Merge pull request #73318 from ClickHouse/backport/24.10/72872

Backport #72872 to 24.10: Fix revoke of implicit grants

src/Interpreters/Access/InterpreterGrantQuery.cpp

@@ -190,7 +190,7 @@ namespace
         /// REVOKE SELECT ON system.* FROM user2;
         ///
         /// the query `REVOKE SELECT ON *.* FROM user1` executed by user2 should succeed.
-        if (current_user_access.getAccessRights()->containsWithGrantOption(access_to_revoke))
+        if (current_user_access.getAccessRightsWithImplicit()->containsWithGrantOption(access_to_revoke))
             return;
 
         /// Technically, this check always fails if `containsWithGrantOption` returns `false`. But we still call it to get a nice exception message.

tests/queries/0_stateless/03278_revoke_implicit_grants.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CURDIR"/../shell_config.sh
+
+user="user03278_${CLICKHOUSE_DATABASE}_$RANDOM"
+role1="role03278_1_${CLICKHOUSE_DATABASE}_$RANDOM"
+role2="role03278_2_${CLICKHOUSE_DATABASE}_$RANDOM"
+
+
+${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user;";
+
+${CLICKHOUSE_CLIENT} <<EOF
+CREATE USER $user;
+CREATE ROLE $role1, $role2;
+
+GRANT SELECT ON *.* TO $role1 WITH GRANT OPTION;
+REVOKE SELECT ON test.table FROM $role1;
+
+GRANT SELECT ON *.* TO $role2 WITH GRANT OPTION;
+REVOKE SELECT ON test.table FROM $role2;
+GRANT SHOW TABLES ON default.* TO $role2;
+
+GRANT $role1 TO $user;
+EOF
+
+${CLICKHOUSE_CLIENT} --user $user --query "REVOKE ALL ON *.* FROM $role2"
+${CLICKHOUSE_CLIENT} --query "SHOW GRANTS FOR $role2"