2020-02-04 22:37:04 +00:00
|
|
|
#include <Interpreters/InterpreterGrantQuery.h>
|
|
|
|
|
#include <Parsers/ASTGrantQuery.h>
|
|
|
|
|
#include <Interpreters/Context.h>
|
|
|
|
|
#include <Access/AccessControlManager.h>
|
|
|
|
|
#include <Access/AccessRightsContext.h>
|
2020-02-10 02:26:56 +00:00
|
|
|
#include <Access/GenericRoleSet.h>
|
2020-02-04 22:37:04 +00:00
|
|
|
#include <Access/User.h>
|
2020-02-17 02:59:56 +00:00
|
|
|
#include <Access/Role.h>
|
|
|
|
|
#include <boost/range/algorithm/copy.hpp>
|
2020-02-04 22:37:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace DB
|
|
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
namespace
|
2020-02-04 22:37:04 +00:00
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
template <typename T>
|
2020-03-05 17:02:11 +00:00
|
|
|
void updateFromQueryImpl(T & grantee, const ASTGrantQuery & query, const std::vector<UUID> & roles_from_query, const String & current_database)
|
2020-02-04 22:37:04 +00:00
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
using Kind = ASTGrantQuery::Kind;
|
2020-02-17 02:59:56 +00:00
|
|
|
if (!query.access_rights_elements.empty())
|
|
|
|
|
{
|
|
|
|
|
if (query.kind == Kind::GRANT)
|
|
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.access.grant(query.access_rights_elements, current_database);
|
2020-02-17 02:59:56 +00:00
|
|
|
if (query.grant_option)
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.access_with_grant_option.grant(query.access_rights_elements, current_database);
|
2020-02-17 02:59:56 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.access_with_grant_option.revoke(query.access_rights_elements, current_database);
|
2020-02-17 02:59:56 +00:00
|
|
|
if (!query.grant_option)
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.access.revoke(query.access_rights_elements, current_database);
|
2020-02-17 02:59:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-21 19:27:12 +00:00
|
|
|
if (!roles_from_query.empty())
|
2020-02-04 22:37:04 +00:00
|
|
|
{
|
2020-02-17 02:59:56 +00:00
|
|
|
if (query.kind == Kind::GRANT)
|
|
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
boost::range::copy(roles_from_query, std::inserter(grantee.granted_roles, grantee.granted_roles.end()));
|
2020-02-17 02:59:56 +00:00
|
|
|
if (query.admin_option)
|
2020-02-21 19:27:12 +00:00
|
|
|
boost::range::copy(roles_from_query, std::inserter(grantee.granted_roles_with_admin_option, grantee.granted_roles_with_admin_option.end()));
|
2020-02-17 02:59:56 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
for (const UUID & role_from_query : roles_from_query)
|
2020-02-17 02:59:56 +00:00
|
|
|
{
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.granted_roles_with_admin_option.erase(role_from_query);
|
2020-02-17 02:59:56 +00:00
|
|
|
if (!query.admin_option)
|
2020-02-21 19:27:12 +00:00
|
|
|
grantee.granted_roles.erase(role_from_query);
|
|
|
|
|
if constexpr (std::is_same_v<T, User>)
|
|
|
|
|
grantee.default_roles.ids.erase(role_from_query);
|
2020-02-17 02:59:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
2020-02-04 22:37:04 +00:00
|
|
|
}
|
2020-02-21 19:27:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
BlockIO InterpreterGrantQuery::execute()
|
|
|
|
|
{
|
|
|
|
|
const auto & query = query_ptr->as<const ASTGrantQuery &>();
|
|
|
|
|
auto & access_control = context.getAccessControlManager();
|
|
|
|
|
context.getAccessRights()->checkGrantOption(query.access_rights_elements);
|
|
|
|
|
|
|
|
|
|
std::vector<UUID> roles_from_query;
|
|
|
|
|
if (query.roles)
|
|
|
|
|
{
|
|
|
|
|
roles_from_query = GenericRoleSet{*query.roles, access_control}.getMatchingRoles(access_control);
|
|
|
|
|
for (const UUID & role_from_query : roles_from_query)
|
|
|
|
|
context.getAccessRights()->checkAdminOption(role_from_query);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::vector<UUID> to_roles = GenericRoleSet{*query.to_roles, access_control, context.getUserID()}.getMatchingUsersAndRoles(access_control);
|
|
|
|
|
String current_database = context.getCurrentDatabase();
|
|
|
|
|
|
|
|
|
|
auto update_func = [&](const AccessEntityPtr & entity) -> AccessEntityPtr
|
|
|
|
|
{
|
|
|
|
|
auto clone = entity->clone();
|
|
|
|
|
if (auto user = typeid_cast<std::shared_ptr<User>>(clone))
|
|
|
|
|
{
|
2020-03-05 17:02:11 +00:00
|
|
|
updateFromQueryImpl(*user, query, roles_from_query, current_database);
|
2020-02-21 19:27:12 +00:00
|
|
|
return user;
|
|
|
|
|
}
|
|
|
|
|
else if (auto role = typeid_cast<std::shared_ptr<Role>>(clone))
|
|
|
|
|
{
|
2020-03-05 17:02:11 +00:00
|
|
|
updateFromQueryImpl(*role, query, roles_from_query, current_database);
|
2020-02-21 19:27:12 +00:00
|
|
|
return role;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
return entity;
|
2020-02-04 22:37:04 +00:00
|
|
|
};
|
|
|
|
|
|
2020-02-10 02:26:56 +00:00
|
|
|
access_control.update(to_roles, update_func);
|
|
|
|
|
|
2020-02-04 22:37:04 +00:00
|
|
|
return {};
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-21 19:27:12 +00:00
|
|
|
|
|
|
|
|
void InterpreterGrantQuery::updateUserFromQuery(User & user, const ASTGrantQuery & query)
|
|
|
|
|
{
|
|
|
|
|
std::vector<UUID> roles_from_query;
|
|
|
|
|
if (query.roles)
|
|
|
|
|
roles_from_query = GenericRoleSet{*query.roles}.getMatchingIDs();
|
2020-03-05 17:02:11 +00:00
|
|
|
updateFromQueryImpl(user, query, roles_from_query, {});
|
2020-02-21 19:27:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void InterpreterGrantQuery::updateRoleFromQuery(Role & role, const ASTGrantQuery & query)
|
|
|
|
|
{
|
|
|
|
|
std::vector<UUID> roles_from_query;
|
|
|
|
|
if (query.roles)
|
|
|
|
|
roles_from_query = GenericRoleSet{*query.roles}.getMatchingIDs();
|
2020-03-05 17:02:11 +00:00
|
|
|
updateFromQueryImpl(role, query, roles_from_query, {});
|
2020-02-21 19:27:12 +00:00
|
|
|
}
|
|
|
|
|
|
2020-02-04 22:37:04 +00:00
|
|
|
}
|
