Merge pull request #63209 from ClickHouse/pufit/fix-sql-security-none-from-load

Correct load for SQL security defaults during startup
2024-09-20 00:30:49 +00:00 · 2024-05-06 10:52:44 +00:00 · 2024-05-06 10:52:44 +00:00 · 4c0c4d1485
commit 4c0c4d1485
parent 1016d2e0d3 c63cc7eb0c
5 changed files with 60 additions and 23 deletions
--- a/src/Processors/Transforms/buildPushingToViewsChain.cpp
+++ b/src/Processors/Transforms/buildPushingToViewsChain.cpp
@ -361,7 +361,10 @@ std::optional<Chain> generateViewChain(
        }

        InterpreterInsertQuery interpreter(nullptr, insert_context, false, false, false);
-        out = interpreter.buildChain(inner_table, inner_metadata_snapshot, insert_columns, thread_status_holder, view_counter_ms, !materialized_view->hasInnerTable());
+
+        /// TODO: remove sql_security_type check after we turn `ignore_empty_sql_security_in_create_view_query=false`
+        bool check_access = !materialized_view->hasInnerTable() && materialized_view->getInMemoryMetadataPtr()->sql_security_type;
+        out = interpreter.buildChain(inner_table, inner_metadata_snapshot, insert_columns, thread_status_holder, view_counter_ms, check_access);

        if (interpreter.shouldAddSquashingFroStorage(inner_table))
        {
--- a/src/Storages/StorageMaterializedView.cpp
+++ b/src/Storages/StorageMaterializedView.cpp
@ -100,6 +100,7 @@ StorageMaterializedView::StorageMaterializedView(
    if (query.sql_security)
        storage_metadata.setSQLSecurity(query.sql_security->as<ASTSQLSecurity &>());

+    /// Materialized view doesn't support SQL SECURITY INVOKER.
    if (storage_metadata.sql_security_type == SQLSecurityType::INVOKER)
        throw Exception(ErrorCodes::QUERY_IS_NOT_SUPPORTED_IN_MATERIALIZED_VIEW, "SQL SECURITY INVOKER can't be specified for MATERIALIZED VIEW");

@ -219,8 +220,10 @@ void StorageMaterializedView::read(
        context->checkAccess(AccessType::SELECT, getInMemoryMetadataPtr()->select.select_table_id, column_names);

    auto storage_id = storage->getStorageID();
+
+    /// TODO: remove sql_security_type check after we turn `ignore_empty_sql_security_in_create_view_query=false`
    /// We don't need to check access if the inner table was created automatically.
-    if (!has_inner_table && !storage_id.empty())
+    if (!has_inner_table && !storage_id.empty() && getInMemoryMetadataPtr()->sql_security_type)
        context->checkAccess(AccessType::SELECT, storage_id, column_names);

    storage->read(query_plan, column_names, target_storage_snapshot, query_info, context, processed_stage, max_block_size, num_streams);
@ -268,8 +271,10 @@ SinkToStoragePtr StorageMaterializedView::write(const ASTPtr & query, const Stor
    auto metadata_snapshot = storage->getInMemoryMetadataPtr();

    auto storage_id = storage->getStorageID();
+
+    /// TODO: remove sql_security_type check after we turn `ignore_empty_sql_security_in_create_view_query=false`
    /// We don't need to check access if the inner table was created automatically.
-    if (!has_inner_table && !storage_id.empty())
+    if (!has_inner_table && !storage_id.empty() && getInMemoryMetadataPtr()->sql_security_type)
    {
        auto query_sample_block = InterpreterInsertQuery::getSampleBlock(query->as<ASTInsertQuery &>(), storage, metadata_snapshot, context);
        context->checkAccess(AccessType::INSERT, storage_id, query_sample_block.getNames());
--- a/tests/ci/download_release_packages.py
+++ b/tests/ci/download_release_packages.py
@ -1,10 +1,9 @@
 #!/usr/bin/env python3

-import os
 import logging
+import os

 import requests
-
 from requests.adapters import HTTPAdapter  # type: ignore
 from urllib3.util.retry import Retry  # type: ignore

@ -19,10 +18,10 @@ CLICKHOUSE_COMMON_STATIC_PACKAGE_NAME = "clickhouse-common-static_{version}_amd6
 CLICKHOUSE_COMMON_STATIC_DBG_PACKAGE_NAME = (
    "clickhouse-common-static-dbg_{version}_amd64.deb"
 )
-CLICKHOUSE_SERVER_PACKAGE_NAME = "clickhouse-server_{version}_amd64.deb"
-CLICKHOUSE_SERVER_PACKAGE_FALLBACK = "clickhouse-server_{version}_all.deb"
 CLICKHOUSE_CLIENT_PACKAGE_NAME = "clickhouse-client_{version}_amd64.deb"
-CLICKHOUSE_CLIENT_PACKAGE_FALLBACK = "clickhouse-client_{version}_all.deb"
+CLICKHOUSE_LIBRARY_BRIDGE_PACKAGE_NAME = "clickhouse-library-bridge_{version}_amd64.deb"
+CLICKHOUSE_ODBC_BRIDGE_PACKAGE_NAME = "clickhouse-odbc-bridge_{version}_amd64.deb"
+CLICKHOUSE_SERVER_PACKAGE_NAME = "clickhouse-server_{version}_amd64.deb"

 PACKAGES_DIR = "previous_release_package_folder/"
 VERSION_PATTERN = r"((?:\d+\.)?(?:\d+\.)?(?:\d+\.)?\d+-[a-zA-Z]*)"
@ -59,26 +58,15 @@ def download_packages(release, dest_path=PACKAGES_DIR):
    for pkg in (
        CLICKHOUSE_COMMON_STATIC_PACKAGE_NAME,
        CLICKHOUSE_COMMON_STATIC_DBG_PACKAGE_NAME,
+        CLICKHOUSE_CLIENT_PACKAGE_NAME,
+        CLICKHOUSE_LIBRARY_BRIDGE_PACKAGE_NAME,
+        CLICKHOUSE_ODBC_BRIDGE_PACKAGE_NAME,
+        CLICKHOUSE_SERVER_PACKAGE_NAME,
    ):
        url = (DOWNLOAD_PREFIX + pkg).format(version=release.version, type=release.type)
        pkg_name = get_dest_path(pkg.format(version=release.version))
        download_package(url, pkg_name)

-    for pkg, fallback in (
-        (CLICKHOUSE_SERVER_PACKAGE_NAME, CLICKHOUSE_SERVER_PACKAGE_FALLBACK),
-        (CLICKHOUSE_CLIENT_PACKAGE_NAME, CLICKHOUSE_CLIENT_PACKAGE_FALLBACK),
-    ):
-        url = (DOWNLOAD_PREFIX + pkg).format(version=release.version, type=release.type)
-        pkg_name = get_dest_path(pkg.format(version=release.version))
-        try:
-            download_package(url, pkg_name)
-        except Exception:
-            url = (DOWNLOAD_PREFIX + fallback).format(
-                version=release.version, type=release.type
-            )
-            pkg_name = get_dest_path(fallback.format(version=release.version))
-            download_package(url, pkg_name)
-

 def download_last_release(dest_path):
    current_release = get_previous_release(None)
--- a/tests/queries/0_stateless/02884_create_view_with_sql_security_option.reference
+++ b/tests/queries/0_stateless/02884_create_view_with_sql_security_option.reference
@ -32,3 +32,5 @@ OK
 2	2
 6	6
 9	9
+1000
+1000
--- a/tests/queries/0_stateless/02884_create_view_with_sql_security_option.sh
+++ b/tests/queries/0_stateless/02884_create_view_with_sql_security_option.sh
@ -222,4 +222,43 @@ EOF

 ${CLICKHOUSE_CLIENT} --user $user2 --query "SELECT * FROM $db.test_mv_row_2"

+${CLICKHOUSE_CLIENT} --multiquery <<EOF
+CREATE TABLE $db.session_events(
+    clientId UUID,
+    sessionId UUID,
+    pageId UUID,
+    timestamp DateTime,
+    type String
+)
+ENGINE = MergeTree
+ORDER BY (timestamp);
+
+CREATE TABLE $db.materialized_events(
+    clientId UUID,
+    sessionId UUID,
+    pageId UUID,
+    timestamp DateTime,
+    type String
+)
+ENGINE = MergeTree
+ORDER BY (timestamp);
+
+CREATE MATERIALIZED VIEW $db.events_mv TO $db.materialized_events AS
+SELECT
+    clientId,
+    sessionId,
+    pageId,
+    timestamp,
+    type
+FROM
+    $db.session_events;
+
+GRANT INSERT ON $db.session_events TO $user3;
+GRANT SELECT ON $db.session_events TO $user3;
+EOF
+
+${CLICKHOUSE_CLIENT} --user $user3 --query "INSERT INTO $db.session_events SELECT * FROM generateRandom('clientId UUID, sessionId UUID, pageId UUID, timestamp DateTime, type Enum(\'type1\', \'type2\')', 1, 10, 2) LIMIT 1000"
+${CLICKHOUSE_CLIENT} --user $user3 --query "SELECT count(*) FROM session_events"
+${CLICKHOUSE_CLIENT} --query "SELECT count(*) FROM materialized_events"
+
 ${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user1, $user2, $user3";