mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-12-04 21:42:39 +00:00
82 lines
2.7 KiB
C++
82 lines
2.7 KiB
C++
|
#pragma once
|
||
|
|
||
|
#include <Access/IAccessEntity.h>
|
||
|
|
||
|
|
||
|
namespace DB
|
||
|
{
|
||
|
class Context;
|
||
|
|
||
|
|
||
|
/** Represents a row level security policy for a table.
|
||
|
*/
|
||
|
struct RowPolicy : public IAccessEntity
|
||
|
{
|
||
|
void setDatabase(const String & database_);
|
||
|
void setTableName(const String & table_name_);
|
||
|
void setName(const String & policy_name_) override;
|
||
|
void setFullName(const String & database_, const String & table_name_, const String & policy_name_);
|
||
|
|
||
|
String getDatabase() const { return database; }
|
||
|
String getTableName() const { return table_name; }
|
||
|
String getName() const override { return policy_name; }
|
||
|
|
||
|
struct FullNameParts
|
||
|
{
|
||
|
String database;
|
||
|
String table_name;
|
||
|
String policy_name;
|
||
|
String getFullName() const;
|
||
|
String getFullName(const Context & context) const;
|
||
|
};
|
||
|
|
||
|
/// Filter is a SQL conditional expression used to figure out which rows should be visible
|
||
|
/// for user or available for modification. If the expression returns NULL or false for some rows
|
||
|
/// those rows are silently suppressed.
|
||
|
/// Check is a SQL condition expression used to check whether a row can be written into
|
||
|
/// the table. If the expression returns NULL or false an exception is thrown.
|
||
|
/// If a conditional expression here is empty it means no filtering is applied.
|
||
|
enum ConditionIndex
|
||
|
{
|
||
|
SELECT_FILTER,
|
||
|
INSERT_CHECK,
|
||
|
UPDATE_FILTER,
|
||
|
UPDATE_CHECK,
|
||
|
DELETE_FILTER,
|
||
|
};
|
||
|
static constexpr size_t MAX_CONDITION_INDEX = 5;
|
||
|
static const char * conditionIndexToString(ConditionIndex index);
|
||
|
static const char * conditionIndexToColumnName(ConditionIndex index);
|
||
|
|
||
|
String conditions[MAX_CONDITION_INDEX];
|
||
|
|
||
|
/// Sets that the policy is permissive.
|
||
|
/// A row is only accessible if at least one of the permissive policies passes,
|
||
|
/// in addition to all the restrictive policies.
|
||
|
void setPermissive(bool permissive_ = true) { setRestrictive(!permissive_); }
|
||
|
bool isPermissive() const { return !isRestrictive(); }
|
||
|
|
||
|
/// Sets that the policy is restrictive.
|
||
|
/// A row is only accessible if at least one of the permissive policies passes,
|
||
|
/// in addition to all the restrictive policies.
|
||
|
void setRestrictive(bool restrictive_ = true) { restrictive = restrictive_; }
|
||
|
bool isRestrictive() const { return restrictive; }
|
||
|
|
||
|
bool equal(const IAccessEntity & other) const override;
|
||
|
std::shared_ptr<IAccessEntity> clone() const override { return cloneImpl<RowPolicy>(); }
|
||
|
|
||
|
/// Which roles or users should use this quota.
|
||
|
Strings roles;
|
||
|
bool all_roles = false;
|
||
|
Strings except_roles;
|
||
|
|
||
|
private:
|
||
|
String database;
|
||
|
String table_name;
|
||
|
String policy_name;
|
||
|
bool restrictive = false;
|
||
|
};
|
||
|
|
||
|
using RowPolicyPtr = std::shared_ptr<const RowPolicy>;
|
||
|
}
|