readonly user now can execute SHOW CREATE for access entities.

2024-11-24 00:22:29 +00:00 · 2020-04-08 04:35:15 +03:00 · 2020-04-08 04:35:15 +03:00 · 23ac1ee87c
commit 23ac1ee87c
parent c97d12a19c
4 changed files with 39 additions and 1 deletions
--- a/src/Access/ContextAccess.cpp
+++ b/src/Access/ContextAccess.cpp
@ -408,9 +408,10 @@ boost::shared_ptr<const AccessRights> ContextAccess::calculateResultAccess(bool
    static const AccessFlags dictionary_ddl = AccessType::CREATE_DICTIONARY | AccessType::DROP_DICTIONARY;
    static const AccessFlags table_and_dictionary_ddl = table_ddl | dictionary_ddl;
    static const AccessFlags write_table_access = AccessType::INSERT | AccessType::OPTIMIZE;
+    static const AccessFlags write_dcl_access = AccessType::ACCESS_MANAGEMENT - AccessType::SHOW_ACCESS;

    if (readonly_)
-        merged_access->revoke(write_table_access | table_and_dictionary_ddl | AccessType::SYSTEM | AccessType::KILL_QUERY | AccessType::ACCESS_MANAGEMENT);
+        merged_access->revoke(write_table_access | table_and_dictionary_ddl | write_dcl_access | AccessType::SYSTEM | AccessType::KILL_QUERY);

    if (readonly_ == 1)
    {
--- a/tests/integration/test_enabling_access_management/init.py
+++ b/tests/integration/test_enabling_access_management/init.py
--- a/tests/integration/test_enabling_access_management/configs/users.d/extra_users.xml
+++ b/tests/integration/test_enabling_access_management/configs/users.d/extra_users.xml
@ -0,0 +1,13 @@
+<yandex>
+    <users>
+        <readonly>
+            <password></password>
+            <profile>readonly</profile>
+            <access_management>1</access_management>
+        </readonly>
+        <xyz>
+            <password></password>
+            <profile>default</profile>
+        </xyz>
+    </users>
+</yandex>
--- a/tests/integration/test_enabling_access_management/test.py
+++ b/tests/integration/test_enabling_access_management/test.py
@ -0,0 +1,24 @@
+import pytest
+from helpers.cluster import ClickHouseCluster
+
+cluster = ClickHouseCluster(__file__)
+instance = cluster.add_instance('instance', config_dir="configs")
+
+@pytest.fixture(scope="module", autouse=True)
+def started_cluster():
+    try:
+        cluster.start()
+        yield cluster
+
+    finally:
+        cluster.shutdown()
+
+
+def test_enabling_access_management():
+    instance.query("CREATE USER Alex", user='default')
+    assert instance.query("SHOW CREATE USER Alex", user='default') == "CREATE USER Alex\n"
+    assert instance.query("SHOW CREATE USER Alex", user='readonly') == "CREATE USER Alex\n"
+    assert "Not enough privileges" in instance.query_and_get_error("SHOW CREATE USER Alex", user='xyz')
+
+    assert "Cannot execute query in readonly mode" in instance.query_and_get_error("CREATE USER Robin", user='readonly')
+    assert "Not enough privileges" in instance.query_and_get_error("CREATE USER Robin", user='xyz')