ClickHouse/src/Interpreters/InterpreterGrantQuery.cpp

#include <Interpreters/InterpreterGrantQuery.h>
#include <Parsers/ASTGrantQuery.h>
#include <Parsers/ASTRolesOrUsersSet.h>
#include <Interpreters/Context.h>
#include <Interpreters/DDLWorker.h>
#include <Access/AccessControlManager.h>
#include <Access/ContextAccess.h>
#include <Access/RolesOrUsersSet.h>
#include <Access/User.h>
#include <Access/Role.h>
#include <boost/range/algorithm/copy.hpp>


namespace DB
{
namespace
{
    template <typename T>
    void updateFromQueryImpl(T & grantee, const ASTGrantQuery & query, const std::vector<UUID> & roles_from_query)
    {
        using Kind = ASTGrantQuery::Kind;
        if (!query.access_rights_elements.empty())
        {
            if (query.kind == Kind::GRANT)
            {
                if (query.grant_option)
                    grantee.access.grantWithGrantOption(query.access_rights_elements);
                else
                    grantee.access.grant(query.access_rights_elements);
            }
            else
            {
                if (query.grant_option)
                    grantee.access.revokeGrantOption(query.access_rights_elements);
                else
                    grantee.access.revoke(query.access_rights_elements);
            }
        }

        if (!roles_from_query.empty())
        {
            if (query.kind == Kind::GRANT)
            {
                if (query.admin_option)
                    grantee.granted_roles.grantWithAdminOption(roles_from_query);
                else
                    grantee.granted_roles.grant(roles_from_query);
            }
            else
            {
                if (query.admin_option)
                    grantee.granted_roles.revokeAdminOption(roles_from_query);
                else
                    grantee.granted_roles.revoke(roles_from_query);

                if constexpr (std::is_same_v<T, User>)
                {
                    for (const UUID & role_from_query : roles_from_query)
                        grantee.default_roles.ids.erase(role_from_query);
                }
            }
        }
    }
}


BlockIO InterpreterGrantQuery::execute()
{
    auto & query = query_ptr->as<ASTGrantQuery &>();
    query.replaceCurrentUserTagWithName(context.getUserName());
    auto access = context.getAccess();
    auto & access_control = context.getAccessControlManager();

    std::vector<UUID> roles_from_query;
    if (query.roles)
    {
        roles_from_query = RolesOrUsersSet{*query.roles, access_control}.getMatchingIDs(access_control);
        for (const UUID & role_from_query : roles_from_query)
            access->checkAdminOption(role_from_query);
    }

    if (!query.cluster.empty())
        return executeDDLQueryOnCluster(query_ptr, context, query.access_rights_elements, true);

    query.replaceEmptyDatabaseWithCurrent(context.getCurrentDatabase());
    access->checkGrantOption(query.access_rights_elements);

    std::vector<UUID> to_roles = RolesOrUsersSet{*query.to_roles, access_control, context.getUserID()}.getMatchingIDs(access_control);

    auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
    {
        auto clone = entity->clone();
        if (auto user = typeid_cast<std::shared_ptr<User>>(clone))
        {
            updateFromQueryImpl(*user, query, roles_from_query);
            return user;
        }
        else if (auto role = typeid_cast<std::shared_ptr<Role>>(clone))
        {
            updateFromQueryImpl(*role, query, roles_from_query);
            return role;
        }
        else
            return entity;
    };

    access_control.update(to_roles, update_func);

    return {};
}


void InterpreterGrantQuery::updateUserFromQuery(User & user, const ASTGrantQuery & query)
{
    std::vector<UUID> roles_from_query;
    if (query.roles)
        roles_from_query = RolesOrUsersSet{*query.roles}.getMatchingIDs();
    updateFromQueryImpl(user, query, roles_from_query);
}


void InterpreterGrantQuery::updateRoleFromQuery(Role & role, const ASTGrantQuery & query)
{
    std::vector<UUID> roles_from_query;
    if (query.roles)
        roles_from_query = RolesOrUsersSet{*query.roles}.getMatchingIDs();
    updateFromQueryImpl(role, query, roles_from_query);
}

}
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Interpreters/InterpreterGrantQuery.h>`
			`#include <Parsers/ASTGrantQuery.h>`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`#include <Parsers/ASTRolesOrUsersSet.h>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Interpreters/Context.h>`
Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00			`#include <Interpreters/DDLWorker.h>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Access/AccessControlManager.h>`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`#include <Access/ContextAccess.h>`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`#include <Access/RolesOrUsersSet.h>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`#include <Access/User.h>`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`#include <Access/Role.h>`
			`#include <boost/range/algorithm/copy.hpp>`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00

			`namespace DB`
			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`namespace`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`template <typename T>`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`void updateFromQueryImpl(T & grantee, const ASTGrantQuery & query, const std::vector<UUID> & roles_from_query)`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`{`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`using Kind = ASTGrantQuery::Kind;`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`if (!query.access_rights_elements.empty())`
			`{`
			`if (query.kind == Kind::GRANT)`
			`{`
			`if (query.grant_option)`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`grantee.access.grantWithGrantOption(query.access_rights_elements);`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`else`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`grantee.access.grant(query.access_rights_elements);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`}`
			`else`
			`{`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`if (query.grant_option)`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`grantee.access.revokeGrantOption(query.access_rights_elements);`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`else`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`grantee.access.revoke(query.access_rights_elements);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`}`
			`}`

Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`if (!roles_from_query.empty())`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`{`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`if (query.kind == Kind::GRANT)`
			`{`
			`if (query.admin_option)`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`grantee.granted_roles.grantWithAdminOption(roles_from_query);`
			`else`
			`grantee.granted_roles.grant(roles_from_query);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`}`
			`else`
			`{`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`if (query.admin_option)`
			`grantee.granted_roles.revokeAdminOption(roles_from_query);`
			`else`
			`grantee.granted_roles.revoke(roles_from_query);`

			`if constexpr (std::is_same_v<T, User>)`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`{`
Refactoring of getting information about access rights. 2020-04-20 22:07:00 +00:00			`for (const UUID & role_from_query : roles_from_query)`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`grantee.default_roles.ids.erase(role_from_query);`
Implement SQL queries for creating and controlling roles. 2020-02-17 02:59:56 +00:00			`}`
			`}`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`}`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`
			`}`


			`BlockIO InterpreterGrantQuery::execute()`
			`{`
Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00			`auto & query = query_ptr->as<ASTGrantQuery &>();`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`query.replaceCurrentUserTagWithName(context.getUserName());`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`auto access = context.getAccess();`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`auto & access_control = context.getAccessControlManager();`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
			`std::vector<UUID> roles_from_query;`
			`if (query.roles)`
			`{`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`roles_from_query = RolesOrUsersSet{*query.roles, access_control}.getMatchingIDs(access_control);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`for (const UUID & role_from_query : roles_from_query)`
Mass rename: AccessRightsContext -> ContextAccess, QuotaContext -> EnabledQuota, RoleContext -> EnabledRoles, and so on. 2020-03-07 17:37:38 +00:00			`access->checkAdminOption(role_from_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`

Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00			`if (!query.cluster.empty())`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`return executeDDLQueryOnCluster(query_ptr, context, query.access_rights_elements, true);`

			`query.replaceEmptyDatabaseWithCurrent(context.getCurrentDatabase());`
			`access->checkGrantOption(query.access_rights_elements);`
Implement "ON CLUSTER" clause for access control SQL. 2020-04-05 23:03:20 +00:00
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`std::vector<UUID> to_roles = RolesOrUsersSet{*query.to_roles, access_control, context.getUserID()}.getMatchingIDs(access_control);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
			`auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr`
			`{`
			`auto clone = entity->clone();`
			`if (auto user = typeid_cast<std::shared_ptr<User>>(clone))`
			`{`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`updateFromQueryImpl(*user, query, roles_from_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`return user;`
			`}`
			`else if (auto role = typeid_cast<std::shared_ptr<Role>>(clone))`
			`{`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`updateFromQueryImpl(*role, query, roles_from_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`return role;`
			`}`
			`else`
			`return entity;`
Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`};`

Add class GenericRoleSet to represent a set of IDs of users and roles. 2020-02-10 02:26:56 +00:00			`access_control.update(to_roles, update_func);`

Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`return {};`
			`}`

Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00
			`void InterpreterGrantQuery::updateUserFromQuery(User & user, const ASTGrantQuery & query)`
			`{`
			`std::vector<UUID> roles_from_query;`
			`if (query.roles)`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`roles_from_query = RolesOrUsersSet{*query.roles}.getMatchingIDs();`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`updateFromQueryImpl(user, query, roles_from_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`


			`void InterpreterGrantQuery::updateRoleFromQuery(Role & role, const ASTGrantQuery & query)`
			`{`
			`std::vector<UUID> roles_from_query;`
			`if (query.roles)`
Rename ExtendedRoleSet => RolesOrUsersSet. 2020-05-30 20:10:45 +00:00			`roles_from_query = RolesOrUsersSet{*query.roles}.getMatchingIDs();`
Fix partial revokes (complex cases). 2020-06-20 22:44:52 +00:00			`updateFromQueryImpl(role, query, roles_from_query);`
Add attach mode to access-controlling SQL. 2020-02-21 19:27:12 +00:00			`}`

Implement SQL queries to manipulate users and grants. 2020-02-04 22:37:04 +00:00			`}`