A readonly user can now execute SHOW CREATE for access entities.

This commit is contained in:
Vitaly Baranov 2020-04-08 04:35:15 +03:00
parent c97d12a19c
commit 23ac1ee87c
4 changed files with 39 additions and 1 deletions


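--- a/UNKNOWN_PATH_1
+++ b/UNKNOWN_PATH_1
@@ -408,9 +408,10 @@ boost::shared_ptr<const AccessRights> ContextAccess::calculateResultAccess(bool
 static const AccessFlags dictionary_ddl = AccessType::CREATE_DICTIONARY | AccessType::DROP_DICTIONARY;
 static const AccessFlags table_and_dictionary_ddl = table_ddl | dictionary_ddl;
 static const AccessFlags write_table_access = AccessType::INSERT | AccessType::OPTIMIZE;
+static const AccessFlags write_dcl_access = AccessType::ACCESS_MANAGEMENT - AccessType::SHOW_ACCESS;
 if (readonly_)
-merged_access->revoke(write_table_access | table_and_dictionary_ddl | AccessType::SYSTEM | AccessType::KILL_QUERY | AccessType::ACCESS_MANAGEMENT);
+merged_access->revoke(write_table_access | table_and_dictionary_ddl | write_dcl_access | AccessType::SYSTEM | AccessType::KILL_QUERY);
 if (readonly_ == 1)
 {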
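Review bot: The new `write_dcl_access` constant encodes a policy decision — a read-only user keeps `SHOW_ACCESS` while every other access-management right is revoked — but nothing in the code says why, so the next person tightening readonly mode may fold `SHOW_ACCESS` back into the revoked set. A one-line comment above the definition would pin the intent: `/// Read-only users may still inspect access entities (SHOW CREATE USER/ROLE/...), but may not create, alter, drop or grant them.` The subtraction also relies on `SHOW_ACCESS` being a subset of `ACCESS_MANAGEMENT`; that presumably holds but is not visible here, so the comment should state it (or a `static_assert` could check it, if the flags are usable in a constant expression). `calculateResultAccess` begins before the hunk and continues after it.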


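--- /dev/null
+++ b/UNKNOWN_PATH_2
@@ -0,0 +1,13 @@
+<yandex>
+<users>
+<readonly>
+<password></password>
+<profile>readonly</profile>
+<access_management>1</access_management>
+</readonly>
+<xyz>
+<password></password>
+<profile>default</profile>
+</xyz>
+</users>
+</yandex>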


@ -0,0 +1,24 @@
import pytest
from helpers.cluster import ClickHouseCluster
cluster = ClickHouseCluster(__file__)
instance = cluster.add_instance('instance', config_dir="configs")
@pytest.fixture(scope="module", autouse=True)
def started_cluster():
try:
cluster.start()
yield cluster
finally:
cluster.shutdown()
def test_enabling_access_management():
instance.query("CREATE USER Alex", user='default')
assert instance.query("SHOW CREATE USER Alex", user='default') == "CREATE USER Alex\n"
assert instance.query("SHOW CREATE USER Alex", user='readonly') == "CREATE USER Alex\n"
assert "Not enough privileges" in instance.query_and_get_error("SHOW CREATE USER Alex", user='xyz')
assert "Cannot execute query in readonly mode" in instance.query_and_get_error("CREATE USER Robin", user='readonly')
assert "Not enough privileges" in instance.query_and_get_error("CREATE USER Robin", user='xyz')
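Review bot: `test_enabling_access_management` only checks that the readonly user can read an entity (`SHOW CREATE USER`) and cannot create one; it never checks that a write on the entity it can read is still refused, which is exactly the boundary the `SHOW_ACCESS` carve-out in the C++ change draws. Add `assert "Cannot execute query in readonly mode" in instance.query_and_get_error("DROP USER Alex", user='readonly')` next to the existing negative cases, and since the commit covers all access entities rather than just users, at least one other entity type (a role, for instance) deserves the same positive and negative pair. The user `Alex` created by `default` is also never removed; finishing with `instance.query("DROP USER Alex", user='default')` keeps the instance clean for any test added to this module later. The hunk header counts 24 lines and the function appears to end at the last line shown, but blank lines are not rendered here, so that cannot be confirmed.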