mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-12-14 18:32:29 +00:00
Merge pull request #73318 from ClickHouse/backport/24.10/72872
Backport #72872 to 24.10: Fix revoke of implicit grants
This commit is contained in:
commit
4e3d0e08c2
@ -190,7 +190,7 @@ namespace
|
||||
/// REVOKE SELECT ON system.* FROM user2;
|
||||
///
|
||||
/// the query `REVOKE SELECT ON *.* FROM user1` executed by user2 should succeed.
|
||||
if (current_user_access.getAccessRights()->containsWithGrantOption(access_to_revoke))
|
||||
if (current_user_access.getAccessRightsWithImplicit()->containsWithGrantOption(access_to_revoke))
|
||||
return;
|
||||
|
||||
/// Technically, this check always fails if `containsWithGrantOption` returns `false`. But we still call it to get a nice exception message.
|
||||
|
29
tests/queries/0_stateless/03278_revoke_implicit_grants.sh
Executable file
29
tests/queries/0_stateless/03278_revoke_implicit_grants.sh
Executable file
@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
|
||||
# shellcheck source=../shell_config.sh
|
||||
. "$CURDIR"/../shell_config.sh
|
||||
|
||||
user="user03278_${CLICKHOUSE_DATABASE}_$RANDOM"
|
||||
role1="role03278_1_${CLICKHOUSE_DATABASE}_$RANDOM"
|
||||
role2="role03278_2_${CLICKHOUSE_DATABASE}_$RANDOM"
|
||||
|
||||
|
||||
${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user;";
|
||||
|
||||
${CLICKHOUSE_CLIENT} <<EOF
|
||||
CREATE USER $user;
|
||||
CREATE ROLE $role1, $role2;
|
||||
|
||||
GRANT SELECT ON *.* TO $role1 WITH GRANT OPTION;
|
||||
REVOKE SELECT ON test.table FROM $role1;
|
||||
|
||||
GRANT SELECT ON *.* TO $role2 WITH GRANT OPTION;
|
||||
REVOKE SELECT ON test.table FROM $role2;
|
||||
GRANT SHOW TABLES ON default.* TO $role2;
|
||||
|
||||
GRANT $role1 TO $user;
|
||||
EOF
|
||||
|
||||
${CLICKHOUSE_CLIENT} --user $user --query "REVOKE ALL ON *.* FROM $role2"
|
||||
${CLICKHOUSE_CLIENT} --query "SHOW GRANTS FOR $role2"
|
Loading…
Reference in New Issue
Block a user