Merge pull request #64769 from ClickHouse/pufit/rbac-fix-on-cluster-grant-with-default-database

Fix default database with grant on cluster
This commit is contained in:
Alexey Milovidov 2024-06-06 03:35:32 +02:00 committed by GitHub
commit 53f26f614e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 21 additions and 3 deletions

View File

@ -438,6 +438,12 @@ BlockIO InterpreterGrantQuery::execute()
RolesOrUsersSet roles_to_revoke;
collectRolesToGrantOrRevoke(access_control, query, roles_to_grant, roles_to_revoke);
/// Replacing empty database with the default. This step must be done before replication to avoid privilege escalation.
String current_database = getContext()->getCurrentDatabase();
elements_to_grant.replaceEmptyDatabase(current_database);
elements_to_revoke.replaceEmptyDatabase(current_database);
query.access_rights_elements.replaceEmptyDatabase(current_database);
/// Executing on cluster.
if (!query.cluster.empty())
{
@ -453,9 +459,6 @@ BlockIO InterpreterGrantQuery::execute()
}
/// Check if the current user has corresponding access rights granted with grant option.
String current_database = getContext()->getCurrentDatabase();
elements_to_grant.replaceEmptyDatabase(current_database);
elements_to_revoke.replaceEmptyDatabase(current_database);
bool need_check_grantees_are_allowed = true;
if (!query.current_grants)
checkGrantOption(access_control, *current_user_access, grantees, need_check_grantees_are_allowed, elements_to_grant, elements_to_revoke);

View File

@ -74,3 +74,18 @@ def test_grant_all_on_cluster():
assert ch2.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
ch1.query("DROP USER Alex ON CLUSTER 'cluster'")
def test_grant_current_database_on_cluster():
ch1.query("CREATE DATABASE user_db ON CLUSTER 'cluster'")
ch1.query(
"CREATE USER IF NOT EXISTS test_user ON CLUSTER 'cluster' DEFAULT DATABASE user_db"
)
ch1.query(
"GRANT SELECT ON user_db.* TO test_user ON CLUSTER 'cluster' WITH GRANT OPTION"
)
ch1.query("GRANT CLUSTER ON *.* TO test_user ON CLUSTER 'cluster'")
assert ch1.query("SHOW DATABASES", user="test_user") == "user_db\n"
ch1.query("GRANT SELECT ON * TO test_user ON CLUSTER 'cluster'", user="test_user")
assert ch1.query("SHOW DATABASES", user="test_user") == "user_db\n"