRANT OPTION " ]
)
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT INSERT ON test.table TO B " ]
)
2023-04-05 00:43:15 +00:00
def test_grant_current_grants ( ) :
instance . query ( " CREATE USER A " )
2023-04-05 01:00:27 +00:00
instance . query (
" GRANT SELECT, CREATE TABLE, CREATE VIEW ON test.* TO A WITH GRANT OPTION "
)
2023-04-05 00:43:15 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[ " GRANT SELECT, CREATE TABLE, CREATE VIEW ON test.* TO A WITH GRANT OPTION " ]
)
instance . query ( " CREATE USER B " )
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO B " , user = " A " )
2023-04-05 00:43:15 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT, CREATE TABLE, CREATE VIEW ON test.* TO B " ]
)
instance . query ( " CREATE USER C " )
instance . query ( " GRANT CURRENT GRANTS(CREATE ON test.*) TO C " , user = " A " )
assert instance . query ( " SHOW GRANTS FOR C " ) == TSV (
[ " GRANT CREATE TABLE, CREATE VIEW ON test.* TO C " ]
)
2023-04-06 02:52:48 +00:00
2023-04-11 23:55:59 +00:00
instance . query ( " DROP USER IF EXISTS C " )
instance . query ( " CREATE USER C " )
instance . query ( " GRANT CURRENT GRANTS(NONE ON *.*) TO C " , user = " A " )
assert instance . query ( " SHOW GRANTS FOR C " ) == TSV ( [ ] )
2023-04-06 02:52:48 +00:00
def test_grant_current_grants_with_partial_revoke ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " GRANT CREATE TABLE ON *.* TO A " )
2023-04-11 23:55:59 +00:00
instance . query ( " REVOKE CREATE TABLE ON test.* FROM A " )
instance . query ( " GRANT CREATE TABLE ON test.table TO A WITH GRANT OPTION " )
2023-04-06 02:52:48 +00:00
instance . query ( " GRANT SELECT ON *.* TO A WITH GRANT OPTION " )
instance . query ( " REVOKE SELECT ON test.* FROM A " )
instance . query ( " GRANT SELECT ON test.table TO A WITH GRANT OPTION " )
2023-04-11 23:55:59 +00:00
instance . query ( " GRANT SELECT ON test.table2 TO A " )
2023-04-06 02:52:48 +00:00
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[
" GRANT CREATE TABLE ON *.* TO A " ,
" GRANT SELECT ON *.* TO A WITH GRANT OPTION " ,
2023-04-11 23:55:59 +00:00
" REVOKE SELECT, CREATE TABLE ON test.* FROM A " ,
" GRANT SELECT, CREATE TABLE ON test.table TO A WITH GRANT OPTION " ,
" GRANT SELECT ON test.table2 TO A " ,
2023-04-06 02:52:48 +00:00
]
)
instance . query ( " CREATE USER B " )
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO B " , user = " A " )
2023-04-06 02:52:48 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[
" GRANT SELECT ON *.* TO B " ,
" REVOKE SELECT ON test.* FROM B " ,
2023-04-11 23:55:59 +00:00
" GRANT SELECT, CREATE TABLE ON test.table TO B " ,
]
)
instance . query ( " DROP USER IF EXISTS B " )
instance . query ( " CREATE USER B " )
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO B WITH GRANT OPTION " , user = " A " )
2023-04-11 23:55:59 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[
" GRANT SELECT ON *.* TO B WITH GRANT OPTION " ,
" REVOKE SELECT ON test.* FROM B " ,
" GRANT SELECT, CREATE TABLE ON test.table TO B WITH GRANT OPTION " ,
]
)
instance . query ( " DROP USER IF EXISTS C " )
instance . query ( " CREATE USER C " )
instance . query ( " GRANT SELECT ON test.* TO B " )
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO C " , user = " B " )
2023-04-11 23:55:59 +00:00
assert instance . query ( " SHOW GRANTS FOR C " ) == TSV (
[
" GRANT SELECT ON *.* TO C " ,
" GRANT CREATE TABLE ON test.table TO C " ,
2023-04-06 02:52:48 +00:00
]
)
2023-04-13 00:28:17 +00:00
instance . query ( " DROP USER IF EXISTS B " )
instance . query ( " CREATE USER B " )
instance . query ( " GRANT CURRENT GRANTS ON test.* TO B WITH GRANT OPTION " , user = " A " )
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[
" GRANT SELECT, CREATE TABLE ON test.table TO B WITH GRANT OPTION " ,
]
)
2023-04-06 02:52:48 +00:00
def test_current_grants_override ( ) :
instance . query ( " CREATE USER A " )
instance . query ( " GRANT SELECT ON *.* TO A WITH GRANT OPTION " )
instance . query ( " REVOKE SELECT ON test.* FROM A " )
assert instance . query ( " SHOW GRANTS FOR A " ) == TSV (
[
" GRANT SELECT ON *.* TO A WITH GRANT OPTION " ,
" REVOKE SELECT ON test.* FROM A " ,
]
)
instance . query ( " CREATE USER B " )
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT ON test.table TO B " ]
)
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO B " , user = " A " )
2023-04-06 02:52:48 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[
" GRANT SELECT ON *.* TO B " ,
" REVOKE SELECT ON test.* FROM B " ,
" GRANT SELECT ON test.table TO B " ,
]
)
2023-04-11 23:55:59 +00:00
instance . query ( " DROP USER IF EXISTS B " )
instance . query ( " CREATE USER B " )
instance . query ( " GRANT SELECT ON test.table TO B " )
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[ " GRANT SELECT ON test.table TO B " ]
)
2023-04-13 00:28:17 +00:00
instance . query ( " GRANT CURRENT GRANTS ON *.* TO B WITH REPLACE OPTION " , user = " A " )
2023-04-11 23:55:59 +00:00
assert instance . query ( " SHOW GRANTS FOR B " ) == TSV (
[
" GRANT SELECT ON *.* TO B " ,
" REVOKE SELECT ON test.* FROM B " ,
]
)
