ClickHouse/src/Interpreters/InterpreterCreateRowPolicyQuery.cpp

#include <Interpreters/InterpreterCreateRowPolicyQuery.h>
#include <Parsers/ASTCreateRowPolicyQuery.h>
#include <Parsers/ASTExtendedRoleSet.h>
#include <Parsers/formatAST.h>
#include <Interpreters/Context.h>
#include <Access/AccessControlManager.h>
#include <Access/AccessFlags.h>
#include <boost/range/algorithm/sort.hpp>


namespace DB
{
namespace ErrorCodes
{
    extern const int LOGICAL_ERROR;
}

namespace
{
    const String & checkCurrentDatabase(const String & current_database)
    {
        if (current_database.empty())
            throw Exception("No current database", ErrorCodes::LOGICAL_ERROR);
        return current_database;
    }

    void updateRowPolicyFromQueryImpl(
        RowPolicy & policy,
        const ASTCreateRowPolicyQuery & query,
        const std::optional<ExtendedRoleSet> & roles_from_query = {},
        const String & current_database = {})
    {
        if (query.alter)
        {
            if (!query.new_policy_name.empty())
                policy.setName(query.new_policy_name);
        }
        else
        {
            policy.setDatabase(!query.name_parts.database.empty() ? query.name_parts.database : checkCurrentDatabase(current_database));
            policy.setTableName(query.name_parts.table_name);
            policy.setName(query.name_parts.policy_name);
        }

        if (query.is_restrictive)
            policy.setRestrictive(*query.is_restrictive);

        for (const auto & [index, condition] : query.conditions)
            policy.conditions[index] = condition ? serializeAST(*condition) : String{};

        const ExtendedRoleSet * roles = nullptr;
        std::optional<ExtendedRoleSet> temp_role_set;
        if (roles_from_query)
            roles = &*roles_from_query;
        else if (query.roles)
            roles = &temp_role_set.emplace(*query.roles);

        if (roles)
            policy.to_roles = *roles;
    }
}


BlockIO InterpreterCreateRowPolicyQuery::execute()
{
    const auto & query = query_ptr->as<const ASTCreateRowPolicyQuery &>();
    auto & access_control = context.getAccessControlManager();
    context.checkAccess(query.alter ? AccessType::ALTER_POLICY : AccessType::CREATE_POLICY);

    std::optional<ExtendedRoleSet> roles_from_query;
    if (query.roles)
        roles_from_query = ExtendedRoleSet{*query.roles, access_control, context.getUserID()};

    const String current_database = context.getCurrentDatabase();

    if (query.alter)
    {
        auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
        {
            auto updated_policy = typeid_cast<std::shared_ptr<RowPolicy>>(entity->clone());
            updateRowPolicyFromQueryImpl(*updated_policy, query, roles_from_query, current_database);
            return updated_policy;
        };
        String full_name = query.name_parts.getFullName(context);
        if (query.if_exists)
        {
            if (auto id = access_control.find<RowPolicy>(full_name))
                access_control.tryUpdate(*id, update_func);
        }
        else
            access_control.update(access_control.getID<RowPolicy>(full_name), update_func);
    }
    else
    {
        auto new_policy = std::make_shared<RowPolicy>();
        updateRowPolicyFromQueryImpl(*new_policy, query, roles_from_query, current_database);

        if (query.if_not_exists)
            access_control.tryInsert(new_policy);
        else if (query.or_replace)
            access_control.insertOrReplace(new_policy);
        else
            access_control.insert(new_policy);
    }

    return {};
}


void InterpreterCreateRowPolicyQuery::updateRowPolicyFromQuery(RowPolicy & policy, const ASTCreateRowPolicyQuery & query)
{
    updateRowPolicyFromQueryImpl(policy, query);
}

}
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <Interpreters/InterpreterCreateRowPolicyQuery.h>`
			`#include <Parsers/ASTCreateRowPolicyQuery.h>`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`#include <Parsers/ASTExtendedRoleSet.h>`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <Parsers/formatAST.h>`
			`#include <Interpreters/Context.h>`
			`#include <Access/AccessControlManager.h>`
Rewrite the User class to be controlled by AccessControlManager. 2020-01-26 09:49:53 +00:00			`#include <Access/AccessFlags.h>`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`#include <boost/range/algorithm/sort.hpp>`


			`namespace DB`
			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`namespace ErrorCodes`
			`{`
			`extern const int LOGICAL_ERROR;`
			`}`

			`namespace`
			`{`
			`const String & checkCurrentDatabase(const String & current_database)`
			`{`
			`if (current_database.empty())`
			`throw Exception("No current database", ErrorCodes::LOGICAL_ERROR);`
			`return current_database;`
			`}`

			`void updateRowPolicyFromQueryImpl(`
			`RowPolicy & policy,`
			`const ASTCreateRowPolicyQuery & query,`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`const std::optional<ExtendedRoleSet> & roles_from_query = {},`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`const String & current_database = {})`
			`{`
			`if (query.alter)`
			`{`
			`if (!query.new_policy_name.empty())`
			`policy.setName(query.new_policy_name);`
			`}`
			`else`
			`{`
			`policy.setDatabase(!query.name_parts.database.empty() ? query.name_parts.database : checkCurrentDatabase(current_database));`
			`policy.setTableName(query.name_parts.table_name);`
			`policy.setName(query.name_parts.policy_name);`
			`}`

			`if (query.is_restrictive)`
			`policy.setRestrictive(*query.is_restrictive);`

			`for (const auto & [index, condition] : query.conditions)`
			`policy.conditions[index] = condition ? serializeAST(*condition) : String{};`

Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`const ExtendedRoleSet * roles = nullptr;`
			`std::optional<ExtendedRoleSet> temp_role_set;`
Fix parsing list of roles in commands CREATE USER, CREATE ROW POLICY, CREATE QUOTA. 2020-02-27 20:55:16 +00:00			`if (roles_from_query)`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`roles = &*roles_from_query;`
			`else if (query.roles)`
			`roles = &temp_role_set.emplace(*query.roles);`

			`if (roles)`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`policy.to_roles = *roles;`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`
			`}`


Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`BlockIO InterpreterCreateRowPolicyQuery::execute()`
			`{`
			`const auto & query = query_ptr->as<const ASTCreateRowPolicyQuery &>();`
			`auto & access_control = context.getAccessControlManager();`
Check access rights via new interface. 2020-01-24 16:20:36 +00:00			`context.checkAccess(query.alter ? AccessType::ALTER_POLICY : AccessType::CREATE_POLICY);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`std::optional<ExtendedRoleSet> roles_from_query;`
Add class GenericRoleSet to represent a set of IDs of users and roles. 2020-02-10 02:26:56 +00:00			`if (query.roles)`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`roles_from_query = ExtendedRoleSet{*query.roles, access_control, context.getUserID()};`
Add class GenericRoleSet to represent a set of IDs of users and roles. 2020-02-10 02:26:56 +00:00
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`const String current_database = context.getCurrentDatabase();`

Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`if (query.alter)`
			`{`
			`auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr`
			`{`
			`auto updated_policy = typeid_cast<std::shared_ptr<RowPolicy>>(entity->clone());`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`updateRowPolicyFromQueryImpl(*updated_policy, query, roles_from_query, current_database);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`return updated_policy;`
			`};`
			`String full_name = query.name_parts.getFullName(context);`
			`if (query.if_exists)`
			`{`
			`if (auto id = access_control.find<RowPolicy>(full_name))`
			`access_control.tryUpdate(*id, update_func);`
			`}`
			`else`
			`access_control.update(access_control.getID<RowPolicy>(full_name), update_func);`
			`}`
			`else`
			`{`
			`auto new_policy = std::make_shared<RowPolicy>();`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`updateRowPolicyFromQueryImpl(*new_policy, query, roles_from_query, current_database);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00
			`if (query.if_not_exists)`
			`access_control.tryInsert(new_policy);`
			`else if (query.or_replace)`
			`access_control.insertOrReplace(new_policy);`
			`else`
			`access_control.insert(new_policy);`
			`}`

			`return {};`
			`}`


Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`void InterpreterCreateRowPolicyQuery::updateRowPolicyFromQuery(RowPolicy & policy, const ASTCreateRowPolicyQuery & query)`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`updateRowPolicyFromQueryImpl(policy, query);`
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
Add DCL to manage row policies. 2019-11-29 17:22:56 +00:00			`}`