Updating requirements for the INSERT RBAC tests

tests/testflows/rbac/requirements/requirements.py

@@ -5896,7 +5896,7 @@ RQ_SRS_006_RBAC_Privileges_Insert = Requirement(
         type=None,
         uid=None,
         description=(
-        '[ClickHouse] SHALL support granting or revoking **insert** privilege\n'
+        '[ClickHouse] SHALL support changing access to the **insert** privilege\n'
         'for a database or a specific table to one or more **users** or **roles**.\n'
         'Any `INSERT INTO` statements SHALL not to be executed, unless the user\n'
         'has the **insert** privilege for the destination table\n'
@@ -5905,6 +5905,34 @@ RQ_SRS_006_RBAC_Privileges_Insert = Requirement(
         link=None
     )
 
+RQ_SRS_006_RBAC_Privileges_Insert_Grant = Requirement(
+        name='RQ.SRS-006.RBAC.Privileges.Insert.Grant',
+        version='1.0',
+        priority=None,
+        group=None,
+        type=None,
+        uid=None,
+        description=(
+        '[ClickHouse] SHALL support granting **insert** privilege\n'
+        'for a database or a specific table to one or more **users** or **roles**.\n'
+        ),
+        link=None
+    )
+
+RQ_SRS_006_RBAC_Privileges_Insert_Revoke = Requirement(
+        name='RQ.SRS-006.RBAC.Privileges.Insert.Revoke',
+        version='1.0',
+        priority=None,
+        group=None,
+        type=None,
+        uid=None,
+        description=(
+        '[ClickHouse] SHALL support revoking **insert** privilege\n'
+        'for a database or a specific table to one or more **users** or **roles**\n'
+        ),
+        link=None
+    )
+
 RQ_SRS_006_RBAC_Privileges_Insert_Column = Requirement(
         name='RQ.SRS-006.RBAC.Privileges.Insert.Column',
         version='1.0',
@@ -5946,15 +5974,45 @@ RQ_SRS_006_RBAC_Privileges_Insert_GrantOption = Requirement(
         type=None,
         uid=None,
         description=(
-        '[ClickHouse] SHALL support granting or revoking **insert** privilege\n'
+        '[ClickHouse] SHALL support granting **insert** privilege\n'
         'for a database or a specific table to one or more **users** or **roles**\n'
-        'with a `GRANT OPTION` clause. Granting or revoking **insert** privilege\n'
+        'with a `GRANT OPTION` clause. User with **grant option** privilege SHALL be able to\n'
-        'by a user with `GRANT OPTION` SHALL only succeed if the access scope of the grant or revoke\n'
+        'change access to the **insert** privilege by another user or role\n'
-        'is less than or equal to their own. Any `INSERT INTO` statements SHALL succeed\n'
+        'on the same or smaller scope that they have access to.\n'
+        ),
+        link=None
+    )
+
+RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Grant = Requirement(
+        name='RQ.SRS-006.RBAC.Privileges.Insert.GrantOption.Grant',
+        version='1.0',
+        priority=None,
+        group=None,
+        type=None,
+        uid=None,
+        description=(
+        '[ClickHouse] SHALL support a user with **grant option** privilege\n'
+        'granting **insert** privilege to other **users** or **roles** on the same\n'
+        'or smaller scope that they have access to. Any `INSERT INTO` statements SHALL succeed\n'
         'when done by a user with privilege granted by a user with `GRANT OPTION`,\n'
-        'either directly or through an assigned role. Any `INSERT INTO` statements SHALL fail\n'
+        'either directly or through an assigned role.\n'
-        'when done by a user with privilege revoked by a user with `GRANT OPTION`,\n'
+        ),
-        'unless they have access otherwise.\n'
+        link=None
+    )
+
+RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Revoke = Requirement(
+        name='RQ.SRS-006.RBAC.Privileges.Insert.GrantOption.Revoke',
+        version='1.0',
+        priority=None,
+        group=None,
+        type=None,
+        uid=None,
+        description=(
+        '[ClickHouse] SHALL support a user with **grant option** privilege\n'
+        'revoking **insert** privilege from other **users** or **roles** on the same\n'
+        'or smaller scope that they have access to. Any `INSERT INTO` statements SHALL fail\n'
+        'when done by a user with privilege revoke by a user with `GRANT OPTION`,\n'
+        'either directly or through an assigned role, unless they have access otherwise.\n'
         ),
         link=None
     )

tests/testflows/rbac/tests/privileges/insert.py

@@ -69,6 +69,9 @@ def without_privilege(self, table_type, node=None):
                             exitcode=exitcode, message=message)
 
 @TestScenario
+@Requirements(
+    RQ_SRS_006_RBAC_Privileges_Insert_Grant("1.0"),
+)
 def user_with_privilege(self, table_type, node=None):
     """Check that user can insert into a table on which they have insert privilege and the inserted data is correct.
     """
@@ -85,6 +88,9 @@ def user_with_privilege(self, table_type, node=None):
                 assert output == '{"d":"2020-01-01"}', error()
 
 @TestScenario
+@Requirements(
+    RQ_SRS_006_RBAC_Privileges_Insert_Revoke("1.0"),
+)
 def user_with_revoked_privilege(self, table_type, node=None):
     """Check that user is unable to insert into a table after insert privilege on that table has been revoked from user.
     """
@@ -149,6 +155,9 @@ def user_column_privileges(self, grant_columns, insert_columns_pass, data_fail,
                                 settings=[("user","user0")], exitcode=exitcode, message=message)
 
 @TestScenario
+@Requirements(
+    RQ_SRS_006_RBAC_Privileges_Insert_Grant("1.0"),
+)
 def role_with_privilege(self, table_type, node=None):
     """Check that user can insert into a table after it is granted a role that
     has the insert privilege for that table.
@@ -168,6 +177,9 @@ def role_with_privilege(self, table_type, node=None):
                 assert output == '{"d":"2020-01-01"}', error()
 
 @TestScenario
+@Requirements(
+    RQ_SRS_006_RBAC_Privileges_Insert_Revoke("1.0"),
+)
 def role_with_revoked_privilege(self, table_type, node=None):
     """Check that user with a role that has insert privilege on a table
     is unable to insert into that table after insert privilege
@@ -208,6 +220,7 @@ def user_with_revoked_role(self, table_type, node=None):
                 exitcode, message = errors.not_enough_privileges(name="user0")
                 node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')",
                             settings=[("user","user0")], exitcode=exitcode, message=message)
+
 @TestScenario
 def role_with_privilege_on_columns(self, table_type):
     Scenario(run=role_column_privileges,
@@ -289,7 +302,7 @@ def user_with_privilege_on_cluster(self, table_type, node=None):
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Grant("1.0"),
 )
 def user_with_privilege_from_user_with_grant_option(self, table_type, node=None):
     """Check that user is able to insert on a table when granted privilege
@@ -315,7 +328,7 @@ def user_with_privilege_from_user_with_grant_option(self, table_type, node=None)
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Grant("1.0"),
 )
 def role_with_privilege_from_user_with_grant_option(self, table_type, node=None):
     """Check that user is able to insert on a table when granted a role with
@@ -343,7 +356,7 @@ def role_with_privilege_from_user_with_grant_option(self, table_type, node=None)
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Grant("1.0"),
 )
 def user_with_privilege_from_role_with_grant_option(self, table_type, node=None):
     """Check that user is able to insert on a table when granted privilege from a role with grant option
@@ -370,7 +383,7 @@ def user_with_privilege_from_role_with_grant_option(self, table_type, node=None)
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Grant("1.0"),
 )
 def role_with_privilege_from_role_with_grant_option(self, table_type, node=None):
     """Check that a user is able to insert on a table with a role that was granted privilege
@@ -400,7 +413,7 @@ def role_with_privilege_from_role_with_grant_option(self, table_type, node=None)
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Revoke("1.0"),
 )
 def revoke_privilege_from_user_via_user_with_grant_option(self, table_type, node=None):
     """Check that user is unable to revoke a column they don't have access to from a user.
@@ -418,7 +431,7 @@ def revoke_privilege_from_user_via_user_with_grant_option(self, table_type, node
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Revoke("1.0"),
 )
 def revoke_privilege_from_role_via_user_with_grant_option(self, table_type, node=None):
     """Check that user is unable to revoke a column they dont have acces to from a role.
@@ -436,7 +449,7 @@ def revoke_privilege_from_role_via_user_with_grant_option(self, table_type, node
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Revoke("1.0"),
 )
 def revoke_privilege_from_user_via_role_with_grant_option(self, table_type, node=None):
     """Check that user with a role is unable to revoke a column they dont have acces to from a user.
@@ -456,7 +469,7 @@ def revoke_privilege_from_user_via_role_with_grant_option(self, table_type, node
 
 @TestScenario
 @Requirements(
-    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption("1.0"),
+    RQ_SRS_006_RBAC_Privileges_Insert_GrantOption_Revoke("1.0"),
 )
 def revoke_privilege_from_role_via_role_with_grant_option(self, table_type, node=None):
     """Check that user with a role is unable to revoke a column they dont have acces to from a role.