2020-03-07 17:37:38 +00:00
|
|
|
#include <Access/ContextAccess.h>
|
2021-11-02 11:06:20 +00:00
|
|
|
#include <Access/AccessControl.h>
|
2020-03-07 17:37:38 +00:00
|
|
|
#include <Access/EnabledRoles.h>
|
|
|
|
#include <Access/EnabledRowPolicies.h>
|
|
|
|
#include <Access/EnabledQuota.h>
|
2020-05-08 12:50:45 +00:00
|
|
|
#include <Access/QuotaUsage.h>
|
2020-03-07 17:37:38 +00:00
|
|
|
#include <Access/User.h>
|
2022-06-01 14:49:26 +00:00
|
|
|
#include <Access/Role.h>
|
2020-03-07 17:37:38 +00:00
|
|
|
#include <Access/EnabledRolesInfo.h>
|
2020-03-04 22:27:03 +00:00
|
|
|
#include <Access/EnabledSettings.h>
|
2021-07-22 16:07:03 +00:00
|
|
|
#include <Access/SettingsProfilesInfo.h>
|
2020-03-07 17:37:38 +00:00
|
|
|
#include <Interpreters/DatabaseCatalog.h>
|
|
|
|
#include <Common/Exception.h>
|
|
|
|
#include <Common/quoteString.h>
|
|
|
|
#include <Core/Settings.h>
|
|
|
|
#include <IO/WriteHelpers.h>
|
|
|
|
#include <Poco/Logger.h>
|
2022-04-27 15:05:45 +00:00
|
|
|
#include <Common/logger_useful.h>
|
2020-03-07 17:37:38 +00:00
|
|
|
#include <boost/algorithm/string/join.hpp>
|
|
|
|
#include <boost/range/algorithm/set_algorithm.hpp>
|
2022-05-08 17:01:47 +00:00
|
|
|
#include <cassert>
|
2020-03-07 17:37:38 +00:00
|
|
|
|
|
|
|
|
|
|
|
namespace DB
|
|
|
|
{
|
|
|
|
namespace ErrorCodes
|
|
|
|
{
|
|
|
|
extern const int ACCESS_DENIED;
|
|
|
|
extern const int READONLY;
|
|
|
|
extern const int QUERY_IS_PROHIBITED;
|
|
|
|
extern const int FUNCTION_NOT_ALLOWED;
|
|
|
|
extern const int UNKNOWN_USER;
|
2022-06-02 13:27:32 +00:00
|
|
|
extern const int LOGICAL_ERROR;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
namespace
|
|
|
|
{
|
2020-07-07 10:00:49 +00:00
|
|
|
AccessRights mixAccessRightsFromUserAndRoles(const User & user, const EnabledRolesInfo & roles_info)
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-07-07 10:00:49 +00:00
|
|
|
AccessRights res = user.access;
|
|
|
|
res.makeUnion(roles_info.access);
|
2020-07-02 00:09:57 +00:00
|
|
|
return res;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-07-07 17:17:07 +00:00
|
|
|
AccessRights addImplicitAccessRights(const AccessRights & access, const AccessControl & access_control)
|
2020-07-07 10:00:49 +00:00
|
|
|
{
|
2022-07-07 17:17:07 +00:00
|
|
|
AccessFlags max_flags;
|
|
|
|
|
|
|
|
auto modifier = [&](const AccessFlags & flags,
|
|
|
|
const AccessFlags & min_flags_with_children,
|
|
|
|
const AccessFlags & max_flags_with_children,
|
|
|
|
std::string_view database,
|
|
|
|
std::string_view table,
|
|
|
|
std::string_view column,
|
|
|
|
bool /* grant_option */) -> AccessFlags
|
2020-07-07 10:00:49 +00:00
|
|
|
{
|
|
|
|
size_t level = !database.empty() + !table.empty() + !column.empty();
|
|
|
|
AccessFlags res = flags;
|
|
|
|
|
|
|
|
/// CREATE_TABLE => CREATE_VIEW, DROP_TABLE => DROP_VIEW, ALTER_TABLE => ALTER_VIEW
|
|
|
|
static const AccessFlags create_table = AccessType::CREATE_TABLE;
|
|
|
|
static const AccessFlags create_view = AccessType::CREATE_VIEW;
|
|
|
|
static const AccessFlags drop_table = AccessType::DROP_TABLE;
|
|
|
|
static const AccessFlags drop_view = AccessType::DROP_VIEW;
|
|
|
|
static const AccessFlags alter_table = AccessType::ALTER_TABLE;
|
|
|
|
static const AccessFlags alter_view = AccessType::ALTER_VIEW;
|
|
|
|
|
|
|
|
if (res & create_table)
|
|
|
|
res |= create_view;
|
|
|
|
|
|
|
|
if (res & drop_table)
|
|
|
|
res |= drop_view;
|
|
|
|
|
|
|
|
if (res & alter_table)
|
|
|
|
res |= alter_view;
|
|
|
|
|
2020-10-26 19:12:40 +00:00
|
|
|
/// CREATE TABLE (on any database/table) => CREATE_TEMPORARY_TABLE (global)
|
2020-07-07 10:00:49 +00:00
|
|
|
static const AccessFlags create_temporary_table = AccessType::CREATE_TEMPORARY_TABLE;
|
|
|
|
if ((level == 0) && (max_flags_with_children & create_table))
|
|
|
|
res |= create_temporary_table;
|
|
|
|
|
|
|
|
/// ALTER_TTL => ALTER_MATERIALIZE_TTL
|
|
|
|
static const AccessFlags alter_ttl = AccessType::ALTER_TTL;
|
|
|
|
static const AccessFlags alter_materialize_ttl = AccessType::ALTER_MATERIALIZE_TTL;
|
|
|
|
if (res & alter_ttl)
|
|
|
|
res |= alter_materialize_ttl;
|
|
|
|
|
|
|
|
/// RELOAD_DICTIONARY (global) => RELOAD_EMBEDDED_DICTIONARIES (global)
|
|
|
|
static const AccessFlags reload_dictionary = AccessType::SYSTEM_RELOAD_DICTIONARY;
|
|
|
|
static const AccessFlags reload_embedded_dictionaries = AccessType::SYSTEM_RELOAD_EMBEDDED_DICTIONARIES;
|
|
|
|
if ((level == 0) && (min_flags_with_children & reload_dictionary))
|
|
|
|
res |= reload_embedded_dictionaries;
|
|
|
|
|
|
|
|
/// any column flag => SHOW_COLUMNS => SHOW_TABLES => SHOW_DATABASES
|
|
|
|
/// any table flag => SHOW_TABLES => SHOW_DATABASES
|
|
|
|
/// any dictionary flag => SHOW_DICTIONARIES => SHOW_DATABASES
|
|
|
|
/// any database flag => SHOW_DATABASES
|
|
|
|
static const AccessFlags show_columns = AccessType::SHOW_COLUMNS;
|
|
|
|
static const AccessFlags show_tables = AccessType::SHOW_TABLES;
|
|
|
|
static const AccessFlags show_dictionaries = AccessType::SHOW_DICTIONARIES;
|
|
|
|
static const AccessFlags show_tables_or_dictionaries = show_tables | show_dictionaries;
|
|
|
|
static const AccessFlags show_databases = AccessType::SHOW_DATABASES;
|
|
|
|
|
|
|
|
if (res & AccessFlags::allColumnFlags())
|
|
|
|
res |= show_columns;
|
|
|
|
|
|
|
|
if ((res & AccessFlags::allTableFlags())
|
|
|
|
|| (level <= 2 && (res & show_columns))
|
|
|
|
|| (level == 2 && (max_flags_with_children & show_columns)))
|
|
|
|
{
|
|
|
|
res |= show_tables;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (res & AccessFlags::allDictionaryFlags())
|
|
|
|
res |= show_dictionaries;
|
|
|
|
|
|
|
|
if ((res & AccessFlags::allDatabaseFlags())
|
|
|
|
|| (level <= 1 && (res & show_tables_or_dictionaries))
|
|
|
|
|| (level == 1 && (max_flags_with_children & show_tables_or_dictionaries)))
|
|
|
|
{
|
|
|
|
res |= show_databases;
|
|
|
|
}
|
|
|
|
|
2022-07-10 13:15:51 +00:00
|
|
|
max_flags |= res;
|
2022-07-07 17:17:07 +00:00
|
|
|
|
2020-07-07 10:00:49 +00:00
|
|
|
return res;
|
|
|
|
};
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
AccessRights res = access;
|
|
|
|
res.modifyFlags(modifier);
|
2020-07-07 10:00:49 +00:00
|
|
|
|
2022-07-10 13:15:51 +00:00
|
|
|
/// If "select_from_system_db_requires_grant" is enabled we provide implicit grants only for a few tables in the system database.
|
2022-07-07 17:17:07 +00:00
|
|
|
if (access_control.doesSelectFromSystemDatabaseRequireGrant())
|
|
|
|
{
|
2022-07-10 13:15:51 +00:00
|
|
|
const char * always_accessible_tables[] = {
|
|
|
|
/// Constant tables
|
|
|
|
"one",
|
|
|
|
|
|
|
|
/// "numbers", "numbers_mt", "zeros", "zeros_mt" were excluded because they can generate lots of values and
|
|
|
|
/// that can decrease performance in some cases.
|
|
|
|
|
|
|
|
"contributors",
|
|
|
|
"licenses",
|
|
|
|
"time_zones",
|
|
|
|
"collations",
|
|
|
|
|
|
|
|
"formats",
|
|
|
|
"privileges",
|
|
|
|
"data_type_families",
|
|
|
|
"table_engines",
|
|
|
|
"table_functions",
|
|
|
|
"aggregate_function_combinators",
|
|
|
|
|
|
|
|
"functions", /// Can contain user-defined functions
|
|
|
|
|
|
|
|
/// The following tables hide some rows if the current user doesn't have corresponding SHOW privileges.
|
|
|
|
"databases",
|
|
|
|
"tables",
|
|
|
|
"columns",
|
|
|
|
|
|
|
|
/// Specific to the current session
|
|
|
|
"settings",
|
|
|
|
"current_roles",
|
|
|
|
"enabled_roles",
|
|
|
|
"quota_usage"
|
|
|
|
};
|
|
|
|
|
|
|
|
for (const auto * table_name : always_accessible_tables)
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, table_name);
|
2022-07-07 17:17:07 +00:00
|
|
|
|
|
|
|
if (max_flags.contains(AccessType::SHOW_USERS))
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, "users");
|
2022-07-10 13:15:51 +00:00
|
|
|
|
2022-07-07 17:17:07 +00:00
|
|
|
if (max_flags.contains(AccessType::SHOW_ROLES))
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, "roles");
|
|
|
|
|
|
|
|
if (max_flags.contains(AccessType::SHOW_ROW_POLICIES))
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, "row_policies");
|
|
|
|
|
|
|
|
if (max_flags.contains(AccessType::SHOW_SETTINGS_PROFILES))
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, "settings_profiles");
|
|
|
|
|
|
|
|
if (max_flags.contains(AccessType::SHOW_QUOTAS))
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE, "quotas");
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::SYSTEM_DATABASE);
|
|
|
|
}
|
|
|
|
|
2022-07-10 13:15:51 +00:00
|
|
|
/// If "select_from_information_schema_requires_grant" is enabled we don't provide implicit grants for the information_schema database.
|
|
|
|
if (!access_control.doesSelectFromInformationSchemaRequireGrant())
|
2022-07-07 17:17:07 +00:00
|
|
|
{
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::INFORMATION_SCHEMA);
|
|
|
|
res.grant(AccessType::SELECT, DatabaseCatalog::INFORMATION_SCHEMA_UPPERCASE);
|
|
|
|
}
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
return res;
|
2020-07-02 00:09:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
std::array<UUID, 1> to_array(const UUID & id)
|
|
|
|
{
|
|
|
|
std::array<UUID, 1> ids;
|
|
|
|
ids[0] = id;
|
|
|
|
return ids;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
2020-12-08 14:24:32 +00:00
|
|
|
|
|
|
|
/// Helper for using in templates.
|
|
|
|
std::string_view getDatabase() { return {}; }
|
|
|
|
|
|
|
|
template <typename... OtherArgs>
|
2022-07-14 16:11:35 +00:00
|
|
|
std::string_view getDatabase(std::string_view arg1, const OtherArgs &...) { return arg1; }
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-11-02 11:06:20 +00:00
|
|
|
ContextAccess::ContextAccess(const AccessControl & access_control_, const Params & params_)
|
|
|
|
: access_control(&access_control_)
|
2020-03-07 17:37:38 +00:00
|
|
|
, params(params_)
|
|
|
|
{
|
2022-01-10 02:31:55 +00:00
|
|
|
}
|
2021-05-17 07:03:26 +00:00
|
|
|
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2022-05-16 18:43:55 +00:00
|
|
|
ContextAccess::~ContextAccess()
|
|
|
|
{
|
|
|
|
enabled_settings.reset();
|
|
|
|
enabled_quota.reset();
|
|
|
|
enabled_row_policies.reset();
|
|
|
|
access_with_implicit.reset();
|
|
|
|
access.reset();
|
|
|
|
roles_info.reset();
|
|
|
|
subscription_for_roles_changes.reset();
|
|
|
|
enabled_roles.reset();
|
|
|
|
subscription_for_user_change.reset();
|
|
|
|
user.reset();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-01-12 08:43:28 +00:00
|
|
|
void ContextAccess::initialize()
|
2022-01-10 02:31:55 +00:00
|
|
|
{
|
2022-01-12 09:01:58 +00:00
|
|
|
std::lock_guard lock{mutex};
|
2022-01-10 02:31:55 +00:00
|
|
|
subscription_for_user_change = access_control->subscribeForChanges(
|
2022-01-12 07:35:40 +00:00
|
|
|
*params.user_id, [weak_ptr = weak_from_this()](const UUID &, const AccessEntityPtr & entity)
|
2022-01-10 02:31:55 +00:00
|
|
|
{
|
2022-01-12 07:35:40 +00:00
|
|
|
auto ptr = weak_ptr.lock();
|
2022-01-14 10:04:55 +00:00
|
|
|
if (!ptr)
|
2022-01-12 07:35:40 +00:00
|
|
|
return;
|
2022-01-10 02:31:55 +00:00
|
|
|
UserPtr changed_user = entity ? typeid_cast<UserPtr>(entity) : nullptr;
|
2022-01-12 09:03:55 +00:00
|
|
|
std::lock_guard lock2{ptr->mutex};
|
2022-01-12 07:35:40 +00:00
|
|
|
ptr->setUser(changed_user);
|
2022-01-10 02:31:55 +00:00
|
|
|
});
|
2022-01-12 08:46:39 +00:00
|
|
|
setUser(access_control->read<User>(*params.user_id));
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ContextAccess::setUser(const UserPtr & user_) const
|
|
|
|
{
|
|
|
|
user = user_;
|
|
|
|
if (!user)
|
|
|
|
{
|
|
|
|
/// User has been dropped.
|
2022-06-01 14:49:26 +00:00
|
|
|
user_was_dropped = true;
|
2020-03-07 17:37:38 +00:00
|
|
|
subscription_for_user_change = {};
|
|
|
|
subscription_for_roles_changes = {};
|
2021-07-15 08:55:51 +00:00
|
|
|
access = nullptr;
|
|
|
|
access_with_implicit = nullptr;
|
2020-03-07 17:37:38 +00:00
|
|
|
enabled_roles = nullptr;
|
|
|
|
roles_info = nullptr;
|
|
|
|
enabled_row_policies = nullptr;
|
|
|
|
enabled_quota = nullptr;
|
2020-03-04 22:27:03 +00:00
|
|
|
enabled_settings = nullptr;
|
2020-03-07 17:37:38 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
user_name = user->getName();
|
|
|
|
trace_log = &Poco::Logger::get("ContextAccess (" + user_name + ")");
|
|
|
|
|
2021-02-26 22:37:00 +00:00
|
|
|
std::vector<UUID> current_roles, current_roles_with_admin_option;
|
2020-03-07 17:37:38 +00:00
|
|
|
if (params.use_default_roles)
|
|
|
|
{
|
2021-02-26 22:37:00 +00:00
|
|
|
current_roles = user->granted_roles.findGranted(user->default_roles);
|
|
|
|
current_roles_with_admin_option = user->granted_roles.findGrantedWithAdminOption(user->default_roles);
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2021-02-26 22:37:00 +00:00
|
|
|
current_roles = user->granted_roles.findGranted(params.current_roles);
|
|
|
|
current_roles_with_admin_option = user->granted_roles.findGrantedWithAdminOption(params.current_roles);
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2021-05-17 07:03:26 +00:00
|
|
|
subscription_for_roles_changes.reset();
|
2021-11-02 11:06:20 +00:00
|
|
|
enabled_roles = access_control->getEnabledRoles(current_roles, current_roles_with_admin_option);
|
2020-03-07 17:37:38 +00:00
|
|
|
subscription_for_roles_changes = enabled_roles->subscribeForChanges([this](const std::shared_ptr<const EnabledRolesInfo> & roles_info_)
|
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
|
|
|
setRolesInfo(roles_info_);
|
|
|
|
});
|
|
|
|
|
|
|
|
setRolesInfo(enabled_roles->getRolesInfo());
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ContextAccess::setRolesInfo(const std::shared_ptr<const EnabledRolesInfo> & roles_info_) const
|
|
|
|
{
|
|
|
|
assert(roles_info_);
|
|
|
|
roles_info = roles_info_;
|
2021-11-02 11:06:20 +00:00
|
|
|
enabled_row_policies = access_control->getEnabledRowPolicies(
|
2020-12-01 21:07:20 +00:00
|
|
|
*params.user_id, roles_info->enabled_roles);
|
2021-11-02 11:06:20 +00:00
|
|
|
enabled_quota = access_control->getEnabledQuota(
|
2020-12-01 21:07:20 +00:00
|
|
|
*params.user_id, user_name, roles_info->enabled_roles, params.address, params.forwarded_address, params.quota_key);
|
2021-11-02 11:06:20 +00:00
|
|
|
enabled_settings = access_control->getEnabledSettings(
|
2020-12-01 21:07:20 +00:00
|
|
|
*params.user_id, user->settings, roles_info->enabled_roles, roles_info->settings_from_enabled_roles);
|
2020-07-02 00:09:57 +00:00
|
|
|
calculateAccessRights();
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-07-02 00:09:57 +00:00
|
|
|
void ContextAccess::calculateAccessRights() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
access = std::make_shared<AccessRights>(mixAccessRightsFromUserAndRoles(*user, *roles_info));
|
2022-07-07 17:17:07 +00:00
|
|
|
access_with_implicit = std::make_shared<AccessRights>(addImplicitAccessRights(*access, *access_control));
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-06-20 22:44:52 +00:00
|
|
|
if (trace_log)
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
|
|
|
if (roles_info && !roles_info->getCurrentRolesNames().empty())
|
|
|
|
{
|
2020-05-23 22:24:01 +00:00
|
|
|
LOG_TRACE(trace_log, "Current_roles: {}, enabled_roles: {}",
|
2020-05-23 17:52:11 +00:00
|
|
|
boost::algorithm::join(roles_info->getCurrentRolesNames(), ", "),
|
|
|
|
boost::algorithm::join(roles_info->getEnabledRolesNames(), ", "));
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
2020-06-20 22:44:52 +00:00
|
|
|
LOG_TRACE(trace_log, "Settings: readonly={}, allow_ddl={}, allow_introspection_functions={}", params.readonly, params.allow_ddl, params.allow_introspection);
|
2020-07-02 00:09:57 +00:00
|
|
|
LOG_TRACE(trace_log, "List of all grants: {}", access->toString());
|
2020-12-08 14:24:32 +00:00
|
|
|
LOG_TRACE(trace_log, "List of all grants including implicit: {}", access_with_implicit->toString());
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
UserPtr ContextAccess::getUser() const
|
2022-05-25 18:17:49 +00:00
|
|
|
{
|
|
|
|
auto res = tryGetUser();
|
|
|
|
|
|
|
|
if (likely(res))
|
|
|
|
return res;
|
|
|
|
|
2022-06-01 14:49:26 +00:00
|
|
|
if (user_was_dropped)
|
|
|
|
throw Exception(ErrorCodes::UNKNOWN_USER, "User has been dropped");
|
|
|
|
|
|
|
|
throw Exception(ErrorCodes::LOGICAL_ERROR, "No user in current context, it's a bug");
|
2022-05-25 18:17:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
UserPtr ContextAccess::tryGetUser() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
|
|
|
return user;
|
|
|
|
}
|
|
|
|
|
|
|
|
String ContextAccess::getUserName() const
|
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
|
|
|
return user_name;
|
|
|
|
}
|
|
|
|
|
|
|
|
std::shared_ptr<const EnabledRolesInfo> ContextAccess::getRolesInfo() const
|
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (roles_info)
|
|
|
|
return roles_info;
|
|
|
|
static const auto no_roles = std::make_shared<EnabledRolesInfo>();
|
|
|
|
return no_roles;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-05-07 02:45:27 +00:00
|
|
|
std::shared_ptr<const EnabledRowPolicies> ContextAccess::getEnabledRowPolicies() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_row_policies)
|
|
|
|
return enabled_row_policies;
|
|
|
|
static const auto no_row_policies = std::make_shared<EnabledRowPolicies>();
|
|
|
|
return no_row_policies;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2022-10-24 07:58:14 +00:00
|
|
|
RowPolicyFilterPtr ContextAccess::getRowPolicyFilter(const String & database, const String & table_name, RowPolicyFilterType filter_type, RowPolicyFilterPtr combine_with_filter) const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_row_policies)
|
2022-08-02 10:45:06 +00:00
|
|
|
return enabled_row_policies->getFilter(database, table_name, filter_type, combine_with_filter);
|
|
|
|
return combine_with_filter;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
std::shared_ptr<const EnabledQuota> ContextAccess::getQuota() const
|
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_quota)
|
|
|
|
return enabled_quota;
|
|
|
|
static const auto unlimited_quota = EnabledQuota::getUnlimitedQuota();
|
|
|
|
return unlimited_quota;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-05-08 12:50:45 +00:00
|
|
|
std::optional<QuotaUsage> ContextAccess::getQuotaUsage() const
|
2020-04-10 22:23:27 +00:00
|
|
|
{
|
2020-05-08 12:50:45 +00:00
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_quota)
|
|
|
|
return enabled_quota->getUsage();
|
|
|
|
return {};
|
2020-04-10 22:23:27 +00:00
|
|
|
}
|
|
|
|
|
2022-08-28 19:15:15 +00:00
|
|
|
|
2020-03-07 17:37:38 +00:00
|
|
|
std::shared_ptr<const ContextAccess> ContextAccess::getFullAccess()
|
2020-04-10 22:23:27 +00:00
|
|
|
{
|
2020-03-07 17:37:38 +00:00
|
|
|
static const std::shared_ptr<const ContextAccess> res = []
|
|
|
|
{
|
2022-08-30 08:06:42 +00:00
|
|
|
auto full_access = std::make_shared<ContextAccess>();
|
2020-12-08 14:24:32 +00:00
|
|
|
full_access->is_full_access = true;
|
2020-06-20 22:44:52 +00:00
|
|
|
full_access->access = std::make_shared<AccessRights>(AccessRights::getFullAccess());
|
2022-07-07 17:17:07 +00:00
|
|
|
full_access->access_with_implicit = full_access->access;
|
2020-03-07 17:37:38 +00:00
|
|
|
return full_access;
|
|
|
|
}();
|
|
|
|
return res;
|
2020-04-10 22:23:27 +00:00
|
|
|
}
|
|
|
|
|
2022-08-28 19:15:15 +00:00
|
|
|
|
2021-07-22 16:07:03 +00:00
|
|
|
SettingsChanges ContextAccess::getDefaultSettings() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-03-04 22:27:03 +00:00
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_settings)
|
2021-07-22 16:07:03 +00:00
|
|
|
{
|
|
|
|
if (auto info = enabled_settings->getInfo())
|
|
|
|
return info->settings;
|
|
|
|
}
|
|
|
|
return {};
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-07-22 16:07:03 +00:00
|
|
|
std::shared_ptr<const SettingsProfilesInfo> ContextAccess::getDefaultProfileInfo() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-03-04 22:27:03 +00:00
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (enabled_settings)
|
2021-07-22 16:07:03 +00:00
|
|
|
return enabled_settings->getInfo();
|
2021-11-02 11:06:20 +00:00
|
|
|
static const auto everything_by_default = std::make_shared<SettingsProfilesInfo>(*access_control);
|
2021-07-22 16:07:03 +00:00
|
|
|
return everything_by_default;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
std::shared_ptr<const AccessRights> ContextAccess::getAccessRights() const
|
2020-06-20 22:44:52 +00:00
|
|
|
{
|
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (access)
|
|
|
|
return access;
|
|
|
|
static const auto nothing_granted = std::make_shared<AccessRights>();
|
|
|
|
return nothing_granted;
|
2020-06-20 22:44:52 +00:00
|
|
|
}
|
2020-03-07 17:37:38 +00:00
|
|
|
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
std::shared_ptr<const AccessRights> ContextAccess::getAccessRightsWithImplicit() const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
std::lock_guard lock{mutex};
|
2021-07-15 08:55:51 +00:00
|
|
|
if (access_with_implicit)
|
|
|
|
return access_with_implicit;
|
|
|
|
static const auto nothing_granted = std::make_shared<AccessRights>();
|
|
|
|
return nothing_granted;
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
|
|
|
|
template <bool throw_if_denied, bool grant_option, typename... Args>
|
2022-03-30 08:32:49 +00:00
|
|
|
bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... args) const
|
2020-06-20 22:44:52 +00:00
|
|
|
{
|
2022-11-09 20:01:05 +00:00
|
|
|
if (user_was_dropped)
|
|
|
|
{
|
|
|
|
/// If the current user has been dropped we always throw an exception (even if `throw_if_denied` is false)
|
|
|
|
/// because dropping of the current user is considered as a situation which is exceptional enough to stop
|
|
|
|
/// query execution.
|
2023-01-23 21:13:58 +00:00
|
|
|
throw Exception(ErrorCodes::UNKNOWN_USER, "{}: User has been dropped", getUserName());
|
2022-11-09 20:01:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (is_full_access)
|
|
|
|
return true;
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
auto access_granted = [&]
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
if (trace_log)
|
2021-02-26 22:37:00 +00:00
|
|
|
LOG_TRACE(trace_log, "Access granted: {}{}", (AccessRightsElement{flags, args...}.toStringWithoutOptions()),
|
2020-12-08 14:24:32 +00:00
|
|
|
(grant_option ? " WITH GRANT OPTION" : ""));
|
|
|
|
return true;
|
|
|
|
};
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2023-01-25 20:16:42 +00:00
|
|
|
auto access_denied = [&]<typename... FmtArgs>(int error_code [[maybe_unused]],
|
|
|
|
FormatStringHelper<String, FmtArgs...> fmt_string [[maybe_unused]],
|
|
|
|
FmtArgs && ...fmt_args [[maybe_unused]])
|
2020-06-20 22:44:52 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
if (trace_log)
|
2021-02-26 22:37:00 +00:00
|
|
|
LOG_TRACE(trace_log, "Access denied: {}{}", (AccessRightsElement{flags, args...}.toStringWithoutOptions()),
|
2020-12-08 14:24:32 +00:00
|
|
|
(grant_option ? " WITH GRANT OPTION" : ""));
|
|
|
|
if constexpr (throw_if_denied)
|
2023-01-25 20:16:42 +00:00
|
|
|
throw Exception(error_code, std::move(fmt_string), getUserName(), std::forward<FmtArgs>(fmt_args)...);
|
2020-12-08 14:24:32 +00:00
|
|
|
return false;
|
2020-06-20 22:44:52 +00:00
|
|
|
};
|
2020-03-22 21:40:32 +00:00
|
|
|
|
2022-03-30 08:32:49 +00:00
|
|
|
if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
|
|
|
|
flags &= ~AccessType::CLUSTER;
|
|
|
|
|
2022-07-01 10:18:09 +00:00
|
|
|
if (!flags)
|
2022-07-10 00:51:31 +00:00
|
|
|
return true;
|
2020-03-22 21:40:32 +00:00
|
|
|
|
2023-02-15 15:59:43 +00:00
|
|
|
const auto parameter_type = flags.getParameterType();
|
|
|
|
if (parameter_type == AccessFlags::NONE)
|
|
|
|
{
|
|
|
|
/// Access to temporary tables is controlled in an unusual way, not like normal tables.
|
|
|
|
/// Creating of temporary tables is controlled by AccessType::CREATE_TEMPORARY_TABLES grant,
|
|
|
|
/// and other grants are considered as always given.
|
|
|
|
/// The DatabaseCatalog class won't resolve StorageID for temporary tables
|
|
|
|
/// which shouldn't be accessed.
|
|
|
|
if (getDatabase(args...) == DatabaseCatalog::TEMPORARY_DATABASE)
|
|
|
|
return access_granted();
|
|
|
|
}
|
2020-12-08 14:24:32 +00:00
|
|
|
|
|
|
|
auto acs = getAccessRightsWithImplicit();
|
|
|
|
bool granted;
|
|
|
|
if constexpr (grant_option)
|
|
|
|
granted = acs->hasGrantOption(flags, args...);
|
|
|
|
else
|
|
|
|
granted = acs->isGranted(flags, args...);
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
if (!granted)
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
if (grant_option && acs->isGranted(flags, args...))
|
|
|
|
{
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::ACCESS_DENIED,
|
|
|
|
"{}: Not enough privileges. "
|
2020-12-08 14:24:32 +00:00
|
|
|
"The required privileges have been granted, but without grant option. "
|
2023-01-25 20:16:42 +00:00
|
|
|
"To execute this query it's necessary to have grant {} WITH GRANT OPTION",
|
|
|
|
AccessRightsElement{flags, args...}.toStringWithoutOptions());
|
2020-12-08 14:24:32 +00:00
|
|
|
}
|
|
|
|
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::ACCESS_DENIED,
|
|
|
|
"{}: Not enough privileges. To execute this query it's necessary to have grant {}",
|
|
|
|
AccessRightsElement{flags, args...}.toStringWithoutOptions() + (grant_option ? " WITH GRANT OPTION" : ""));
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
struct PrecalculatedFlags
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
const AccessFlags table_ddl = AccessType::CREATE_DATABASE | AccessType::CREATE_TABLE | AccessType::CREATE_VIEW
|
|
|
|
| AccessType::ALTER_TABLE | AccessType::ALTER_VIEW | AccessType::DROP_DATABASE | AccessType::DROP_TABLE | AccessType::DROP_VIEW
|
|
|
|
| AccessType::TRUNCATE;
|
|
|
|
|
|
|
|
const AccessFlags dictionary_ddl = AccessType::CREATE_DICTIONARY | AccessType::DROP_DICTIONARY;
|
2022-02-10 19:31:02 +00:00
|
|
|
const AccessFlags function_ddl = AccessType::CREATE_FUNCTION | AccessType::DROP_FUNCTION;
|
2020-12-08 14:24:32 +00:00
|
|
|
const AccessFlags table_and_dictionary_ddl = table_ddl | dictionary_ddl;
|
2022-05-31 15:23:41 +00:00
|
|
|
const AccessFlags table_and_dictionary_and_function_ddl = table_ddl | dictionary_ddl | function_ddl;
|
2020-12-08 14:24:32 +00:00
|
|
|
const AccessFlags write_table_access = AccessType::INSERT | AccessType::OPTIMIZE;
|
|
|
|
const AccessFlags write_dcl_access = AccessType::ACCESS_MANAGEMENT - AccessType::SHOW_ACCESS;
|
|
|
|
|
2022-05-31 15:23:41 +00:00
|
|
|
const AccessFlags not_readonly_flags = write_table_access | table_and_dictionary_and_function_ddl | write_dcl_access | AccessType::SYSTEM | AccessType::KILL_QUERY;
|
2020-12-08 14:24:32 +00:00
|
|
|
const AccessFlags not_readonly_1_flags = AccessType::CREATE_TEMPORARY_TABLE;
|
|
|
|
|
2022-02-10 19:31:02 +00:00
|
|
|
const AccessFlags ddl_flags = table_ddl | dictionary_ddl | function_ddl;
|
2020-12-08 14:24:32 +00:00
|
|
|
const AccessFlags introspection_flags = AccessType::INTROSPECTION;
|
|
|
|
};
|
|
|
|
static const PrecalculatedFlags precalc;
|
2020-06-20 22:44:52 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
if (params.readonly)
|
|
|
|
{
|
|
|
|
if constexpr (grant_option)
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::READONLY, "{}: Cannot change grants in readonly mode.");
|
2020-12-08 14:24:32 +00:00
|
|
|
if ((flags & precalc.not_readonly_flags) ||
|
|
|
|
((params.readonly == 1) && (flags & precalc.not_readonly_1_flags)))
|
2020-06-20 22:44:52 +00:00
|
|
|
{
|
|
|
|
if (params.interface == ClientInfo::Interface::HTTP && params.http_method == ClientInfo::HTTPMethod::GET)
|
2020-12-08 14:24:32 +00:00
|
|
|
{
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::READONLY,
|
|
|
|
"{}: Cannot execute query in readonly mode. "
|
|
|
|
"For queries over HTTP, method GET implies readonly. "
|
|
|
|
"You should use method POST for modifying queries");
|
2020-12-08 14:24:32 +00:00
|
|
|
}
|
2020-06-20 22:44:52 +00:00
|
|
|
else
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::READONLY, "{}: Cannot execute query in readonly mode");
|
2020-06-20 22:44:52 +00:00
|
|
|
}
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-08 18:09:13 +00:00
|
|
|
if (!params.allow_ddl && !grant_option)
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
if (flags & precalc.ddl_flags)
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::QUERY_IS_PROHIBITED,
|
|
|
|
"Cannot execute query. DDL queries are prohibited for the user {}");
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-08 18:07:50 +00:00
|
|
|
if (!params.allow_introspection && !grant_option)
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2020-12-08 14:24:32 +00:00
|
|
|
if (flags & precalc.introspection_flags)
|
2023-01-25 20:16:42 +00:00
|
|
|
return access_denied(ErrorCodes::FUNCTION_NOT_ALLOWED, "{}: Introspection functions are disabled, "
|
|
|
|
"because setting 'allow_introspection_functions' is set to 0");
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
return access_granted();
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|
|
|
|
|
2021-02-26 22:37:00 +00:00
|
|
|
template <bool throw_if_denied, bool grant_option>
|
|
|
|
bool ContextAccess::checkAccessImpl(const AccessFlags & flags) const
|
|
|
|
{
|
|
|
|
return checkAccessImplHelper<throw_if_denied, grant_option>(flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied, bool grant_option, typename... Args>
|
2022-07-14 16:11:35 +00:00
|
|
|
bool ContextAccess::checkAccessImpl(const AccessFlags & flags, std::string_view database, const Args &... args) const
|
2021-02-26 22:37:00 +00:00
|
|
|
{
|
|
|
|
return checkAccessImplHelper<throw_if_denied, grant_option>(flags, database.empty() ? params.current_database : database, args...);
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied, bool grant_option>
|
|
|
|
bool ContextAccess::checkAccessImplHelper(const AccessRightsElement & element) const
|
|
|
|
{
|
|
|
|
assert(!element.grant_option || grant_option);
|
2023-02-15 15:59:43 +00:00
|
|
|
if (!element.any_global_with_parameter)
|
|
|
|
return checkAccessImpl<throw_if_denied, grant_option>(element.access_flags, element.parameter);
|
2023-02-09 14:52:11 +00:00
|
|
|
else if (element.any_database)
|
2021-02-26 22:37:00 +00:00
|
|
|
return checkAccessImpl<throw_if_denied, grant_option>(element.access_flags);
|
|
|
|
else if (element.any_table)
|
|
|
|
return checkAccessImpl<throw_if_denied, grant_option>(element.access_flags, element.database);
|
|
|
|
else if (element.any_column)
|
|
|
|
return checkAccessImpl<throw_if_denied, grant_option>(element.access_flags, element.database, element.table);
|
|
|
|
else
|
|
|
|
return checkAccessImpl<throw_if_denied, grant_option>(element.access_flags, element.database, element.table, element.columns);
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied, bool grant_option>
|
|
|
|
bool ContextAccess::checkAccessImpl(const AccessRightsElement & element) const
|
|
|
|
{
|
|
|
|
if constexpr (grant_option)
|
|
|
|
{
|
|
|
|
return checkAccessImplHelper<throw_if_denied, true>(element);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
if (element.grant_option)
|
|
|
|
return checkAccessImplHelper<throw_if_denied, true>(element);
|
|
|
|
else
|
|
|
|
return checkAccessImplHelper<throw_if_denied, false>(element);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied, bool grant_option>
|
|
|
|
bool ContextAccess::checkAccessImpl(const AccessRightsElements & elements) const
|
|
|
|
{
|
|
|
|
for (const auto & element : elements)
|
|
|
|
if (!checkAccessImpl<throw_if_denied, grant_option>(element))
|
|
|
|
return false;
|
|
|
|
return true;
|
|
|
|
}
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags) const { return checkAccessImpl<false, false>(flags); }
|
2022-07-14 16:11:35 +00:00
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags, std::string_view database) const { return checkAccessImpl<false, false>(flags, database); }
|
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags, std::string_view database, std::string_view table) const { return checkAccessImpl<false, false>(flags, database, table); }
|
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags, std::string_view database, std::string_view table, std::string_view column) const { return checkAccessImpl<false, false>(flags, database, table, column); }
|
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags, std::string_view database, std::string_view table, const std::vector<std::string_view> & columns) const { return checkAccessImpl<false, false>(flags, database, table, columns); }
|
|
|
|
bool ContextAccess::isGranted(const AccessFlags & flags, std::string_view database, std::string_view table, const Strings & columns) const { return checkAccessImpl<false, false>(flags, database, table, columns); }
|
2020-12-08 14:24:32 +00:00
|
|
|
bool ContextAccess::isGranted(const AccessRightsElement & element) const { return checkAccessImpl<false, false>(element); }
|
|
|
|
bool ContextAccess::isGranted(const AccessRightsElements & elements) const { return checkAccessImpl<false, false>(elements); }
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags) const { return checkAccessImpl<false, true>(flags); }
|
2022-07-14 16:11:35 +00:00
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags, std::string_view database) const { return checkAccessImpl<false, true>(flags, database); }
|
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table) const { return checkAccessImpl<false, true>(flags, database, table); }
|
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, std::string_view column) const { return checkAccessImpl<false, true>(flags, database, table, column); }
|
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, const std::vector<std::string_view> & columns) const { return checkAccessImpl<false, true>(flags, database, table, columns); }
|
|
|
|
bool ContextAccess::hasGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, const Strings & columns) const { return checkAccessImpl<false, true>(flags, database, table, columns); }
|
2020-12-08 14:24:32 +00:00
|
|
|
bool ContextAccess::hasGrantOption(const AccessRightsElement & element) const { return checkAccessImpl<false, true>(element); }
|
|
|
|
bool ContextAccess::hasGrantOption(const AccessRightsElements & elements) const { return checkAccessImpl<false, true>(elements); }
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags) const { checkAccessImpl<true, false>(flags); }
|
2022-07-14 16:11:35 +00:00
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags, std::string_view database) const { checkAccessImpl<true, false>(flags, database); }
|
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags, std::string_view database, std::string_view table) const { checkAccessImpl<true, false>(flags, database, table); }
|
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags, std::string_view database, std::string_view table, std::string_view column) const { checkAccessImpl<true, false>(flags, database, table, column); }
|
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags, std::string_view database, std::string_view table, const std::vector<std::string_view> & columns) const { checkAccessImpl<true, false>(flags, database, table, columns); }
|
|
|
|
void ContextAccess::checkAccess(const AccessFlags & flags, std::string_view database, std::string_view table, const Strings & columns) const { checkAccessImpl<true, false>(flags, database, table, columns); }
|
2020-12-08 14:24:32 +00:00
|
|
|
void ContextAccess::checkAccess(const AccessRightsElement & element) const { checkAccessImpl<true, false>(element); }
|
|
|
|
void ContextAccess::checkAccess(const AccessRightsElements & elements) const { checkAccessImpl<true, false>(elements); }
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags) const { checkAccessImpl<true, true>(flags); }
|
2022-07-14 16:11:35 +00:00
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags, std::string_view database) const { checkAccessImpl<true, true>(flags, database); }
|
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table) const { checkAccessImpl<true, true>(flags, database, table); }
|
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, std::string_view column) const { checkAccessImpl<true, true>(flags, database, table, column); }
|
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, const std::vector<std::string_view> & columns) const { checkAccessImpl<true, true>(flags, database, table, columns); }
|
|
|
|
void ContextAccess::checkGrantOption(const AccessFlags & flags, std::string_view database, std::string_view table, const Strings & columns) const { checkAccessImpl<true, true>(flags, database, table, columns); }
|
2020-12-08 14:24:32 +00:00
|
|
|
void ContextAccess::checkGrantOption(const AccessRightsElement & element) const { checkAccessImpl<true, true>(element); }
|
|
|
|
void ContextAccess::checkGrantOption(const AccessRightsElements & elements) const { checkAccessImpl<true, true>(elements); }
|
2020-10-12 18:29:02 +00:00
|
|
|
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
template <bool throw_if_denied, typename Container, typename GetNameFunction>
|
2021-02-26 22:37:00 +00:00
|
|
|
bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const GetNameFunction & get_name_function) const
|
2020-03-07 17:37:38 +00:00
|
|
|
{
|
2023-01-25 20:16:42 +00:00
|
|
|
auto show_error = []<typename... FmtArgs>(int error_code [[maybe_unused]],
|
|
|
|
FormatStringHelper<FmtArgs...> fmt_string [[maybe_unused]],
|
|
|
|
FmtArgs && ...fmt_args [[maybe_unused]])
|
2020-12-08 14:24:32 +00:00
|
|
|
{
|
|
|
|
if constexpr (throw_if_denied)
|
2023-01-25 20:16:42 +00:00
|
|
|
throw Exception(error_code, std::move(fmt_string), std::forward<FmtArgs>(fmt_args)...);
|
|
|
|
return false;
|
2020-12-08 14:24:32 +00:00
|
|
|
};
|
2020-05-08 12:50:45 +00:00
|
|
|
|
2022-07-01 10:18:09 +00:00
|
|
|
if (is_full_access)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if (user_was_dropped)
|
2020-12-08 14:24:32 +00:00
|
|
|
{
|
2023-01-25 20:16:42 +00:00
|
|
|
show_error(ErrorCodes::UNKNOWN_USER, "User has been dropped");
|
2020-12-08 14:24:32 +00:00
|
|
|
return false;
|
|
|
|
}
|
2020-03-07 17:37:38 +00:00
|
|
|
|
2022-07-01 10:18:09 +00:00
|
|
|
if (!std::size(role_ids))
|
|
|
|
return true;
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
if (isGranted(AccessType::ROLE_ADMIN))
|
|
|
|
return true;
|
2020-03-04 22:27:03 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
auto info = getRolesInfo();
|
|
|
|
size_t i = 0;
|
|
|
|
for (auto it = std::begin(role_ids); it != std::end(role_ids); ++it, ++i)
|
|
|
|
{
|
|
|
|
const UUID & role_id = *it;
|
2021-07-15 08:55:51 +00:00
|
|
|
if (info->enabled_roles_with_admin_option.count(role_id))
|
2020-12-08 14:24:32 +00:00
|
|
|
continue;
|
2020-03-04 22:27:03 +00:00
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
if (throw_if_denied)
|
|
|
|
{
|
|
|
|
auto role_name = get_name_function(role_id, i);
|
|
|
|
if (!role_name)
|
|
|
|
role_name = "ID {" + toString(role_id) + "}";
|
|
|
|
|
2021-07-15 08:55:51 +00:00
|
|
|
if (info->enabled_roles.count(role_id))
|
2023-01-25 20:16:42 +00:00
|
|
|
show_error(ErrorCodes::ACCESS_DENIED,
|
|
|
|
"Not enough privileges. "
|
|
|
|
"Role {} is granted, but without ADMIN option. "
|
|
|
|
"To execute this query it's necessary to have the role {} granted with ADMIN option.",
|
|
|
|
backQuote(*role_name), backQuoteIfNeed(*role_name));
|
2020-12-08 14:24:32 +00:00
|
|
|
else
|
2023-01-25 20:16:42 +00:00
|
|
|
show_error(ErrorCodes::ACCESS_DENIED, "Not enough privileges. "
|
|
|
|
"To execute this query it's necessary to have the role {} granted with ADMIN option.",
|
|
|
|
backQuoteIfNeed(*role_name));
|
2020-12-08 14:24:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
2020-03-04 22:27:03 +00:00
|
|
|
}
|
|
|
|
|
2021-02-26 22:37:00 +00:00
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const UUID & role_id) const
|
|
|
|
{
|
2021-11-02 11:06:20 +00:00
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(to_array(role_id), [this](const UUID & id, size_t) { return access_control->tryReadName(id); });
|
2021-02-26 22:37:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const UUID & role_id, const String & role_name) const
|
|
|
|
{
|
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(to_array(role_id), [&role_name](const UUID &, size_t) { return std::optional<String>{role_name}; });
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const UUID & role_id, const std::unordered_map<UUID, String> & names_of_roles) const
|
|
|
|
{
|
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(to_array(role_id), [&names_of_roles](const UUID & id, size_t) { auto it = names_of_roles.find(id); return (it != names_of_roles.end()) ? it->second : std::optional<String>{}; });
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const std::vector<UUID> & role_ids) const
|
|
|
|
{
|
2021-11-02 11:06:20 +00:00
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(role_ids, [this](const UUID & id, size_t) { return access_control->tryReadName(id); });
|
2021-02-26 22:37:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const std::vector<UUID> & role_ids, const Strings & names_of_roles) const
|
|
|
|
{
|
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(role_ids, [&names_of_roles](const UUID &, size_t i) { return std::optional<String>{names_of_roles[i]}; });
|
|
|
|
}
|
|
|
|
|
|
|
|
template <bool throw_if_denied>
|
|
|
|
bool ContextAccess::checkAdminOptionImpl(const std::vector<UUID> & role_ids, const std::unordered_map<UUID, String> & names_of_roles) const
|
|
|
|
{
|
|
|
|
return checkAdminOptionImplHelper<throw_if_denied>(role_ids, [&names_of_roles](const UUID & id, size_t) { auto it = names_of_roles.find(id); return (it != names_of_roles.end()) ? it->second : std::optional<String>{}; });
|
|
|
|
}
|
|
|
|
|
2020-12-08 14:24:32 +00:00
|
|
|
bool ContextAccess::hasAdminOption(const UUID & role_id) const { return checkAdminOptionImpl<false>(role_id); }
|
|
|
|
bool ContextAccess::hasAdminOption(const UUID & role_id, const String & role_name) const { return checkAdminOptionImpl<false>(role_id, role_name); }
|
|
|
|
bool ContextAccess::hasAdminOption(const UUID & role_id, const std::unordered_map<UUID, String> & names_of_roles) const { return checkAdminOptionImpl<false>(role_id, names_of_roles); }
|
|
|
|
bool ContextAccess::hasAdminOption(const std::vector<UUID> & role_ids) const { return checkAdminOptionImpl<false>(role_ids); }
|
|
|
|
bool ContextAccess::hasAdminOption(const std::vector<UUID> & role_ids, const Strings & names_of_roles) const { return checkAdminOptionImpl<false>(role_ids, names_of_roles); }
|
|
|
|
bool ContextAccess::hasAdminOption(const std::vector<UUID> & role_ids, const std::unordered_map<UUID, String> & names_of_roles) const { return checkAdminOptionImpl<false>(role_ids, names_of_roles); }
|
|
|
|
|
|
|
|
void ContextAccess::checkAdminOption(const UUID & role_id) const { checkAdminOptionImpl<true>(role_id); }
|
|
|
|
void ContextAccess::checkAdminOption(const UUID & role_id, const String & role_name) const { checkAdminOptionImpl<true>(role_id, role_name); }
|
|
|
|
void ContextAccess::checkAdminOption(const UUID & role_id, const std::unordered_map<UUID, String> & names_of_roles) const { checkAdminOptionImpl<true>(role_id, names_of_roles); }
|
|
|
|
void ContextAccess::checkAdminOption(const std::vector<UUID> & role_ids) const { checkAdminOptionImpl<true>(role_ids); }
|
|
|
|
void ContextAccess::checkAdminOption(const std::vector<UUID> & role_ids, const Strings & names_of_roles) const { checkAdminOptionImpl<true>(role_ids, names_of_roles); }
|
|
|
|
void ContextAccess::checkAdminOption(const std::vector<UUID> & role_ids, const std::unordered_map<UUID, String> & names_of_roles) const { checkAdminOptionImpl<true>(role_ids, names_of_roles); }
|
|
|
|
|
2022-06-01 14:49:26 +00:00
|
|
|
|
|
|
|
void ContextAccess::checkGranteeIsAllowed(const UUID & grantee_id, const IAccessEntity & grantee) const
|
|
|
|
{
|
|
|
|
if (is_full_access)
|
|
|
|
return;
|
|
|
|
|
|
|
|
auto current_user = getUser();
|
|
|
|
if (!current_user->grantees.match(grantee_id))
|
2023-01-23 21:13:58 +00:00
|
|
|
throw Exception(ErrorCodes::ACCESS_DENIED, "{} is not allowed as grantee", grantee.formatTypeWithName());
|
2022-06-01 14:49:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void ContextAccess::checkGranteesAreAllowed(const std::vector<UUID> & grantee_ids) const
|
|
|
|
{
|
|
|
|
if (is_full_access)
|
|
|
|
return;
|
|
|
|
|
|
|
|
auto current_user = getUser();
|
|
|
|
if (current_user->grantees == RolesOrUsersSet::AllTag{})
|
|
|
|
return;
|
|
|
|
|
|
|
|
for (const auto & id : grantee_ids)
|
|
|
|
{
|
|
|
|
auto entity = access_control->tryRead(id);
|
|
|
|
if (auto role_entity = typeid_cast<RolePtr>(entity))
|
|
|
|
checkGranteeIsAllowed(id, *role_entity);
|
|
|
|
else if (auto user_entity = typeid_cast<UserPtr>(entity))
|
|
|
|
checkGranteeIsAllowed(id, *user_entity);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-07 17:37:38 +00:00
|
|
|
}
|