Add SHOW_USERS(SHOW ROLES, etc.) privileges.

2024-11-22 07:31:57 +00:00 · 2020-04-05 19:28:52 +03:00 · 2020-04-05 19:28:52 +03:00 · 423fa5087a
commit 423fa5087a
parent b4d7ef390c
8 changed files with 59 additions and 24 deletions
--- a/src/Access/AccessType.h
+++ b/src/Access/AccessType.h
@ -91,22 +91,29 @@ enum class AccessType
    M(KILL_QUERY, "", GLOBAL, ALL) /* allows to kill a query started by another user
                                      (anyone can kill his own queries) */\
    \
-    M(CREATE_USER, "", GLOBAL, ALL) \
-    M(ALTER_USER, "", GLOBAL, ALL) \
-    M(DROP_USER, "", GLOBAL, ALL) \
-    M(CREATE_ROLE, "", GLOBAL, ALL) \
-    M(ALTER_ROLE, "", GLOBAL, ALL) \
-    M(DROP_ROLE, "", GLOBAL, ALL) \
-    M(ROLE_ADMIN, "", GLOBAL, ALL) /* allows to grant and revoke the roles which are not granted to the current user with admin option */\
-    M(CREATE_ROW_POLICY, "CREATE POLICY", GLOBAL, ALL) \
-    M(ALTER_ROW_POLICY, "ALTER POLICY", GLOBAL, ALL) \
-    M(DROP_ROW_POLICY, "DROP POLICY", GLOBAL, ALL) \
-    M(CREATE_QUOTA, "", GLOBAL, ALL) \
-    M(ALTER_QUOTA, "", GLOBAL, ALL) \
-    M(DROP_QUOTA, "", GLOBAL, ALL) \
-    M(CREATE_SETTINGS_PROFILE, "CREATE PROFILE", GLOBAL, ALL) \
-    M(ALTER_SETTINGS_PROFILE, "ALTER PROFILE", GLOBAL, ALL) \
-    M(DROP_SETTINGS_PROFILE, "DROP PROFILE", GLOBAL, ALL) \
+    M(CREATE_USER, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ALTER_USER, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(DROP_USER, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(CREATE_ROLE, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ALTER_ROLE, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(DROP_ROLE, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ROLE_ADMIN, "", GLOBAL, ACCESS_MANAGEMENT) /* allows to grant and revoke the roles which are not granted to the current user with admin option */\
+    M(CREATE_ROW_POLICY, "CREATE POLICY", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ALTER_ROW_POLICY, "ALTER POLICY", GLOBAL, ACCESS_MANAGEMENT) \
+    M(DROP_ROW_POLICY, "DROP POLICY", GLOBAL, ACCESS_MANAGEMENT) \
+    M(CREATE_QUOTA, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ALTER_QUOTA, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(DROP_QUOTA, "", GLOBAL, ACCESS_MANAGEMENT) \
+    M(CREATE_SETTINGS_PROFILE, "CREATE PROFILE", GLOBAL, ACCESS_MANAGEMENT) \
+    M(ALTER_SETTINGS_PROFILE, "ALTER PROFILE", GLOBAL, ACCESS_MANAGEMENT) \
+    M(DROP_SETTINGS_PROFILE, "DROP PROFILE", GLOBAL, ACCESS_MANAGEMENT) \
+    M(SHOW_USERS, "SHOW CREATE USER", GLOBAL, SHOW_ACCESS) \
+    M(SHOW_ROLES, "SHOW CREATE ROLE", GLOBAL, SHOW_ACCESS) \
+    M(SHOW_ROW_POLICIES, "SHOW POLICIES, SHOW CREATE ROW POLICY, SHOW CREATE POLICY", GLOBAL, SHOW_ACCESS) \
+    M(SHOW_QUOTAS, "SHOW CREATE QUOTA", GLOBAL, SHOW_ACCESS) \
+    M(SHOW_SETTINGS_PROFILES, "SHOW PROFILES, SHOW CREATE SETTINGS PROFILE, SHOW CREATE PROFILE", GLOBAL, SHOW_ACCESS) \
+    M(SHOW_ACCESS, "", GROUP, ACCESS_MANAGEMENT) \
+    M(ACCESS_MANAGEMENT, "", GROUP, ALL) \
    \
    M(SYSTEM_SHUTDOWN, "SYSTEM KILL, SHUTDOWN", GLOBAL, SYSTEM) \
    M(SYSTEM_DROP_DNS_CACHE, "SYSTEM DROP DNS, DROP DNS CACHE, DROP DNS", GLOBAL, SYSTEM_DROP_CACHE) \
--- a/src/Access/ContextAccess.cpp
+++ b/src/Access/ContextAccess.cpp
@ -409,14 +409,8 @@ boost::shared_ptr<const AccessRights> ContextAccess::calculateResultAccess(bool
    static const AccessFlags table_and_dictionary_ddl = table_ddl | dictionary_ddl;
    static const AccessFlags write_table_access = AccessType::INSERT | AccessType::OPTIMIZE;

-    static const AccessFlags all_dcl = AccessType::CREATE_USER | AccessType::ALTER_USER | AccessType::DROP_USER
-                                     | AccessType::CREATE_ROLE | AccessType::ALTER_ROLE | AccessType::DROP_ROLE | AccessType::ROLE_ADMIN
-                                     | AccessType::CREATE_ROW_POLICY | AccessType::ALTER_ROW_POLICY | AccessType::DROP_ROW_POLICY
-                                     | AccessType::CREATE_SETTINGS_PROFILE | AccessType::ALTER_SETTINGS_PROFILE | AccessType::DROP_SETTINGS_PROFILE
-                                     | AccessType::CREATE_QUOTA | AccessType::ALTER_QUOTA | AccessType::DROP_QUOTA;
-
    if (readonly_)
-        merged_access->revoke(write_table_access | all_dcl | table_and_dictionary_ddl | AccessType::SYSTEM | AccessType::KILL_QUERY);
+        merged_access->revoke(write_table_access | table_and_dictionary_ddl | AccessType::SYSTEM | AccessType::KILL_QUERY | AccessType::ACCESS_MANAGEMENT);

    if (readonly_ == 1)
    {
--- a/src/Access/UsersConfigAccessStorage.cpp
+++ b/src/Access/UsersConfigAccessStorage.cpp
@ -168,7 +168,14 @@ namespace
                user->access.grant(AccessFlags::allDictionaryFlags(), IDictionary::NO_DATABASE_TAG, dictionary);
        }

-        user->access_with_grant_option = user->access;
+        user->access_with_grant_option = user->access; /// By default the user can grant everything he has.
+
+        bool access_management = config.getBool(user_config + ".access_management", false);
+        if (!access_management)
+        {
+            user->access.revoke(AccessType::ACCESS_MANAGEMENT);
+            user->access_with_grant_option.clear();
+        }

        return user;
    }
--- a/src/Interpreters/InterpreterShowCreateAccessEntityQuery.cpp
+++ b/src/Interpreters/InterpreterShowCreateAccessEntityQuery.cpp
@ -256,6 +256,7 @@ BlockInputStreamPtr InterpreterShowCreateAccessEntityQuery::executeImpl()
 ASTPtr InterpreterShowCreateAccessEntityQuery::getCreateQuery(const ASTShowCreateAccessEntityQuery & show_query) const
 {
    const auto & access_control = context.getAccessControlManager();
+    context.checkAccess(getRequiredAccess());

    if (show_query.current_user)
    {
@ -281,6 +282,22 @@ ASTPtr InterpreterShowCreateAccessEntityQuery::getCreateQuery(const ASTShowCreat
 }


+AccessRightsElements InterpreterShowCreateAccessEntityQuery::getRequiredAccess() const
+{
+    const auto & show_query = query_ptr->as<ASTShowCreateAccessEntityQuery &>();
+    AccessRightsElements res;
+    switch (show_query.kind)
+    {
+        case Kind::USER: res.emplace_back(AccessType::SHOW_USERS); break;
+        case Kind::ROLE: res.emplace_back(AccessType::SHOW_ROLES); break;
+        case Kind::ROW_POLICY: res.emplace_back(AccessType::SHOW_ROW_POLICIES); break;
+        case Kind::SETTINGS_PROFILE: res.emplace_back(AccessType::SHOW_SETTINGS_PROFILES); break;
+        case Kind::QUOTA: res.emplace_back(AccessType::SHOW_QUOTAS); break;
+    }
+    return res;
+}
+
+
 ASTPtr InterpreterShowCreateAccessEntityQuery::getAttachQuery(const IAccessEntity & entity)
 {
    return getCreateQueryImpl(entity, nullptr, true);
--- a/src/Interpreters/InterpreterShowCreateAccessEntityQuery.h
+++ b/src/Interpreters/InterpreterShowCreateAccessEntityQuery.h
@ -9,6 +9,7 @@ namespace DB
 {
 class Context;
 class ASTShowCreateAccessEntityQuery;
+class AccessRightsElements;
 struct IAccessEntity;


@ -30,6 +31,7 @@ public:
 private:
    BlockInputStreamPtr executeImpl();
    ASTPtr getCreateQuery(const ASTShowCreateAccessEntityQuery & show_query) const;
+    AccessRightsElements getRequiredAccess() const;

    ASTPtr query_ptr;
    const Context & context;
--- a/src/Storages/System/StorageSystemQuotaUsage.cpp
+++ b/src/Storages/System/StorageSystemQuotaUsage.cpp
@ -8,6 +8,7 @@
 #include <Access/AccessControlManager.h>
 #include <Access/EnabledQuota.h>
 #include <Access/QuotaUsageInfo.h>
+#include <Access/AccessFlags.h>
 #include <ext/range.h>


@ -40,7 +41,9 @@ NamesAndTypesList StorageSystemQuotaUsage::getNamesAndTypes()

 void StorageSystemQuotaUsage::fillData(MutableColumns & res_columns, const Context & context, const SelectQueryInfo &) const
 {
+    context.checkAccess(AccessType::SHOW_QUOTAS);
    const auto & access_control = context.getAccessControlManager();
+
    for (const auto & info : access_control.getQuotaUsageInfo())
    {
        for (const auto & interval : info.intervals)
--- a/src/Storages/System/StorageSystemQuotas.cpp
+++ b/src/Storages/System/StorageSystemQuotas.cpp
@ -9,6 +9,7 @@
 #include <Interpreters/Context.h>
 #include <Access/AccessControlManager.h>
 #include <Access/Quota.h>
+#include <Access/AccessFlags.h>
 #include <ext/range.h>


@ -54,6 +55,8 @@ NamesAndTypesList StorageSystemQuotas::getNamesAndTypes()

 void StorageSystemQuotas::fillData(MutableColumns & res_columns, const Context & context, const SelectQueryInfo &) const
 {
+    context.checkAccess(AccessType::SHOW_QUOTAS);
+
    size_t i = 0;
    auto & name_column = *res_columns[i++];
    auto & id_column = *res_columns[i++];
--- a/src/Storages/System/StorageSystemRowPolicies.cpp
+++ b/src/Storages/System/StorageSystemRowPolicies.cpp
@ -7,6 +7,7 @@
 #include <Interpreters/Context.h>
 #include <Access/AccessControlManager.h>
 #include <Access/RowPolicy.h>
+#include <Access/AccessFlags.h>
 #include <ext/range.h>


@ -33,6 +34,7 @@ NamesAndTypesList StorageSystemRowPolicies::getNamesAndTypes()

 void StorageSystemRowPolicies::fillData(MutableColumns & res_columns, const Context & context, const SelectQueryInfo &) const
 {
+    context.checkAccess(AccessType::SHOW_ROW_POLICIES);
    const auto & access_control = context.getAccessControlManager();
    std::vector<UUID> ids = access_control.findAll<RowPolicy>();