Merge pull request #53170 from ClickHouse/fix-row-policy-analyzer

Analyzer: fix row policy
2024-11-28 02:21:59 +00:00 · 2023-11-01 18:30:49 +01:00 · 2023-11-01 18:30:49 +01:00 · 1f1453dba5
commit 1f1453dba5
parent 754ab9fa6c f08634a0f6
4 changed files with 19 additions and 19 deletions
--- a/src/Planner/Planner.cpp
+++ b/src/Planner/Planner.cpp
@ -1373,6 +1373,9 @@ void Planner::buildPlanForQueryNode()
    {
        if (table_expression_data.getPrewhereFilterActions())
            result_actions_to_execute.push_back(table_expression_data.getPrewhereFilterActions());
+
+        if (table_expression_data.getRowLevelFilterActions())
+            result_actions_to_execute.push_back(table_expression_data.getRowLevelFilterActions());
    }

    if (query_processing_info.isIntermediateStage())
--- a/src/Planner/PlannerJoinTree.cpp
+++ b/src/Planner/PlannerJoinTree.cpp
@ -447,7 +447,7 @@ FilterDAGInfo buildRowPolicyFilterIfNeeded(const StoragePtr & storage,
    const auto & query_context = planner_context->getQueryContext();

    auto row_policy_filter = query_context->getRowPolicyFilter(storage_id.getDatabaseName(), storage_id.getTableName(), RowPolicyFilterType::SELECT_FILTER);
-    if (!row_policy_filter)
+    if (!row_policy_filter || row_policy_filter->empty())
        return {};

    return buildFilterInfo(row_policy_filter->expression, table_expression_query_info.table_expression, planner_context);
@ -783,6 +783,8 @@ JoinTreeQueryPlan buildQueryPlanForTableExpression(QueryTreeNodePtr table_expres

                auto row_policy_filter_info = buildRowPolicyFilterIfNeeded(storage, table_expression_query_info, planner_context);
                add_filter(row_policy_filter_info, "Row-level security filter");
+                if (row_policy_filter_info.actions)
+                    table_expression_data.setRowLevelFilterActions(row_policy_filter_info.actions);

                if (query_context->getParallelReplicasMode() == Context::ParallelReplicasMode::CUSTOM_KEY)
                {
--- a/src/Planner/TableExpressionData.h
+++ b/src/Planner/TableExpressionData.h
@ -245,6 +245,16 @@ public:
        return prewhere_filter_actions;
    }

+    void setRowLevelFilterActions(ActionsDAGPtr row_level_filter_actions_value)
+    {
+        row_level_filter_actions = std::move(row_level_filter_actions_value);
+    }
+
+    const ActionsDAGPtr & getRowLevelFilterActions() const
+    {
+        return row_level_filter_actions;
+    }
+
    void setPrewhereFilterActions(ActionsDAGPtr prewhere_filter_actions_value)
    {
        prewhere_filter_actions = std::move(prewhere_filter_actions_value);
@ -290,6 +300,9 @@ private:
    /// Valid for table, table function
    ActionsDAGPtr prewhere_filter_actions;

+    /// Valid for table, table function
+    ActionsDAGPtr row_level_filter_actions;
+
    /// Is storage remote
    bool is_remote = false;
 };
--- a/tests/analyzer_integration_broken_tests.txt
+++ b/tests/analyzer_integration_broken_tests.txt
@ -14,24 +14,6 @@ test_mysql_database_engine/test.py::test_mysql_ddl_for_mysql_database
 test_passing_max_partitions_to_read_remotely/test.py::test_default_database_on_cluster
 test_profile_events_s3/test.py::test_profile_events
 test_replicating_constants/test.py::test_different_versions
-test_row_policy/test.py::test_change_of_users_xml_changes_row_policies
-test_row_policy/test.py::test_dcl_introspection
-test_row_policy/test.py::test_dcl_management
-test_row_policy/test.py::test_dcl_users_with_policies_from_users_xml
-test_row_policy/test.py::test_grant_create_row_policy
-test_row_policy/test.py::test_policy_from_users_xml_affects_only_user_assigned
-test_row_policy/test.py::test_policy_on_distributed_table_via_role
-test_row_policy/test.py::test_reload_users_xml_by_timer
-test_row_policy/test.py::test_row_policy_filter_with_subquery
-test_row_policy/test.py::test_smoke
-test_row_policy/test.py::test_some_users_without_policies
-test_row_policy/test.py::test_tags_with_db_and_table_names
-test_row_policy/test.py::test_throwif_error_in_prewhere_with_same_condition_as_filter
-test_row_policy/test.py::test_throwif_error_in_where_with_same_condition_as_filter
-test_row_policy/test.py::test_throwif_in_prewhere_doesnt_expose_restricted_data
-test_row_policy/test.py::test_throwif_in_where_doesnt_expose_restricted_data
-test_row_policy/test.py::test_users_xml_is_readonly
-test_row_policy/test.py::test_with_prewhere
 test_select_access_rights/test_main.py::test_alias_columns
 test_select_access_rights/test_main.py::test_select_count
 test_select_access_rights/test_main.py::test_select_join