From 5d6b5bc276f0f4158172e06b57f9ea68a9f5467f Mon Sep 17 00:00:00 2001 From: MyroTk Date: Mon, 1 Mar 2021 17:29:42 +0100 Subject: [PATCH] TFS tests --- .../docker-compose/clickhouse-service.yml | 2 +- .../rbac/docker-compose/docker-compose.yml | 2 +- .../rbac/docker-compose/zookeeper-service.yml | 2 +- tests/testflows/rbac/helper/common.py | 33 +- tests/testflows/rbac/regression.py | 14 +- .../rbac/requirements/requirements.md | 2939 +-- .../rbac/requirements/requirements.py | 20770 +++++++++------- .../rbac/tests/privileges/admin_option.py | 13 +- .../rbac/tests/privileges/all_role.py | 37 + .../tests/privileges/alter/alter_column.py | 42 +- .../privileges/alter/alter_constraint.py | 3 +- .../tests/privileges/alter/alter_delete.py | 28 +- .../tests/privileges/alter/alter_fetch.py | 14 +- .../tests/privileges/alter/alter_freeze.py | 16 +- .../tests/privileges/alter/alter_index.py | 12 +- .../rbac/tests/privileges/alter/alter_move.py | 12 +- .../tests/privileges/alter/alter_quota.py | 15 +- .../rbac/tests/privileges/alter/alter_role.py | 18 +- .../privileges/alter/alter_row_policy.py | 984 +- .../tests/privileges/alter/alter_settings.py | 25 +- .../alter/alter_settings_profile.py | 15 +- .../rbac/tests/privileges/alter/alter_ttl.py | 6 +- .../tests/privileges/alter/alter_update.py | 23 +- .../rbac/tests/privileges/alter/alter_user.py | 15 +- .../privileges/attach/attach_database.py | 57 +- .../privileges/attach/attach_dictionary.py | 55 +- .../tests/privileges/attach/attach_table.py | 54 +- .../privileges/attach/attach_temp_table.py | 53 +- .../privileges/create/create_database.py | 54 +- .../privileges/create/create_dictionary.py | 55 +- .../tests/privileges/create/create_quota.py | 15 +- .../tests/privileges/create/create_role.py | 15 +- .../privileges/create/create_row_policy.py | 960 +- .../create/create_settings_profile.py | 15 +- .../tests/privileges/create/create_table.py | 110 +- .../privileges/create/create_temp_table.py | 54 +- .../tests/privileges/create/create_user.py | 21 +- .../privileges/detach/detach_database.py | 62 +- .../privileges/detach/detach_dictionary.py | 63 +- .../tests/privileges/detach/detach_table.py | 62 +- .../tests/privileges/detach/detach_view.py | 62 +- .../rbac/tests/privileges/dictGet.py | 334 +- .../tests/privileges/distributed_table.py | 378 +- .../tests/privileges/drop/drop_database.py | 60 +- .../tests/privileges/drop/drop_dictionary.py | 38 +- .../rbac/tests/privileges/drop/drop_quota.py | 15 +- .../rbac/tests/privileges/drop/drop_role.py | 18 +- .../tests/privileges/drop/drop_row_policy.py | 138 +- .../privileges/drop/drop_settings_profile.py | 15 +- .../rbac/tests/privileges/drop/drop_table.py | 59 +- .../rbac/tests/privileges/drop/drop_user.py | 17 +- .../rbac/tests/privileges/feature.py | 151 +- .../testflows/rbac/tests/privileges/insert.py | 183 +- .../rbac/tests/privileges/introspection.py | 41 +- .../rbac/tests/privileges/kill_mutation.py | 175 +- .../rbac/tests/privileges/kill_query.py | 48 +- .../rbac/tests/privileges/optimize.py | 52 +- .../rbac/tests/privileges/public_tables.py | 4 +- .../rbac/tests/privileges/role_admin.py | 42 +- .../testflows/rbac/tests/privileges/select.py | 144 +- .../tests/privileges/show/show_columns.py | 62 +- .../tests/privileges/show/show_databases.py | 49 +- .../privileges/show/show_dictionaries.py | 40 +- .../rbac/tests/privileges/show/show_quotas.py | 27 +- .../rbac/tests/privileges/show/show_roles.py | 27 +- .../privileges/show/show_row_policies.py | 27 +- .../privileges/show/show_settings_profiles.py | 27 +- .../rbac/tests/privileges/show/show_tables.py | 48 +- .../rbac/tests/privileges/show/show_users.py | 27 +- .../rbac/tests/privileges/sources.py | 106 +- .../tests/privileges/system/drop_cache.py | 50 +- .../rbac/tests/privileges/system/fetches.py | 33 +- .../rbac/tests/privileges/system/flush.py | 34 +- .../rbac/tests/privileges/system/merges.py | 33 +- .../rbac/tests/privileges/system/moves.py | 33 +- .../rbac/tests/privileges/system/reload.py | 66 +- .../privileges/system/replication_queues.py | 33 +- .../privileges/system/restart_replica.py | 18 +- .../rbac/tests/privileges/system/sends.py | 64 +- .../rbac/tests/privileges/system/shutdown.py | 27 +- .../tests/privileges/system/sync_replica.py | 18 +- .../tests/privileges/system/ttl_merges.py | 33 +- .../rbac/tests/privileges/truncate.py | 53 +- .../rbac/tests/syntax/alter_quota.py | 42 +- .../testflows/rbac/tests/syntax/alter_role.py | 38 +- .../rbac/tests/syntax/alter_row_policy.py | 46 +- .../tests/syntax/alter_settings_profile.py | 56 +- .../testflows/rbac/tests/syntax/alter_user.py | 70 +- .../rbac/tests/syntax/create_quota.py | 42 +- .../rbac/tests/syntax/create_role.py | 22 +- .../rbac/tests/syntax/create_row_policy.py | 44 +- .../tests/syntax/create_settings_profile.py | 58 +- .../rbac/tests/syntax/create_user.py | 64 +- .../testflows/rbac/tests/syntax/drop_quota.py | 18 +- .../testflows/rbac/tests/syntax/drop_role.py | 16 +- .../rbac/tests/syntax/drop_row_policy.py | 22 +- .../tests/syntax/drop_settings_profile.py | 16 +- .../testflows/rbac/tests/syntax/drop_user.py | 18 +- tests/testflows/rbac/tests/syntax/feature.py | 58 +- .../rbac/tests/syntax/grant_privilege.py | 14 +- .../testflows/rbac/tests/syntax/grant_role.py | 16 +- .../rbac/tests/syntax/revoke_privilege.py | 20 +- .../rbac/tests/syntax/revoke_role.py | 34 +- .../rbac/tests/syntax/set_default_role.py | 16 +- tests/testflows/rbac/tests/syntax/set_role.py | 16 +- .../rbac/tests/syntax/show_create_quota.py | 6 +- .../rbac/tests/syntax/show_create_role.py | 4 +- .../tests/syntax/show_create_row_policy.py | 6 +- .../syntax/show_create_settings_profile.py | 4 +- .../rbac/tests/syntax/show_create_user.py | 4 +- .../rbac/tests/syntax/show_grants.py | 4 +- .../rbac/tests/syntax/show_quotas.py | 8 +- .../rbac/tests/syntax/show_row_policies.py | 8 +- tests/testflows/rbac/tests/views/live_view.py | 10 +- .../rbac/tests/views/materialized_view.py | 18 +- 115 files changed, 18688 insertions(+), 11784 deletions(-) create mode 100644 tests/testflows/rbac/tests/privileges/all_role.py diff --git a/tests/testflows/rbac/docker-compose/clickhouse-service.yml b/tests/testflows/rbac/docker-compose/clickhouse-service.yml index d5f981ca8b7..2d79443dcbb 100755 --- a/tests/testflows/rbac/docker-compose/clickhouse-service.yml +++ b/tests/testflows/rbac/docker-compose/clickhouse-service.yml @@ -20,7 +20,7 @@ services: test: clickhouse client --query='select 1' interval: 10s timeout: 10s - retries: 10 + retries: 3 start_period: 300s cap_add: - SYS_PTRACE diff --git a/tests/testflows/rbac/docker-compose/docker-compose.yml b/tests/testflows/rbac/docker-compose/docker-compose.yml index 29f2ef52470..a3f5144c9ed 100755 --- a/tests/testflows/rbac/docker-compose/docker-compose.yml +++ b/tests/testflows/rbac/docker-compose/docker-compose.yml @@ -57,4 +57,4 @@ services: clickhouse3: condition: service_healthy zookeeper: - condition: service_healthy + condition: service_healthy \ No newline at end of file diff --git a/tests/testflows/rbac/docker-compose/zookeeper-service.yml b/tests/testflows/rbac/docker-compose/zookeeper-service.yml index f27405b97a2..f3df33358be 100755 --- a/tests/testflows/rbac/docker-compose/zookeeper-service.yml +++ b/tests/testflows/rbac/docker-compose/zookeeper-service.yml @@ -2,7 +2,7 @@ version: '2.3' services: zookeeper: - image: zookeeper:3.6.2 + image: zookeeper:3.4.12 expose: - "2181" environment: diff --git a/tests/testflows/rbac/helper/common.py b/tests/testflows/rbac/helper/common.py index 47e38560714..c140e01f34f 100755 --- a/tests/testflows/rbac/helper/common.py +++ b/tests/testflows/rbac/helper/common.py @@ -2,6 +2,7 @@ import uuid from contextlib import contextmanager from multiprocessing.dummy import Pool +from multiprocessing import TimeoutError as PoolTaskTimeoutError from testflows.core.name import basename, parentname from testflows._core.testtype import TestSubType @@ -30,6 +31,9 @@ def instrument_clickhouse_server_log(self, node=None, clickhouse_server_log="/va yield finally: + if self.context.cluster.terminating is True: + return + with Finally("adding test name end message to the clickhouse-server.log", flags=TE): node.command(f"echo -e \"\\n-- end: {current().name} --\\n\" >> {clickhouse_server_log}") @@ -38,14 +42,20 @@ def instrument_clickhouse_server_log(self, node=None, clickhouse_server_log="/va with Then("dumping clickhouse-server.log for this test"): node.command(f"tail -c +{logsize} {clickhouse_server_log}") -def join(tasks): +def join(tasks, polling_timeout=5): """Join all parallel tests. """ exc = None while tasks: try: - tasks[0].get() - tasks.pop(0) + try: + tasks[0].get(timeout=polling_timeout) + tasks.pop(0) + + except PoolTaskTimeoutError as e: + task = tasks.pop(0) + tasks.append(task) + continue except KeyboardInterrupt as e: current().context.cluster.terminating = True @@ -133,6 +143,23 @@ def role(node, role): for role in roles: with Finally("I drop the role"): node.query(f"DROP ROLE IF EXISTS {role}") + +@TestStep(Given) +def row_policy(self, name, table, node=None): + """Create a row policy with a given name on a given table. + """ + if node is None: + node = self.context.node + + try: + with Given(f"I create row policy {name}"): + node.query(f"CREATE ROW POLICY {name} ON {table}") + yield + + finally: + with Finally(f"I delete row policy {name}"): + node.query(f"DROP ROW POLICY IF EXISTS {name} ON {table}") + tables = { "table0" : 1 << 0, "table1" : 1 << 1, diff --git a/tests/testflows/rbac/regression.py b/tests/testflows/rbac/regression.py index e89be3bab20..8c9ab9c262a 100755 --- a/tests/testflows/rbac/regression.py +++ b/tests/testflows/rbac/regression.py @@ -27,6 +27,8 @@ issue_17655 = "https://github.com/ClickHouse/ClickHouse/issues/17655" issue_17766 = "https://github.com/ClickHouse/ClickHouse/issues/17766" issue_18110 = "https://github.com/ClickHouse/ClickHouse/issues/18110" issue_18206 = "https://github.com/ClickHouse/ClickHouse/issues/18206" +issue_21083 = "https://github.com/ClickHouse/ClickHouse/issues/21083" +issue_21084 = "https://github.com/ClickHouse/ClickHouse/issues/21084" xfails = { "syntax/show create quota/I show create quota current": @@ -131,6 +133,12 @@ xfails = { [(Fail, issue_18206)], "privileges/system replication queues/:/:/:/:/SYSTEM:": [(Fail, issue_18206)], + "privileges/: row policy/nested live:": + [(Fail, issue_21083)], + "privileges/: row policy/nested mat:": + [(Fail, issue_21084)], + "privileges/: row policy/populate mat:": + [(Fail, "Investigating")], } xflags = { @@ -160,9 +168,9 @@ def regression(self, local, clickhouse_binary_path, stress=None, parallel=None): if parallel is not None: self.context.parallel = parallel - Feature(run=load("rbac.tests.syntax.feature", "feature"), flags=TE) - Feature(run=load("rbac.tests.privileges.feature", "feature"), flags=TE) - Feature(run=load("rbac.tests.views.feature", "feature"), flags=TE) + Feature(run=load("rbac.tests.syntax.feature", "feature")) + Feature(run=load("rbac.tests.privileges.feature", "feature")) + Feature(run=load("rbac.tests.views.feature", "feature")) if main(): regression() diff --git a/tests/testflows/rbac/requirements/requirements.md b/tests/testflows/rbac/requirements/requirements.md index ae6a038c15e..163417e1617 100644 --- a/tests/testflows/rbac/requirements/requirements.md +++ b/tests/testflows/rbac/requirements/requirements.md @@ -9,556 +9,588 @@ * 5 [Requirements](#requirements) * 5.1 [Generic](#generic) * 5.1.1 [RQ.SRS-006.RBAC](#rqsrs-006rbac) - * 5.1.2 [Login](#login) - * 5.1.2.1 [RQ.SRS-006.RBAC.Login](#rqsrs-006rbaclogin) - * 5.1.2.2 [RQ.SRS-006.RBAC.Login.DefaultUser](#rqsrs-006rbaclogindefaultuser) - * 5.1.3 [User](#user) - * 5.1.3.1 [RQ.SRS-006.RBAC.User](#rqsrs-006rbacuser) - * 5.1.3.2 [RQ.SRS-006.RBAC.User.Roles](#rqsrs-006rbacuserroles) - * 5.1.3.3 [RQ.SRS-006.RBAC.User.Privileges](#rqsrs-006rbacuserprivileges) - * 5.1.3.4 [RQ.SRS-006.RBAC.User.Variables](#rqsrs-006rbacuservariables) - * 5.1.3.5 [RQ.SRS-006.RBAC.User.Variables.Constraints](#rqsrs-006rbacuservariablesconstraints) - * 5.1.3.6 [RQ.SRS-006.RBAC.User.SettingsProfile](#rqsrs-006rbacusersettingsprofile) - * 5.1.3.7 [RQ.SRS-006.RBAC.User.Quotas](#rqsrs-006rbacuserquotas) - * 5.1.3.8 [RQ.SRS-006.RBAC.User.RowPolicies](#rqsrs-006rbacuserrowpolicies) - * 5.1.3.9 [RQ.SRS-006.RBAC.User.AccountLock](#rqsrs-006rbacuseraccountlock) - * 5.1.3.10 [RQ.SRS-006.RBAC.User.AccountLock.DenyAccess](#rqsrs-006rbacuseraccountlockdenyaccess) - * 5.1.3.11 [RQ.SRS-006.RBAC.User.DefaultRole](#rqsrs-006rbacuserdefaultrole) - * 5.1.3.12 [RQ.SRS-006.RBAC.User.RoleSelection](#rqsrs-006rbacuserroleselection) - * 5.1.3.13 [RQ.SRS-006.RBAC.User.ShowCreate](#rqsrs-006rbacusershowcreate) - * 5.1.3.14 [RQ.SRS-006.RBAC.User.ShowPrivileges](#rqsrs-006rbacusershowprivileges) - * 5.1.4 [Role](#role) - * 5.1.4.1 [RQ.SRS-006.RBAC.Role](#rqsrs-006rbacrole) - * 5.1.4.2 [RQ.SRS-006.RBAC.Role.Privileges](#rqsrs-006rbacroleprivileges) - * 5.1.4.3 [RQ.SRS-006.RBAC.Role.Variables](#rqsrs-006rbacrolevariables) - * 5.1.4.4 [RQ.SRS-006.RBAC.Role.SettingsProfile](#rqsrs-006rbacrolesettingsprofile) - * 5.1.4.5 [RQ.SRS-006.RBAC.Role.Quotas](#rqsrs-006rbacrolequotas) - * 5.1.4.6 [RQ.SRS-006.RBAC.Role.RowPolicies](#rqsrs-006rbacrolerowpolicies) - * 5.1.5 [Partial Revokes](#partial-revokes) - * 5.1.5.1 [RQ.SRS-006.RBAC.PartialRevokes](#rqsrs-006rbacpartialrevokes) - * 5.1.6 [Settings Profile](#settings-profile) - * 5.1.6.1 [RQ.SRS-006.RBAC.SettingsProfile](#rqsrs-006rbacsettingsprofile) - * 5.1.6.2 [RQ.SRS-006.RBAC.SettingsProfile.Constraints](#rqsrs-006rbacsettingsprofileconstraints) - * 5.1.6.3 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreate](#rqsrs-006rbacsettingsprofileshowcreate) - * 5.1.7 [Quotas](#quotas) - * 5.1.7.1 [RQ.SRS-006.RBAC.Quotas](#rqsrs-006rbacquotas) - * 5.1.7.2 [RQ.SRS-006.RBAC.Quotas.Keyed](#rqsrs-006rbacquotaskeyed) - * 5.1.7.3 [RQ.SRS-006.RBAC.Quotas.Queries](#rqsrs-006rbacquotasqueries) - * 5.1.7.4 [RQ.SRS-006.RBAC.Quotas.Errors](#rqsrs-006rbacquotaserrors) - * 5.1.7.5 [RQ.SRS-006.RBAC.Quotas.ResultRows](#rqsrs-006rbacquotasresultrows) - * 5.1.7.6 [RQ.SRS-006.RBAC.Quotas.ReadRows](#rqsrs-006rbacquotasreadrows) - * 5.1.7.7 [RQ.SRS-006.RBAC.Quotas.ResultBytes](#rqsrs-006rbacquotasresultbytes) - * 5.1.7.8 [RQ.SRS-006.RBAC.Quotas.ReadBytes](#rqsrs-006rbacquotasreadbytes) - * 5.1.7.9 [RQ.SRS-006.RBAC.Quotas.ExecutionTime](#rqsrs-006rbacquotasexecutiontime) - * 5.1.7.10 [RQ.SRS-006.RBAC.Quotas.ShowCreate](#rqsrs-006rbacquotasshowcreate) - * 5.1.8 [Row Policy](#row-policy) - * 5.1.8.1 [RQ.SRS-006.RBAC.RowPolicy](#rqsrs-006rbacrowpolicy) - * 5.1.8.2 [RQ.SRS-006.RBAC.RowPolicy.Condition](#rqsrs-006rbacrowpolicycondition) - * 5.1.8.3 [RQ.SRS-006.RBAC.RowPolicy.ShowCreate](#rqsrs-006rbacrowpolicyshowcreate) - * 5.2 [Specific](#specific) - * 5.2.8.1 [RQ.SRS-006.RBAC.User.Use.DefaultRole](#rqsrs-006rbacuserusedefaultrole) - * 5.2.8.2 [RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole](#rqsrs-006rbacuseruseallroleswhennodefaultrole) - * 5.2.8.3 [RQ.SRS-006.RBAC.User.Create](#rqsrs-006rbacusercreate) - * 5.2.8.4 [RQ.SRS-006.RBAC.User.Create.IfNotExists](#rqsrs-006rbacusercreateifnotexists) - * 5.2.8.5 [RQ.SRS-006.RBAC.User.Create.Replace](#rqsrs-006rbacusercreatereplace) - * 5.2.8.6 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword](#rqsrs-006rbacusercreatepasswordnopassword) - * 5.2.8.7 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login](#rqsrs-006rbacusercreatepasswordnopasswordlogin) - * 5.2.8.8 [RQ.SRS-006.RBAC.User.Create.Password.PlainText](#rqsrs-006rbacusercreatepasswordplaintext) - * 5.2.8.9 [RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login](#rqsrs-006rbacusercreatepasswordplaintextlogin) - * 5.2.8.10 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password](#rqsrs-006rbacusercreatepasswordsha256password) - * 5.2.8.11 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login](#rqsrs-006rbacusercreatepasswordsha256passwordlogin) - * 5.2.8.12 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash](#rqsrs-006rbacusercreatepasswordsha256hash) - * 5.2.8.13 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login](#rqsrs-006rbacusercreatepasswordsha256hashlogin) - * 5.2.8.14 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password](#rqsrs-006rbacusercreatepassworddoublesha1password) - * 5.2.8.15 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login](#rqsrs-006rbacusercreatepassworddoublesha1passwordlogin) - * 5.2.8.16 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash](#rqsrs-006rbacusercreatepassworddoublesha1hash) - * 5.2.8.17 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login](#rqsrs-006rbacusercreatepassworddoublesha1hashlogin) - * 5.2.8.18 [RQ.SRS-006.RBAC.User.Create.Host.Name](#rqsrs-006rbacusercreatehostname) - * 5.2.8.19 [RQ.SRS-006.RBAC.User.Create.Host.Regexp](#rqsrs-006rbacusercreatehostregexp) - * 5.2.8.20 [RQ.SRS-006.RBAC.User.Create.Host.IP](#rqsrs-006rbacusercreatehostip) - * 5.2.8.21 [RQ.SRS-006.RBAC.User.Create.Host.Any](#rqsrs-006rbacusercreatehostany) - * 5.2.8.22 [RQ.SRS-006.RBAC.User.Create.Host.None](#rqsrs-006rbacusercreatehostnone) - * 5.2.8.23 [RQ.SRS-006.RBAC.User.Create.Host.Local](#rqsrs-006rbacusercreatehostlocal) - * 5.2.8.24 [RQ.SRS-006.RBAC.User.Create.Host.Like](#rqsrs-006rbacusercreatehostlike) - * 5.2.8.25 [RQ.SRS-006.RBAC.User.Create.Host.Default](#rqsrs-006rbacusercreatehostdefault) - * 5.2.8.26 [RQ.SRS-006.RBAC.User.Create.DefaultRole](#rqsrs-006rbacusercreatedefaultrole) - * 5.2.8.27 [RQ.SRS-006.RBAC.User.Create.DefaultRole.None](#rqsrs-006rbacusercreatedefaultrolenone) - * 5.2.8.28 [RQ.SRS-006.RBAC.User.Create.DefaultRole.All](#rqsrs-006rbacusercreatedefaultroleall) - * 5.2.8.29 [RQ.SRS-006.RBAC.User.Create.Settings](#rqsrs-006rbacusercreatesettings) - * 5.2.8.30 [RQ.SRS-006.RBAC.User.Create.OnCluster](#rqsrs-006rbacusercreateoncluster) - * 5.2.8.31 [RQ.SRS-006.RBAC.User.Create.Syntax](#rqsrs-006rbacusercreatesyntax) - * 5.2.8.32 [RQ.SRS-006.RBAC.User.Alter](#rqsrs-006rbacuseralter) - * 5.2.8.33 [RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation](#rqsrs-006rbacuseralterorderofevaluation) - * 5.2.8.34 [RQ.SRS-006.RBAC.User.Alter.IfExists](#rqsrs-006rbacuseralterifexists) - * 5.2.8.35 [RQ.SRS-006.RBAC.User.Alter.Cluster](#rqsrs-006rbacuseraltercluster) - * 5.2.8.36 [RQ.SRS-006.RBAC.User.Alter.Rename](#rqsrs-006rbacuseralterrename) - * 5.2.8.37 [RQ.SRS-006.RBAC.User.Alter.Password.PlainText](#rqsrs-006rbacuseralterpasswordplaintext) - * 5.2.8.38 [RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password](#rqsrs-006rbacuseralterpasswordsha256password) - * 5.2.8.39 [RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password](#rqsrs-006rbacuseralterpassworddoublesha1password) - * 5.2.8.40 [RQ.SRS-006.RBAC.User.Alter.Host.AddDrop](#rqsrs-006rbacuseralterhostadddrop) - * 5.2.8.41 [RQ.SRS-006.RBAC.User.Alter.Host.Local](#rqsrs-006rbacuseralterhostlocal) - * 5.2.8.42 [RQ.SRS-006.RBAC.User.Alter.Host.Name](#rqsrs-006rbacuseralterhostname) - * 5.2.8.43 [RQ.SRS-006.RBAC.User.Alter.Host.Regexp](#rqsrs-006rbacuseralterhostregexp) - * 5.2.8.44 [RQ.SRS-006.RBAC.User.Alter.Host.IP](#rqsrs-006rbacuseralterhostip) - * 5.2.8.45 [RQ.SRS-006.RBAC.User.Alter.Host.Like](#rqsrs-006rbacuseralterhostlike) - * 5.2.8.46 [RQ.SRS-006.RBAC.User.Alter.Host.Any](#rqsrs-006rbacuseralterhostany) - * 5.2.8.47 [RQ.SRS-006.RBAC.User.Alter.Host.None](#rqsrs-006rbacuseralterhostnone) - * 5.2.8.48 [RQ.SRS-006.RBAC.User.Alter.DefaultRole](#rqsrs-006rbacuseralterdefaultrole) - * 5.2.8.49 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.All](#rqsrs-006rbacuseralterdefaultroleall) - * 5.2.8.50 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept](#rqsrs-006rbacuseralterdefaultroleallexcept) - * 5.2.8.51 [RQ.SRS-006.RBAC.User.Alter.Settings](#rqsrs-006rbacuseraltersettings) - * 5.2.8.52 [RQ.SRS-006.RBAC.User.Alter.Settings.Min](#rqsrs-006rbacuseraltersettingsmin) - * 5.2.8.53 [RQ.SRS-006.RBAC.User.Alter.Settings.Max](#rqsrs-006rbacuseraltersettingsmax) - * 5.2.8.54 [RQ.SRS-006.RBAC.User.Alter.Settings.Profile](#rqsrs-006rbacuseraltersettingsprofile) - * 5.2.8.55 [RQ.SRS-006.RBAC.User.Alter.Syntax](#rqsrs-006rbacuseraltersyntax) - * 5.2.8.56 [RQ.SRS-006.RBAC.SetDefaultRole](#rqsrs-006rbacsetdefaultrole) - * 5.2.8.57 [RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser](#rqsrs-006rbacsetdefaultrolecurrentuser) - * 5.2.8.58 [RQ.SRS-006.RBAC.SetDefaultRole.All](#rqsrs-006rbacsetdefaultroleall) - * 5.2.8.59 [RQ.SRS-006.RBAC.SetDefaultRole.AllExcept](#rqsrs-006rbacsetdefaultroleallexcept) - * 5.2.8.60 [RQ.SRS-006.RBAC.SetDefaultRole.None](#rqsrs-006rbacsetdefaultrolenone) - * 5.2.8.61 [RQ.SRS-006.RBAC.SetDefaultRole.Syntax](#rqsrs-006rbacsetdefaultrolesyntax) - * 5.2.8.62 [RQ.SRS-006.RBAC.SetRole](#rqsrs-006rbacsetrole) - * 5.2.8.63 [RQ.SRS-006.RBAC.SetRole.Default](#rqsrs-006rbacsetroledefault) - * 5.2.8.64 [RQ.SRS-006.RBAC.SetRole.None](#rqsrs-006rbacsetrolenone) - * 5.2.8.65 [RQ.SRS-006.RBAC.SetRole.All](#rqsrs-006rbacsetroleall) - * 5.2.8.66 [RQ.SRS-006.RBAC.SetRole.AllExcept](#rqsrs-006rbacsetroleallexcept) - * 5.2.8.67 [RQ.SRS-006.RBAC.SetRole.Syntax](#rqsrs-006rbacsetrolesyntax) - * 5.2.8.68 [RQ.SRS-006.RBAC.User.ShowCreateUser](#rqsrs-006rbacusershowcreateuser) - * 5.2.8.69 [RQ.SRS-006.RBAC.User.ShowCreateUser.For](#rqsrs-006rbacusershowcreateuserfor) - * 5.2.8.70 [RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax](#rqsrs-006rbacusershowcreateusersyntax) - * 5.2.8.71 [RQ.SRS-006.RBAC.User.Drop](#rqsrs-006rbacuserdrop) - * 5.2.8.72 [RQ.SRS-006.RBAC.User.Drop.IfExists](#rqsrs-006rbacuserdropifexists) - * 5.2.8.73 [RQ.SRS-006.RBAC.User.Drop.OnCluster](#rqsrs-006rbacuserdroponcluster) - * 5.2.8.74 [RQ.SRS-006.RBAC.User.Drop.Syntax](#rqsrs-006rbacuserdropsyntax) - * 5.2.8.75 [RQ.SRS-006.RBAC.Role.Create](#rqsrs-006rbacrolecreate) - * 5.2.8.76 [RQ.SRS-006.RBAC.Role.Create.IfNotExists](#rqsrs-006rbacrolecreateifnotexists) - * 5.2.8.77 [RQ.SRS-006.RBAC.Role.Create.Replace](#rqsrs-006rbacrolecreatereplace) - * 5.2.8.78 [RQ.SRS-006.RBAC.Role.Create.Settings](#rqsrs-006rbacrolecreatesettings) - * 5.2.8.79 [RQ.SRS-006.RBAC.Role.Create.Syntax](#rqsrs-006rbacrolecreatesyntax) - * 5.2.8.80 [RQ.SRS-006.RBAC.Role.Alter](#rqsrs-006rbacrolealter) - * 5.2.8.81 [RQ.SRS-006.RBAC.Role.Alter.IfExists](#rqsrs-006rbacrolealterifexists) - * 5.2.8.82 [RQ.SRS-006.RBAC.Role.Alter.Cluster](#rqsrs-006rbacrolealtercluster) - * 5.2.8.83 [RQ.SRS-006.RBAC.Role.Alter.Rename](#rqsrs-006rbacrolealterrename) - * 5.2.8.84 [RQ.SRS-006.RBAC.Role.Alter.Settings](#rqsrs-006rbacrolealtersettings) - * 5.2.8.85 [RQ.SRS-006.RBAC.Role.Alter.Syntax](#rqsrs-006rbacrolealtersyntax) - * 5.2.8.86 [RQ.SRS-006.RBAC.Role.Drop](#rqsrs-006rbacroledrop) - * 5.2.8.87 [RQ.SRS-006.RBAC.Role.Drop.IfExists](#rqsrs-006rbacroledropifexists) - * 5.2.8.88 [RQ.SRS-006.RBAC.Role.Drop.Cluster](#rqsrs-006rbacroledropcluster) - * 5.2.8.89 [RQ.SRS-006.RBAC.Role.Drop.Syntax](#rqsrs-006rbacroledropsyntax) - * 5.2.8.90 [RQ.SRS-006.RBAC.Role.ShowCreate](#rqsrs-006rbacroleshowcreate) - * 5.2.8.91 [RQ.SRS-006.RBAC.Role.ShowCreate.Syntax](#rqsrs-006rbacroleshowcreatesyntax) - * 5.2.8.92 [RQ.SRS-006.RBAC.Grant.Privilege.To](#rqsrs-006rbacgrantprivilegeto) - * 5.2.8.93 [RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser](#rqsrs-006rbacgrantprivilegetocurrentuser) - * 5.2.8.94 [RQ.SRS-006.RBAC.Grant.Privilege.Select](#rqsrs-006rbacgrantprivilegeselect) - * 5.2.8.95 [RQ.SRS-006.RBAC.Grant.Privilege.Insert](#rqsrs-006rbacgrantprivilegeinsert) - * 5.2.8.96 [RQ.SRS-006.RBAC.Grant.Privilege.Alter](#rqsrs-006rbacgrantprivilegealter) - * 5.2.8.97 [RQ.SRS-006.RBAC.Grant.Privilege.Create](#rqsrs-006rbacgrantprivilegecreate) - * 5.2.8.98 [RQ.SRS-006.RBAC.Grant.Privilege.Drop](#rqsrs-006rbacgrantprivilegedrop) - * 5.2.8.99 [RQ.SRS-006.RBAC.Grant.Privilege.Truncate](#rqsrs-006rbacgrantprivilegetruncate) - * 5.2.8.100 [RQ.SRS-006.RBAC.Grant.Privilege.Optimize](#rqsrs-006rbacgrantprivilegeoptimize) - * 5.2.8.101 [RQ.SRS-006.RBAC.Grant.Privilege.Show](#rqsrs-006rbacgrantprivilegeshow) - * 5.2.8.102 [RQ.SRS-006.RBAC.Grant.Privilege.KillQuery](#rqsrs-006rbacgrantprivilegekillquery) - * 5.2.8.103 [RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement](#rqsrs-006rbacgrantprivilegeaccessmanagement) - * 5.2.8.104 [RQ.SRS-006.RBAC.Grant.Privilege.System](#rqsrs-006rbacgrantprivilegesystem) - * 5.2.8.105 [RQ.SRS-006.RBAC.Grant.Privilege.Introspection](#rqsrs-006rbacgrantprivilegeintrospection) - * 5.2.8.106 [RQ.SRS-006.RBAC.Grant.Privilege.Sources](#rqsrs-006rbacgrantprivilegesources) - * 5.2.8.107 [RQ.SRS-006.RBAC.Grant.Privilege.DictGet](#rqsrs-006rbacgrantprivilegedictget) - * 5.2.8.108 [RQ.SRS-006.RBAC.Grant.Privilege.None](#rqsrs-006rbacgrantprivilegenone) - * 5.2.8.109 [RQ.SRS-006.RBAC.Grant.Privilege.All](#rqsrs-006rbacgrantprivilegeall) - * 5.2.8.110 [RQ.SRS-006.RBAC.Grant.Privilege.GrantOption](#rqsrs-006rbacgrantprivilegegrantoption) - * 5.2.8.111 [RQ.SRS-006.RBAC.Grant.Privilege.On](#rqsrs-006rbacgrantprivilegeon) - * 5.2.8.112 [RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns](#rqsrs-006rbacgrantprivilegeprivilegecolumns) - * 5.2.8.113 [RQ.SRS-006.RBAC.Grant.Privilege.OnCluster](#rqsrs-006rbacgrantprivilegeoncluster) - * 5.2.8.114 [RQ.SRS-006.RBAC.Grant.Privilege.Syntax](#rqsrs-006rbacgrantprivilegesyntax) - * 5.2.8.115 [RQ.SRS-006.RBAC.Revoke.Privilege.Cluster](#rqsrs-006rbacrevokeprivilegecluster) - * 5.2.8.116 [RQ.SRS-006.RBAC.Revoke.Privilege.Any](#rqsrs-006rbacrevokeprivilegeany) - * 5.2.8.117 [RQ.SRS-006.RBAC.Revoke.Privilege.Select](#rqsrs-006rbacrevokeprivilegeselect) - * 5.2.8.118 [RQ.SRS-006.RBAC.Revoke.Privilege.Insert](#rqsrs-006rbacrevokeprivilegeinsert) - * 5.2.8.119 [RQ.SRS-006.RBAC.Revoke.Privilege.Alter](#rqsrs-006rbacrevokeprivilegealter) - * 5.2.8.120 [RQ.SRS-006.RBAC.Revoke.Privilege.Create](#rqsrs-006rbacrevokeprivilegecreate) - * 5.2.8.121 [RQ.SRS-006.RBAC.Revoke.Privilege.Drop](#rqsrs-006rbacrevokeprivilegedrop) - * 5.2.8.122 [RQ.SRS-006.RBAC.Revoke.Privilege.Truncate](#rqsrs-006rbacrevokeprivilegetruncate) - * 5.2.8.123 [RQ.SRS-006.RBAC.Revoke.Privilege.Optimize](#rqsrs-006rbacrevokeprivilegeoptimize) - * 5.2.8.124 [RQ.SRS-006.RBAC.Revoke.Privilege.Show](#rqsrs-006rbacrevokeprivilegeshow) - * 5.2.8.125 [RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery](#rqsrs-006rbacrevokeprivilegekillquery) - * 5.2.8.126 [RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement](#rqsrs-006rbacrevokeprivilegeaccessmanagement) - * 5.2.8.127 [RQ.SRS-006.RBAC.Revoke.Privilege.System](#rqsrs-006rbacrevokeprivilegesystem) - * 5.2.8.128 [RQ.SRS-006.RBAC.Revoke.Privilege.Introspection](#rqsrs-006rbacrevokeprivilegeintrospection) - * 5.2.8.129 [RQ.SRS-006.RBAC.Revoke.Privilege.Sources](#rqsrs-006rbacrevokeprivilegesources) - * 5.2.8.130 [RQ.SRS-006.RBAC.Revoke.Privilege.DictGet](#rqsrs-006rbacrevokeprivilegedictget) - * 5.2.8.131 [RQ.SRS-006.RBAC.Revoke.Privilege.PrivelegeColumns](#rqsrs-006rbacrevokeprivilegeprivelegecolumns) - * 5.2.8.132 [RQ.SRS-006.RBAC.Revoke.Privilege.Multiple](#rqsrs-006rbacrevokeprivilegemultiple) - * 5.2.8.133 [RQ.SRS-006.RBAC.Revoke.Privilege.All](#rqsrs-006rbacrevokeprivilegeall) - * 5.2.8.134 [RQ.SRS-006.RBAC.Revoke.Privilege.None](#rqsrs-006rbacrevokeprivilegenone) - * 5.2.8.135 [RQ.SRS-006.RBAC.Revoke.Privilege.On](#rqsrs-006rbacrevokeprivilegeon) - * 5.2.8.136 [RQ.SRS-006.RBAC.Revoke.Privilege.From](#rqsrs-006rbacrevokeprivilegefrom) - * 5.2.8.137 [RQ.SRS-006.RBAC.Revoke.Privilege.Syntax](#rqsrs-006rbacrevokeprivilegesyntax) - * 5.2.8.138 [RQ.SRS-006.RBAC.PartialRevoke.Syntax](#rqsrs-006rbacpartialrevokesyntax) - * 5.2.8.139 [RQ.SRS-006.RBAC.Grant.Role](#rqsrs-006rbacgrantrole) - * 5.2.8.140 [RQ.SRS-006.RBAC.Grant.Role.CurrentUser](#rqsrs-006rbacgrantrolecurrentuser) - * 5.2.8.141 [RQ.SRS-006.RBAC.Grant.Role.AdminOption](#rqsrs-006rbacgrantroleadminoption) - * 5.2.8.142 [RQ.SRS-006.RBAC.Grant.Role.OnCluster](#rqsrs-006rbacgrantroleoncluster) - * 5.2.8.143 [RQ.SRS-006.RBAC.Grant.Role.Syntax](#rqsrs-006rbacgrantrolesyntax) - * 5.2.8.144 [RQ.SRS-006.RBAC.Revoke.Role](#rqsrs-006rbacrevokerole) - * 5.2.8.145 [RQ.SRS-006.RBAC.Revoke.Role.Keywords](#rqsrs-006rbacrevokerolekeywords) - * 5.2.8.146 [RQ.SRS-006.RBAC.Revoke.Role.Cluster](#rqsrs-006rbacrevokerolecluster) - * 5.2.8.147 [RQ.SRS-006.RBAC.Revoke.AdminOption](#rqsrs-006rbacrevokeadminoption) - * 5.2.8.148 [RQ.SRS-006.RBAC.Revoke.Role.Syntax](#rqsrs-006rbacrevokerolesyntax) - * 5.2.8.149 [RQ.SRS-006.RBAC.Show.Grants](#rqsrs-006rbacshowgrants) - * 5.2.8.150 [RQ.SRS-006.RBAC.Show.Grants.For](#rqsrs-006rbacshowgrantsfor) - * 5.2.8.151 [RQ.SRS-006.RBAC.Show.Grants.Syntax](#rqsrs-006rbacshowgrantssyntax) - * 5.2.8.152 [RQ.SRS-006.RBAC.SettingsProfile.Create](#rqsrs-006rbacsettingsprofilecreate) - * 5.2.8.153 [RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists](#rqsrs-006rbacsettingsprofilecreateifnotexists) - * 5.2.8.154 [RQ.SRS-006.RBAC.SettingsProfile.Create.Replace](#rqsrs-006rbacsettingsprofilecreatereplace) - * 5.2.8.155 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables](#rqsrs-006rbacsettingsprofilecreatevariables) - * 5.2.8.156 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value](#rqsrs-006rbacsettingsprofilecreatevariablesvalue) - * 5.2.8.157 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints](#rqsrs-006rbacsettingsprofilecreatevariablesconstraints) - * 5.2.8.158 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment](#rqsrs-006rbacsettingsprofilecreateassignment) - * 5.2.8.159 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None](#rqsrs-006rbacsettingsprofilecreateassignmentnone) - * 5.2.8.160 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All](#rqsrs-006rbacsettingsprofilecreateassignmentall) - * 5.2.8.161 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilecreateassignmentallexcept) - * 5.2.8.162 [RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit](#rqsrs-006rbacsettingsprofilecreateinherit) - * 5.2.8.163 [RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster](#rqsrs-006rbacsettingsprofilecreateoncluster) - * 5.2.8.164 [RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax](#rqsrs-006rbacsettingsprofilecreatesyntax) - * 5.2.8.165 [RQ.SRS-006.RBAC.SettingsProfile.Alter](#rqsrs-006rbacsettingsprofilealter) - * 5.2.8.166 [RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists](#rqsrs-006rbacsettingsprofilealterifexists) - * 5.2.8.167 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename](#rqsrs-006rbacsettingsprofilealterrename) - * 5.2.8.168 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables](#rqsrs-006rbacsettingsprofilealtervariables) - * 5.2.8.169 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value](#rqsrs-006rbacsettingsprofilealtervariablesvalue) - * 5.2.8.170 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints](#rqsrs-006rbacsettingsprofilealtervariablesconstraints) - * 5.2.8.171 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment](#rqsrs-006rbacsettingsprofilealterassignment) - * 5.2.8.172 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None](#rqsrs-006rbacsettingsprofilealterassignmentnone) - * 5.2.8.173 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All](#rqsrs-006rbacsettingsprofilealterassignmentall) - * 5.2.8.174 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilealterassignmentallexcept) - * 5.2.8.175 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit](#rqsrs-006rbacsettingsprofilealterassignmentinherit) - * 5.2.8.176 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster](#rqsrs-006rbacsettingsprofilealterassignmentoncluster) - * 5.2.8.177 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax](#rqsrs-006rbacsettingsprofilealtersyntax) - * 5.2.8.178 [RQ.SRS-006.RBAC.SettingsProfile.Drop](#rqsrs-006rbacsettingsprofiledrop) - * 5.2.8.179 [RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists](#rqsrs-006rbacsettingsprofiledropifexists) - * 5.2.8.180 [RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster](#rqsrs-006rbacsettingsprofiledroponcluster) - * 5.2.8.181 [RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax](#rqsrs-006rbacsettingsprofiledropsyntax) - * 5.2.8.182 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile](#rqsrs-006rbacsettingsprofileshowcreatesettingsprofile) - * 5.2.8.183 [RQ.SRS-006.RBAC.Quota.Create](#rqsrs-006rbacquotacreate) - * 5.2.8.184 [RQ.SRS-006.RBAC.Quota.Create.IfNotExists](#rqsrs-006rbacquotacreateifnotexists) - * 5.2.8.185 [RQ.SRS-006.RBAC.Quota.Create.Replace](#rqsrs-006rbacquotacreatereplace) - * 5.2.8.186 [RQ.SRS-006.RBAC.Quota.Create.Cluster](#rqsrs-006rbacquotacreatecluster) - * 5.2.8.187 [RQ.SRS-006.RBAC.Quota.Create.Interval](#rqsrs-006rbacquotacreateinterval) - * 5.2.8.188 [RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized](#rqsrs-006rbacquotacreateintervalrandomized) - * 5.2.8.189 [RQ.SRS-006.RBAC.Quota.Create.Queries](#rqsrs-006rbacquotacreatequeries) - * 5.2.8.190 [RQ.SRS-006.RBAC.Quota.Create.Errors](#rqsrs-006rbacquotacreateerrors) - * 5.2.8.191 [RQ.SRS-006.RBAC.Quota.Create.ResultRows](#rqsrs-006rbacquotacreateresultrows) - * 5.2.8.192 [RQ.SRS-006.RBAC.Quota.Create.ReadRows](#rqsrs-006rbacquotacreatereadrows) - * 5.2.8.193 [RQ.SRS-006.RBAC.Quota.Create.ResultBytes](#rqsrs-006rbacquotacreateresultbytes) - * 5.2.8.194 [RQ.SRS-006.RBAC.Quota.Create.ReadBytes](#rqsrs-006rbacquotacreatereadbytes) - * 5.2.8.195 [RQ.SRS-006.RBAC.Quota.Create.ExecutionTime](#rqsrs-006rbacquotacreateexecutiontime) - * 5.2.8.196 [RQ.SRS-006.RBAC.Quota.Create.NoLimits](#rqsrs-006rbacquotacreatenolimits) - * 5.2.8.197 [RQ.SRS-006.RBAC.Quota.Create.TrackingOnly](#rqsrs-006rbacquotacreatetrackingonly) - * 5.2.8.198 [RQ.SRS-006.RBAC.Quota.Create.KeyedBy](#rqsrs-006rbacquotacreatekeyedby) - * 5.2.8.199 [RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions](#rqsrs-006rbacquotacreatekeyedbyoptions) - * 5.2.8.200 [RQ.SRS-006.RBAC.Quota.Create.Assignment](#rqsrs-006rbacquotacreateassignment) - * 5.2.8.201 [RQ.SRS-006.RBAC.Quota.Create.Assignment.None](#rqsrs-006rbacquotacreateassignmentnone) - * 5.2.8.202 [RQ.SRS-006.RBAC.Quota.Create.Assignment.All](#rqsrs-006rbacquotacreateassignmentall) - * 5.2.8.203 [RQ.SRS-006.RBAC.Quota.Create.Assignment.Except](#rqsrs-006rbacquotacreateassignmentexcept) - * 5.2.8.204 [RQ.SRS-006.RBAC.Quota.Create.Syntax](#rqsrs-006rbacquotacreatesyntax) - * 5.2.8.205 [RQ.SRS-006.RBAC.Quota.Alter](#rqsrs-006rbacquotaalter) - * 5.2.8.206 [RQ.SRS-006.RBAC.Quota.Alter.IfExists](#rqsrs-006rbacquotaalterifexists) - * 5.2.8.207 [RQ.SRS-006.RBAC.Quota.Alter.Rename](#rqsrs-006rbacquotaalterrename) - * 5.2.8.208 [RQ.SRS-006.RBAC.Quota.Alter.Cluster](#rqsrs-006rbacquotaaltercluster) - * 5.2.8.209 [RQ.SRS-006.RBAC.Quota.Alter.Interval](#rqsrs-006rbacquotaalterinterval) - * 5.2.8.210 [RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized](#rqsrs-006rbacquotaalterintervalrandomized) - * 5.2.8.211 [RQ.SRS-006.RBAC.Quota.Alter.Queries](#rqsrs-006rbacquotaalterqueries) - * 5.2.8.212 [RQ.SRS-006.RBAC.Quota.Alter.Errors](#rqsrs-006rbacquotaaltererrors) - * 5.2.8.213 [RQ.SRS-006.RBAC.Quota.Alter.ResultRows](#rqsrs-006rbacquotaalterresultrows) - * 5.2.8.214 [RQ.SRS-006.RBAC.Quota.Alter.ReadRows](#rqsrs-006rbacquotaalterreadrows) - * 5.2.8.215 [RQ.SRS-006.RBAC.Quota.ALter.ResultBytes](#rqsrs-006rbacquotaalterresultbytes) - * 5.2.8.216 [RQ.SRS-006.RBAC.Quota.Alter.ReadBytes](#rqsrs-006rbacquotaalterreadbytes) - * 5.2.8.217 [RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime](#rqsrs-006rbacquotaalterexecutiontime) - * 5.2.8.218 [RQ.SRS-006.RBAC.Quota.Alter.NoLimits](#rqsrs-006rbacquotaalternolimits) - * 5.2.8.219 [RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly](#rqsrs-006rbacquotaaltertrackingonly) - * 5.2.8.220 [RQ.SRS-006.RBAC.Quota.Alter.KeyedBy](#rqsrs-006rbacquotaalterkeyedby) - * 5.2.8.221 [RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions](#rqsrs-006rbacquotaalterkeyedbyoptions) - * 5.2.8.222 [RQ.SRS-006.RBAC.Quota.Alter.Assignment](#rqsrs-006rbacquotaalterassignment) - * 5.2.8.223 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.None](#rqsrs-006rbacquotaalterassignmentnone) - * 5.2.8.224 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.All](#rqsrs-006rbacquotaalterassignmentall) - * 5.2.8.225 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except](#rqsrs-006rbacquotaalterassignmentexcept) - * 5.2.8.226 [RQ.SRS-006.RBAC.Quota.Alter.Syntax](#rqsrs-006rbacquotaaltersyntax) - * 5.2.8.227 [RQ.SRS-006.RBAC.Quota.Drop](#rqsrs-006rbacquotadrop) - * 5.2.8.228 [RQ.SRS-006.RBAC.Quota.Drop.IfExists](#rqsrs-006rbacquotadropifexists) - * 5.2.8.229 [RQ.SRS-006.RBAC.Quota.Drop.Cluster](#rqsrs-006rbacquotadropcluster) - * 5.2.8.230 [RQ.SRS-006.RBAC.Quota.Drop.Syntax](#rqsrs-006rbacquotadropsyntax) - * 5.2.8.231 [RQ.SRS-006.RBAC.Quota.ShowQuotas](#rqsrs-006rbacquotashowquotas) - * 5.2.8.232 [RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile](#rqsrs-006rbacquotashowquotasintooutfile) - * 5.2.8.233 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Format](#rqsrs-006rbacquotashowquotasformat) - * 5.2.8.234 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings](#rqsrs-006rbacquotashowquotassettings) - * 5.2.8.235 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax](#rqsrs-006rbacquotashowquotassyntax) - * 5.2.8.236 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name](#rqsrs-006rbacquotashowcreatequotaname) - * 5.2.8.237 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current](#rqsrs-006rbacquotashowcreatequotacurrent) - * 5.2.8.238 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax](#rqsrs-006rbacquotashowcreatequotasyntax) - * 5.2.8.239 [RQ.SRS-006.RBAC.RowPolicy.Create](#rqsrs-006rbacrowpolicycreate) - * 5.2.8.240 [RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists](#rqsrs-006rbacrowpolicycreateifnotexists) - * 5.2.8.241 [RQ.SRS-006.RBAC.RowPolicy.Create.Replace](#rqsrs-006rbacrowpolicycreatereplace) - * 5.2.8.242 [RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster](#rqsrs-006rbacrowpolicycreateoncluster) - * 5.2.8.243 [RQ.SRS-006.RBAC.RowPolicy.Create.On](#rqsrs-006rbacrowpolicycreateon) - * 5.2.8.244 [RQ.SRS-006.RBAC.RowPolicy.Create.Access](#rqsrs-006rbacrowpolicycreateaccess) - * 5.2.8.245 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive](#rqsrs-006rbacrowpolicycreateaccesspermissive) - * 5.2.8.246 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive](#rqsrs-006rbacrowpolicycreateaccessrestrictive) - * 5.2.8.247 [RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect](#rqsrs-006rbacrowpolicycreateforselect) - * 5.2.8.248 [RQ.SRS-006.RBAC.RowPolicy.Create.Condition](#rqsrs-006rbacrowpolicycreatecondition) - * 5.2.8.249 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment](#rqsrs-006rbacrowpolicycreateassignment) - * 5.2.8.250 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None](#rqsrs-006rbacrowpolicycreateassignmentnone) - * 5.2.8.251 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All](#rqsrs-006rbacrowpolicycreateassignmentall) - * 5.2.8.252 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept](#rqsrs-006rbacrowpolicycreateassignmentallexcept) - * 5.2.8.253 [RQ.SRS-006.RBAC.RowPolicy.Create.Syntax](#rqsrs-006rbacrowpolicycreatesyntax) - * 5.2.8.254 [RQ.SRS-006.RBAC.RowPolicy.Alter](#rqsrs-006rbacrowpolicyalter) - * 5.2.8.255 [RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists](#rqsrs-006rbacrowpolicyalterifexists) - * 5.2.8.256 [RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect](#rqsrs-006rbacrowpolicyalterforselect) - * 5.2.8.257 [RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster](#rqsrs-006rbacrowpolicyalteroncluster) - * 5.2.8.258 [RQ.SRS-006.RBAC.RowPolicy.Alter.On](#rqsrs-006rbacrowpolicyalteron) - * 5.2.8.259 [RQ.SRS-006.RBAC.RowPolicy.Alter.Rename](#rqsrs-006rbacrowpolicyalterrename) - * 5.2.8.260 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access](#rqsrs-006rbacrowpolicyalteraccess) - * 5.2.8.261 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive](#rqsrs-006rbacrowpolicyalteraccesspermissive) - * 5.2.8.262 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive](#rqsrs-006rbacrowpolicyalteraccessrestrictive) - * 5.2.8.263 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition](#rqsrs-006rbacrowpolicyaltercondition) - * 5.2.8.264 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None](#rqsrs-006rbacrowpolicyalterconditionnone) - * 5.2.8.265 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment](#rqsrs-006rbacrowpolicyalterassignment) - * 5.2.8.266 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None](#rqsrs-006rbacrowpolicyalterassignmentnone) - * 5.2.8.267 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All](#rqsrs-006rbacrowpolicyalterassignmentall) - * 5.2.8.268 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept](#rqsrs-006rbacrowpolicyalterassignmentallexcept) - * 5.2.8.269 [RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax](#rqsrs-006rbacrowpolicyaltersyntax) - * 5.2.8.270 [RQ.SRS-006.RBAC.RowPolicy.Drop](#rqsrs-006rbacrowpolicydrop) - * 5.2.8.271 [RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists](#rqsrs-006rbacrowpolicydropifexists) - * 5.2.8.272 [RQ.SRS-006.RBAC.RowPolicy.Drop.On](#rqsrs-006rbacrowpolicydropon) - * 5.2.8.273 [RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster](#rqsrs-006rbacrowpolicydroponcluster) - * 5.2.8.274 [RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax](#rqsrs-006rbacrowpolicydropsyntax) - * 5.2.8.275 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy](#rqsrs-006rbacrowpolicyshowcreaterowpolicy) - * 5.2.8.276 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On](#rqsrs-006rbacrowpolicyshowcreaterowpolicyon) - * 5.2.8.277 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax](#rqsrs-006rbacrowpolicyshowcreaterowpolicysyntax) - * 5.2.8.278 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies](#rqsrs-006rbacrowpolicyshowrowpolicies) - * 5.2.8.279 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On](#rqsrs-006rbacrowpolicyshowrowpolicieson) - * 5.2.8.280 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax](#rqsrs-006rbacrowpolicyshowrowpoliciessyntax) - * 5.2.9 [Table Privileges](#table-privileges) - * 5.2.9.1 [RQ.SRS-006.RBAC.Table.PublicTables](#rqsrs-006rbactablepublictables) - * 5.2.9.2 [RQ.SRS-006.RBAC.Table.SensitiveTables](#rqsrs-006rbactablesensitivetables) - * 5.2.10 [Distributed Tables](#distributed-tables) - * 5.2.10.1 [RQ.SRS-006.RBAC.DistributedTable.Create](#rqsrs-006rbacdistributedtablecreate) - * 5.2.10.2 [RQ.SRS-006.RBAC.DistributedTable.Select](#rqsrs-006rbacdistributedtableselect) - * 5.2.10.3 [RQ.SRS-006.RBAC.DistributedTable.Insert](#rqsrs-006rbacdistributedtableinsert) - * 5.2.10.4 [RQ.SRS-006.RBAC.DistributedTable.SpecialTables](#rqsrs-006rbacdistributedtablespecialtables) - * 5.2.10.5 [RQ.SRS-006.RBAC.DistributedTable.LocalUser](#rqsrs-006rbacdistributedtablelocaluser) - * 5.2.10.6 [RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges](#rqsrs-006rbacdistributedtablesameuserdifferentnodesdifferentprivileges) - * 5.2.11 [Views](#views) - * 5.2.11.1 [View](#view) - * 5.2.11.1.1 [RQ.SRS-006.RBAC.View](#rqsrs-006rbacview) - * 5.2.11.1.2 [RQ.SRS-006.RBAC.View.Create](#rqsrs-006rbacviewcreate) - * 5.2.11.1.3 [RQ.SRS-006.RBAC.View.Select](#rqsrs-006rbacviewselect) - * 5.2.11.1.4 [RQ.SRS-006.RBAC.View.Drop](#rqsrs-006rbacviewdrop) - * 5.2.11.2 [Materialized View](#materialized-view) - * 5.2.11.2.1 [RQ.SRS-006.RBAC.MaterializedView](#rqsrs-006rbacmaterializedview) - * 5.2.11.2.2 [RQ.SRS-006.RBAC.MaterializedView.Create](#rqsrs-006rbacmaterializedviewcreate) - * 5.2.11.2.3 [RQ.SRS-006.RBAC.MaterializedView.Select](#rqsrs-006rbacmaterializedviewselect) - * 5.2.11.2.4 [RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable](#rqsrs-006rbacmaterializedviewselecttargettable) - * 5.2.11.2.5 [RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable](#rqsrs-006rbacmaterializedviewselectsourcetable) - * 5.2.11.2.6 [RQ.SRS-006.RBAC.MaterializedView.Drop](#rqsrs-006rbacmaterializedviewdrop) - * 5.2.11.2.7 [RQ.SRS-006.RBAC.MaterializedView.ModifyQuery](#rqsrs-006rbacmaterializedviewmodifyquery) - * 5.2.11.2.8 [RQ.SRS-006.RBAC.MaterializedView.Insert](#rqsrs-006rbacmaterializedviewinsert) - * 5.2.11.2.9 [RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable](#rqsrs-006rbacmaterializedviewinsertsourcetable) - * 5.2.11.2.10 [RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable](#rqsrs-006rbacmaterializedviewinserttargettable) - * 5.2.11.3 [Live View](#live-view) - * 5.2.11.3.1 [RQ.SRS-006.RBAC.LiveView](#rqsrs-006rbacliveview) - * 5.2.11.3.2 [RQ.SRS-006.RBAC.LiveView.Create](#rqsrs-006rbacliveviewcreate) - * 5.2.11.3.3 [RQ.SRS-006.RBAC.LiveView.Select](#rqsrs-006rbacliveviewselect) - * 5.2.11.3.4 [RQ.SRS-006.RBAC.LiveView.Drop](#rqsrs-006rbacliveviewdrop) - * 5.2.11.3.5 [RQ.SRS-006.RBAC.LiveView.Refresh](#rqsrs-006rbacliveviewrefresh) - * 5.2.12 [Select](#select) - * 5.2.12.1 [RQ.SRS-006.RBAC.Select](#rqsrs-006rbacselect) - * 5.2.12.2 [RQ.SRS-006.RBAC.Select.Column](#rqsrs-006rbacselectcolumn) - * 5.2.12.3 [RQ.SRS-006.RBAC.Select.Cluster](#rqsrs-006rbacselectcluster) - * 5.2.12.4 [RQ.SRS-006.RBAC.Select.TableEngines](#rqsrs-006rbacselecttableengines) - * 5.2.13 [Insert](#insert) - * 5.2.13.1 [RQ.SRS-006.RBAC.Insert](#rqsrs-006rbacinsert) - * 5.2.13.2 [RQ.SRS-006.RBAC.Insert.Column](#rqsrs-006rbacinsertcolumn) - * 5.2.13.3 [RQ.SRS-006.RBAC.Insert.Cluster](#rqsrs-006rbacinsertcluster) - * 5.2.13.4 [RQ.SRS-006.RBAC.Insert.TableEngines](#rqsrs-006rbacinserttableengines) - * 5.2.14 [Alter](#alter) - * 5.2.14.1 [Alter Column](#alter-column) - * 5.2.14.1.1 [RQ.SRS-006.RBAC.Privileges.AlterColumn](#rqsrs-006rbacprivilegesaltercolumn) - * 5.2.14.1.2 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant](#rqsrs-006rbacprivilegesaltercolumngrant) - * 5.2.14.1.3 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke](#rqsrs-006rbacprivilegesaltercolumnrevoke) - * 5.2.14.1.4 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Column](#rqsrs-006rbacprivilegesaltercolumncolumn) - * 5.2.14.1.5 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster](#rqsrs-006rbacprivilegesaltercolumncluster) - * 5.2.14.1.6 [RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines](#rqsrs-006rbacprivilegesaltercolumntableengines) - * 5.2.14.2 [Alter Index](#alter-index) - * 5.2.14.2.1 [RQ.SRS-006.RBAC.Privileges.AlterIndex](#rqsrs-006rbacprivilegesalterindex) - * 5.2.14.2.2 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant](#rqsrs-006rbacprivilegesalterindexgrant) - * 5.2.14.2.3 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke](#rqsrs-006rbacprivilegesalterindexrevoke) - * 5.2.14.2.4 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster](#rqsrs-006rbacprivilegesalterindexcluster) - * 5.2.14.2.5 [RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines](#rqsrs-006rbacprivilegesalterindextableengines) - * 5.2.14.3 [Alter Constraint](#alter-constraint) - * 5.2.14.3.1 [RQ.SRS-006.RBAC.Privileges.AlterConstraint](#rqsrs-006rbacprivilegesalterconstraint) - * 5.2.14.3.2 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant](#rqsrs-006rbacprivilegesalterconstraintgrant) - * 5.2.14.3.3 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke](#rqsrs-006rbacprivilegesalterconstraintrevoke) - * 5.2.14.3.4 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster](#rqsrs-006rbacprivilegesalterconstraintcluster) - * 5.2.14.3.5 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines](#rqsrs-006rbacprivilegesalterconstrainttableengines) - * 5.2.14.4 [Alter TTL](#alter-ttl) - * 5.2.14.4.1 [RQ.SRS-006.RBAC.Privileges.AlterTTL](#rqsrs-006rbacprivilegesalterttl) - * 5.2.14.4.2 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant](#rqsrs-006rbacprivilegesalterttlgrant) - * 5.2.14.4.3 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke](#rqsrs-006rbacprivilegesalterttlrevoke) - * 5.2.14.4.4 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster](#rqsrs-006rbacprivilegesalterttlcluster) - * 5.2.14.4.5 [RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines](#rqsrs-006rbacprivilegesalterttltableengines) - * 5.2.14.5 [Alter Settings](#alter-settings) - * 5.2.14.5.1 [RQ.SRS-006.RBAC.Privileges.AlterSettings](#rqsrs-006rbacprivilegesaltersettings) - * 5.2.14.5.2 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant](#rqsrs-006rbacprivilegesaltersettingsgrant) - * 5.2.14.5.3 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke](#rqsrs-006rbacprivilegesaltersettingsrevoke) - * 5.2.14.5.4 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster](#rqsrs-006rbacprivilegesaltersettingscluster) - * 5.2.14.5.5 [RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines](#rqsrs-006rbacprivilegesaltersettingstableengines) - * 5.2.14.6 [Alter Update](#alter-update) - * 5.2.14.6.1 [RQ.SRS-006.RBAC.Privileges.AlterUpdate](#rqsrs-006rbacprivilegesalterupdate) - * 5.2.14.6.2 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant](#rqsrs-006rbacprivilegesalterupdategrant) - * 5.2.14.6.3 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke](#rqsrs-006rbacprivilegesalterupdaterevoke) - * 5.2.14.6.4 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines](#rqsrs-006rbacprivilegesalterupdatetableengines) - * 5.2.14.7 [Alter Delete](#alter-delete) - * 5.2.14.7.1 [RQ.SRS-006.RBAC.Privileges.AlterDelete](#rqsrs-006rbacprivilegesalterdelete) - * 5.2.14.7.2 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant](#rqsrs-006rbacprivilegesalterdeletegrant) - * 5.2.14.7.3 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke](#rqsrs-006rbacprivilegesalterdeleterevoke) - * 5.2.14.7.4 [RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines](#rqsrs-006rbacprivilegesalterdeletetableengines) - * 5.2.14.8 [Alter Freeze Partition](#alter-freeze-partition) - * 5.2.14.8.1 [RQ.SRS-006.RBAC.Privileges.AlterFreeze](#rqsrs-006rbacprivilegesalterfreeze) - * 5.2.14.8.2 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant](#rqsrs-006rbacprivilegesalterfreezegrant) - * 5.2.14.8.3 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke](#rqsrs-006rbacprivilegesalterfreezerevoke) - * 5.2.14.8.4 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines](#rqsrs-006rbacprivilegesalterfreezetableengines) - * 5.2.14.9 [Alter Fetch Partition](#alter-fetch-partition) - * 5.2.14.9.1 [RQ.SRS-006.RBAC.Privileges.AlterFetch](#rqsrs-006rbacprivilegesalterfetch) - * 5.2.14.9.2 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant](#rqsrs-006rbacprivilegesalterfetchgrant) - * 5.2.14.9.3 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke](#rqsrs-006rbacprivilegesalterfetchrevoke) - * 5.2.14.9.4 [RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines](#rqsrs-006rbacprivilegesalterfetchtableengines) - * 5.2.14.10 [Alter Move Partition](#alter-move-partition) - * 5.2.14.10.1 [RQ.SRS-006.RBAC.Privileges.AlterMove](#rqsrs-006rbacprivilegesaltermove) - * 5.2.14.10.2 [RQ.SRS-006.RBAC.Privileges.AlterMove.Grant](#rqsrs-006rbacprivilegesaltermovegrant) - * 5.2.14.10.3 [RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke](#rqsrs-006rbacprivilegesaltermoverevoke) - * 5.2.14.10.4 [RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines](#rqsrs-006rbacprivilegesaltermovetableengines) - * 5.2.15 [RQ.SRS-006.RBAC.Privileges.CreateTable](#rqsrs-006rbacprivilegescreatetable) - * 5.2.16 [RQ.SRS-006.RBAC.Privileges.CreateDatabase](#rqsrs-006rbacprivilegescreatedatabase) - * 5.2.17 [RQ.SRS-006.RBAC.Privileges.CreateDictionary](#rqsrs-006rbacprivilegescreatedictionary) - * 5.2.18 [RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable](#rqsrs-006rbacprivilegescreatetemporarytable) - * 5.2.19 [RQ.SRS-006.RBAC.Privileges.AttachDatabase](#rqsrs-006rbacprivilegesattachdatabase) - * 5.2.20 [RQ.SRS-006.RBAC.Privileges.AttachDictionary](#rqsrs-006rbacprivilegesattachdictionary) - * 5.2.21 [RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable](#rqsrs-006rbacprivilegesattachtemporarytable) - * 5.2.22 [RQ.SRS-006.RBAC.Privileges.AttachTable](#rqsrs-006rbacprivilegesattachtable) - * 5.2.23 [RQ.SRS-006.RBAC.Privileges.DropTable](#rqsrs-006rbacprivilegesdroptable) - * 5.2.24 [RQ.SRS-006.RBAC.Privileges.DropDatabase](#rqsrs-006rbacprivilegesdropdatabase) - * 5.2.25 [RQ.SRS-006.RBAC.Privileges.DropDictionary](#rqsrs-006rbacprivilegesdropdictionary) - * 5.2.26 [RQ.SRS-006.RBAC.Privileges.DetachTable](#rqsrs-006rbacprivilegesdetachtable) - * 5.2.27 [RQ.SRS-006.RBAC.Privileges.DetachView](#rqsrs-006rbacprivilegesdetachview) - * 5.2.28 [RQ.SRS-006.RBAC.Privileges.DetachDatabase](#rqsrs-006rbacprivilegesdetachdatabase) - * 5.2.29 [RQ.SRS-006.RBAC.Privileges.DetachDictionary](#rqsrs-006rbacprivilegesdetachdictionary) - * 5.2.30 [RQ.SRS-006.RBAC.Privileges.Truncate](#rqsrs-006rbacprivilegestruncate) - * 5.2.31 [RQ.SRS-006.RBAC.Privileges.Optimize](#rqsrs-006rbacprivilegesoptimize) - * 5.2.32 [RQ.SRS-006.RBAC.Privileges.KillQuery](#rqsrs-006rbacprivilegeskillquery) - * 5.2.33 [Kill Mutation](#kill-mutation) - * 5.2.33.1 [RQ.SRS-006.RBAC.Privileges.KillMutation](#rqsrs-006rbacprivilegeskillmutation) - * 5.2.33.2 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate](#rqsrs-006rbacprivilegeskillmutationalterupdate) - * 5.2.33.3 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete](#rqsrs-006rbacprivilegeskillmutationalterdelete) - * 5.2.33.4 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn](#rqsrs-006rbacprivilegeskillmutationalterdropcolumn) - * 5.2.34 [Show](#show) - * 5.2.34.1 [RQ.SRS-006.RBAC.ShowTables.Privilege](#rqsrs-006rbacshowtablesprivilege) - * 5.2.34.2 [RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege](#rqsrs-006rbacshowtablesrequiredprivilege) - * 5.2.34.3 [RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege](#rqsrs-006rbacexiststablerequiredprivilege) - * 5.2.34.4 [RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege](#rqsrs-006rbacchecktablerequiredprivilege) - * 5.2.34.5 [RQ.SRS-006.RBAC.ShowDatabases.Privilege](#rqsrs-006rbacshowdatabasesprivilege) - * 5.2.34.6 [RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege](#rqsrs-006rbacshowdatabasesrequiredprivilege) - * 5.2.34.7 [RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege](#rqsrs-006rbacshowcreatedatabaserequiredprivilege) - * 5.2.34.8 [RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege](#rqsrs-006rbacusedatabaserequiredprivilege) - * 5.2.34.9 [RQ.SRS-006.RBAC.ShowColumns.Privilege](#rqsrs-006rbacshowcolumnsprivilege) - * 5.2.34.10 [RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege](#rqsrs-006rbacshowcreatetablerequiredprivilege) - * 5.2.34.11 [RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege](#rqsrs-006rbacdescribetablerequiredprivilege) - * 5.2.34.12 [RQ.SRS-006.RBAC.ShowDictionaries.Privilege](#rqsrs-006rbacshowdictionariesprivilege) - * 5.2.34.13 [RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege](#rqsrs-006rbacshowdictionariesrequiredprivilege) - * 5.2.34.14 [RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege](#rqsrs-006rbacshowcreatedictionaryrequiredprivilege) - * 5.2.34.15 [RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege](#rqsrs-006rbacexistsdictionaryrequiredprivilege) - * 5.2.35 [Access Management](#access-management) - * 5.2.35.1 [RQ.SRS-006.RBAC.Privileges.CreateUser](#rqsrs-006rbacprivilegescreateuser) - * 5.2.35.2 [RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole](#rqsrs-006rbacprivilegescreateuserdefaultrole) - * 5.2.35.3 [RQ.SRS-006.RBAC.Privileges.AlterUser](#rqsrs-006rbacprivilegesalteruser) - * 5.2.35.4 [RQ.SRS-006.RBAC.Privileges.DropUser](#rqsrs-006rbacprivilegesdropuser) - * 5.2.35.5 [RQ.SRS-006.RBAC.Privileges.CreateRole](#rqsrs-006rbacprivilegescreaterole) - * 5.2.35.6 [RQ.SRS-006.RBAC.Privileges.AlterRole](#rqsrs-006rbacprivilegesalterrole) - * 5.2.35.7 [RQ.SRS-006.RBAC.Privileges.DropRole](#rqsrs-006rbacprivilegesdroprole) - * 5.2.35.8 [RQ.SRS-006.RBAC.Privileges.CreateRowPolicy](#rqsrs-006rbacprivilegescreaterowpolicy) - * 5.2.35.9 [RQ.SRS-006.RBAC.Privileges.AlterRowPolicy](#rqsrs-006rbacprivilegesalterrowpolicy) - * 5.2.35.10 [RQ.SRS-006.RBAC.Privileges.DropRowPolicy](#rqsrs-006rbacprivilegesdroprowpolicy) - * 5.2.35.11 [RQ.SRS-006.RBAC.Privileges.CreateQuota](#rqsrs-006rbacprivilegescreatequota) - * 5.2.35.12 [RQ.SRS-006.RBAC.Privileges.AlterQuota](#rqsrs-006rbacprivilegesalterquota) - * 5.2.35.13 [RQ.SRS-006.RBAC.Privileges.DropQuota](#rqsrs-006rbacprivilegesdropquota) - * 5.2.35.14 [RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile](#rqsrs-006rbacprivilegescreatesettingsprofile) - * 5.2.35.15 [RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile](#rqsrs-006rbacprivilegesaltersettingsprofile) - * 5.2.35.16 [RQ.SRS-006.RBAC.Privileges.DropSettingsProfile](#rqsrs-006rbacprivilegesdropsettingsprofile) - * 5.2.35.17 [RQ.SRS-006.RBAC.Privileges.RoleAdmin](#rqsrs-006rbacprivilegesroleadmin) - * 5.2.35.18 [Show Access](#show-access) - * 5.2.35.18.1 [RQ.SRS-006.RBAC.ShowUsers.Privilege](#rqsrs-006rbacshowusersprivilege) - * 5.2.35.18.2 [RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege](#rqsrs-006rbacshowusersrequiredprivilege) - * 5.2.35.18.3 [RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege](#rqsrs-006rbacshowcreateuserrequiredprivilege) - * 5.2.35.18.4 [RQ.SRS-006.RBAC.ShowRoles.Privilege](#rqsrs-006rbacshowrolesprivilege) - * 5.2.35.18.5 [RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege](#rqsrs-006rbacshowrolesrequiredprivilege) - * 5.2.35.18.6 [RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege](#rqsrs-006rbacshowcreaterolerequiredprivilege) - * 5.2.35.18.7 [RQ.SRS-006.RBAC.ShowRowPolicies.Privilege](#rqsrs-006rbacshowrowpoliciesprivilege) - * 5.2.35.18.8 [RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege](#rqsrs-006rbacshowrowpoliciesrequiredprivilege) - * 5.2.35.18.9 [RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege](#rqsrs-006rbacshowcreaterowpolicyrequiredprivilege) - * 5.2.35.18.10 [RQ.SRS-006.RBAC.ShowQuotas.Privilege](#rqsrs-006rbacshowquotasprivilege) - * 5.2.35.18.11 [RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege](#rqsrs-006rbacshowquotasrequiredprivilege) - * 5.2.35.18.12 [RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege](#rqsrs-006rbacshowcreatequotarequiredprivilege) - * 5.2.35.18.13 [RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege](#rqsrs-006rbacshowsettingsprofilesprivilege) - * 5.2.35.18.14 [RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege](#rqsrs-006rbacshowsettingsprofilesrequiredprivilege) - * 5.2.35.18.15 [RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege](#rqsrs-006rbacshowcreatesettingsprofilerequiredprivilege) - * 5.2.36 [dictGet](#dictget) - * 5.2.36.1 [RQ.SRS-006.RBAC.dictGet.Privilege](#rqsrs-006rbacdictgetprivilege) - * 5.2.36.2 [RQ.SRS-006.RBAC.dictGet.RequiredPrivilege](#rqsrs-006rbacdictgetrequiredprivilege) - * 5.2.36.3 [RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege](#rqsrs-006rbacdictgettyperequiredprivilege) - * 5.2.36.4 [RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege](#rqsrs-006rbacdictgetordefaultrequiredprivilege) - * 5.2.36.5 [RQ.SRS-006.RBAC.dictHas.RequiredPrivilege](#rqsrs-006rbacdicthasrequiredprivilege) - * 5.2.36.6 [RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege](#rqsrs-006rbacdictgethierarchyrequiredprivilege) - * 5.2.36.7 [RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege](#rqsrs-006rbacdictisinrequiredprivilege) - * 5.2.37 [Introspection](#introspection) - * 5.2.37.1 [RQ.SRS-006.RBAC.Privileges.Introspection](#rqsrs-006rbacprivilegesintrospection) - * 5.2.37.2 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine](#rqsrs-006rbacprivilegesintrospectionaddresstoline) - * 5.2.37.3 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol](#rqsrs-006rbacprivilegesintrospectionaddresstosymbol) - * 5.2.37.4 [RQ.SRS-006.RBAC.Privileges.Introspection.demangle](#rqsrs-006rbacprivilegesintrospectiondemangle) - * 5.2.38 [System](#system) - * 5.2.38.1 [RQ.SRS-006.RBAC.Privileges.System.Shutdown](#rqsrs-006rbacprivilegessystemshutdown) - * 5.2.38.2 [RQ.SRS-006.RBAC.Privileges.System.DropCache](#rqsrs-006rbacprivilegessystemdropcache) - * 5.2.38.3 [RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS](#rqsrs-006rbacprivilegessystemdropcachedns) - * 5.2.38.4 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark](#rqsrs-006rbacprivilegessystemdropcachemark) - * 5.2.38.5 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed](#rqsrs-006rbacprivilegessystemdropcacheuncompressed) - * 5.2.38.6 [RQ.SRS-006.RBAC.Privileges.System.Reload](#rqsrs-006rbacprivilegessystemreload) - * 5.2.38.7 [RQ.SRS-006.RBAC.Privileges.System.Reload.Config](#rqsrs-006rbacprivilegessystemreloadconfig) - * 5.2.38.8 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary](#rqsrs-006rbacprivilegessystemreloaddictionary) - * 5.2.38.9 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries](#rqsrs-006rbacprivilegessystemreloaddictionaries) - * 5.2.38.10 [RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries](#rqsrs-006rbacprivilegessystemreloadembeddeddictionaries) - * 5.2.38.11 [RQ.SRS-006.RBAC.Privileges.System.Merges](#rqsrs-006rbacprivilegessystemmerges) - * 5.2.38.12 [RQ.SRS-006.RBAC.Privileges.System.TTLMerges](#rqsrs-006rbacprivilegessystemttlmerges) - * 5.2.38.13 [RQ.SRS-006.RBAC.Privileges.System.Fetches](#rqsrs-006rbacprivilegessystemfetches) - * 5.2.38.14 [RQ.SRS-006.RBAC.Privileges.System.Moves](#rqsrs-006rbacprivilegessystemmoves) - * 5.2.38.15 [RQ.SRS-006.RBAC.Privileges.System.Sends](#rqsrs-006rbacprivilegessystemsends) - * 5.2.38.16 [RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed](#rqsrs-006rbacprivilegessystemsendsdistributed) - * 5.2.38.17 [RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated](#rqsrs-006rbacprivilegessystemsendsreplicated) - * 5.2.38.18 [RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues](#rqsrs-006rbacprivilegessystemreplicationqueues) - * 5.2.38.19 [RQ.SRS-006.RBAC.Privileges.System.SyncReplica](#rqsrs-006rbacprivilegessystemsyncreplica) - * 5.2.38.20 [RQ.SRS-006.RBAC.Privileges.System.RestartReplica](#rqsrs-006rbacprivilegessystemrestartreplica) - * 5.2.38.21 [RQ.SRS-006.RBAC.Privileges.System.Flush](#rqsrs-006rbacprivilegessystemflush) - * 5.2.38.22 [RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed](#rqsrs-006rbacprivilegessystemflushdistributed) - * 5.2.38.23 [RQ.SRS-006.RBAC.Privileges.System.Flush.Logs](#rqsrs-006rbacprivilegessystemflushlogs) - * 5.2.39 [Sources](#sources) - * 5.2.39.1 [RQ.SRS-006.RBAC.Privileges.Sources](#rqsrs-006rbacprivilegessources) - * 5.2.39.2 [RQ.SRS-006.RBAC.Privileges.Sources.File](#rqsrs-006rbacprivilegessourcesfile) - * 5.2.39.3 [RQ.SRS-006.RBAC.Privileges.Sources.URL](#rqsrs-006rbacprivilegessourcesurl) - * 5.2.39.4 [RQ.SRS-006.RBAC.Privileges.Sources.Remote](#rqsrs-006rbacprivilegessourcesremote) - * 5.2.39.5 [RQ.SRS-006.RBAC.Privileges.Sources.MySQL](#rqsrs-006rbacprivilegessourcesmysql) - * 5.2.39.6 [RQ.SRS-006.RBAC.Privileges.Sources.ODBC](#rqsrs-006rbacprivilegessourcesodbc) - * 5.2.39.7 [RQ.SRS-006.RBAC.Privileges.Sources.JDBC](#rqsrs-006rbacprivilegessourcesjdbc) - * 5.2.39.8 [RQ.SRS-006.RBAC.Privileges.Sources.HDFS](#rqsrs-006rbacprivilegessourceshdfs) - * 5.2.39.9 [RQ.SRS-006.RBAC.Privileges.Sources.S3](#rqsrs-006rbacprivilegessourcess3) - * 5.2.40 [RQ.SRS-006.RBAC.Privileges.GrantOption](#rqsrs-006rbacprivilegesgrantoption) - * 5.2.41 [RQ.SRS-006.RBAC.Privileges.All](#rqsrs-006rbacprivilegesall) - * 5.2.42 [RQ.SRS-006.RBAC.Privileges.AdminOption](#rqsrs-006rbacprivilegesadminoption) + * 5.2 [Login](#login) + * 5.2.1 [RQ.SRS-006.RBAC.Login](#rqsrs-006rbaclogin) + * 5.2.2 [RQ.SRS-006.RBAC.Login.DefaultUser](#rqsrs-006rbaclogindefaultuser) + * 5.3 [User](#user) + * 5.3.1 [RQ.SRS-006.RBAC.User](#rqsrs-006rbacuser) + * 5.3.2 [RQ.SRS-006.RBAC.User.Roles](#rqsrs-006rbacuserroles) + * 5.3.3 [RQ.SRS-006.RBAC.User.Privileges](#rqsrs-006rbacuserprivileges) + * 5.3.4 [RQ.SRS-006.RBAC.User.Variables](#rqsrs-006rbacuservariables) + * 5.3.5 [RQ.SRS-006.RBAC.User.Variables.Constraints](#rqsrs-006rbacuservariablesconstraints) + * 5.3.6 [RQ.SRS-006.RBAC.User.SettingsProfile](#rqsrs-006rbacusersettingsprofile) + * 5.3.7 [RQ.SRS-006.RBAC.User.Quotas](#rqsrs-006rbacuserquotas) + * 5.3.8 [RQ.SRS-006.RBAC.User.RowPolicies](#rqsrs-006rbacuserrowpolicies) + * 5.3.9 [RQ.SRS-006.RBAC.User.DefaultRole](#rqsrs-006rbacuserdefaultrole) + * 5.3.10 [RQ.SRS-006.RBAC.User.RoleSelection](#rqsrs-006rbacuserroleselection) + * 5.3.11 [RQ.SRS-006.RBAC.User.ShowCreate](#rqsrs-006rbacusershowcreate) + * 5.3.12 [RQ.SRS-006.RBAC.User.ShowPrivileges](#rqsrs-006rbacusershowprivileges) + * 5.3.13 [RQ.SRS-006.RBAC.User.Use.DefaultRole](#rqsrs-006rbacuserusedefaultrole) + * 5.3.14 [RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole](#rqsrs-006rbacuseruseallroleswhennodefaultrole) + * 5.3.15 [Create User](#create-user) + * 5.3.15.1 [RQ.SRS-006.RBAC.User.Create](#rqsrs-006rbacusercreate) + * 5.3.15.2 [RQ.SRS-006.RBAC.User.Create.IfNotExists](#rqsrs-006rbacusercreateifnotexists) + * 5.3.15.3 [RQ.SRS-006.RBAC.User.Create.Replace](#rqsrs-006rbacusercreatereplace) + * 5.3.15.4 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword](#rqsrs-006rbacusercreatepasswordnopassword) + * 5.3.15.5 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login](#rqsrs-006rbacusercreatepasswordnopasswordlogin) + * 5.3.15.6 [RQ.SRS-006.RBAC.User.Create.Password.PlainText](#rqsrs-006rbacusercreatepasswordplaintext) + * 5.3.15.7 [RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login](#rqsrs-006rbacusercreatepasswordplaintextlogin) + * 5.3.15.8 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password](#rqsrs-006rbacusercreatepasswordsha256password) + * 5.3.15.9 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login](#rqsrs-006rbacusercreatepasswordsha256passwordlogin) + * 5.3.15.10 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash](#rqsrs-006rbacusercreatepasswordsha256hash) + * 5.3.15.11 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login](#rqsrs-006rbacusercreatepasswordsha256hashlogin) + * 5.3.15.12 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password](#rqsrs-006rbacusercreatepassworddoublesha1password) + * 5.3.15.13 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login](#rqsrs-006rbacusercreatepassworddoublesha1passwordlogin) + * 5.3.15.14 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash](#rqsrs-006rbacusercreatepassworddoublesha1hash) + * 5.3.15.15 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login](#rqsrs-006rbacusercreatepassworddoublesha1hashlogin) + * 5.3.15.16 [RQ.SRS-006.RBAC.User.Create.Host.Name](#rqsrs-006rbacusercreatehostname) + * 5.3.15.17 [RQ.SRS-006.RBAC.User.Create.Host.Regexp](#rqsrs-006rbacusercreatehostregexp) + * 5.3.15.18 [RQ.SRS-006.RBAC.User.Create.Host.IP](#rqsrs-006rbacusercreatehostip) + * 5.3.15.19 [RQ.SRS-006.RBAC.User.Create.Host.Any](#rqsrs-006rbacusercreatehostany) + * 5.3.15.20 [RQ.SRS-006.RBAC.User.Create.Host.None](#rqsrs-006rbacusercreatehostnone) + * 5.3.15.21 [RQ.SRS-006.RBAC.User.Create.Host.Local](#rqsrs-006rbacusercreatehostlocal) + * 5.3.15.22 [RQ.SRS-006.RBAC.User.Create.Host.Like](#rqsrs-006rbacusercreatehostlike) + * 5.3.15.23 [RQ.SRS-006.RBAC.User.Create.Host.Default](#rqsrs-006rbacusercreatehostdefault) + * 5.3.15.24 [RQ.SRS-006.RBAC.User.Create.DefaultRole](#rqsrs-006rbacusercreatedefaultrole) + * 5.3.15.25 [RQ.SRS-006.RBAC.User.Create.DefaultRole.None](#rqsrs-006rbacusercreatedefaultrolenone) + * 5.3.15.26 [RQ.SRS-006.RBAC.User.Create.DefaultRole.All](#rqsrs-006rbacusercreatedefaultroleall) + * 5.3.15.27 [RQ.SRS-006.RBAC.User.Create.Settings](#rqsrs-006rbacusercreatesettings) + * 5.3.15.28 [RQ.SRS-006.RBAC.User.Create.OnCluster](#rqsrs-006rbacusercreateoncluster) + * 5.3.15.29 [RQ.SRS-006.RBAC.User.Create.Syntax](#rqsrs-006rbacusercreatesyntax) + * 5.3.16 [Alter User](#alter-user) + * 5.3.16.1 [RQ.SRS-006.RBAC.User.Alter](#rqsrs-006rbacuseralter) + * 5.3.16.2 [RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation](#rqsrs-006rbacuseralterorderofevaluation) + * 5.3.16.3 [RQ.SRS-006.RBAC.User.Alter.IfExists](#rqsrs-006rbacuseralterifexists) + * 5.3.16.4 [RQ.SRS-006.RBAC.User.Alter.Cluster](#rqsrs-006rbacuseraltercluster) + * 5.3.16.5 [RQ.SRS-006.RBAC.User.Alter.Rename](#rqsrs-006rbacuseralterrename) + * 5.3.16.6 [RQ.SRS-006.RBAC.User.Alter.Password.PlainText](#rqsrs-006rbacuseralterpasswordplaintext) + * 5.3.16.7 [RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password](#rqsrs-006rbacuseralterpasswordsha256password) + * 5.3.16.8 [RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password](#rqsrs-006rbacuseralterpassworddoublesha1password) + * 5.3.16.9 [RQ.SRS-006.RBAC.User.Alter.Host.AddDrop](#rqsrs-006rbacuseralterhostadddrop) + * 5.3.16.10 [RQ.SRS-006.RBAC.User.Alter.Host.Local](#rqsrs-006rbacuseralterhostlocal) + * 5.3.16.11 [RQ.SRS-006.RBAC.User.Alter.Host.Name](#rqsrs-006rbacuseralterhostname) + * 5.3.16.12 [RQ.SRS-006.RBAC.User.Alter.Host.Regexp](#rqsrs-006rbacuseralterhostregexp) + * 5.3.16.13 [RQ.SRS-006.RBAC.User.Alter.Host.IP](#rqsrs-006rbacuseralterhostip) + * 5.3.16.14 [RQ.SRS-006.RBAC.User.Alter.Host.Like](#rqsrs-006rbacuseralterhostlike) + * 5.3.16.15 [RQ.SRS-006.RBAC.User.Alter.Host.Any](#rqsrs-006rbacuseralterhostany) + * 5.3.16.16 [RQ.SRS-006.RBAC.User.Alter.Host.None](#rqsrs-006rbacuseralterhostnone) + * 5.3.16.17 [RQ.SRS-006.RBAC.User.Alter.DefaultRole](#rqsrs-006rbacuseralterdefaultrole) + * 5.3.16.18 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.All](#rqsrs-006rbacuseralterdefaultroleall) + * 5.3.16.19 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept](#rqsrs-006rbacuseralterdefaultroleallexcept) + * 5.3.16.20 [RQ.SRS-006.RBAC.User.Alter.Settings](#rqsrs-006rbacuseraltersettings) + * 5.3.16.21 [RQ.SRS-006.RBAC.User.Alter.Settings.Min](#rqsrs-006rbacuseraltersettingsmin) + * 5.3.16.22 [RQ.SRS-006.RBAC.User.Alter.Settings.Max](#rqsrs-006rbacuseraltersettingsmax) + * 5.3.16.23 [RQ.SRS-006.RBAC.User.Alter.Settings.Profile](#rqsrs-006rbacuseraltersettingsprofile) + * 5.3.16.24 [RQ.SRS-006.RBAC.User.Alter.Syntax](#rqsrs-006rbacuseraltersyntax) + * 5.3.17 [Show Create User](#show-create-user) + * 5.3.17.1 [RQ.SRS-006.RBAC.User.ShowCreateUser](#rqsrs-006rbacusershowcreateuser) + * 5.3.17.2 [RQ.SRS-006.RBAC.User.ShowCreateUser.For](#rqsrs-006rbacusershowcreateuserfor) + * 5.3.17.3 [RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax](#rqsrs-006rbacusershowcreateusersyntax) + * 5.3.18 [Drop User](#drop-user) + * 5.3.18.1 [RQ.SRS-006.RBAC.User.Drop](#rqsrs-006rbacuserdrop) + * 5.3.18.2 [RQ.SRS-006.RBAC.User.Drop.IfExists](#rqsrs-006rbacuserdropifexists) + * 5.3.18.3 [RQ.SRS-006.RBAC.User.Drop.OnCluster](#rqsrs-006rbacuserdroponcluster) + * 5.3.18.4 [RQ.SRS-006.RBAC.User.Drop.Syntax](#rqsrs-006rbacuserdropsyntax) + * 5.4 [Role](#role) + * 5.4.1 [RQ.SRS-006.RBAC.Role](#rqsrs-006rbacrole) + * 5.4.2 [RQ.SRS-006.RBAC.Role.Privileges](#rqsrs-006rbacroleprivileges) + * 5.4.3 [RQ.SRS-006.RBAC.Role.Variables](#rqsrs-006rbacrolevariables) + * 5.4.4 [RQ.SRS-006.RBAC.Role.SettingsProfile](#rqsrs-006rbacrolesettingsprofile) + * 5.4.5 [RQ.SRS-006.RBAC.Role.Quotas](#rqsrs-006rbacrolequotas) + * 5.4.6 [RQ.SRS-006.RBAC.Role.RowPolicies](#rqsrs-006rbacrolerowpolicies) + * 5.4.7 [Create Role](#create-role) + * 5.4.7.1 [RQ.SRS-006.RBAC.Role.Create](#rqsrs-006rbacrolecreate) + * 5.4.7.2 [RQ.SRS-006.RBAC.Role.Create.IfNotExists](#rqsrs-006rbacrolecreateifnotexists) + * 5.4.7.3 [RQ.SRS-006.RBAC.Role.Create.Replace](#rqsrs-006rbacrolecreatereplace) + * 5.4.7.4 [RQ.SRS-006.RBAC.Role.Create.Settings](#rqsrs-006rbacrolecreatesettings) + * 5.4.7.5 [RQ.SRS-006.RBAC.Role.Create.Syntax](#rqsrs-006rbacrolecreatesyntax) + * 5.4.8 [Alter Role](#alter-role) + * 5.4.8.1 [RQ.SRS-006.RBAC.Role.Alter](#rqsrs-006rbacrolealter) + * 5.4.8.2 [RQ.SRS-006.RBAC.Role.Alter.IfExists](#rqsrs-006rbacrolealterifexists) + * 5.4.8.3 [RQ.SRS-006.RBAC.Role.Alter.Cluster](#rqsrs-006rbacrolealtercluster) + * 5.4.8.4 [RQ.SRS-006.RBAC.Role.Alter.Rename](#rqsrs-006rbacrolealterrename) + * 5.4.8.5 [RQ.SRS-006.RBAC.Role.Alter.Settings](#rqsrs-006rbacrolealtersettings) + * 5.4.8.6 [RQ.SRS-006.RBAC.Role.Alter.Syntax](#rqsrs-006rbacrolealtersyntax) + * 5.4.9 [Drop Role](#drop-role) + * 5.4.9.1 [RQ.SRS-006.RBAC.Role.Drop](#rqsrs-006rbacroledrop) + * 5.4.9.2 [RQ.SRS-006.RBAC.Role.Drop.IfExists](#rqsrs-006rbacroledropifexists) + * 5.4.9.3 [RQ.SRS-006.RBAC.Role.Drop.Cluster](#rqsrs-006rbacroledropcluster) + * 5.4.9.4 [RQ.SRS-006.RBAC.Role.Drop.Syntax](#rqsrs-006rbacroledropsyntax) + * 5.4.10 [Show Create Role](#show-create-role) + * 5.4.10.1 [RQ.SRS-006.RBAC.Role.ShowCreate](#rqsrs-006rbacroleshowcreate) + * 5.4.10.2 [RQ.SRS-006.RBAC.Role.ShowCreate.Syntax](#rqsrs-006rbacroleshowcreatesyntax) + * 5.5 [Partial Revokes](#partial-revokes) + * 5.5.1 [RQ.SRS-006.RBAC.PartialRevokes](#rqsrs-006rbacpartialrevokes) + * 5.5.2 [RQ.SRS-006.RBAC.PartialRevoke.Syntax](#rqsrs-006rbacpartialrevokesyntax) + * 5.6 [Settings Profile](#settings-profile) + * 5.6.1 [RQ.SRS-006.RBAC.SettingsProfile](#rqsrs-006rbacsettingsprofile) + * 5.6.2 [RQ.SRS-006.RBAC.SettingsProfile.Constraints](#rqsrs-006rbacsettingsprofileconstraints) + * 5.6.3 [Create Settings Profile](#create-settings-profile) + * 5.6.3.1 [RQ.SRS-006.RBAC.SettingsProfile.Create](#rqsrs-006rbacsettingsprofilecreate) + * 5.6.3.2 [RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists](#rqsrs-006rbacsettingsprofilecreateifnotexists) + * 5.6.3.3 [RQ.SRS-006.RBAC.SettingsProfile.Create.Replace](#rqsrs-006rbacsettingsprofilecreatereplace) + * 5.6.3.4 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables](#rqsrs-006rbacsettingsprofilecreatevariables) + * 5.6.3.5 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value](#rqsrs-006rbacsettingsprofilecreatevariablesvalue) + * 5.6.3.6 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints](#rqsrs-006rbacsettingsprofilecreatevariablesconstraints) + * 5.6.3.7 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment](#rqsrs-006rbacsettingsprofilecreateassignment) + * 5.6.3.8 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None](#rqsrs-006rbacsettingsprofilecreateassignmentnone) + * 5.6.3.9 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All](#rqsrs-006rbacsettingsprofilecreateassignmentall) + * 5.6.3.10 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilecreateassignmentallexcept) + * 5.6.3.11 [RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit](#rqsrs-006rbacsettingsprofilecreateinherit) + * 5.6.3.12 [RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster](#rqsrs-006rbacsettingsprofilecreateoncluster) + * 5.6.3.13 [RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax](#rqsrs-006rbacsettingsprofilecreatesyntax) + * 5.6.4 [Alter Settings Profile](#alter-settings-profile) + * 5.6.4.1 [RQ.SRS-006.RBAC.SettingsProfile.Alter](#rqsrs-006rbacsettingsprofilealter) + * 5.6.4.2 [RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists](#rqsrs-006rbacsettingsprofilealterifexists) + * 5.6.4.3 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename](#rqsrs-006rbacsettingsprofilealterrename) + * 5.6.4.4 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables](#rqsrs-006rbacsettingsprofilealtervariables) + * 5.6.4.5 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value](#rqsrs-006rbacsettingsprofilealtervariablesvalue) + * 5.6.4.6 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints](#rqsrs-006rbacsettingsprofilealtervariablesconstraints) + * 5.6.4.7 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment](#rqsrs-006rbacsettingsprofilealterassignment) + * 5.6.4.8 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None](#rqsrs-006rbacsettingsprofilealterassignmentnone) + * 5.6.4.9 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All](#rqsrs-006rbacsettingsprofilealterassignmentall) + * 5.6.4.10 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilealterassignmentallexcept) + * 5.6.4.11 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit](#rqsrs-006rbacsettingsprofilealterassignmentinherit) + * 5.6.4.12 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster](#rqsrs-006rbacsettingsprofilealterassignmentoncluster) + * 5.6.4.13 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax](#rqsrs-006rbacsettingsprofilealtersyntax) + * 5.6.5 [Drop Settings Profile](#drop-settings-profile) + * 5.6.5.1 [RQ.SRS-006.RBAC.SettingsProfile.Drop](#rqsrs-006rbacsettingsprofiledrop) + * 5.6.5.2 [RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists](#rqsrs-006rbacsettingsprofiledropifexists) + * 5.6.5.3 [RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster](#rqsrs-006rbacsettingsprofiledroponcluster) + * 5.6.5.4 [RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax](#rqsrs-006rbacsettingsprofiledropsyntax) + * 5.6.6 [Show Create Settings Profile](#show-create-settings-profile) + * 5.6.6.1 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile](#rqsrs-006rbacsettingsprofileshowcreatesettingsprofile) + * 5.7 [Quotas](#quotas) + * 5.7.1 [RQ.SRS-006.RBAC.Quotas](#rqsrs-006rbacquotas) + * 5.7.2 [RQ.SRS-006.RBAC.Quotas.Keyed](#rqsrs-006rbacquotaskeyed) + * 5.7.3 [RQ.SRS-006.RBAC.Quotas.Queries](#rqsrs-006rbacquotasqueries) + * 5.7.4 [RQ.SRS-006.RBAC.Quotas.Errors](#rqsrs-006rbacquotaserrors) + * 5.7.5 [RQ.SRS-006.RBAC.Quotas.ResultRows](#rqsrs-006rbacquotasresultrows) + * 5.7.6 [RQ.SRS-006.RBAC.Quotas.ReadRows](#rqsrs-006rbacquotasreadrows) + * 5.7.7 [RQ.SRS-006.RBAC.Quotas.ResultBytes](#rqsrs-006rbacquotasresultbytes) + * 5.7.8 [RQ.SRS-006.RBAC.Quotas.ReadBytes](#rqsrs-006rbacquotasreadbytes) + * 5.7.9 [RQ.SRS-006.RBAC.Quotas.ExecutionTime](#rqsrs-006rbacquotasexecutiontime) + * 5.7.10 [Create Quotas](#create-quotas) + * 5.7.10.1 [RQ.SRS-006.RBAC.Quota.Create](#rqsrs-006rbacquotacreate) + * 5.7.10.2 [RQ.SRS-006.RBAC.Quota.Create.IfNotExists](#rqsrs-006rbacquotacreateifnotexists) + * 5.7.10.3 [RQ.SRS-006.RBAC.Quota.Create.Replace](#rqsrs-006rbacquotacreatereplace) + * 5.7.10.4 [RQ.SRS-006.RBAC.Quota.Create.Cluster](#rqsrs-006rbacquotacreatecluster) + * 5.7.10.5 [RQ.SRS-006.RBAC.Quota.Create.Interval](#rqsrs-006rbacquotacreateinterval) + * 5.7.10.6 [RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized](#rqsrs-006rbacquotacreateintervalrandomized) + * 5.7.10.7 [RQ.SRS-006.RBAC.Quota.Create.Queries](#rqsrs-006rbacquotacreatequeries) + * 5.7.10.8 [RQ.SRS-006.RBAC.Quota.Create.Errors](#rqsrs-006rbacquotacreateerrors) + * 5.7.10.9 [RQ.SRS-006.RBAC.Quota.Create.ResultRows](#rqsrs-006rbacquotacreateresultrows) + * 5.7.10.10 [RQ.SRS-006.RBAC.Quota.Create.ReadRows](#rqsrs-006rbacquotacreatereadrows) + * 5.7.10.11 [RQ.SRS-006.RBAC.Quota.Create.ResultBytes](#rqsrs-006rbacquotacreateresultbytes) + * 5.7.10.12 [RQ.SRS-006.RBAC.Quota.Create.ReadBytes](#rqsrs-006rbacquotacreatereadbytes) + * 5.7.10.13 [RQ.SRS-006.RBAC.Quota.Create.ExecutionTime](#rqsrs-006rbacquotacreateexecutiontime) + * 5.7.10.14 [RQ.SRS-006.RBAC.Quota.Create.NoLimits](#rqsrs-006rbacquotacreatenolimits) + * 5.7.10.15 [RQ.SRS-006.RBAC.Quota.Create.TrackingOnly](#rqsrs-006rbacquotacreatetrackingonly) + * 5.7.10.16 [RQ.SRS-006.RBAC.Quota.Create.KeyedBy](#rqsrs-006rbacquotacreatekeyedby) + * 5.7.10.17 [RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions](#rqsrs-006rbacquotacreatekeyedbyoptions) + * 5.7.10.18 [RQ.SRS-006.RBAC.Quota.Create.Assignment](#rqsrs-006rbacquotacreateassignment) + * 5.7.10.19 [RQ.SRS-006.RBAC.Quota.Create.Assignment.None](#rqsrs-006rbacquotacreateassignmentnone) + * 5.7.10.20 [RQ.SRS-006.RBAC.Quota.Create.Assignment.All](#rqsrs-006rbacquotacreateassignmentall) + * 5.7.10.21 [RQ.SRS-006.RBAC.Quota.Create.Assignment.Except](#rqsrs-006rbacquotacreateassignmentexcept) + * 5.7.10.22 [RQ.SRS-006.RBAC.Quota.Create.Syntax](#rqsrs-006rbacquotacreatesyntax) + * 5.7.11 [Alter Quota](#alter-quota) + * 5.7.11.1 [RQ.SRS-006.RBAC.Quota.Alter](#rqsrs-006rbacquotaalter) + * 5.7.11.2 [RQ.SRS-006.RBAC.Quota.Alter.IfExists](#rqsrs-006rbacquotaalterifexists) + * 5.7.11.3 [RQ.SRS-006.RBAC.Quota.Alter.Rename](#rqsrs-006rbacquotaalterrename) + * 5.7.11.4 [RQ.SRS-006.RBAC.Quota.Alter.Cluster](#rqsrs-006rbacquotaaltercluster) + * 5.7.11.5 [RQ.SRS-006.RBAC.Quota.Alter.Interval](#rqsrs-006rbacquotaalterinterval) + * 5.7.11.6 [RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized](#rqsrs-006rbacquotaalterintervalrandomized) + * 5.7.11.7 [RQ.SRS-006.RBAC.Quota.Alter.Queries](#rqsrs-006rbacquotaalterqueries) + * 5.7.11.8 [RQ.SRS-006.RBAC.Quota.Alter.Errors](#rqsrs-006rbacquotaaltererrors) + * 5.7.11.9 [RQ.SRS-006.RBAC.Quota.Alter.ResultRows](#rqsrs-006rbacquotaalterresultrows) + * 5.7.11.10 [RQ.SRS-006.RBAC.Quota.Alter.ReadRows](#rqsrs-006rbacquotaalterreadrows) + * 5.7.11.11 [RQ.SRS-006.RBAC.Quota.ALter.ResultBytes](#rqsrs-006rbacquotaalterresultbytes) + * 5.7.11.12 [RQ.SRS-006.RBAC.Quota.Alter.ReadBytes](#rqsrs-006rbacquotaalterreadbytes) + * 5.7.11.13 [RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime](#rqsrs-006rbacquotaalterexecutiontime) + * 5.7.11.14 [RQ.SRS-006.RBAC.Quota.Alter.NoLimits](#rqsrs-006rbacquotaalternolimits) + * 5.7.11.15 [RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly](#rqsrs-006rbacquotaaltertrackingonly) + * 5.7.11.16 [RQ.SRS-006.RBAC.Quota.Alter.KeyedBy](#rqsrs-006rbacquotaalterkeyedby) + * 5.7.11.17 [RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions](#rqsrs-006rbacquotaalterkeyedbyoptions) + * 5.7.11.18 [RQ.SRS-006.RBAC.Quota.Alter.Assignment](#rqsrs-006rbacquotaalterassignment) + * 5.7.11.19 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.None](#rqsrs-006rbacquotaalterassignmentnone) + * 5.7.11.20 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.All](#rqsrs-006rbacquotaalterassignmentall) + * 5.7.11.21 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except](#rqsrs-006rbacquotaalterassignmentexcept) + * 5.7.11.22 [RQ.SRS-006.RBAC.Quota.Alter.Syntax](#rqsrs-006rbacquotaaltersyntax) + * 5.7.12 [Drop Quota](#drop-quota) + * 5.7.12.1 [RQ.SRS-006.RBAC.Quota.Drop](#rqsrs-006rbacquotadrop) + * 5.7.12.2 [RQ.SRS-006.RBAC.Quota.Drop.IfExists](#rqsrs-006rbacquotadropifexists) + * 5.7.12.3 [RQ.SRS-006.RBAC.Quota.Drop.Cluster](#rqsrs-006rbacquotadropcluster) + * 5.7.12.4 [RQ.SRS-006.RBAC.Quota.Drop.Syntax](#rqsrs-006rbacquotadropsyntax) + * 5.7.13 [Show Quotas](#show-quotas) + * 5.7.13.1 [RQ.SRS-006.RBAC.Quota.ShowQuotas](#rqsrs-006rbacquotashowquotas) + * 5.7.13.2 [RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile](#rqsrs-006rbacquotashowquotasintooutfile) + * 5.7.13.3 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Format](#rqsrs-006rbacquotashowquotasformat) + * 5.7.13.4 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings](#rqsrs-006rbacquotashowquotassettings) + * 5.7.13.5 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax](#rqsrs-006rbacquotashowquotassyntax) + * 5.7.14 [Show Create Quota](#show-create-quota) + * 5.7.14.1 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name](#rqsrs-006rbacquotashowcreatequotaname) + * 5.7.14.2 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current](#rqsrs-006rbacquotashowcreatequotacurrent) + * 5.7.14.3 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax](#rqsrs-006rbacquotashowcreatequotasyntax) + * 5.8 [Row Policy](#row-policy) + * 5.8.1 [RQ.SRS-006.RBAC.RowPolicy](#rqsrs-006rbacrowpolicy) + * 5.8.2 [RQ.SRS-006.RBAC.RowPolicy.Condition](#rqsrs-006rbacrowpolicycondition) + * 5.8.3 [RQ.SRS-006.RBAC.RowPolicy.Restriction](#rqsrs-006rbacrowpolicyrestriction) + * 5.8.4 [RQ.SRS-006.RBAC.RowPolicy.Nesting](#rqsrs-006rbacrowpolicynesting) + * 5.8.5 [Create Row Policy](#create-row-policy) + * 5.8.5.1 [RQ.SRS-006.RBAC.RowPolicy.Create](#rqsrs-006rbacrowpolicycreate) + * 5.8.5.2 [RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists](#rqsrs-006rbacrowpolicycreateifnotexists) + * 5.8.5.3 [RQ.SRS-006.RBAC.RowPolicy.Create.Replace](#rqsrs-006rbacrowpolicycreatereplace) + * 5.8.5.4 [RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster](#rqsrs-006rbacrowpolicycreateoncluster) + * 5.8.5.5 [RQ.SRS-006.RBAC.RowPolicy.Create.On](#rqsrs-006rbacrowpolicycreateon) + * 5.8.5.6 [RQ.SRS-006.RBAC.RowPolicy.Create.Access](#rqsrs-006rbacrowpolicycreateaccess) + * 5.8.5.7 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive](#rqsrs-006rbacrowpolicycreateaccesspermissive) + * 5.8.5.8 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive](#rqsrs-006rbacrowpolicycreateaccessrestrictive) + * 5.8.5.9 [RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect](#rqsrs-006rbacrowpolicycreateforselect) + * 5.8.5.10 [RQ.SRS-006.RBAC.RowPolicy.Create.Condition](#rqsrs-006rbacrowpolicycreatecondition) + * 5.8.5.11 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment](#rqsrs-006rbacrowpolicycreateassignment) + * 5.8.5.12 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None](#rqsrs-006rbacrowpolicycreateassignmentnone) + * 5.8.5.13 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All](#rqsrs-006rbacrowpolicycreateassignmentall) + * 5.8.5.14 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept](#rqsrs-006rbacrowpolicycreateassignmentallexcept) + * 5.8.5.15 [RQ.SRS-006.RBAC.RowPolicy.Create.Syntax](#rqsrs-006rbacrowpolicycreatesyntax) + * 5.8.6 [Alter Row Policy](#alter-row-policy) + * 5.8.6.1 [RQ.SRS-006.RBAC.RowPolicy.Alter](#rqsrs-006rbacrowpolicyalter) + * 5.8.6.2 [RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists](#rqsrs-006rbacrowpolicyalterifexists) + * 5.8.6.3 [RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect](#rqsrs-006rbacrowpolicyalterforselect) + * 5.8.6.4 [RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster](#rqsrs-006rbacrowpolicyalteroncluster) + * 5.8.6.5 [RQ.SRS-006.RBAC.RowPolicy.Alter.On](#rqsrs-006rbacrowpolicyalteron) + * 5.8.6.6 [RQ.SRS-006.RBAC.RowPolicy.Alter.Rename](#rqsrs-006rbacrowpolicyalterrename) + * 5.8.6.7 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access](#rqsrs-006rbacrowpolicyalteraccess) + * 5.8.6.8 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive](#rqsrs-006rbacrowpolicyalteraccesspermissive) + * 5.8.6.9 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive](#rqsrs-006rbacrowpolicyalteraccessrestrictive) + * 5.8.6.10 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition](#rqsrs-006rbacrowpolicyaltercondition) + * 5.8.6.11 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None](#rqsrs-006rbacrowpolicyalterconditionnone) + * 5.8.6.12 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment](#rqsrs-006rbacrowpolicyalterassignment) + * 5.8.6.13 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None](#rqsrs-006rbacrowpolicyalterassignmentnone) + * 5.8.6.14 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All](#rqsrs-006rbacrowpolicyalterassignmentall) + * 5.8.6.15 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept](#rqsrs-006rbacrowpolicyalterassignmentallexcept) + * 5.8.6.16 [RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax](#rqsrs-006rbacrowpolicyaltersyntax) + * 5.8.7 [Drop Row Policy](#drop-row-policy) + * 5.8.7.1 [RQ.SRS-006.RBAC.RowPolicy.Drop](#rqsrs-006rbacrowpolicydrop) + * 5.8.7.2 [RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists](#rqsrs-006rbacrowpolicydropifexists) + * 5.8.7.3 [RQ.SRS-006.RBAC.RowPolicy.Drop.On](#rqsrs-006rbacrowpolicydropon) + * 5.8.7.4 [RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster](#rqsrs-006rbacrowpolicydroponcluster) + * 5.8.7.5 [RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax](#rqsrs-006rbacrowpolicydropsyntax) + * 5.8.8 [Show Create Row Policy](#show-create-row-policy) + * 5.8.8.1 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy](#rqsrs-006rbacrowpolicyshowcreaterowpolicy) + * 5.8.8.2 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On](#rqsrs-006rbacrowpolicyshowcreaterowpolicyon) + * 5.8.8.3 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax](#rqsrs-006rbacrowpolicyshowcreaterowpolicysyntax) + * 5.8.8.4 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies](#rqsrs-006rbacrowpolicyshowrowpolicies) + * 5.8.8.5 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On](#rqsrs-006rbacrowpolicyshowrowpolicieson) + * 5.8.8.6 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax](#rqsrs-006rbacrowpolicyshowrowpoliciessyntax) + * 5.9 [Set Default Role](#set-default-role) + * 5.9.1 [RQ.SRS-006.RBAC.SetDefaultRole](#rqsrs-006rbacsetdefaultrole) + * 5.9.2 [RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser](#rqsrs-006rbacsetdefaultrolecurrentuser) + * 5.9.3 [RQ.SRS-006.RBAC.SetDefaultRole.All](#rqsrs-006rbacsetdefaultroleall) + * 5.9.4 [RQ.SRS-006.RBAC.SetDefaultRole.AllExcept](#rqsrs-006rbacsetdefaultroleallexcept) + * 5.9.5 [RQ.SRS-006.RBAC.SetDefaultRole.None](#rqsrs-006rbacsetdefaultrolenone) + * 5.9.6 [RQ.SRS-006.RBAC.SetDefaultRole.Syntax](#rqsrs-006rbacsetdefaultrolesyntax) + * 5.10 [Set Role](#set-role) + * 5.10.1 [RQ.SRS-006.RBAC.SetRole](#rqsrs-006rbacsetrole) + * 5.10.2 [RQ.SRS-006.RBAC.SetRole.Default](#rqsrs-006rbacsetroledefault) + * 5.10.3 [RQ.SRS-006.RBAC.SetRole.None](#rqsrs-006rbacsetrolenone) + * 5.10.4 [RQ.SRS-006.RBAC.SetRole.All](#rqsrs-006rbacsetroleall) + * 5.10.5 [RQ.SRS-006.RBAC.SetRole.AllExcept](#rqsrs-006rbacsetroleallexcept) + * 5.10.6 [RQ.SRS-006.RBAC.SetRole.Syntax](#rqsrs-006rbacsetrolesyntax) + * 5.11 [Grant](#grant) + * 5.11.1 [RQ.SRS-006.RBAC.Grant.Privilege.To](#rqsrs-006rbacgrantprivilegeto) + * 5.11.2 [RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser](#rqsrs-006rbacgrantprivilegetocurrentuser) + * 5.11.3 [RQ.SRS-006.RBAC.Grant.Privilege.Select](#rqsrs-006rbacgrantprivilegeselect) + * 5.11.4 [RQ.SRS-006.RBAC.Grant.Privilege.Insert](#rqsrs-006rbacgrantprivilegeinsert) + * 5.11.5 [RQ.SRS-006.RBAC.Grant.Privilege.Alter](#rqsrs-006rbacgrantprivilegealter) + * 5.11.6 [RQ.SRS-006.RBAC.Grant.Privilege.Create](#rqsrs-006rbacgrantprivilegecreate) + * 5.11.7 [RQ.SRS-006.RBAC.Grant.Privilege.Drop](#rqsrs-006rbacgrantprivilegedrop) + * 5.11.8 [RQ.SRS-006.RBAC.Grant.Privilege.Truncate](#rqsrs-006rbacgrantprivilegetruncate) + * 5.11.9 [RQ.SRS-006.RBAC.Grant.Privilege.Optimize](#rqsrs-006rbacgrantprivilegeoptimize) + * 5.11.10 [RQ.SRS-006.RBAC.Grant.Privilege.Show](#rqsrs-006rbacgrantprivilegeshow) + * 5.11.11 [RQ.SRS-006.RBAC.Grant.Privilege.KillQuery](#rqsrs-006rbacgrantprivilegekillquery) + * 5.11.12 [RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement](#rqsrs-006rbacgrantprivilegeaccessmanagement) + * 5.11.13 [RQ.SRS-006.RBAC.Grant.Privilege.System](#rqsrs-006rbacgrantprivilegesystem) + * 5.11.14 [RQ.SRS-006.RBAC.Grant.Privilege.Introspection](#rqsrs-006rbacgrantprivilegeintrospection) + * 5.11.15 [RQ.SRS-006.RBAC.Grant.Privilege.Sources](#rqsrs-006rbacgrantprivilegesources) + * 5.11.16 [RQ.SRS-006.RBAC.Grant.Privilege.DictGet](#rqsrs-006rbacgrantprivilegedictget) + * 5.11.17 [RQ.SRS-006.RBAC.Grant.Privilege.None](#rqsrs-006rbacgrantprivilegenone) + * 5.11.18 [RQ.SRS-006.RBAC.Grant.Privilege.All](#rqsrs-006rbacgrantprivilegeall) + * 5.11.19 [RQ.SRS-006.RBAC.Grant.Privilege.GrantOption](#rqsrs-006rbacgrantprivilegegrantoption) + * 5.11.20 [RQ.SRS-006.RBAC.Grant.Privilege.On](#rqsrs-006rbacgrantprivilegeon) + * 5.11.21 [RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns](#rqsrs-006rbacgrantprivilegeprivilegecolumns) + * 5.11.22 [RQ.SRS-006.RBAC.Grant.Privilege.OnCluster](#rqsrs-006rbacgrantprivilegeoncluster) + * 5.11.23 [RQ.SRS-006.RBAC.Grant.Privilege.Syntax](#rqsrs-006rbacgrantprivilegesyntax) + * 5.12 [Revoke](#revoke) + * 5.12.1 [RQ.SRS-006.RBAC.Revoke.Privilege.Cluster](#rqsrs-006rbacrevokeprivilegecluster) + * 5.12.2 [RQ.SRS-006.RBAC.Revoke.Privilege.Select](#rqsrs-006rbacrevokeprivilegeselect) + * 5.12.3 [RQ.SRS-006.RBAC.Revoke.Privilege.Insert](#rqsrs-006rbacrevokeprivilegeinsert) + * 5.12.4 [RQ.SRS-006.RBAC.Revoke.Privilege.Alter](#rqsrs-006rbacrevokeprivilegealter) + * 5.12.5 [RQ.SRS-006.RBAC.Revoke.Privilege.Create](#rqsrs-006rbacrevokeprivilegecreate) + * 5.12.6 [RQ.SRS-006.RBAC.Revoke.Privilege.Drop](#rqsrs-006rbacrevokeprivilegedrop) + * 5.12.7 [RQ.SRS-006.RBAC.Revoke.Privilege.Truncate](#rqsrs-006rbacrevokeprivilegetruncate) + * 5.12.8 [RQ.SRS-006.RBAC.Revoke.Privilege.Optimize](#rqsrs-006rbacrevokeprivilegeoptimize) + * 5.12.9 [RQ.SRS-006.RBAC.Revoke.Privilege.Show](#rqsrs-006rbacrevokeprivilegeshow) + * 5.12.10 [RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery](#rqsrs-006rbacrevokeprivilegekillquery) + * 5.12.11 [RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement](#rqsrs-006rbacrevokeprivilegeaccessmanagement) + * 5.12.12 [RQ.SRS-006.RBAC.Revoke.Privilege.System](#rqsrs-006rbacrevokeprivilegesystem) + * 5.12.13 [RQ.SRS-006.RBAC.Revoke.Privilege.Introspection](#rqsrs-006rbacrevokeprivilegeintrospection) + * 5.12.14 [RQ.SRS-006.RBAC.Revoke.Privilege.Sources](#rqsrs-006rbacrevokeprivilegesources) + * 5.12.15 [RQ.SRS-006.RBAC.Revoke.Privilege.DictGet](#rqsrs-006rbacrevokeprivilegedictget) + * 5.12.16 [RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns](#rqsrs-006rbacrevokeprivilegeprivilegecolumns) + * 5.12.17 [RQ.SRS-006.RBAC.Revoke.Privilege.Multiple](#rqsrs-006rbacrevokeprivilegemultiple) + * 5.12.18 [RQ.SRS-006.RBAC.Revoke.Privilege.All](#rqsrs-006rbacrevokeprivilegeall) + * 5.12.19 [RQ.SRS-006.RBAC.Revoke.Privilege.None](#rqsrs-006rbacrevokeprivilegenone) + * 5.12.20 [RQ.SRS-006.RBAC.Revoke.Privilege.On](#rqsrs-006rbacrevokeprivilegeon) + * 5.12.21 [RQ.SRS-006.RBAC.Revoke.Privilege.From](#rqsrs-006rbacrevokeprivilegefrom) + * 5.12.22 [RQ.SRS-006.RBAC.Revoke.Privilege.Syntax](#rqsrs-006rbacrevokeprivilegesyntax) + * 5.13 [Grant Role](#grant-role) + * 5.13.1 [RQ.SRS-006.RBAC.Grant.Role](#rqsrs-006rbacgrantrole) + * 5.13.2 [RQ.SRS-006.RBAC.Grant.Role.CurrentUser](#rqsrs-006rbacgrantrolecurrentuser) + * 5.13.3 [RQ.SRS-006.RBAC.Grant.Role.AdminOption](#rqsrs-006rbacgrantroleadminoption) + * 5.13.4 [RQ.SRS-006.RBAC.Grant.Role.OnCluster](#rqsrs-006rbacgrantroleoncluster) + * 5.13.5 [RQ.SRS-006.RBAC.Grant.Role.Syntax](#rqsrs-006rbacgrantrolesyntax) + * 5.14 [Revoke Role](#revoke-role) + * 5.14.1 [RQ.SRS-006.RBAC.Revoke.Role](#rqsrs-006rbacrevokerole) + * 5.14.2 [RQ.SRS-006.RBAC.Revoke.Role.Keywords](#rqsrs-006rbacrevokerolekeywords) + * 5.14.3 [RQ.SRS-006.RBAC.Revoke.Role.Cluster](#rqsrs-006rbacrevokerolecluster) + * 5.14.4 [RQ.SRS-006.RBAC.Revoke.AdminOption](#rqsrs-006rbacrevokeadminoption) + * 5.14.5 [RQ.SRS-006.RBAC.Revoke.Role.Syntax](#rqsrs-006rbacrevokerolesyntax) + * 5.15 [Show Grants](#show-grants) + * 5.15.1 [RQ.SRS-006.RBAC.Show.Grants](#rqsrs-006rbacshowgrants) + * 5.15.2 [RQ.SRS-006.RBAC.Show.Grants.For](#rqsrs-006rbacshowgrantsfor) + * 5.15.3 [RQ.SRS-006.RBAC.Show.Grants.Syntax](#rqsrs-006rbacshowgrantssyntax) + * 5.16 [Table Privileges](#table-privileges) + * 5.16.1 [RQ.SRS-006.RBAC.Table.PublicTables](#rqsrs-006rbactablepublictables) + * 5.16.2 [RQ.SRS-006.RBAC.Table.SensitiveTables](#rqsrs-006rbactablesensitivetables) + * 5.17 [Distributed Tables](#distributed-tables) + * 5.17.1 [RQ.SRS-006.RBAC.DistributedTable.Create](#rqsrs-006rbacdistributedtablecreate) + * 5.17.2 [RQ.SRS-006.RBAC.DistributedTable.Select](#rqsrs-006rbacdistributedtableselect) + * 5.17.3 [RQ.SRS-006.RBAC.DistributedTable.Insert](#rqsrs-006rbacdistributedtableinsert) + * 5.17.4 [RQ.SRS-006.RBAC.DistributedTable.SpecialTables](#rqsrs-006rbacdistributedtablespecialtables) + * 5.17.5 [RQ.SRS-006.RBAC.DistributedTable.LocalUser](#rqsrs-006rbacdistributedtablelocaluser) + * 5.17.6 [RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges](#rqsrs-006rbacdistributedtablesameuserdifferentnodesdifferentprivileges) + * 5.18 [Views](#views) + * 5.18.1 [View](#view) + * 5.18.1.1 [RQ.SRS-006.RBAC.View](#rqsrs-006rbacview) + * 5.18.1.2 [RQ.SRS-006.RBAC.View.Create](#rqsrs-006rbacviewcreate) + * 5.18.1.3 [RQ.SRS-006.RBAC.View.Select](#rqsrs-006rbacviewselect) + * 5.18.1.4 [RQ.SRS-006.RBAC.View.Drop](#rqsrs-006rbacviewdrop) + * 5.18.2 [Materialized View](#materialized-view) + * 5.18.2.1 [RQ.SRS-006.RBAC.MaterializedView](#rqsrs-006rbacmaterializedview) + * 5.18.2.2 [RQ.SRS-006.RBAC.MaterializedView.Create](#rqsrs-006rbacmaterializedviewcreate) + * 5.18.2.3 [RQ.SRS-006.RBAC.MaterializedView.Select](#rqsrs-006rbacmaterializedviewselect) + * 5.18.2.4 [RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable](#rqsrs-006rbacmaterializedviewselecttargettable) + * 5.18.2.5 [RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable](#rqsrs-006rbacmaterializedviewselectsourcetable) + * 5.18.2.6 [RQ.SRS-006.RBAC.MaterializedView.Drop](#rqsrs-006rbacmaterializedviewdrop) + * 5.18.2.7 [RQ.SRS-006.RBAC.MaterializedView.ModifyQuery](#rqsrs-006rbacmaterializedviewmodifyquery) + * 5.18.2.8 [RQ.SRS-006.RBAC.MaterializedView.Insert](#rqsrs-006rbacmaterializedviewinsert) + * 5.18.2.9 [RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable](#rqsrs-006rbacmaterializedviewinsertsourcetable) + * 5.18.2.10 [RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable](#rqsrs-006rbacmaterializedviewinserttargettable) + * 5.18.3 [Live View](#live-view) + * 5.18.3.1 [RQ.SRS-006.RBAC.LiveView](#rqsrs-006rbacliveview) + * 5.18.3.2 [RQ.SRS-006.RBAC.LiveView.Create](#rqsrs-006rbacliveviewcreate) + * 5.18.3.3 [RQ.SRS-006.RBAC.LiveView.Select](#rqsrs-006rbacliveviewselect) + * 5.18.3.4 [RQ.SRS-006.RBAC.LiveView.Drop](#rqsrs-006rbacliveviewdrop) + * 5.18.3.5 [RQ.SRS-006.RBAC.LiveView.Refresh](#rqsrs-006rbacliveviewrefresh) + * 5.19 [Select](#select) + * 5.19.1 [RQ.SRS-006.RBAC.Select](#rqsrs-006rbacselect) + * 5.19.2 [RQ.SRS-006.RBAC.Select.Column](#rqsrs-006rbacselectcolumn) + * 5.19.3 [RQ.SRS-006.RBAC.Select.Cluster](#rqsrs-006rbacselectcluster) + * 5.19.4 [RQ.SRS-006.RBAC.Select.TableEngines](#rqsrs-006rbacselecttableengines) + * 5.20 [Insert](#insert) + * 5.20.1 [RQ.SRS-006.RBAC.Insert](#rqsrs-006rbacinsert) + * 5.20.2 [RQ.SRS-006.RBAC.Insert.Column](#rqsrs-006rbacinsertcolumn) + * 5.20.3 [RQ.SRS-006.RBAC.Insert.Cluster](#rqsrs-006rbacinsertcluster) + * 5.20.4 [RQ.SRS-006.RBAC.Insert.TableEngines](#rqsrs-006rbacinserttableengines) + * 5.21 [Alter](#alter) + * 5.21.1 [Alter Column](#alter-column) + * 5.21.1.1 [RQ.SRS-006.RBAC.Privileges.AlterColumn](#rqsrs-006rbacprivilegesaltercolumn) + * 5.21.1.2 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant](#rqsrs-006rbacprivilegesaltercolumngrant) + * 5.21.1.3 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke](#rqsrs-006rbacprivilegesaltercolumnrevoke) + * 5.21.1.4 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Column](#rqsrs-006rbacprivilegesaltercolumncolumn) + * 5.21.1.5 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster](#rqsrs-006rbacprivilegesaltercolumncluster) + * 5.21.1.6 [RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines](#rqsrs-006rbacprivilegesaltercolumntableengines) + * 5.21.2 [Alter Index](#alter-index) + * 5.21.2.1 [RQ.SRS-006.RBAC.Privileges.AlterIndex](#rqsrs-006rbacprivilegesalterindex) + * 5.21.2.2 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant](#rqsrs-006rbacprivilegesalterindexgrant) + * 5.21.2.3 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke](#rqsrs-006rbacprivilegesalterindexrevoke) + * 5.21.2.4 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster](#rqsrs-006rbacprivilegesalterindexcluster) + * 5.21.2.5 [RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines](#rqsrs-006rbacprivilegesalterindextableengines) + * 5.21.3 [Alter Constraint](#alter-constraint) + * 5.21.3.1 [RQ.SRS-006.RBAC.Privileges.AlterConstraint](#rqsrs-006rbacprivilegesalterconstraint) + * 5.21.3.2 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant](#rqsrs-006rbacprivilegesalterconstraintgrant) + * 5.21.3.3 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke](#rqsrs-006rbacprivilegesalterconstraintrevoke) + * 5.21.3.4 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster](#rqsrs-006rbacprivilegesalterconstraintcluster) + * 5.21.3.5 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines](#rqsrs-006rbacprivilegesalterconstrainttableengines) + * 5.21.4 [Alter TTL](#alter-ttl) + * 5.21.4.1 [RQ.SRS-006.RBAC.Privileges.AlterTTL](#rqsrs-006rbacprivilegesalterttl) + * 5.21.4.2 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant](#rqsrs-006rbacprivilegesalterttlgrant) + * 5.21.4.3 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke](#rqsrs-006rbacprivilegesalterttlrevoke) + * 5.21.4.4 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster](#rqsrs-006rbacprivilegesalterttlcluster) + * 5.21.4.5 [RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines](#rqsrs-006rbacprivilegesalterttltableengines) + * 5.21.5 [Alter Settings](#alter-settings) + * 5.21.5.1 [RQ.SRS-006.RBAC.Privileges.AlterSettings](#rqsrs-006rbacprivilegesaltersettings) + * 5.21.5.2 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant](#rqsrs-006rbacprivilegesaltersettingsgrant) + * 5.21.5.3 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke](#rqsrs-006rbacprivilegesaltersettingsrevoke) + * 5.21.5.4 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster](#rqsrs-006rbacprivilegesaltersettingscluster) + * 5.21.5.5 [RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines](#rqsrs-006rbacprivilegesaltersettingstableengines) + * 5.21.6 [Alter Update](#alter-update) + * 5.21.6.1 [RQ.SRS-006.RBAC.Privileges.AlterUpdate](#rqsrs-006rbacprivilegesalterupdate) + * 5.21.6.2 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant](#rqsrs-006rbacprivilegesalterupdategrant) + * 5.21.6.3 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke](#rqsrs-006rbacprivilegesalterupdaterevoke) + * 5.21.6.4 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines](#rqsrs-006rbacprivilegesalterupdatetableengines) + * 5.21.7 [Alter Delete](#alter-delete) + * 5.21.7.1 [RQ.SRS-006.RBAC.Privileges.AlterDelete](#rqsrs-006rbacprivilegesalterdelete) + * 5.21.7.2 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant](#rqsrs-006rbacprivilegesalterdeletegrant) + * 5.21.7.3 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke](#rqsrs-006rbacprivilegesalterdeleterevoke) + * 5.21.7.4 [RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines](#rqsrs-006rbacprivilegesalterdeletetableengines) + * 5.21.8 [Alter Freeze Partition](#alter-freeze-partition) + * 5.21.8.1 [RQ.SRS-006.RBAC.Privileges.AlterFreeze](#rqsrs-006rbacprivilegesalterfreeze) + * 5.21.8.2 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant](#rqsrs-006rbacprivilegesalterfreezegrant) + * 5.21.8.3 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke](#rqsrs-006rbacprivilegesalterfreezerevoke) + * 5.21.8.4 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines](#rqsrs-006rbacprivilegesalterfreezetableengines) + * 5.21.9 [Alter Fetch Partition](#alter-fetch-partition) + * 5.21.9.1 [RQ.SRS-006.RBAC.Privileges.AlterFetch](#rqsrs-006rbacprivilegesalterfetch) + * 5.21.9.2 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant](#rqsrs-006rbacprivilegesalterfetchgrant) + * 5.21.9.3 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke](#rqsrs-006rbacprivilegesalterfetchrevoke) + * 5.21.9.4 [RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines](#rqsrs-006rbacprivilegesalterfetchtableengines) + * 5.21.10 [Alter Move Partition](#alter-move-partition) + * 5.21.10.1 [RQ.SRS-006.RBAC.Privileges.AlterMove](#rqsrs-006rbacprivilegesaltermove) + * 5.21.10.2 [RQ.SRS-006.RBAC.Privileges.AlterMove.Grant](#rqsrs-006rbacprivilegesaltermovegrant) + * 5.21.10.3 [RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke](#rqsrs-006rbacprivilegesaltermoverevoke) + * 5.21.10.4 [RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines](#rqsrs-006rbacprivilegesaltermovetableengines) + * 5.22 [Create](#create) + * 5.22.1 [RQ.SRS-006.RBAC.Privileges.CreateTable](#rqsrs-006rbacprivilegescreatetable) + * 5.22.2 [RQ.SRS-006.RBAC.Privileges.CreateDatabase](#rqsrs-006rbacprivilegescreatedatabase) + * 5.22.3 [RQ.SRS-006.RBAC.Privileges.CreateDictionary](#rqsrs-006rbacprivilegescreatedictionary) + * 5.22.4 [RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable](#rqsrs-006rbacprivilegescreatetemporarytable) + * 5.23 [Attach](#attach) + * 5.23.1 [RQ.SRS-006.RBAC.Privileges.AttachDatabase](#rqsrs-006rbacprivilegesattachdatabase) + * 5.23.2 [RQ.SRS-006.RBAC.Privileges.AttachDictionary](#rqsrs-006rbacprivilegesattachdictionary) + * 5.23.3 [RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable](#rqsrs-006rbacprivilegesattachtemporarytable) + * 5.23.4 [RQ.SRS-006.RBAC.Privileges.AttachTable](#rqsrs-006rbacprivilegesattachtable) + * 5.24 [Drop](#drop) + * 5.24.1 [RQ.SRS-006.RBAC.Privileges.DropTable](#rqsrs-006rbacprivilegesdroptable) + * 5.24.2 [RQ.SRS-006.RBAC.Privileges.DropDatabase](#rqsrs-006rbacprivilegesdropdatabase) + * 5.24.3 [RQ.SRS-006.RBAC.Privileges.DropDictionary](#rqsrs-006rbacprivilegesdropdictionary) + * 5.25 [Detach](#detach) + * 5.25.1 [RQ.SRS-006.RBAC.Privileges.DetachTable](#rqsrs-006rbacprivilegesdetachtable) + * 5.25.2 [RQ.SRS-006.RBAC.Privileges.DetachView](#rqsrs-006rbacprivilegesdetachview) + * 5.25.3 [RQ.SRS-006.RBAC.Privileges.DetachDatabase](#rqsrs-006rbacprivilegesdetachdatabase) + * 5.25.4 [RQ.SRS-006.RBAC.Privileges.DetachDictionary](#rqsrs-006rbacprivilegesdetachdictionary) + * 5.26 [Truncate](#truncate) + * 5.26.1 [RQ.SRS-006.RBAC.Privileges.Truncate](#rqsrs-006rbacprivilegestruncate) + * 5.27 [Optimize](#optimize) + * 5.27.1 [RQ.SRS-006.RBAC.Privileges.Optimize](#rqsrs-006rbacprivilegesoptimize) + * 5.28 [Kill Query](#kill-query) + * 5.28.1 [RQ.SRS-006.RBAC.Privileges.KillQuery](#rqsrs-006rbacprivilegeskillquery) + * 5.29 [Kill Mutation](#kill-mutation) + * 5.29.1 [RQ.SRS-006.RBAC.Privileges.KillMutation](#rqsrs-006rbacprivilegeskillmutation) + * 5.29.2 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate](#rqsrs-006rbacprivilegeskillmutationalterupdate) + * 5.29.3 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete](#rqsrs-006rbacprivilegeskillmutationalterdelete) + * 5.29.4 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn](#rqsrs-006rbacprivilegeskillmutationalterdropcolumn) + * 5.30 [Show](#show) + * 5.30.1 [RQ.SRS-006.RBAC.ShowTables.Privilege](#rqsrs-006rbacshowtablesprivilege) + * 5.30.2 [RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege](#rqsrs-006rbacshowtablesrequiredprivilege) + * 5.30.3 [RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege](#rqsrs-006rbacexiststablerequiredprivilege) + * 5.30.4 [RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege](#rqsrs-006rbacchecktablerequiredprivilege) + * 5.30.5 [RQ.SRS-006.RBAC.ShowDatabases.Privilege](#rqsrs-006rbacshowdatabasesprivilege) + * 5.30.6 [RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege](#rqsrs-006rbacshowdatabasesrequiredprivilege) + * 5.30.7 [RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege](#rqsrs-006rbacshowcreatedatabaserequiredprivilege) + * 5.30.8 [RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege](#rqsrs-006rbacusedatabaserequiredprivilege) + * 5.30.9 [RQ.SRS-006.RBAC.ShowColumns.Privilege](#rqsrs-006rbacshowcolumnsprivilege) + * 5.30.10 [RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege](#rqsrs-006rbacshowcreatetablerequiredprivilege) + * 5.30.11 [RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege](#rqsrs-006rbacdescribetablerequiredprivilege) + * 5.30.12 [RQ.SRS-006.RBAC.ShowDictionaries.Privilege](#rqsrs-006rbacshowdictionariesprivilege) + * 5.30.13 [RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege](#rqsrs-006rbacshowdictionariesrequiredprivilege) + * 5.30.14 [RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege](#rqsrs-006rbacshowcreatedictionaryrequiredprivilege) + * 5.30.15 [RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege](#rqsrs-006rbacexistsdictionaryrequiredprivilege) + * 5.31 [Access Management](#access-management) + * 5.31.1 [RQ.SRS-006.RBAC.Privileges.CreateUser](#rqsrs-006rbacprivilegescreateuser) + * 5.31.2 [RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole](#rqsrs-006rbacprivilegescreateuserdefaultrole) + * 5.31.3 [RQ.SRS-006.RBAC.Privileges.AlterUser](#rqsrs-006rbacprivilegesalteruser) + * 5.31.4 [RQ.SRS-006.RBAC.Privileges.DropUser](#rqsrs-006rbacprivilegesdropuser) + * 5.31.5 [RQ.SRS-006.RBAC.Privileges.CreateRole](#rqsrs-006rbacprivilegescreaterole) + * 5.31.6 [RQ.SRS-006.RBAC.Privileges.AlterRole](#rqsrs-006rbacprivilegesalterrole) + * 5.31.7 [RQ.SRS-006.RBAC.Privileges.DropRole](#rqsrs-006rbacprivilegesdroprole) + * 5.31.8 [RQ.SRS-006.RBAC.Privileges.CreateRowPolicy](#rqsrs-006rbacprivilegescreaterowpolicy) + * 5.31.9 [RQ.SRS-006.RBAC.Privileges.AlterRowPolicy](#rqsrs-006rbacprivilegesalterrowpolicy) + * 5.31.10 [RQ.SRS-006.RBAC.Privileges.DropRowPolicy](#rqsrs-006rbacprivilegesdroprowpolicy) + * 5.31.11 [RQ.SRS-006.RBAC.Privileges.CreateQuota](#rqsrs-006rbacprivilegescreatequota) + * 5.31.12 [RQ.SRS-006.RBAC.Privileges.AlterQuota](#rqsrs-006rbacprivilegesalterquota) + * 5.31.13 [RQ.SRS-006.RBAC.Privileges.DropQuota](#rqsrs-006rbacprivilegesdropquota) + * 5.31.14 [RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile](#rqsrs-006rbacprivilegescreatesettingsprofile) + * 5.31.15 [RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile](#rqsrs-006rbacprivilegesaltersettingsprofile) + * 5.31.16 [RQ.SRS-006.RBAC.Privileges.DropSettingsProfile](#rqsrs-006rbacprivilegesdropsettingsprofile) + * 5.31.17 [RQ.SRS-006.RBAC.Privileges.RoleAdmin](#rqsrs-006rbacprivilegesroleadmin) + * 5.31.18 [Show Access](#show-access) + * 5.31.18.1 [RQ.SRS-006.RBAC.ShowUsers.Privilege](#rqsrs-006rbacshowusersprivilege) + * 5.31.18.2 [RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege](#rqsrs-006rbacshowusersrequiredprivilege) + * 5.31.18.3 [RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege](#rqsrs-006rbacshowcreateuserrequiredprivilege) + * 5.31.18.4 [RQ.SRS-006.RBAC.ShowRoles.Privilege](#rqsrs-006rbacshowrolesprivilege) + * 5.31.18.5 [RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege](#rqsrs-006rbacshowrolesrequiredprivilege) + * 5.31.18.6 [RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege](#rqsrs-006rbacshowcreaterolerequiredprivilege) + * 5.31.18.7 [RQ.SRS-006.RBAC.ShowRowPolicies.Privilege](#rqsrs-006rbacshowrowpoliciesprivilege) + * 5.31.18.8 [RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege](#rqsrs-006rbacshowrowpoliciesrequiredprivilege) + * 5.31.18.9 [RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege](#rqsrs-006rbacshowcreaterowpolicyrequiredprivilege) + * 5.31.18.10 [RQ.SRS-006.RBAC.ShowQuotas.Privilege](#rqsrs-006rbacshowquotasprivilege) + * 5.31.18.11 [RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege](#rqsrs-006rbacshowquotasrequiredprivilege) + * 5.31.18.12 [RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege](#rqsrs-006rbacshowcreatequotarequiredprivilege) + * 5.31.18.13 [RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege](#rqsrs-006rbacshowsettingsprofilesprivilege) + * 5.31.18.14 [RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege](#rqsrs-006rbacshowsettingsprofilesrequiredprivilege) + * 5.31.18.15 [RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege](#rqsrs-006rbacshowcreatesettingsprofilerequiredprivilege) + * 5.32 [dictGet](#dictget) + * 5.32.1 [RQ.SRS-006.RBAC.dictGet.Privilege](#rqsrs-006rbacdictgetprivilege) + * 5.32.2 [RQ.SRS-006.RBAC.dictGet.RequiredPrivilege](#rqsrs-006rbacdictgetrequiredprivilege) + * 5.32.3 [RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege](#rqsrs-006rbacdictgettyperequiredprivilege) + * 5.32.4 [RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege](#rqsrs-006rbacdictgetordefaultrequiredprivilege) + * 5.32.5 [RQ.SRS-006.RBAC.dictHas.RequiredPrivilege](#rqsrs-006rbacdicthasrequiredprivilege) + * 5.32.6 [RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege](#rqsrs-006rbacdictgethierarchyrequiredprivilege) + * 5.32.7 [RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege](#rqsrs-006rbacdictisinrequiredprivilege) + * 5.33 [Introspection](#introspection) + * 5.33.1 [RQ.SRS-006.RBAC.Privileges.Introspection](#rqsrs-006rbacprivilegesintrospection) + * 5.33.2 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine](#rqsrs-006rbacprivilegesintrospectionaddresstoline) + * 5.33.3 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol](#rqsrs-006rbacprivilegesintrospectionaddresstosymbol) + * 5.33.4 [RQ.SRS-006.RBAC.Privileges.Introspection.demangle](#rqsrs-006rbacprivilegesintrospectiondemangle) + * 5.34 [System](#system) + * 5.34.1 [RQ.SRS-006.RBAC.Privileges.System.Shutdown](#rqsrs-006rbacprivilegessystemshutdown) + * 5.34.2 [RQ.SRS-006.RBAC.Privileges.System.DropCache](#rqsrs-006rbacprivilegessystemdropcache) + * 5.34.3 [RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS](#rqsrs-006rbacprivilegessystemdropcachedns) + * 5.34.4 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark](#rqsrs-006rbacprivilegessystemdropcachemark) + * 5.34.5 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed](#rqsrs-006rbacprivilegessystemdropcacheuncompressed) + * 5.34.6 [RQ.SRS-006.RBAC.Privileges.System.Reload](#rqsrs-006rbacprivilegessystemreload) + * 5.34.7 [RQ.SRS-006.RBAC.Privileges.System.Reload.Config](#rqsrs-006rbacprivilegessystemreloadconfig) + * 5.34.8 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary](#rqsrs-006rbacprivilegessystemreloaddictionary) + * 5.34.9 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries](#rqsrs-006rbacprivilegessystemreloaddictionaries) + * 5.34.10 [RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries](#rqsrs-006rbacprivilegessystemreloadembeddeddictionaries) + * 5.34.11 [RQ.SRS-006.RBAC.Privileges.System.Merges](#rqsrs-006rbacprivilegessystemmerges) + * 5.34.12 [RQ.SRS-006.RBAC.Privileges.System.TTLMerges](#rqsrs-006rbacprivilegessystemttlmerges) + * 5.34.13 [RQ.SRS-006.RBAC.Privileges.System.Fetches](#rqsrs-006rbacprivilegessystemfetches) + * 5.34.14 [RQ.SRS-006.RBAC.Privileges.System.Moves](#rqsrs-006rbacprivilegessystemmoves) + * 5.34.15 [RQ.SRS-006.RBAC.Privileges.System.Sends](#rqsrs-006rbacprivilegessystemsends) + * 5.34.16 [RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed](#rqsrs-006rbacprivilegessystemsendsdistributed) + * 5.34.17 [RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated](#rqsrs-006rbacprivilegessystemsendsreplicated) + * 5.34.18 [RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues](#rqsrs-006rbacprivilegessystemreplicationqueues) + * 5.34.19 [RQ.SRS-006.RBAC.Privileges.System.SyncReplica](#rqsrs-006rbacprivilegessystemsyncreplica) + * 5.34.20 [RQ.SRS-006.RBAC.Privileges.System.RestartReplica](#rqsrs-006rbacprivilegessystemrestartreplica) + * 5.34.21 [RQ.SRS-006.RBAC.Privileges.System.Flush](#rqsrs-006rbacprivilegessystemflush) + * 5.34.22 [RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed](#rqsrs-006rbacprivilegessystemflushdistributed) + * 5.34.23 [RQ.SRS-006.RBAC.Privileges.System.Flush.Logs](#rqsrs-006rbacprivilegessystemflushlogs) + * 5.35 [Sources](#sources) + * 5.35.1 [RQ.SRS-006.RBAC.Privileges.Sources](#rqsrs-006rbacprivilegessources) + * 5.35.2 [RQ.SRS-006.RBAC.Privileges.Sources.File](#rqsrs-006rbacprivilegessourcesfile) + * 5.35.3 [RQ.SRS-006.RBAC.Privileges.Sources.URL](#rqsrs-006rbacprivilegessourcesurl) + * 5.35.4 [RQ.SRS-006.RBAC.Privileges.Sources.Remote](#rqsrs-006rbacprivilegessourcesremote) + * 5.35.5 [RQ.SRS-006.RBAC.Privileges.Sources.MySQL](#rqsrs-006rbacprivilegessourcesmysql) + * 5.35.6 [RQ.SRS-006.RBAC.Privileges.Sources.ODBC](#rqsrs-006rbacprivilegessourcesodbc) + * 5.35.7 [RQ.SRS-006.RBAC.Privileges.Sources.JDBC](#rqsrs-006rbacprivilegessourcesjdbc) + * 5.35.8 [RQ.SRS-006.RBAC.Privileges.Sources.HDFS](#rqsrs-006rbacprivilegessourceshdfs) + * 5.35.9 [RQ.SRS-006.RBAC.Privileges.Sources.S3](#rqsrs-006rbacprivilegessourcess3) + * 5.36 [RQ.SRS-006.RBAC.Privileges.GrantOption](#rqsrs-006rbacprivilegesgrantoption) + * 5.37 [RQ.SRS-006.RBAC.Privileges.All](#rqsrs-006rbacprivilegesall) + * 5.38 [RQ.SRS-006.RBAC.Privileges.RoleAll](#rqsrs-006rbacprivilegesroleall) + * 5.39 [RQ.SRS-006.RBAC.Privileges.None](#rqsrs-006rbacprivilegesnone) + * 5.40 [RQ.SRS-006.RBAC.Privileges.AdminOption](#rqsrs-006rbacprivilegesadminoption) * 6 [References](#references) ## Revision History @@ -631,256 +663,103 @@ version: 1.0 [ClickHouse] SHALL support role based access control. -#### Login +### Login -##### RQ.SRS-006.RBAC.Login +#### RQ.SRS-006.RBAC.Login version: 1.0 [ClickHouse] SHALL only allow access to the server for a given user only when correct username and password are used during the connection to the server. -##### RQ.SRS-006.RBAC.Login.DefaultUser +#### RQ.SRS-006.RBAC.Login.DefaultUser version: 1.0 [ClickHouse] SHALL use the **default user** when no username and password are specified during the connection to the server. -#### User +### User -##### RQ.SRS-006.RBAC.User +#### RQ.SRS-006.RBAC.User version: 1.0 [ClickHouse] SHALL support creation and manipulation of one or more **user** accounts to which roles, privileges, settings profile, quotas and row policies can be assigned. -##### RQ.SRS-006.RBAC.User.Roles +#### RQ.SRS-006.RBAC.User.Roles version: 1.0 [ClickHouse] SHALL support assigning one or more **roles** to a **user**. -##### RQ.SRS-006.RBAC.User.Privileges +#### RQ.SRS-006.RBAC.User.Privileges version: 1.0 [ClickHouse] SHALL support assigning one or more privileges to a **user**. -##### RQ.SRS-006.RBAC.User.Variables +#### RQ.SRS-006.RBAC.User.Variables version: 1.0 [ClickHouse] SHALL support assigning one or more variables to a **user**. -##### RQ.SRS-006.RBAC.User.Variables.Constraints +#### RQ.SRS-006.RBAC.User.Variables.Constraints version: 1.0 [ClickHouse] SHALL support assigning min, max and read-only constraints for the variables that can be set and read by the **user**. -##### RQ.SRS-006.RBAC.User.SettingsProfile +#### RQ.SRS-006.RBAC.User.SettingsProfile version: 1.0 [ClickHouse] SHALL support assigning one or more **settings profiles** to a **user**. -##### RQ.SRS-006.RBAC.User.Quotas +#### RQ.SRS-006.RBAC.User.Quotas version: 1.0 [ClickHouse] SHALL support assigning one or more **quotas** to a **user**. -##### RQ.SRS-006.RBAC.User.RowPolicies +#### RQ.SRS-006.RBAC.User.RowPolicies version: 1.0 [ClickHouse] SHALL support assigning one or more **row policies** to a **user**. -##### RQ.SRS-006.RBAC.User.AccountLock -version: 1.0 - -[ClickHouse] SHALL support locking and unlocking of **user** accounts. - -##### RQ.SRS-006.RBAC.User.AccountLock.DenyAccess -version: 1.0 - -[ClickHouse] SHALL deny access to the user whose account is locked. - -##### RQ.SRS-006.RBAC.User.DefaultRole +#### RQ.SRS-006.RBAC.User.DefaultRole version: 1.0 [ClickHouse] SHALL support assigning a default role to a **user**. -##### RQ.SRS-006.RBAC.User.RoleSelection +#### RQ.SRS-006.RBAC.User.RoleSelection version: 1.0 [ClickHouse] SHALL support selection of one or more **roles** from the available roles -that are assigned to a **user**. +that are assigned to a **user** using `SET ROLE` statement. -##### RQ.SRS-006.RBAC.User.ShowCreate +#### RQ.SRS-006.RBAC.User.ShowCreate version: 1.0 [ClickHouse] SHALL support showing the command of how **user** account was created. -##### RQ.SRS-006.RBAC.User.ShowPrivileges +#### RQ.SRS-006.RBAC.User.ShowPrivileges version: 1.0 [ClickHouse] SHALL support listing the privileges of the **user**. -#### Role - -##### RQ.SRS-006.RBAC.Role -version: 1.0 - -[ClikHouse] SHALL support creation and manipulation of **roles** -to which privileges, settings profile, quotas and row policies can be -assigned. - -##### RQ.SRS-006.RBAC.Role.Privileges -version: 1.0 - -[ClickHouse] SHALL support assigning one or more privileges to a **role**. - -##### RQ.SRS-006.RBAC.Role.Variables -version: 1.0 - -[ClickHouse] SHALL support assigning one or more variables to a **role**. - -##### RQ.SRS-006.RBAC.Role.SettingsProfile -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **settings profiles** -to a **role**. - -##### RQ.SRS-006.RBAC.Role.Quotas -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **quotas** to a **role**. - -##### RQ.SRS-006.RBAC.Role.RowPolicies -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **row policies** to a **role**. - -#### Partial Revokes - -##### RQ.SRS-006.RBAC.PartialRevokes -version: 1.0 - -[ClickHouse] SHALL support partial revoking of privileges granted -to a **user** or a **role**. - -#### Settings Profile - -##### RQ.SRS-006.RBAC.SettingsProfile -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of **settings profiles** -that can include value definition for one or more variables and can -can be assigned to one or more **users** or **roles**. - -##### RQ.SRS-006.RBAC.SettingsProfile.Constraints -version: 1.0 - -[ClickHouse] SHALL support assigning min, max and read-only constraints -for the variables specified in the **settings profile**. - -##### RQ.SRS-006.RBAC.SettingsProfile.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **setting profile** was created. - -#### Quotas - -##### RQ.SRS-006.RBAC.Quotas -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of **quotas** -that can be used to limit resource usage by a **user** or a **role** -over a period of time. - -##### RQ.SRS-006.RBAC.Quotas.Keyed -version: 1.0 - -[ClickHouse] SHALL support creating **quotas** that are keyed -so that a quota is tracked separately for each key value. - -##### RQ.SRS-006.RBAC.Quotas.Queries -version: 1.0 - -[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests. - -##### RQ.SRS-006.RBAC.Quotas.Errors -version: 1.0 - -[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception. - -##### RQ.SRS-006.RBAC.Quotas.ResultRows -version: 1.0 - -[ClickHouse] SHALL support setting **result rows** quota to limit the -the total number of rows given as the result. - -##### RQ.SRS-006.RBAC.Quotas.ReadRows -version: 1.0 - -[ClickHouse] SHALL support setting **read rows** quota to limit the total -number of source rows read from tables for running the query on all remote servers. - -##### RQ.SRS-006.RBAC.Quotas.ResultBytes -version: 1.0 - -[ClickHouse] SHALL support setting **result bytes** quota to limit the total number -of bytes that can be returned as the result. - -##### RQ.SRS-006.RBAC.Quotas.ReadBytes -version: 1.0 - -[ClickHouse] SHALL support setting **read bytes** quota to limit the total number -of source bytes read from tables for running the query on all remote servers. - -##### RQ.SRS-006.RBAC.Quotas.ExecutionTime -version: 1.0 - -[ClickHouse] SHALL support setting **execution time** quota to limit the maximum -query execution time. - -##### RQ.SRS-006.RBAC.Quotas.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **quota** was created. - -#### Row Policy - -##### RQ.SRS-006.RBAC.RowPolicy -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of table **row policies** -that can be used to limit access to the table contents for a **user** or a **role** -using a specified **condition**. - -##### RQ.SRS-006.RBAC.RowPolicy.Condition -version: 1.0 - -[ClickHouse] SHALL support row policy **conditions** that can be any SQL -expression that returns a boolean. - -##### RQ.SRS-006.RBAC.RowPolicy.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **row policy** was created. - -### Specific - -##### RQ.SRS-006.RBAC.User.Use.DefaultRole +#### RQ.SRS-006.RBAC.User.Use.DefaultRole version: 1.0 [ClickHouse] SHALL by default use default role or roles assigned to the user if specified. -##### RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole +#### RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole version: 1.0 [ClickHouse] SHALL by default use all the roles assigned to the user if no default role or roles are specified for the user. +#### Create User + ##### RQ.SRS-006.RBAC.User.Create version: 1.0 @@ -1078,6 +957,8 @@ CREATE USER [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Alter User + ##### RQ.SRS-006.RBAC.User.Alter version: 1.0 @@ -1094,7 +975,8 @@ the left. version: 1.0 [ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER USER` statement -to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist. If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist. +to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist. +If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist. ##### RQ.SRS-006.RBAC.User.Alter.Cluster version: 1.0 @@ -1132,7 +1014,8 @@ to some password as identification when altering user account using ##### RQ.SRS-006.RBAC.User.Alter.Host.AddDrop version: 1.0 -[ClickHouse] SHALL support altering user by adding and dropping access to hosts with the `ADD HOST` or the `DROP HOST`in the `ALTER USER` statement. +[ClickHouse] SHALL support altering user by adding and dropping access to hosts +with the `ADD HOST` or the `DROP HOST` in the `ALTER USER` statement. ##### RQ.SRS-006.RBAC.User.Alter.Host.Local version: 1.0 @@ -1164,7 +1047,8 @@ which user can access the server using the `HOST IP` clause in the ##### RQ.SRS-006.RBAC.User.Alter.Host.Like version: 1.0 -[ClickHouse] SHALL support specifying sone or more similar hosts using `LIKE` command syntax using the `HOST LIKE` clause in the `ALTER USER` statement. +[ClickHouse] SHALL support specifying one or more similar hosts using `LIKE` command syntax +using the `HOST LIKE` clause in the `ALTER USER` statement. ##### RQ.SRS-006.RBAC.User.Alter.Host.Any version: 1.0 @@ -1207,7 +1091,6 @@ version: 1.0 [ClickHouse] SHALL support specifying a minimum value for the variable specifed using `SETTINGS` with `MIN` clause in the `ALTER USER` statement. - ##### RQ.SRS-006.RBAC.User.Alter.Settings.Max version: 1.0 @@ -1232,85 +1115,7 @@ ALTER USER [IF EXISTS] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` -##### RQ.SRS-006.RBAC.SetDefaultRole -version: 1.0 - -[ClickHouse] SHALL support setting or changing granted roles to default for one or more -users using `SET DEFAULT ROLE` statement which -SHALL permanently change the default roles for the user or users if successful. - -##### RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser -version: 1.0 - -[ClickHouse] SHALL support setting or changing granted roles to default for -the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.All -version: 1.0 - -[ClickHouse] SHALL support setting or changing all granted roles to default -for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.AllExcept -version: 1.0 - -[ClickHouse] SHALL support setting or changing all granted roles except those specified -to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.None -version: 1.0 - -[ClickHouse] SHALL support removing all granted roles from default -for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement. - -```sql -SET DEFAULT ROLE - {NONE | role [,...] | ALL | ALL EXCEPT role [,...]} - TO {user|CURRENT_USER} [,...] - -``` - -##### RQ.SRS-006.RBAC.SetRole -version: 1.0 - -[ClickHouse] SHALL support activating role or roles for the current user -using `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.Default -version: 1.0 - -[ClickHouse] SHALL support activating default roles for the current user -using `DEFAULT` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.None -version: 1.0 - -[ClickHouse] SHALL support activating no roles for the current user -using `NONE` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.All -version: 1.0 - -[ClickHouse] SHALL support activating all roles for the current user -using `ALL` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.AllExcept -version: 1.0 - -[ClickHouse] SHALL support activating all roles except those specified -for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.Syntax -version: 1.0 - -```sql -SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]} -``` +#### Show Create User ##### RQ.SRS-006.RBAC.User.ShowCreateUser version: 1.0 @@ -1333,6 +1138,8 @@ version: 1.0 SHOW CREATE USER [name | CURRENT_USER] ``` +#### Drop User + ##### RQ.SRS-006.RBAC.User.Drop version: 1.0 @@ -1361,6 +1168,43 @@ version: 1.0 DROP USER [IF EXISTS] name [,...] [ON CLUSTER cluster_name] ``` +### Role + +#### RQ.SRS-006.RBAC.Role +version: 1.0 + +[ClikHouse] SHALL support creation and manipulation of **roles** +to which privileges, settings profile, quotas and row policies can be +assigned. + +#### RQ.SRS-006.RBAC.Role.Privileges +version: 1.0 + +[ClickHouse] SHALL support assigning one or more privileges to a **role**. + +#### RQ.SRS-006.RBAC.Role.Variables +version: 1.0 + +[ClickHouse] SHALL support assigning one or more variables to a **role**. + +#### RQ.SRS-006.RBAC.Role.SettingsProfile +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **settings profiles** +to a **role**. + +#### RQ.SRS-006.RBAC.Role.Quotas +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **quotas** to a **role**. + +#### RQ.SRS-006.RBAC.Role.RowPolicies +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **row policies** to a **role**. + +#### Create Role + ##### RQ.SRS-006.RBAC.Role.Create version: 1.0 @@ -1396,6 +1240,8 @@ CREATE ROLE [IF NOT EXISTS | OR REPLACE] name [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Alter Role + ##### RQ.SRS-006.RBAC.Role.Alter version: 1.0 @@ -1442,6 +1288,8 @@ ALTER ROLE [IF EXISTS] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Drop Role + ##### RQ.SRS-006.RBAC.Role.Drop version: 1.0 @@ -1469,6 +1317,8 @@ version: 1.0 DROP ROLE [IF EXISTS] name [,...] [ON CLUSTER cluster_name] ``` +#### Show Create Role + ##### RQ.SRS-006.RBAC.Role.ShowCreate version: 1.0 @@ -1484,326 +1334,15 @@ version: 1.0 SHOW CREATE ROLE name ``` -##### RQ.SRS-006.RBAC.Grant.Privilege.To +### Partial Revokes + +#### RQ.SRS-006.RBAC.PartialRevokes version: 1.0 -[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause -in the `GRANT PRIVILEGE` statement. +[ClickHouse] SHALL support partial revoking of privileges granted +to a **user** or a **role**. -##### RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser -version: 1.0 - -[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause -in the `GRANT PRIVILEGE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Select -version: 1.0 - -[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles -for a database or a table using the `GRANT SELECT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Insert -version: 1.0 - -[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles -for a database or a table using the `GRANT INSERT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Alter -version: 1.0 - -[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles -for a database or a table using the `GRANT ALTER` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Create -version: 1.0 - -[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles -using the `GRANT CREATE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Drop -version: 1.0 - -[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles -using the `GRANT DROP` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Truncate -version: 1.0 - -[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles -for a database or a table using `GRANT TRUNCATE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Optimize -version: 1.0 - -[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles -for a database or a table using `GRANT OPTIMIZE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Show -version: 1.0 - -[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles -for a database or a table using `GRANT SHOW` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.KillQuery -version: 1.0 - -[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles -for a database or a table using `GRANT KILL QUERY` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement -version: 1.0 - -[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles -for a database or a table using `GRANT ACCESS MANAGEMENT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.System -version: 1.0 - -[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles -for a database or a table using `GRANT SYSTEM` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Introspection -version: 1.0 - -[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles -for a database or a table using `GRANT INTROSPECTION` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Sources -version: 1.0 - -[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles -for a database or a table using `GRANT SOURCES` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.DictGet -version: 1.0 - -[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles -for a database or a table using `GRANT dictGet` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.None -version: 1.0 - -[ClickHouse] SHALL support granting no privileges to one or more users or roles -for a database or a table using `GRANT NONE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.All -version: 1.0 - -[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles -for a database or a table using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements. - -##### RQ.SRS-006.RBAC.Grant.Privilege.GrantOption -version: 1.0 - -[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles -for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.On -version: 1.0 - -[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement -which SHALL allow to specify one or more tables to which the privilege SHALL -be granted using the following patterns - -* `*.*` any table in any database -* `database.*` any table in the specified database -* `database.table` specific table in the specified database -* `*` any table in the current database -* `table` specific table in the current database - -##### RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns -version: 1.0 - -[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles -for a database or a table using the `GRANT some_privilege(column)` statement for one column. -Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement. -The privileges will be granted for only the specified columns. - -##### RQ.SRS-006.RBAC.Grant.Privilege.OnCluster -version: 1.0 - -[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER` -clause in the `GRANT PRIVILEGE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `GRANT` statement that -grants explicit privileges to a user or a role. - -```sql -GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] - ON {db.table|db.*|*.*|table|*} - TO {user | role | CURRENT_USER} [,...] - [WITH GRANT OPTION] -``` - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Cluster -version: 1.0 - -[ClickHouse] SHALL support revoking privileges to one or more users or roles -for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Any -version: 1.0 - -[ClickHouse] SHALL support revoking ANY privilege to one or more users or roles -for a database or a table using the `REVOKE some_privilege` statement. -**some_privilege** refers to any Clickhouse defined privilege, whose hierarchy includes -SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, -SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Select -version: 1.0 - -[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles -for a database or a table using the `REVOKE SELECT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Insert -version: 1.0 - -[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles -for a database or a table using the `REVOKE INSERT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Alter -version: 1.0 - -[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles -for a database or a table using the `REVOKE ALTER` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Create -version: 1.0 - -[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles -using the `REVOKE CREATE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Drop -version: 1.0 - -[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles -using the `REVOKE DROP` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Truncate -version: 1.0 - -[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles -for a database or a table using the `REVOKE TRUNCATE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Optimize -version: 1.0 - -[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles -for a database or a table using the `REVOKE OPTIMIZE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Show -version: 1.0 - -[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles -for a database or a table using the `REVOKE SHOW` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery -version: 1.0 - -[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles -for a database or a table using the `REVOKE KILL QUERY` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement -version: 1.0 - -[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles -for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.System -version: 1.0 - -[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles -for a database or a table using the `REVOKE SYSTEM` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Introspection -version: 1.0 - -[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles -for a database or a table using the `REVOKE INTROSPECTION` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Sources -version: 1.0 - -[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles -for a database or a table using the `REVOKE SOURCES` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.DictGet -version: 1.0 - -[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles -for a database or a table using the `REVOKE dictGet` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.PrivelegeColumns -version: 1.0 - -[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles -for a database or a table using the `REVOKE some_privilege(column)` statement for one column. -Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement. -The privileges will be revoked for only the specified columns. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Multiple -version: 1.0 - -[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles -for a database or a table using the `REVOKE privilege1, privilege2...` statement. -**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes -SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, -SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.All -version: 1.0 - -[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles -for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.None -version: 1.0 - -[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles -for a database or a table using the `REVOKE NONE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.On -version: 1.0 - -[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement -which SHALL allow to specify one or more tables to which the privilege SHALL -be revoked using the following patterns - -* `db.table` specific table in the specified database -* `db.*` any table in the specified database -* `*.*` any table in any database -* `table` specific table in the current database -* `*` any table in the current database - -##### RQ.SRS-006.RBAC.Revoke.Privilege.From -version: 1.0 - -[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement -which SHALL allow to specify one or more users to which the privilege SHALL -be revoked using the following patterns - -* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user -* `ALL` all users -* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that -revokes explicit privileges of a user or a role. - -```sql -REVOKE [ON CLUSTER cluster_name] privilege - [(column_name [,...])] [,...] - ON {db.table|db.*|*.*|table|*} - FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...] -``` - -##### RQ.SRS-006.RBAC.PartialRevoke.Syntax +#### RQ.SRS-006.RBAC.PartialRevoke.Syntax version: 1.0 [ClickHouse] SHALL support partial revokes by using `partial_revokes` variable @@ -1821,102 +1360,22 @@ To enable partial revokes the `partial revokes` variable SHALL be set to `1` SET partial_revokes = 1 ``` -##### RQ.SRS-006.RBAC.Grant.Role +### Settings Profile + +#### RQ.SRS-006.RBAC.SettingsProfile version: 1.0 -[ClickHouse] SHALL support granting one or more roles to -one or more users or roles using the `GRANT` role statement. +[ClickHouse] SHALL support creation and manipulation of **settings profiles** +that can include value definition for one or more variables and can +can be assigned to one or more **users** or **roles**. -##### RQ.SRS-006.RBAC.Grant.Role.CurrentUser +#### RQ.SRS-006.RBAC.SettingsProfile.Constraints version: 1.0 -[ClickHouse] SHALL support granting one or more roles to current user using -`TO CURRENT_USER` clause in the `GRANT` role statement. +[ClickHouse] SHALL support assigning min, max and read-only constraints +for the variables specified in the **settings profile**. -##### RQ.SRS-006.RBAC.Grant.Role.AdminOption -version: 1.0 - -[ClickHouse] SHALL support granting `admin option` privilege -to one or more users or roles using the `WITH ADMIN OPTION` clause -in the `GRANT` role statement. - -##### RQ.SRS-006.RBAC.Grant.Role.OnCluster -version: 1.0 - -[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles -using `ON CLUSTER` clause in the `GRANT` statement. - -##### RQ.SRS-006.RBAC.Grant.Role.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for `GRANT` role statement - -``` sql -GRANT - ON CLUSTER cluster_name - role [, role ...] - TO {user | role | CURRENT_USER} [,...] - [WITH ADMIN OPTION] -``` - -##### RQ.SRS-006.RBAC.Revoke.Role -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -one or more users or roles using the `REVOKE` role statement. - -##### RQ.SRS-006.RBAC.Revoke.Role.Keywords -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`, -and `CURRENT_USER` keywords. - -##### RQ.SRS-006.RBAC.Revoke.Role.Cluster -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -one or more users or roles from one or more clusters -using the `REVOKE ON CLUSTER` role statement. - -##### RQ.SRS-006.RBAC.Revoke.AdminOption -version: 1.0 - -[ClickHouse] SHALL support revoking `admin option` privilege -in one or more users or roles using the `ADMIN OPTION FOR` clause -in the `REVOKE` role statement. - -##### RQ.SRS-006.RBAC.Revoke.Role.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement - -```sql -REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR] - role [,...] - FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...] -``` - -##### RQ.SRS-006.RBAC.Show.Grants -version: 1.0 - -[ClickHouse] SHALL support listing all the privileges granted to current user and role -using the `SHOW GRANTS` statement. - -##### RQ.SRS-006.RBAC.Show.Grants.For -version: 1.0 - -[ClickHouse] SHALL support listing all the privileges granted to a user or a role -using the `FOR` clause in the `SHOW GRANTS` statement. - -##### RQ.SRS-006.RBAC.Show.Grants.Syntax -version: 1.0 - -[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement - -``` sql -SHOW GRANTS [FOR user_or_role] -``` +#### Create Settings Profile ##### RQ.SRS-006.RBAC.SettingsProfile.Create version: 1.0 @@ -2002,6 +1461,8 @@ CREATE SETTINGS PROFILE [IF NOT EXISTS | OR REPLACE] name [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}] ``` +#### Alter Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.Alter version: 1.0 @@ -2087,6 +1548,8 @@ ALTER SETTINGS PROFILE [IF EXISTS] name [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]]} ``` +#### Drop Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.Drop version: 1.0 @@ -2115,6 +1578,8 @@ version: 1.0 DROP SETTINGS PROFILE [IF EXISTS] name [,name,...] ``` +#### Show Create Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile version: 1.0 @@ -2125,6 +1590,63 @@ using the `SHOW CREATE SETTINGS PROFILE` statement with the following syntax SHOW CREATE SETTINGS PROFILE name ``` +### Quotas + +#### RQ.SRS-006.RBAC.Quotas +version: 1.0 + +[ClickHouse] SHALL support creation and manipulation of **quotas** +that can be used to limit resource usage by a **user** or a **role** +over a period of time. + +#### RQ.SRS-006.RBAC.Quotas.Keyed +version: 1.0 + +[ClickHouse] SHALL support creating **quotas** that are keyed +so that a quota is tracked separately for each key value. + +#### RQ.SRS-006.RBAC.Quotas.Queries +version: 1.0 + +[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests. + +#### RQ.SRS-006.RBAC.Quotas.Errors +version: 1.0 + +[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception. + +#### RQ.SRS-006.RBAC.Quotas.ResultRows +version: 1.0 + +[ClickHouse] SHALL support setting **result rows** quota to limit the +the total number of rows given as the result. + +#### RQ.SRS-006.RBAC.Quotas.ReadRows +version: 1.0 + +[ClickHouse] SHALL support setting **read rows** quota to limit the total +number of source rows read from tables for running the query on all remote servers. + +#### RQ.SRS-006.RBAC.Quotas.ResultBytes +version: 1.0 + +[ClickHouse] SHALL support setting **result bytes** quota to limit the total number +of bytes that can be returned as the result. + +#### RQ.SRS-006.RBAC.Quotas.ReadBytes +version: 1.0 + +[ClickHouse] SHALL support setting **read bytes** quota to limit the total number +of source bytes read from tables for running the query on all remote servers. + +#### RQ.SRS-006.RBAC.Quotas.ExecutionTime +version: 1.0 + +[ClickHouse] SHALL support setting **execution time** quota to limit the maximum +query execution time. + +#### Create Quotas + ##### RQ.SRS-006.RBAC.Quota.Create version: 1.0 @@ -2163,7 +1685,6 @@ of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be: `FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number to define the interval. - ##### RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized version: 1.0 @@ -2286,6 +1807,8 @@ CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name] [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Alter Quota + ##### RQ.SRS-006.RBAC.Quota.Alter version: 1.0 @@ -2444,6 +1967,8 @@ ALTER QUOTA [IF EXIST] name [TO {user_or_role [,...] | NONE | ALL} [EXCEPT user_or_role [,...]]] ``` +#### Drop Quota + ##### RQ.SRS-006.RBAC.Quota.Drop version: 1.0 @@ -2472,6 +1997,8 @@ version: 1.0 DROP QUOTA [IF EXISTS] name [,name...] ``` +#### Show Quotas + ##### RQ.SRS-006.RBAC.Quota.ShowQuotas version: 1.0 @@ -2496,7 +2023,6 @@ version: 1.0 [ClickHouse] SHALL support the `SETTINGS` clause in the `SHOW QUOTAS` statement to define settings in the showing of all quotas. - ##### RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax version: 1.0 @@ -2505,6 +2031,9 @@ with the following syntax ``` sql SHOW QUOTAS ``` + +#### Show Create Quota + ##### RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name version: 1.0 @@ -2532,6 +2061,34 @@ using the `SHOW CREATE QUOTA` statement. SHOW CREATE QUOTA [name | CURRENT] ``` +### Row Policy + +#### RQ.SRS-006.RBAC.RowPolicy +version: 1.0 + +[ClickHouse] SHALL support creation and manipulation of table **row policies** +that can be used to limit access to the table contents for a **user** or a **role** +using a specified **condition**. + +#### RQ.SRS-006.RBAC.RowPolicy.Condition +version: 1.0 + +[ClickHouse] SHALL support row policy **conditions** that can be any SQL +expression that returns a boolean. + +#### RQ.SRS-006.RBAC.RowPolicy.Restriction +version: 1.0 + +[ClickHouse] SHALL restrict all access to a table when a row policy with a condition is created on that table. +All users require a permissive row policy in order to view the table. + +#### RQ.SRS-006.RBAC.RowPolicy.Nesting +version: 1.0 + +[ClickHouse] SHALL restrict rows of tables or views created on top of a table with row policies according to those policies. + +#### Create Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Create version: 1.0 @@ -2586,14 +2143,14 @@ version: 1.0 [ClickHouse] SHALL support specifying which rows are affected using the `FOR SELECT` clause in the `CREATE ROW POLICY` statement. -REQUIRES CONFIRMATION +REQUIRES CONDITION. ##### RQ.SRS-006.RBAC.RowPolicy.Create.Condition version: 1.0 [ClickHouse] SHALL support specifying a condition that that can be any SQL expression which returns a boolean using the `USING` -clause in the `CREATE ROW POLOCY` statement. +clause in the `CREATE ROW POLICY` statement. ##### RQ.SRS-006.RBAC.RowPolicy.Create.Assignment version: 1.0 @@ -2632,6 +2189,8 @@ CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name [ON CLUSTER cluster [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Alter Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Alter version: 1.0 @@ -2738,6 +2297,8 @@ ALTER [ROW] POLICY [IF EXISTS] name [ON CLUSTER cluster_name] ON [database.]tabl [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Drop Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Drop version: 1.0 @@ -2772,6 +2333,8 @@ version: 1.0 DROP [ROW] POLICY [IF EXISTS] name [,...] ON [database.]table [,...] [ON CLUSTER cluster_name] ``` +#### Show Create Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy version: 1.0 @@ -2813,9 +2376,510 @@ version: 1.0 SHOW [ROW] POLICIES [ON [database.]table] ``` -#### Table Privileges +### Set Default Role -##### RQ.SRS-006.RBAC.Table.PublicTables +#### RQ.SRS-006.RBAC.SetDefaultRole +version: 1.0 + +[ClickHouse] SHALL support setting or changing granted roles to default for one or more +users using `SET DEFAULT ROLE` statement which +SHALL permanently change the default roles for the user or users if successful. + +#### RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser +version: 1.0 + +[ClickHouse] SHALL support setting or changing granted roles to default for +the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.All +version: 1.0 + +[ClickHouse] SHALL support setting or changing all granted roles to default +for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.AllExcept +version: 1.0 + +[ClickHouse] SHALL support setting or changing all granted roles except those specified +to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.None +version: 1.0 + +[ClickHouse] SHALL support removing all granted roles from default +for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement. + +```sql +SET DEFAULT ROLE + {NONE | role [,...] | ALL | ALL EXCEPT role [,...]} + TO {user|CURRENT_USER} [,...] + +``` + +### Set Role + +#### RQ.SRS-006.RBAC.SetRole +version: 1.0 + +[ClickHouse] SHALL support activating role or roles for the current user +using `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.Default +version: 1.0 + +[ClickHouse] SHALL support activating default roles for the current user +using `DEFAULT` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.None +version: 1.0 + +[ClickHouse] SHALL support activating no roles for the current user +using `NONE` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.All +version: 1.0 + +[ClickHouse] SHALL support activating all roles for the current user +using `ALL` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.AllExcept +version: 1.0 + +[ClickHouse] SHALL support activating all roles except those specified +for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.Syntax +version: 1.0 + +```sql +SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]} +``` + +### Grant + +#### RQ.SRS-006.RBAC.Grant.Privilege.To +version: 1.0 + +[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause +in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser +version: 1.0 + +[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause +in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Select +version: 1.0 + +[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles +for a database or a table using the `GRANT SELECT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Insert +version: 1.0 + +[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles +for a database or a table using the `GRANT INSERT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Alter +version: 1.0 + +[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles +for a database or a table using the `GRANT ALTER` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Create +version: 1.0 + +[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles +using the `GRANT CREATE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Drop +version: 1.0 + +[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles +using the `GRANT DROP` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Truncate +version: 1.0 + +[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles +for a database or a table using `GRANT TRUNCATE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Optimize +version: 1.0 + +[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles +for a database or a table using `GRANT OPTIMIZE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Show +version: 1.0 + +[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles +for a database or a table using `GRANT SHOW` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.KillQuery +version: 1.0 + +[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles +for a database or a table using `GRANT KILL QUERY` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement +version: 1.0 + +[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles +for a database or a table using `GRANT ACCESS MANAGEMENT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.System +version: 1.0 + +[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles +for a database or a table using `GRANT SYSTEM` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Introspection +version: 1.0 + +[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles +for a database or a table using `GRANT INTROSPECTION` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Sources +version: 1.0 + +[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles +for a database or a table using `GRANT SOURCES` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.DictGet +version: 1.0 + +[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles +for a database or a table using `GRANT dictGet` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.None +version: 1.0 + +[ClickHouse] SHALL support granting no privileges to one or more users or roles +for a database or a table using `GRANT NONE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.All +version: 1.0 + +[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles +using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements. + +#### RQ.SRS-006.RBAC.Grant.Privilege.GrantOption +version: 1.0 + +[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles +for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.On +version: 1.0 + +[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement +which SHALL allow to specify one or more tables to which the privilege SHALL +be granted using the following patterns + +* `*.*` any table in any database +* `database.*` any table in the specified database +* `database.table` specific table in the specified database +* `*` any table in the current database +* `table` specific table in the current database + +#### RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns +version: 1.0 + +[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles +for a database or a table using the `GRANT some_privilege(column)` statement for one column. +Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement. +The privileges will be granted for only the specified columns. + +#### RQ.SRS-006.RBAC.Grant.Privilege.OnCluster +version: 1.0 + +[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER` +clause in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `GRANT` statement that +grants explicit privileges to a user or a role. + +```sql +GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] + ON {db.table|db.*|*.*|table|*} + TO {user | role | CURRENT_USER} [,...] + [WITH GRANT OPTION] +``` + +### Revoke + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Cluster +version: 1.0 + +[ClickHouse] SHALL support revoking privileges to one or more users or roles +for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Select +version: 1.0 + +[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles +for a database or a table using the `REVOKE SELECT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Insert +version: 1.0 + +[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles +for a database or a table using the `REVOKE INSERT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Alter +version: 1.0 + +[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles +for a database or a table using the `REVOKE ALTER` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Create +version: 1.0 + +[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles +using the `REVOKE CREATE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Drop +version: 1.0 + +[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles +using the `REVOKE DROP` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Truncate +version: 1.0 + +[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles +for a database or a table using the `REVOKE TRUNCATE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Optimize +version: 1.0 + +[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles +for a database or a table using the `REVOKE OPTIMIZE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Show +version: 1.0 + +[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles +for a database or a table using the `REVOKE SHOW` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery +version: 1.0 + +[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles +for a database or a table using the `REVOKE KILL QUERY` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement +version: 1.0 + +[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles +for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.System +version: 1.0 + +[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles +for a database or a table using the `REVOKE SYSTEM` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Introspection +version: 1.0 + +[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles +for a database or a table using the `REVOKE INTROSPECTION` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Sources +version: 1.0 + +[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles +for a database or a table using the `REVOKE SOURCES` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.DictGet +version: 1.0 + +[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles +for a database or a table using the `REVOKE dictGet` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns +version: 1.0 + +[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles +for a database or a table using the `REVOKE some_privilege(column)` statement for one column. +Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement. +The privileges will be revoked for only the specified columns. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Multiple +version: 1.0 + +[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles +for a database or a table using the `REVOKE privilege1, privilege2...` statement. +**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes +SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, +SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.All +version: 1.0 + +[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles +for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.None +version: 1.0 + +[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles +for a database or a table using the `REVOKE NONE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.On +version: 1.0 + +[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement +which SHALL allow to specify one or more tables to which the privilege SHALL +be revoked using the following patterns + +* `db.table` specific table in the specified database +* `db.*` any table in the specified database +* `*.*` any table in any database +* `table` specific table in the current database +* `*` any table in the current database + +#### RQ.SRS-006.RBAC.Revoke.Privilege.From +version: 1.0 + +[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement +which SHALL allow to specify one or more users to which the privilege SHALL +be revoked using the following patterns + +* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user +* `ALL` all users +* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that +revokes explicit privileges of a user or a role. + +```sql +REVOKE [ON CLUSTER cluster_name] privilege + [(column_name [,...])] [,...] + ON {db.table|db.*|*.*|table|*} + FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...] +``` + +### Grant Role + +#### RQ.SRS-006.RBAC.Grant.Role +version: 1.0 + +[ClickHouse] SHALL support granting one or more roles to +one or more users or roles using the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.CurrentUser +version: 1.0 + +[ClickHouse] SHALL support granting one or more roles to current user using +`TO CURRENT_USER` clause in the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.AdminOption +version: 1.0 + +[ClickHouse] SHALL support granting `admin option` privilege +to one or more users or roles using the `WITH ADMIN OPTION` clause +in the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.OnCluster +version: 1.0 + +[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles +using `ON CLUSTER` clause in the `GRANT` statement. + +#### RQ.SRS-006.RBAC.Grant.Role.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for `GRANT` role statement + +``` sql +GRANT + ON CLUSTER cluster_name + role [, role ...] + TO {user | role | CURRENT_USER} [,...] + [WITH ADMIN OPTION] +``` + +### Revoke Role + +#### RQ.SRS-006.RBAC.Revoke.Role +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +one or more users or roles using the `REVOKE` role statement. + +#### RQ.SRS-006.RBAC.Revoke.Role.Keywords +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`, +and `CURRENT_USER` keywords. + +#### RQ.SRS-006.RBAC.Revoke.Role.Cluster +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +one or more users or roles from one or more clusters +using the `REVOKE ON CLUSTER` role statement. + +#### RQ.SRS-006.RBAC.Revoke.AdminOption +version: 1.0 + +[ClickHouse] SHALL support revoking `admin option` privilege +in one or more users or roles using the `ADMIN OPTION FOR` clause +in the `REVOKE` role statement. + +#### RQ.SRS-006.RBAC.Revoke.Role.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement + +```sql +REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR] + role [,...] + FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...] +``` + +### Show Grants + +#### RQ.SRS-006.RBAC.Show.Grants +version: 1.0 + +[ClickHouse] SHALL support listing all the privileges granted to current user and role +using the `SHOW GRANTS` statement. + +#### RQ.SRS-006.RBAC.Show.Grants.For +version: 1.0 + +[ClickHouse] SHALL support listing all the privileges granted to a user or a role +using the `FOR` clause in the `SHOW GRANTS` statement. + +#### RQ.SRS-006.RBAC.Show.Grants.Syntax +version: 1.0 + +[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement + +``` sql +SHOW GRANTS [FOR user_or_role] +``` + +### Table Privileges + +#### RQ.SRS-006.RBAC.Table.PublicTables version: 1.0 [ClickHouse] SHALL support that a user without any privileges will be able to access the following tables @@ -2825,7 +2889,7 @@ version: 1.0 * system.contributors * system.functions -##### RQ.SRS-006.RBAC.Table.SensitiveTables +#### RQ.SRS-006.RBAC.Table.SensitiveTables version: 1.0 [ClickHouse] SHALL not support a user with no privileges accessing the following `system` tables: @@ -2842,15 +2906,15 @@ version: 1.0 * zookeeper * macros -#### Distributed Tables +### Distributed Tables -##### RQ.SRS-006.RBAC.DistributedTable.Create +#### RQ.SRS-006.RBAC.DistributedTable.Create version: 1.0 [ClickHouse] SHALL successfully `CREATE` a distributed table if and only if the user has **create table** privilege on the table and **remote** privilege on *.* -##### RQ.SRS-006.RBAC.DistributedTable.Select +#### RQ.SRS-006.RBAC.DistributedTable.Select version: 1.0 [ClickHouse] SHALL successfully `SELECT` from a distributed table if and only if @@ -2858,7 +2922,7 @@ the user has **select** privilege on the table and on the remote table specified Does not require **select** privilege for the remote table if the remote table does not exist on the same server as the user. -##### RQ.SRS-006.RBAC.DistributedTable.Insert +#### RQ.SRS-006.RBAC.DistributedTable.Insert version: 1.0 [ClickHouse] SHALL successfully `INSERT` into a distributed table if and only if @@ -2867,7 +2931,7 @@ the user has **insert** privilege on the table and on the remote table specified Does not require **insert** privilege for the remote table if the remote table does not exist on the same server as the user, insert executes into the remote table on a different server. -##### RQ.SRS-006.RBAC.DistributedTable.SpecialTables +#### RQ.SRS-006.RBAC.DistributedTable.SpecialTables version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table that uses one of the special tables if and only if @@ -2877,29 +2941,29 @@ Special tables include: * distributed table * source table of a materialized view -##### RQ.SRS-006.RBAC.DistributedTable.LocalUser +#### RQ.SRS-006.RBAC.DistributedTable.LocalUser version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table from a user present locally, but not remotely. -##### RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges +#### RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table by a user that exists on multiple nodes if and only if the user has the required privileges on the node the query is being executed from. -#### Views +### Views -##### View +#### View -###### RQ.SRS-006.RBAC.View +##### RQ.SRS-006.RBAC.View version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select** and **drop** privileges for a view for users or roles. -###### RQ.SRS-006.RBAC.View.Create +##### RQ.SRS-006.RBAC.View.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE VIEW` command if and only if @@ -2917,7 +2981,7 @@ CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 ``` -###### RQ.SRS-006.RBAC.View.Select +##### RQ.SRS-006.RBAC.View.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a view if and only if @@ -2937,21 +3001,21 @@ CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.View.Drop +##### RQ.SRS-006.RBAC.View.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -##### Materialized View +#### Materialized View -###### RQ.SRS-006.RBAC.MaterializedView +##### RQ.SRS-006.RBAC.MaterializedView version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop** privileges for a materialized view for users or roles. -###### RQ.SRS-006.RBAC.MaterializedView.Create +##### RQ.SRS-006.RBAC.MaterializedView.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE MATERIALIZED VIEW` command if and only if @@ -2983,7 +3047,7 @@ For example, CREATE MATERIALIZED VIEW view TO target_table AS SELECT * FROM source_table ``` -###### RQ.SRS-006.RBAC.MaterializedView.Select +##### RQ.SRS-006.RBAC.MaterializedView.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a materialized view if and only if @@ -3003,25 +3067,25 @@ CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable +##### RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from the target table, implicit or explicit, of a materialized view if and only if the user has `SELECT` privilege for the table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable +##### RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from the source table of a materialized view if and only if the user has `SELECT` privilege for the table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Drop +##### RQ.SRS-006.RBAC.MaterializedView.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.ModifyQuery +##### RQ.SRS-006.RBAC.MaterializedView.ModifyQuery version: 1.0 [ClickHouse] SHALL only successfully execute a `MODIFY QUERY` command if and only if @@ -3034,33 +3098,33 @@ For example, ALTER TABLE view MODIFY QUERY SELECT * FROM source_table ``` -###### RQ.SRS-006.RBAC.MaterializedView.Insert +##### RQ.SRS-006.RBAC.MaterializedView.Insert version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a materialized view if and only if the user has `INSERT` privilege on the view, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable +##### RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a source table of a materialized view if and only if the user has `INSERT` privilege on the source table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable +##### RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a target table of a materialized view if and only if the user has `INSERT` privelege on the target table, either explicitly or through a role. -##### Live View +#### Live View -###### RQ.SRS-006.RBAC.LiveView +##### RQ.SRS-006.RBAC.LiveView version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop** privileges for a live view for users or roles. -###### RQ.SRS-006.RBAC.LiveView.Create +##### RQ.SRS-006.RBAC.LiveView.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE LIVE VIEW` command if and only if @@ -3078,7 +3142,7 @@ CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNIO CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 ``` -###### RQ.SRS-006.RBAC.LiveView.Select +##### RQ.SRS-006.RBAC.LiveView.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a live view if and only if @@ -3098,28 +3162,28 @@ CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.LiveView.Drop +##### RQ.SRS-006.RBAC.LiveView.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -###### RQ.SRS-006.RBAC.LiveView.Refresh +##### RQ.SRS-006.RBAC.LiveView.Refresh version: 1.0 [ClickHouse] SHALL only successfully execute an `ALTER LIVE VIEW REFRESH` command if and only if the user has **refresh** privilege on that view either explicitly or through a role. -#### Select +### Select -##### RQ.SRS-006.RBAC.Select +#### RQ.SRS-006.RBAC.Select version: 1.0 [ClickHouse] SHALL execute `SELECT` if and only if the user has the **select** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Select.Column +#### RQ.SRS-006.RBAC.Select.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **select** privilege @@ -3128,7 +3192,7 @@ Any `SELECT` statements SHALL not to be executed, unless the user has the **select** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Select.Cluster +#### RQ.SRS-006.RBAC.Select.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **select** privilege @@ -3136,7 +3200,7 @@ on a specified cluster to one or more **users** or **roles**. Any `SELECT` statements SHALL succeed only on nodes where the table exists and privilege was granted. -##### RQ.SRS-006.RBAC.Select.TableEngines +#### RQ.SRS-006.RBAC.Select.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **select** privilege @@ -3157,16 +3221,16 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -#### Insert +### Insert -##### RQ.SRS-006.RBAC.Insert +#### RQ.SRS-006.RBAC.Insert version: 1.0 [ClickHouse] SHALL execute `INSERT INTO` if and only if the user has the **insert** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Insert.Column +#### RQ.SRS-006.RBAC.Insert.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **insert** privilege @@ -3175,7 +3239,7 @@ Any `INSERT INTO` statements SHALL not to be executed, unless the user has the **insert** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Insert.Cluster +#### RQ.SRS-006.RBAC.Insert.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **insert** privilege @@ -3183,7 +3247,7 @@ on a specified cluster to one or more **users** or **roles**. Any `INSERT INTO` statements SHALL succeed only on nodes where the table exists and privilege was granted. -##### RQ.SRS-006.RBAC.Insert.TableEngines +#### RQ.SRS-006.RBAC.Insert.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **insert** privilege @@ -3204,11 +3268,11 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -#### Alter +### Alter -##### Alter Column +#### Alter Column -###### RQ.SRS-006.RBAC.Privileges.AlterColumn +##### RQ.SRS-006.RBAC.Privileges.AlterColumn version: 1.0 [ClickHouse] SHALL support controlling access to the **alter column** privilege @@ -3218,19 +3282,19 @@ return an error, unless the user has the **alter column** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant version: 1.0 [ClickHouse] SHALL support granting **alter column** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter column** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Column +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **alter column** privilege @@ -3239,7 +3303,7 @@ Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL retu unless the user has the **alter column** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter column** privilege @@ -3247,7 +3311,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter column** privilege @@ -3268,9 +3332,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Index +#### Alter Index -###### RQ.SRS-006.RBAC.Privileges.AlterIndex +##### RQ.SRS-006.RBAC.Privileges.AlterIndex version: 1.0 [ClickHouse] SHALL support controlling access to the **alter index** privilege @@ -3280,19 +3344,19 @@ return an error, unless the user has the **alter index** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant version: 1.0 [ClickHouse] SHALL support granting **alter index** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter index** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter index** privilege @@ -3300,7 +3364,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter index** privilege @@ -3321,9 +3385,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Constraint +#### Alter Constraint -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint version: 1.0 [ClickHouse] SHALL support controlling access to the **alter constraint** privilege @@ -3333,19 +3397,19 @@ return an error, unless the user has the **alter constraint** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant version: 1.0 [ClickHouse] SHALL support granting **alter constraint** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter constraint** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter constraint** privilege @@ -3353,7 +3417,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ADD|DROP CONSTRAINT` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter constraint** privilege @@ -3374,9 +3438,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter TTL +#### Alter TTL -###### RQ.SRS-006.RBAC.Privileges.AlterTTL +##### RQ.SRS-006.RBAC.Privileges.AlterTTL version: 1.0 [ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege @@ -3386,19 +3450,19 @@ return an error, unless the user has the **alter ttl** or **alter materialize tt the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant version: 1.0 [ClickHouse] SHALL support granting **alter ttl** or **alter materialize ttl** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter ttl** or **alter materialize ttl** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter ttl** or **alter materialize ttl** privilege @@ -3406,7 +3470,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege @@ -3414,9 +3478,9 @@ on tables created using the following engines * MergeTree -##### Alter Settings +#### Alter Settings -###### RQ.SRS-006.RBAC.Privileges.AlterSettings +##### RQ.SRS-006.RBAC.Privileges.AlterSettings version: 1.0 [ClickHouse] SHALL support controlling access to the **alter settings** privilege @@ -3427,19 +3491,19 @@ the destination table either because of the explicit grant or through one of the roles assigned to the user. The **alter settings** privilege allows modifying table engine settings. It doesn’t affect settings or server configuration parameters. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant version: 1.0 [ClickHouse] SHALL support granting **alter settings** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter settings** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter settings** privilege @@ -3447,7 +3511,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... MODIFY SETTING setting` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter settings** privilege @@ -3468,27 +3532,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Update +#### Alter Update -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate version: 1.0 [ClickHouse] SHALL successfully execute `ALTER UPDATE` statement if and only if the user has **alter update** privilege for that column, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant version: 1.0 [ClickHouse] SHALL support granting **alter update** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter update** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter update** privilege @@ -3509,27 +3573,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Delete +#### Alter Delete -###### RQ.SRS-006.RBAC.Privileges.AlterDelete +##### RQ.SRS-006.RBAC.Privileges.AlterDelete version: 1.0 [ClickHouse] SHALL successfully execute `ALTER DELETE` statement if and only if the user has **alter delete** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant version: 1.0 [ClickHouse] SHALL support granting **alter delete** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter delete** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter delete** privilege @@ -3550,27 +3614,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Freeze Partition +#### Alter Freeze Partition -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze version: 1.0 [ClickHouse] SHALL successfully execute `ALTER FREEZE` statement if and only if the user has **alter freeze** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant version: 1.0 [ClickHouse] SHALL support granting **alter freeze** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter freeze** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter freeze** privilege @@ -3591,27 +3655,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Fetch Partition +#### Alter Fetch Partition -###### RQ.SRS-006.RBAC.Privileges.AlterFetch +##### RQ.SRS-006.RBAC.Privileges.AlterFetch version: 1.0 [ClickHouse] SHALL successfully execute `ALTER FETCH` statement if and only if the user has **alter fetch** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant version: 1.0 [ClickHouse] SHALL support granting **alter fetch** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter fetch** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter fetch** privilege @@ -3625,9 +3689,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Move Partition +#### Alter Move Partition -###### RQ.SRS-006.RBAC.Privileges.AlterMove +##### RQ.SRS-006.RBAC.Privileges.AlterMove version: 1.0 [ClickHouse] SHALL successfully execute `ALTER MOVE` statement if and only if the user has **alter move**, **select**, and **alter delete** privilege on the source table @@ -3637,19 +3701,19 @@ For example, ALTER TABLE source_table MOVE PARTITION 1 TO target_table ``` -###### RQ.SRS-006.RBAC.Privileges.AlterMove.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterMove.Grant version: 1.0 [ClickHouse] SHALL support granting **alter move** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter move** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter move** privilege @@ -3670,6 +3734,8 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree +### Create + #### RQ.SRS-006.RBAC.Privileges.CreateTable version: 1.0 @@ -3706,6 +3772,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `CREATE TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table, either directly or through a role. +### Attach + #### RQ.SRS-006.RBAC.Privileges.AttachDatabase version: 1.0 @@ -3730,6 +3798,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `ATTACH TABLE` statement if and only if the user has **create table** privilege on the table, either directly or through a role. +### Drop + #### RQ.SRS-006.RBAC.Privileges.DropTable version: 1.0 @@ -3748,6 +3818,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `DROP DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary, either directly or through a role. +### Detach + #### RQ.SRS-006.RBAC.Privileges.DetachTable version: 1.0 @@ -3772,354 +3844,360 @@ version: 1.0 [ClickHouse] SHALL successfully execute `DETACH DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary, either directly or through a role. +### Truncate + #### RQ.SRS-006.RBAC.Privileges.Truncate version: 1.0 [ClickHouse] SHALL successfully execute `TRUNCATE TABLE` statement if and only if the user has **truncate table** privilege on the table, either directly or through a role. +### Optimize + #### RQ.SRS-006.RBAC.Privileges.Optimize version: 1.0 [ClickHouse] SHALL successfully execute `OPTIMIZE TABLE` statement if and only if the user has **optimize table** privilege on the table, either directly or through a role. +### Kill Query + #### RQ.SRS-006.RBAC.Privileges.KillQuery version: 1.0 [ClickHouse] SHALL successfully execute `KILL QUERY` statement if and only if the user has **kill query** privilege, either directly or through a role. -#### Kill Mutation +### Kill Mutation -##### RQ.SRS-006.RBAC.Privileges.KillMutation +#### RQ.SRS-006.RBAC.Privileges.KillMutation version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` statement if and only if the user has the privilege that created the mutation, either directly or through a role. For example, to `KILL MUTATION` after `ALTER UPDATE` query, the user needs `ALTER UPDATE` privilege. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER UPDATE` mutation if and only if the user has `ALTER UPDATE` privilege on the table where the mutation was created, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DELETE` mutation if and only if the user has `ALTER DELETE` privilege on the table where the mutation was created, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DROP COLUMN` mutation if and only if the user has `ALTER DROP COLUMN` privilege on the table where the mutation was created, either directly or through a role. -#### Show +### Show -##### RQ.SRS-006.RBAC.ShowTables.Privilege +#### RQ.SRS-006.RBAC.ShowTables.Privilege version: 1.0 [ClickHouse] SHALL grant **show tables** privilege on a table to a user if that user has recieved any grant, including `SHOW TABLES`, on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW TABLES` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `EXISTS table` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `CHECK table` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDatabases.Privilege +#### RQ.SRS-006.RBAC.ShowDatabases.Privilege version: 1.0 [ClickHouse] SHALL grant **show databases** privilege on a database to a user if that user has recieved any grant, including `SHOW DATABASES`, on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW DATABASES` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE DATABASE` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege +#### RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `USE database` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.ShowColumns.Privilege +#### RQ.SRS-006.RBAC.ShowColumns.Privilege version: 1.0 [ClickHouse] SHALL support granting or revoking the `SHOW COLUMNS` privilege. -##### RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE TABLE` statement if and only if the user has **show columns** privilege on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `DESCRIBE table` statement if and only if the user has **show columns** privilege on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDictionaries.Privilege +#### RQ.SRS-006.RBAC.ShowDictionaries.Privilege version: 1.0 [ClickHouse] SHALL grant **show dictionaries** privilege on a dictionary to a user if that user has recieved any grant, including `SHOW DICTIONARIES`, on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW DICTIONARIES` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -##### RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE DICTIONARY` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -##### RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege +#### RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `EXISTS dictionary` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -#### Access Management +### Access Management -##### RQ.SRS-006.RBAC.Privileges.CreateUser +#### RQ.SRS-006.RBAC.Privileges.CreateUser version: 1.0 [ClickHouse] SHALL successfully execute `CREATE USER` statement if and only if the user has **create user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole +#### RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole version: 1.0 [ClickHouse] SHALL successfully execute `CREATE USER` statement with `DEFAULT ROLE ` clause if and only if the user has **create user** privilege and the role with **admin option**, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterUser +#### RQ.SRS-006.RBAC.Privileges.AlterUser version: 1.0 [ClickHouse] SHALL successfully execute `ALTER USER` statement if and only if the user has **alter user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropUser +#### RQ.SRS-006.RBAC.Privileges.DropUser version: 1.0 [ClickHouse] SHALL successfully execute `DROP USER` statement if and only if the user has **drop user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateRole +#### RQ.SRS-006.RBAC.Privileges.CreateRole version: 1.0 [ClickHouse] SHALL successfully execute `CREATE ROLE` statement if and only if the user has **create role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterRole +#### RQ.SRS-006.RBAC.Privileges.AlterRole version: 1.0 [ClickHouse] SHALL successfully execute `ALTER ROLE` statement if and only if the user has **alter role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropRole +#### RQ.SRS-006.RBAC.Privileges.DropRole version: 1.0 [ClickHouse] SHALL successfully execute `DROP ROLE` statement if and only if the user has **drop role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateRowPolicy +#### RQ.SRS-006.RBAC.Privileges.CreateRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `CREATE ROW POLICY` statement if and only if the user has **create row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterRowPolicy +#### RQ.SRS-006.RBAC.Privileges.AlterRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `ALTER ROW POLICY` statement if and only if the user has **alter row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropRowPolicy +#### RQ.SRS-006.RBAC.Privileges.DropRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `DROP ROW POLICY` statement if and only if the user has **drop row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateQuota +#### RQ.SRS-006.RBAC.Privileges.CreateQuota version: 1.0 [ClickHouse] SHALL successfully execute `CREATE QUOTA` statement if and only if the user has **create quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterQuota +#### RQ.SRS-006.RBAC.Privileges.AlterQuota version: 1.0 [ClickHouse] SHALL successfully execute `ALTER QUOTA` statement if and only if the user has **alter quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropQuota +#### RQ.SRS-006.RBAC.Privileges.DropQuota version: 1.0 [ClickHouse] SHALL successfully execute `DROP QUOTA` statement if and only if the user has **drop quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `CREATE SETTINGS PROFILE` statement if and only if the user has **create settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `ALTER SETTINGS PROFILE` statement if and only if the user has **alter settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.DropSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `DROP SETTINGS PROFILE` statement if and only if the user has **drop settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.RoleAdmin +#### RQ.SRS-006.RBAC.Privileges.RoleAdmin version: 1.0 [ClickHouse] SHALL successfully execute any role grant or revoke by a user with `ROLE ADMIN` privilege. -##### Show Access +#### Show Access -###### RQ.SRS-006.RBAC.ShowUsers.Privilege +##### RQ.SRS-006.RBAC.ShowUsers.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW USERS` privilege when the user is granted `SHOW USERS`, `SHOW CREATE USER`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW USERS` statement if and only if the user has **show users** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE USER` statement if and only if the user has **show users** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowRoles.Privilege +##### RQ.SRS-006.RBAC.ShowRoles.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW ROLES` privilege when the user is granted `SHOW ROLES`, `SHOW CREATE ROLE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW ROLES` statement if and only if the user has **show roles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE ROLE` statement if and only if the user has **show roles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowRowPolicies.Privilege +##### RQ.SRS-006.RBAC.ShowRowPolicies.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW ROW POLICIES` privilege when the user is granted `SHOW ROW POLICIES`, `SHOW POLICIES`, `SHOW CREATE ROW POLICY`, `SHOW CREATE POLICY`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW ROW POLICIES` or `SHOW POLICIES` statement if and only if the user has **show row policies** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE ROW POLICY` or `SHOW CREATE POLICY` statement if and only if the user has **show row policies** privilege,either directly or through a role. -###### RQ.SRS-006.RBAC.ShowQuotas.Privilege +##### RQ.SRS-006.RBAC.ShowQuotas.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW QUOTAS` privilege when the user is granted `SHOW QUOTAS`, `SHOW CREATE QUOTA`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW QUOTAS` statement if and only if the user has **show quotas** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE QUOTA` statement if and only if the user has **show quotas** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege +##### RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW SETTINGS PROFILES` privilege when the user is granted `SHOW SETTINGS PROFILES`, `SHOW PROFILES`, `SHOW CREATE SETTINGS PROFILE`, `SHOW SETTINGS PROFILE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW SETTINGS PROFILES` or `SHOW PROFILES` statement if and only if the user has **show settings profiles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE SETTINGS PROFILE` or `SHOW CREATE PROFILE` statement if and only if the user has **show settings profiles** privilege, either directly or through a role. -#### dictGet +### dictGet -##### RQ.SRS-006.RBAC.dictGet.Privilege +#### RQ.SRS-006.RBAC.dictGet.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `dictGet` privilege when the user is granted `dictGet`, `dictHas`, `dictGetHierarchy`, or `dictIsIn`. -##### RQ.SRS-006.RBAC.dictGet.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGet` statement if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGet[TYPE]` statement @@ -4141,270 +4219,283 @@ Available types: * UUID * String -##### RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGetOrDefault` statement if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.dictHas.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictHas.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictHas` statement if and only if the user has **dictGet** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGetHierarchy` statement if and only if the user has **dictGet** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictIsIn` statement if and only if the user has **dictGet** privilege, either directly or through a role. -#### Introspection +### Introspection -##### RQ.SRS-006.RBAC.Privileges.Introspection +#### RQ.SRS-006.RBAC.Privileges.Introspection version: 1.0 [ClickHouse] SHALL successfully grant `INTROSPECTION` privilege when the user is granted `INTROSPECTION` or `INTROSPECTION FUNCTIONS`. -##### RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine +#### RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine version: 1.0 [ClickHouse] SHALL successfully execute `addressToLine` statement if and only if the user has **introspection** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol +#### RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol version: 1.0 [ClickHouse] SHALL successfully execute `addressToSymbol` statement if and only if the user has **introspection** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Introspection.demangle +#### RQ.SRS-006.RBAC.Privileges.Introspection.demangle version: 1.0 [ClickHouse] SHALL successfully execute `demangle` statement if and only if the user has **introspection** privilege, either directly or through a role. -#### System +### System -##### RQ.SRS-006.RBAC.Privileges.System.Shutdown +#### RQ.SRS-006.RBAC.Privileges.System.Shutdown version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SHUTDOWN` privilege when the user is granted `SYSTEM`, `SYSTEM SHUTDOWN`, `SHUTDOWN`,or `SYSTEM KILL`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache +#### RQ.SRS-006.RBAC.Privileges.System.DropCache version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, or `DROP CACHE`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP DNS CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP DNS CACHE`, `SYSTEM DROP DNS`, `DROP DNS CACHE`, or `DROP DNS`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP MARK CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP MARK CACHE`, `SYSTEM DROP MARK`, `DROP MARK CACHE`, or `DROP MARKS`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP UNCOMPRESSED CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP UNCOMPRESSED CACHE`, `SYSTEM DROP UNCOMPRESSED`, `DROP UNCOMPRESSED CACHE`, or `DROP UNCOMPRESSED`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload +#### RQ.SRS-006.RBAC.Privileges.System.Reload version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD` privilege when the user is granted `SYSTEM` or `SYSTEM RELOAD`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Config +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Config version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD CONFIG` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD CONFIG`, or `RELOAD CONFIG`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARY` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARIES` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries +#### RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD EMBEDDED DICTIONARIES` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARY ON *.*`, or `SYSTEM RELOAD EMBEDDED DICTIONARIES`. -##### RQ.SRS-006.RBAC.Privileges.System.Merges +#### RQ.SRS-006.RBAC.Privileges.System.Merges version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM MERGES` privilege when the user is granted `SYSTEM`, `SYSTEM MERGES`, `SYSTEM STOP MERGES`, `SYSTEM START MERGES`, `STOP MERGES`, or `START MERGES`. -##### RQ.SRS-006.RBAC.Privileges.System.TTLMerges +#### RQ.SRS-006.RBAC.Privileges.System.TTLMerges version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM TTL MERGES` privilege when the user is granted `SYSTEM`, `SYSTEM TTL MERGES`, `SYSTEM STOP TTL MERGES`, `SYSTEM START TTL MERGES`, `STOP TTL MERGES`, or `START TTL MERGES`. -##### RQ.SRS-006.RBAC.Privileges.System.Fetches +#### RQ.SRS-006.RBAC.Privileges.System.Fetches version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FETCHES` privilege when the user is granted `SYSTEM`, `SYSTEM FETCHES`, `SYSTEM STOP FETCHES`, `SYSTEM START FETCHES`, `STOP FETCHES`, or `START FETCHES`. -##### RQ.SRS-006.RBAC.Privileges.System.Moves +#### RQ.SRS-006.RBAC.Privileges.System.Moves version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM MOVES` privilege when the user is granted `SYSTEM`, `SYSTEM MOVES`, `SYSTEM STOP MOVES`, `SYSTEM START MOVES`, `STOP MOVES`, or `START MOVES`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends +#### RQ.SRS-006.RBAC.Privileges.System.Sends version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM SENDS`, `SYSTEM STOP SENDS`, `SYSTEM START SENDS`, `STOP SENDS`, or `START SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed +#### RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DISTRIBUTED SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM DISTRIBUTED SENDS`, `SYSTEM STOP DISTRIBUTED SENDS`, `SYSTEM START DISTRIBUTED SENDS`, `STOP DISTRIBUTED SENDS`, or `START DISTRIBUTED SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated +#### RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM REPLICATED SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM REPLICATED SENDS`, `SYSTEM STOP REPLICATED SENDS`, `SYSTEM START REPLICATED SENDS`, `STOP REPLICATED SENDS`, or `START REPLICATED SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues +#### RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM REPLICATION QUEUES` privilege when the user is granted `SYSTEM`, `SYSTEM REPLICATION QUEUES`, `SYSTEM STOP REPLICATION QUEUES`, `SYSTEM START REPLICATION QUEUES`, `STOP REPLICATION QUEUES`, or `START REPLICATION QUEUES`. -##### RQ.SRS-006.RBAC.Privileges.System.SyncReplica +#### RQ.SRS-006.RBAC.Privileges.System.SyncReplica version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SYNC REPLICA` privilege when the user is granted `SYSTEM`, `SYSTEM SYNC REPLICA`, or `SYNC REPLICA`. -##### RQ.SRS-006.RBAC.Privileges.System.RestartReplica +#### RQ.SRS-006.RBAC.Privileges.System.RestartReplica version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RESTART REPLICA` privilege when the user is granted `SYSTEM`, `SYSTEM RESTART REPLICA`, or `RESTART REPLICA`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush +#### RQ.SRS-006.RBAC.Privileges.System.Flush version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH` privilege when the user is granted `SYSTEM` or `SYSTEM FLUSH`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed +#### RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH DISTRIBUTED` privilege when the user is granted `SYSTEM`, `SYSTEM FLUSH DISTRIBUTED`, or `FLUSH DISTRIBUTED`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush.Logs +#### RQ.SRS-006.RBAC.Privileges.System.Flush.Logs version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH LOGS` privilege when the user is granted `SYSTEM`, `SYSTEM FLUSH LOGS`, or `FLUSH LOGS`. -#### Sources +### Sources -##### RQ.SRS-006.RBAC.Privileges.Sources +#### RQ.SRS-006.RBAC.Privileges.Sources version: 1.0 [ClickHouse] SHALL support granting or revoking `SOURCES` privilege from the user, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.File +#### RQ.SRS-006.RBAC.Privileges.Sources.File version: 1.0 [ClickHouse] SHALL support the use of `FILE` source by a user if and only if the user has `FILE` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.URL +#### RQ.SRS-006.RBAC.Privileges.Sources.URL version: 1.0 [ClickHouse] SHALL support the use of `URL` source by a user if and only if the user has `URL` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.Remote +#### RQ.SRS-006.RBAC.Privileges.Sources.Remote version: 1.0 [ClickHouse] SHALL support the use of `REMOTE` source by a user if and only if the user has `REMOTE` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.MySQL +#### RQ.SRS-006.RBAC.Privileges.Sources.MySQL version: 1.0 [ClickHouse] SHALL support the use of `MySQL` source by a user if and only if the user has `MySQL` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.ODBC +#### RQ.SRS-006.RBAC.Privileges.Sources.ODBC version: 1.0 [ClickHouse] SHALL support the use of `ODBC` source by a user if and only if the user has `ODBC` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.JDBC +#### RQ.SRS-006.RBAC.Privileges.Sources.JDBC version: 1.0 [ClickHouse] SHALL support the use of `JDBC` source by a user if and only if the user has `JDBC` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.HDFS +#### RQ.SRS-006.RBAC.Privileges.Sources.HDFS version: 1.0 [ClickHouse] SHALL support the use of `HDFS` source by a user if and only if the user has `HDFS` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.S3 +#### RQ.SRS-006.RBAC.Privileges.Sources.S3 version: 1.0 [ClickHouse] SHALL support the use of `S3` source by a user if and only if the user has `S3` or `SOURCES` privileges granted to them directly or through a role. -#### RQ.SRS-006.RBAC.Privileges.GrantOption +### RQ.SRS-006.RBAC.Privileges.GrantOption version: 1.0 [ClickHouse] SHALL successfully execute `GRANT` or `REVOKE` privilege statements by a user if and only if the user has that privilege with `GRANT OPTION`, either directly or through a role. -#### RQ.SRS-006.RBAC.Privileges.All +### RQ.SRS-006.RBAC.Privileges.All version: 1.0 -[ClickHouse] SHALL support granting or revoking `ALL` privilege. +[ClickHouse] SHALL support granting or revoking `ALL` privilege +using `GRANT ALL ON *.* TO user`. -#### RQ.SRS-006.RBAC.Privileges.AdminOption +### RQ.SRS-006.RBAC.Privileges.RoleAll +version: 1.0 + +[ClickHouse] SHALL support granting a role named `ALL` using `GRANT ALL TO user`. +This shall only grant the user the privileges that have been granted to the role. + +### RQ.SRS-006.RBAC.Privileges.None +version: 1.0 + +[ClickHouse] SHALL support granting or revoking `NONE` privilege +using `GRANT NONE TO user` or `GRANT USAGE ON *.* TO user`. + +### RQ.SRS-006.RBAC.Privileges.AdminOption version: 1.0 [ClickHouse] SHALL support a user granting or revoking a role if and only if diff --git a/tests/testflows/rbac/requirements/requirements.py b/tests/testflows/rbac/requirements/requirements.py index f276d811f19..27f455d3fe6 100755 --- a/tests/testflows/rbac/requirements/requirements.py +++ b/tests/testflows/rbac/requirements/requirements.py @@ -1,28 +1,9983 @@ # These requirements were auto generated # from software requirements specification (SRS) -# document by TestFlows v1.6.201124.1002350. +# document by TestFlows v1.6.201216.1172002. # Do not edit by hand but re-generate instead # using 'tfs requirements generate' command. from testflows.core import Specification from testflows.core import Requirement +Heading = Specification.Heading + +RQ_SRS_006_RBAC = Requirement( + name='RQ.SRS-006.RBAC', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support role based access control.\n' + '\n' + ), + link=None, + level=3, + num='5.1.1') + +RQ_SRS_006_RBAC_Login = Requirement( + name='RQ.SRS-006.RBAC.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only allow access to the server for a given\n' + 'user only when correct username and password are used during\n' + 'the connection to the server.\n' + '\n' + ), + link=None, + level=3, + num='5.2.1') + +RQ_SRS_006_RBAC_Login_DefaultUser = Requirement( + name='RQ.SRS-006.RBAC.Login.DefaultUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL use the **default user** when no username and password\n' + 'are specified during the connection to the server.\n' + '\n' + ), + link=None, + level=3, + num='5.2.2') + +RQ_SRS_006_RBAC_User = Requirement( + name='RQ.SRS-006.RBAC.User', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creation and manipulation of\n' + 'one or more **user** accounts to which roles, privileges,\n' + 'settings profile, quotas and row policies can be assigned.\n' + '\n' + ), + link=None, + level=3, + num='5.3.1') + +RQ_SRS_006_RBAC_User_Roles = Requirement( + name='RQ.SRS-006.RBAC.User.Roles', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **roles**\n' + 'to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.2') + +RQ_SRS_006_RBAC_User_Privileges = Requirement( + name='RQ.SRS-006.RBAC.User.Privileges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more privileges to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.3') + +RQ_SRS_006_RBAC_User_Variables = Requirement( + name='RQ.SRS-006.RBAC.User.Variables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more variables to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.4') + +RQ_SRS_006_RBAC_User_Variables_Constraints = Requirement( + name='RQ.SRS-006.RBAC.User.Variables.Constraints', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning min, max and read-only constraints\n' + 'for the variables that can be set and read by the **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.5') + +RQ_SRS_006_RBAC_User_SettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.User.SettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **settings profiles**\n' + 'to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.6') + +RQ_SRS_006_RBAC_User_Quotas = Requirement( + name='RQ.SRS-006.RBAC.User.Quotas', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **quotas** to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.7') + +RQ_SRS_006_RBAC_User_RowPolicies = Requirement( + name='RQ.SRS-006.RBAC.User.RowPolicies', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **row policies** to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.8') + +RQ_SRS_006_RBAC_User_DefaultRole = Requirement( + name='RQ.SRS-006.RBAC.User.DefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning a default role to a **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.9') + +RQ_SRS_006_RBAC_User_RoleSelection = Requirement( + name='RQ.SRS-006.RBAC.User.RoleSelection', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support selection of one or more **roles** from the available roles\n' + 'that are assigned to a **user** using `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.3.10') + +RQ_SRS_006_RBAC_User_ShowCreate = Requirement( + name='RQ.SRS-006.RBAC.User.ShowCreate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the command of how **user** account was created.\n' + '\n' + ), + link=None, + level=3, + num='5.3.11') + +RQ_SRS_006_RBAC_User_ShowPrivileges = Requirement( + name='RQ.SRS-006.RBAC.User.ShowPrivileges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support listing the privileges of the **user**.\n' + '\n' + ), + link=None, + level=3, + num='5.3.12') + +RQ_SRS_006_RBAC_User_Use_DefaultRole = Requirement( + name='RQ.SRS-006.RBAC.User.Use.DefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL by default use default role or roles assigned\n' + 'to the user if specified.\n' + '\n' + ), + link=None, + level=3, + num='5.3.13') + +RQ_SRS_006_RBAC_User_Use_AllRolesWhenNoDefaultRole = Requirement( + name='RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL by default use all the roles assigned to the user\n' + 'if no default role or roles are specified for the user.\n' + '\n' + ), + link=None, + level=3, + num='5.3.14') + +RQ_SRS_006_RBAC_User_Create = Requirement( + name='RQ.SRS-006.RBAC.User.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating **user** accounts using `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.1') + +RQ_SRS_006_RBAC_User_Create_IfNotExists = Requirement( + name='RQ.SRS-006.RBAC.User.Create.IfNotExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE USER` statement\n' + 'to skip raising an exception if a user with the same **name** already exists.\n' + 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a user with the same **name** already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.2') + +RQ_SRS_006_RBAC_User_Create_Replace = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Replace', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE USER` statement\n' + 'to replace existing user account if already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.3') + +RQ_SRS_006_RBAC_User_Create_Password_NoPassword = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying no password when creating\n' + 'user account using `IDENTIFIED WITH NO_PASSWORD` clause .\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.4') + +RQ_SRS_006_RBAC_User_Create_Password_NoPassword_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL use no password for the user when connecting to the server\n' + 'when an account was created with `IDENTIFIED WITH NO_PASSWORD` clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.5') + +RQ_SRS_006_RBAC_User_Create_Password_PlainText = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.PlainText', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying plaintext password when creating\n' + 'user account using `IDENTIFIED WITH PLAINTEXT_PASSWORD BY` clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.6') + +RQ_SRS_006_RBAC_User_Create_Password_PlainText_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL use the plaintext password passed by the user when connecting to the server\n' + 'when an account was created with `IDENTIFIED WITH PLAINTEXT_PASSWORD` clause\n' + 'and compare the password with the one used in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.7') + +RQ_SRS_006_RBAC_User_Create_Password_Sha256Password = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying SHA256\n' + 'to some password when creating user account using `IDENTIFIED WITH SHA256_PASSWORD BY` or `IDENTIFIED BY`\n' + 'clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.8') + +RQ_SRS_006_RBAC_User_Create_Password_Sha256Password_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL calculate `SHA256` of the password passed by the user when connecting to the server\n' + "when an account was created with `IDENTIFIED WITH SHA256_PASSWORD` or with 'IDENTIFIED BY' clause\n" + 'and compare the calculated hash to the one used in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.9') + +RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying SHA256\n' + 'to some already calculated hash when creating user account using `IDENTIFIED WITH SHA256_HASH`\n' + 'clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.10') + +RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL calculate `SHA256` of the already calculated hash passed by\n' + 'the user when connecting to the server\n' + 'when an account was created with `IDENTIFIED WITH SHA256_HASH` clause\n' + 'and compare the calculated hash to the one used in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.11') + +RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying SHA1 two times\n' + 'to a password when creating user account using `IDENTIFIED WITH DOUBLE_SHA1_PASSWORD`\n' + 'clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.12') + +RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL calculate `SHA1` two times over the password passed by\n' + 'the user when connecting to the server\n' + 'when an account was created with `IDENTIFIED WITH DOUBLE_SHA1_PASSWORD` clause\n' + 'and compare the calculated value to the one used in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.13') + +RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying SHA1 two times\n' + 'to a hash when creating user account using `IDENTIFIED WITH DOUBLE_SHA1_HASH`\n' + 'clause.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.14') + +RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash_Login = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL calculate `SHA1` two times over the hash passed by\n' + 'the user when connecting to the server\n' + 'when an account was created with `IDENTIFIED WITH DOUBLE_SHA1_HASH` clause\n' + 'and compare the calculated value to the one used in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.15') + +RQ_SRS_006_RBAC_User_Create_Host_Name = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Name', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more hostnames from\n' + 'which user can access the server using the `HOST NAME` clause\n' + 'in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.16') + +RQ_SRS_006_RBAC_User_Create_Host_Regexp = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Regexp', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more regular expressions\n' + 'to match hostnames from which user can access the server\n' + 'using the `HOST REGEXP` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.17') + +RQ_SRS_006_RBAC_User_Create_Host_IP = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.IP', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more IP address or subnet from\n' + 'which user can access the server using the `HOST IP` clause in the\n' + '`CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.18') + +RQ_SRS_006_RBAC_User_Create_Host_Any = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Any', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying `HOST ANY` clause in the `CREATE USER` statement\n' + 'to indicate that user can access the server from any host.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.19') + +RQ_SRS_006_RBAC_User_Create_Host_None = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support fobidding access from any host using `HOST NONE` clause in the\n' + '`CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.20') + +RQ_SRS_006_RBAC_User_Create_Host_Local = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Local', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting user access to local only using `HOST LOCAL` clause in the\n' + '`CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.21') + +RQ_SRS_006_RBAC_User_Create_Host_Like = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Like', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying host using `LIKE` command syntax using the\n' + '`HOST LIKE` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.22') + +RQ_SRS_006_RBAC_User_Create_Host_Default = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Host.Default', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support user access to server from any host\n' + 'if no `HOST` clause is specified in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.23') + +RQ_SRS_006_RBAC_User_Create_DefaultRole = Requirement( + name='RQ.SRS-006.RBAC.User.Create.DefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more default roles\n' + 'using `DEFAULT ROLE` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.24') + +RQ_SRS_006_RBAC_User_Create_DefaultRole_None = Requirement( + name='RQ.SRS-006.RBAC.User.Create.DefaultRole.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying no default roles\n' + 'using `DEFAULT ROLE NONE` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.25') + +RQ_SRS_006_RBAC_User_Create_DefaultRole_All = Requirement( + name='RQ.SRS-006.RBAC.User.Create.DefaultRole.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying all roles to be used as default\n' + 'using `DEFAULT ROLE ALL` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.26') + +RQ_SRS_006_RBAC_User_Create_Settings = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Settings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying settings and profile\n' + 'using `SETTINGS` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.27') + +RQ_SRS_006_RBAC_User_Create_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.User.Create.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying cluster on which the user\n' + 'will be created using `ON CLUSTER` clause in the `CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.28') + +RQ_SRS_006_RBAC_User_Create_Syntax = Requirement( + name='RQ.SRS-006.RBAC.User.Create.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for `CREATE USER` statement.\n' + '\n' + '```sql\n' + 'CREATE USER [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]\n' + " [IDENTIFIED [WITH {NO_PASSWORD|PLAINTEXT_PASSWORD|SHA256_PASSWORD|SHA256_HASH|DOUBLE_SHA1_PASSWORD|DOUBLE_SHA1_HASH}] BY {'password'|'hash'}]\n" + " [HOST {LOCAL | NAME 'name' | NAME REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]\n" + ' [DEFAULT ROLE role [,...]]\n' + " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" + '```\n' + '\n' + ), + link=None, + level=4, + num='5.3.15.29') + +RQ_SRS_006_RBAC_User_Alter = Requirement( + name='RQ.SRS-006.RBAC.User.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering **user** accounts using `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.1') + +RQ_SRS_006_RBAC_User_Alter_OrderOfEvaluation = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support evaluating `ALTER USER` statement from left to right\n' + 'where things defined on the right override anything that was previously defined on\n' + 'the left.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.2') + +RQ_SRS_006_RBAC_User_Alter_IfExists = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER USER` statement\n' + 'to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.3') + +RQ_SRS_006_RBAC_User_Alter_Cluster = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the cluster the user is on\n' + 'when altering user account using `ON CLUSTER` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.4') + +RQ_SRS_006_RBAC_User_Alter_Rename = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Rename', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying a new name for the user when\n' + 'altering user account using `RENAME` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.5') + +RQ_SRS_006_RBAC_User_Alter_Password_PlainText = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Password.PlainText', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying plaintext password when altering\n' + 'user account using `IDENTIFIED WITH PLAINTEXT_PASSWORD BY` or\n' + 'using shorthand `IDENTIFIED BY` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.6') + +RQ_SRS_006_RBAC_User_Alter_Password_Sha256Password = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying SHA256\n' + 'to some password as identification when altering user account using\n' + '`IDENTIFIED WITH SHA256_PASSWORD` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.7') + +RQ_SRS_006_RBAC_User_Alter_Password_DoubleSha1Password = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the result of applying Double SHA1\n' + 'to some password as identification when altering user account using\n' + '`IDENTIFIED WITH DOUBLE_SHA1_PASSWORD` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.8') + +RQ_SRS_006_RBAC_User_Alter_Host_AddDrop = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.AddDrop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering user by adding and dropping access to hosts\n' + 'with the `ADD HOST` or the `DROP HOST` in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.9') + +RQ_SRS_006_RBAC_User_Alter_Host_Local = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.Local', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting user access to local only using `HOST LOCAL` clause in the\n' + '`ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.10') + +RQ_SRS_006_RBAC_User_Alter_Host_Name = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.Name', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more hostnames from\n' + 'which user can access the server using the `HOST NAME` clause\n' + 'in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.11') + +RQ_SRS_006_RBAC_User_Alter_Host_Regexp = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.Regexp', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more regular expressions\n' + 'to match hostnames from which user can access the server\n' + 'using the `HOST REGEXP` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.12') + +RQ_SRS_006_RBAC_User_Alter_Host_IP = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.IP', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more IP address or subnet from\n' + 'which user can access the server using the `HOST IP` clause in the\n' + '`ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.13') + +RQ_SRS_006_RBAC_User_Alter_Host_Like = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.Like', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more similar hosts using `LIKE` command syntax\n' + 'using the `HOST LIKE` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.14') + +RQ_SRS_006_RBAC_User_Alter_Host_Any = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.Any', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying `HOST ANY` clause in the `ALTER USER` statement\n' + 'to indicate that user can access the server from any host.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.15') + +RQ_SRS_006_RBAC_User_Alter_Host_None = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Host.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support fobidding access from any host using `HOST NONE` clause in the\n' + '`ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.16') + +RQ_SRS_006_RBAC_User_Alter_DefaultRole = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.DefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more default roles\n' + 'using `DEFAULT ROLE` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.17') + +RQ_SRS_006_RBAC_User_Alter_DefaultRole_All = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying all roles to be used as default\n' + 'using `DEFAULT ROLE ALL` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.18') + +RQ_SRS_006_RBAC_User_Alter_DefaultRole_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more roles which will not be used as default\n' + 'using `DEFAULT ROLE ALL EXCEPT` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.19') + +RQ_SRS_006_RBAC_User_Alter_Settings = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Settings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying one or more variables\n' + 'using `SETTINGS` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.20') + +RQ_SRS_006_RBAC_User_Alter_Settings_Min = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Settings.Min', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying a minimum value for the variable specifed using `SETTINGS` with `MIN` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.21') + +RQ_SRS_006_RBAC_User_Alter_Settings_Max = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Settings.Max', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying a maximum value for the variable specifed using `SETTINGS` with `MAX` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.22') + +RQ_SRS_006_RBAC_User_Alter_Settings_Profile = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Settings.Profile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying the name of a profile for the variable specifed using `SETTINGS` with `PROFILE` clause in the `ALTER USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.23') + +RQ_SRS_006_RBAC_User_Alter_Syntax = Requirement( + name='RQ.SRS-006.RBAC.User.Alter.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `ALTER USER` statement.\n' + '\n' + '```sql\n' + 'ALTER USER [IF EXISTS] name [ON CLUSTER cluster_name]\n' + ' [RENAME TO new_name]\n' + " [IDENTIFIED [WITH {PLAINTEXT_PASSWORD|SHA256_PASSWORD|DOUBLE_SHA1_PASSWORD}] BY {'password'|'hash'}]\n" + " [[ADD|DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]\n" + ' [DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]\n' + " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" + '```\n' + '\n' + ), + link=None, + level=4, + num='5.3.16.24') + +RQ_SRS_006_RBAC_User_ShowCreateUser = Requirement( + name='RQ.SRS-006.RBAC.User.ShowCreateUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE USER` statement used to create the current user object\n' + 'using the `SHOW CREATE USER` statement with `CURRENT_USER` or no argument.\n' + '\n' + ), + link=None, + level=4, + num='5.3.17.1') + +RQ_SRS_006_RBAC_User_ShowCreateUser_For = Requirement( + name='RQ.SRS-006.RBAC.User.ShowCreateUser.For', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE USER` statement used to create the specified user object\n' + 'using the `FOR` clause in the `SHOW CREATE USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.17.2') + +RQ_SRS_006_RBAC_User_ShowCreateUser_Syntax = Requirement( + name='RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the following syntax for `SHOW CREATE USER` statement.\n' + '\n' + '```sql\n' + 'SHOW CREATE USER [name | CURRENT_USER]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.3.17.3') + +RQ_SRS_006_RBAC_User_Drop = Requirement( + name='RQ.SRS-006.RBAC.User.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing a user account using `DROP USER` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.3.18.1') + +RQ_SRS_006_RBAC_User_Drop_IfExists = Requirement( + name='RQ.SRS-006.RBAC.User.Drop.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP USER` statement\n' + 'to skip raising an exception if the user account does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a user does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.3.18.2') + +RQ_SRS_006_RBAC_User_Drop_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.User.Drop.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP USER` statement\n' + 'to specify the name of the cluster the user should be dropped from.\n' + '\n' + ), + link=None, + level=4, + num='5.3.18.3') + +RQ_SRS_006_RBAC_User_Drop_Syntax = Requirement( + name='RQ.SRS-006.RBAC.User.Drop.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for `DROP USER` statement\n' + '\n' + '```sql\n' + 'DROP USER [IF EXISTS] name [,...] [ON CLUSTER cluster_name]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.3.18.4') + +RQ_SRS_006_RBAC_Role = Requirement( + name='RQ.SRS-006.RBAC.Role', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClikHouse] SHALL support creation and manipulation of **roles**\n' + 'to which privileges, settings profile, quotas and row policies can be\n' + 'assigned.\n' + '\n' + ), + link=None, + level=3, + num='5.4.1') + +RQ_SRS_006_RBAC_Role_Privileges = Requirement( + name='RQ.SRS-006.RBAC.Role.Privileges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more privileges to a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.4.2') + +RQ_SRS_006_RBAC_Role_Variables = Requirement( + name='RQ.SRS-006.RBAC.Role.Variables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more variables to a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.4.3') + +RQ_SRS_006_RBAC_Role_SettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.Role.SettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **settings profiles**\n' + 'to a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.4.4') + +RQ_SRS_006_RBAC_Role_Quotas = Requirement( + name='RQ.SRS-006.RBAC.Role.Quotas', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **quotas** to a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.4.5') + +RQ_SRS_006_RBAC_Role_RowPolicies = Requirement( + name='RQ.SRS-006.RBAC.Role.RowPolicies', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning one or more **row policies** to a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.4.6') + +RQ_SRS_006_RBAC_Role_Create = Requirement( + name='RQ.SRS-006.RBAC.Role.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating a **role** using `CREATE ROLE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.4.7.1') + +RQ_SRS_006_RBAC_Role_Create_IfNotExists = Requirement( + name='RQ.SRS-006.RBAC.Role.Create.IfNotExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE ROLE` statement\n' + 'to raising an exception if a role with the same **name** already exists.\n' + 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a role with the same **name** already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.4.7.2') + +RQ_SRS_006_RBAC_Role_Create_Replace = Requirement( + name='RQ.SRS-006.RBAC.Role.Create.Replace', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE ROLE` statement\n' + 'to replace existing role if it already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.4.7.3') + +RQ_SRS_006_RBAC_Role_Create_Settings = Requirement( + name='RQ.SRS-006.RBAC.Role.Create.Settings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying settings and profile using `SETTINGS`\n' + 'clause in the `CREATE ROLE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.4.7.4') + +RQ_SRS_006_RBAC_Role_Create_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Role.Create.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `CREATE ROLE` statement\n' + '\n' + '``` sql\n' + 'CREATE ROLE [IF NOT EXISTS | OR REPLACE] name\n' + " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" + '```\n' + '\n' + ), + link=None, + level=4, + num='5.4.7.5') + +RQ_SRS_006_RBAC_Role_Alter = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.1') + +RQ_SRS_006_RBAC_Role_Alter_IfExists = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE IF EXISTS` statement, where no exception\n' + 'will be thrown if the role does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.2') + +RQ_SRS_006_RBAC_Role_Alter_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE role ON CLUSTER` statement to specify the\n' + 'cluster location of the specified role.\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.3') + +RQ_SRS_006_RBAC_Role_Alter_Rename = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter.Rename', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE role RENAME TO` statement which renames the\n' + 'role to a specified new name. If the new name already exists, that an exception SHALL be raised unless the\n' + '`IF EXISTS` clause is specified, by which no exception will be raised and nothing will change.\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.4') + +RQ_SRS_006_RBAC_Role_Alter_Settings = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter.Settings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the settings of one **role** using `ALTER ROLE role SETTINGS ...` statement.\n' + 'Altering variable values, creating max and min values, specifying readonly or writable, and specifying the\n' + 'profiles for which this alter change shall be applied to, are all supported, using the following syntax.\n' + '\n' + '```sql\n' + "[SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" + '```\n' + '\n' + 'One or more variables and profiles may be specified as shown above.\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.5') + +RQ_SRS_006_RBAC_Role_Alter_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Role.Alter.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '```sql\n' + 'ALTER ROLE [IF EXISTS] name [ON CLUSTER cluster_name]\n' + ' [RENAME TO new_name]\n' + " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" + '```\n' + '\n' + ), + link=None, + level=4, + num='5.4.8.6') + +RQ_SRS_006_RBAC_Role_Drop = Requirement( + name='RQ.SRS-006.RBAC.Role.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing one or more roles using `DROP ROLE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.4.9.1') + +RQ_SRS_006_RBAC_Role_Drop_IfExists = Requirement( + name='RQ.SRS-006.RBAC.Role.Drop.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP ROLE` statement\n' + 'to skip raising an exception if the role does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a role does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.4.9.2') + +RQ_SRS_006_RBAC_Role_Drop_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Role.Drop.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP ROLE` statement to specify the cluster from which to drop the specified role.\n' + '\n' + ), + link=None, + level=4, + num='5.4.9.3') + +RQ_SRS_006_RBAC_Role_Drop_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Role.Drop.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `DROP ROLE` statement\n' + '\n' + '``` sql\n' + 'DROP ROLE [IF EXISTS] name [,...] [ON CLUSTER cluster_name]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.4.9.4') + +RQ_SRS_006_RBAC_Role_ShowCreate = Requirement( + name='RQ.SRS-006.RBAC.Role.ShowCreate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support viewing the settings for a role upon creation with the `SHOW CREATE ROLE`\n' + 'statement.\n' + '\n' + ), + link=None, + level=4, + num='5.4.10.1') + +RQ_SRS_006_RBAC_Role_ShowCreate_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Role.ShowCreate.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `SHOW CREATE ROLE` command.\n' + '\n' + '```sql\n' + 'SHOW CREATE ROLE name\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.4.10.2') + +RQ_SRS_006_RBAC_PartialRevokes = Requirement( + name='RQ.SRS-006.RBAC.PartialRevokes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support partial revoking of privileges granted\n' + 'to a **user** or a **role**.\n' + '\n' + ), + link=None, + level=3, + num='5.5.1') + +RQ_SRS_006_RBAC_PartialRevoke_Syntax = Requirement( + name='RQ.SRS-006.RBAC.PartialRevoke.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support partial revokes by using `partial_revokes` variable\n' + 'that can be set or unset using the following syntax.\n' + '\n' + 'To disable partial revokes the `partial_revokes` variable SHALL be set to `0`\n' + '\n' + '```sql\n' + 'SET partial_revokes = 0\n' + '```\n' + '\n' + 'To enable partial revokes the `partial revokes` variable SHALL be set to `1`\n' + '\n' + '```sql\n' + 'SET partial_revokes = 1\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.5.2') + +RQ_SRS_006_RBAC_SettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creation and manipulation of **settings profiles**\n' + 'that can include value definition for one or more variables and can\n' + 'can be assigned to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=3, + num='5.6.1') + +RQ_SRS_006_RBAC_SettingsProfile_Constraints = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Constraints', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning min, max and read-only constraints\n' + 'for the variables specified in the **settings profile**.\n' + '\n' + ), + link=None, + level=3, + num='5.6.2') + +RQ_SRS_006_RBAC_SettingsProfile_Create = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating settings profile using the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.1') + +RQ_SRS_006_RBAC_SettingsProfile_Create_IfNotExists = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE SETTINGS PROFILE` statement\n' + 'to skip raising an exception if a settings profile with the same **name** already exists.\n' + 'If `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' + 'a settings profile with the same **name** already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.2') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Replace = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Replace', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE SETTINGS PROFILE` statement\n' + 'to replace existing settings profile if it already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.3') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Variables = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning values and constraints to one or more\n' + 'variables in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.4') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Value = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning variable value in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.5') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting `MIN`, `MAX`, `READONLY`, and `WRITABLE`\n' + 'constraints for the variables in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.6') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning settings profile to one or more users\n' + 'or roles in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.7') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning settings profile to no users or roles using\n' + '`TO NONE` clause in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.8') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning settings profile to all current users and roles\n' + 'using `TO ALL` clause in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.9') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment to one or more users or roles using\n' + 'the `ALL EXCEPT` clause in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.10') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support inheriting profile settings from indicated profile using\n' + 'the `INHERIT` clause in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.11') + +RQ_SRS_006_RBAC_SettingsProfile_Create_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying what cluster to create settings profile on\n' + 'using `ON CLUSTER` clause in the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.12') + +RQ_SRS_006_RBAC_SettingsProfile_Create_Syntax = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `CREATE SETTINGS PROFILE` statement.\n' + '\n' + '``` sql\n' + 'CREATE SETTINGS PROFILE [IF NOT EXISTS | OR REPLACE] name\n' + ' [ON CLUSTER cluster_name]\n' + " [SET varname [= value] [MIN min] [MAX max] [READONLY|WRITABLE] | [INHERIT 'profile_name'] [,...]]\n" + ' [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.6.3.13') + +RQ_SRS_006_RBAC_SettingsProfile_Alter = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering settings profile using the `ALTER STETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.1') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER SETTINGS PROFILE` statement\n' + 'to not raise exception if a settings profile does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a settings profile does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.2') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support renaming settings profile using the `RANAME TO` clause\n' + 'in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.3') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering values and constraints of one or more\n' + 'variables in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.4') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering value of the variable in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.5') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering `MIN`, `MAX`, `READONLY`, and `WRITABLE`\n' + 'constraints for the variables in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.6') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning settings profile to one or more users\n' + 'or roles using the `TO` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.7') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning settings profile to no users or roles using the\n' + '`TO NONE` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.8') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning settings profile to all current users and roles\n' + 'using the `TO ALL` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.9') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment to one or more users or roles using\n' + 'the `TO ALL EXCEPT` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.10') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_Inherit = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the settings profile by inheriting settings from\n' + 'specified profile using `INHERIT` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.11') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the settings profile on a specified cluster using\n' + '`ON CLUSTER` clause in the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.12') + +RQ_SRS_006_RBAC_SettingsProfile_Alter_Syntax = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `ALTER SETTINGS PROFILE` statement.\n' + '\n' + '``` sql\n' + 'ALTER SETTINGS PROFILE [IF EXISTS] name\n' + ' [ON CLUSTER cluster_name]\n' + ' [RENAME TO new_name]\n' + " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | INHERIT 'profile_name'] [,...]\n" + ' [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]]}\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.6.4.13') + +RQ_SRS_006_RBAC_SettingsProfile_Drop = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing one or more settings profiles using the `DROP SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.5.1') + +RQ_SRS_006_RBAC_SettingsProfile_Drop_IfExists = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP SETTINGS PROFILE` statement\n' + 'to skip raising an exception if the settings profile does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if a settings profile does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.6.5.2') + +RQ_SRS_006_RBAC_SettingsProfile_Drop_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support dropping one or more settings profiles on specified cluster using\n' + '`ON CLUSTER` clause in the `DROP SETTINGS PROFILE` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.6.5.3') + +RQ_SRS_006_RBAC_SettingsProfile_Drop_Syntax = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `DROP SETTINGS PROFILE` statement\n' + '\n' + '``` sql\n' + 'DROP SETTINGS PROFILE [IF EXISTS] name [,name,...]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.6.5.4') + +RQ_SRS_006_RBAC_SettingsProfile_ShowCreateSettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE SETTINGS PROFILE` statement used to create the settings profile\n' + 'using the `SHOW CREATE SETTINGS PROFILE` statement with the following syntax\n' + '\n' + '``` sql\n' + 'SHOW CREATE SETTINGS PROFILE name\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.6.6.1') + +RQ_SRS_006_RBAC_Quotas = Requirement( + name='RQ.SRS-006.RBAC.Quotas', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creation and manipulation of **quotas**\n' + 'that can be used to limit resource usage by a **user** or a **role**\n' + 'over a period of time.\n' + '\n' + ), + link=None, + level=3, + num='5.7.1') + +RQ_SRS_006_RBAC_Quotas_Keyed = Requirement( + name='RQ.SRS-006.RBAC.Quotas.Keyed', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating **quotas** that are keyed\n' + 'so that a quota is tracked separately for each key value.\n' + '\n' + ), + link=None, + level=3, + num='5.7.2') + +RQ_SRS_006_RBAC_Quotas_Queries = Requirement( + name='RQ.SRS-006.RBAC.Quotas.Queries', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests.\n' + '\n' + ), + link=None, + level=3, + num='5.7.3') + +RQ_SRS_006_RBAC_Quotas_Errors = Requirement( + name='RQ.SRS-006.RBAC.Quotas.Errors', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception.\n' + '\n' + ), + link=None, + level=3, + num='5.7.4') + +RQ_SRS_006_RBAC_Quotas_ResultRows = Requirement( + name='RQ.SRS-006.RBAC.Quotas.ResultRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **result rows** quota to limit the\n' + 'the total number of rows given as the result.\n' + '\n' + ), + link=None, + level=3, + num='5.7.5') + +RQ_SRS_006_RBAC_Quotas_ReadRows = Requirement( + name='RQ.SRS-006.RBAC.Quotas.ReadRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **read rows** quota to limit the total\n' + 'number of source rows read from tables for running the query on all remote servers.\n' + '\n' + ), + link=None, + level=3, + num='5.7.6') + +RQ_SRS_006_RBAC_Quotas_ResultBytes = Requirement( + name='RQ.SRS-006.RBAC.Quotas.ResultBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **result bytes** quota to limit the total number\n' + 'of bytes that can be returned as the result.\n' + '\n' + ), + link=None, + level=3, + num='5.7.7') + +RQ_SRS_006_RBAC_Quotas_ReadBytes = Requirement( + name='RQ.SRS-006.RBAC.Quotas.ReadBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **read bytes** quota to limit the total number\n' + 'of source bytes read from tables for running the query on all remote servers.\n' + '\n' + ), + link=None, + level=3, + num='5.7.8') + +RQ_SRS_006_RBAC_Quotas_ExecutionTime = Requirement( + name='RQ.SRS-006.RBAC.Quotas.ExecutionTime', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting **execution time** quota to limit the maximum\n' + 'query execution time.\n' + '\n' + ), + link=None, + level=3, + num='5.7.9') + +RQ_SRS_006_RBAC_Quota_Create = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating quotas using the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.1') + +RQ_SRS_006_RBAC_Quota_Create_IfNotExists = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.IfNotExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE QUOTA` statement\n' + 'to skip raising an exception if a quota with the same **name** already exists.\n' + 'If `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' + 'a quota with the same **name** already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.2') + +RQ_SRS_006_RBAC_Quota_Create_Replace = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Replace', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE QUOTA` statement\n' + 'to replace existing quota if it already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.3') + +RQ_SRS_006_RBAC_Quota_Create_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating quotas on a specific cluster with the\n' + '`ON CLUSTER` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.4') + +RQ_SRS_006_RBAC_Quota_Create_Interval = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Interval', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support defining the quota interval that specifies\n' + 'a period of time over for which the quota SHALL apply using the\n' + '`FOR INTERVAL` clause in the `CREATE QUOTA` statement.\n' + '\n' + 'This statement SHALL also support a number and a time period which will be one\n' + 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' + '\n' + '`FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number\n' + 'to define the interval.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.5') + +RQ_SRS_006_RBAC_Quota_Create_Interval_Randomized = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support defining the quota randomized interval that specifies\n' + 'a period of time over for which the quota SHALL apply using the\n' + '`FOR RANDOMIZED INTERVAL` clause in the `CREATE QUOTA` statement.\n' + '\n' + 'This statement SHALL also support a number and a time period which will be one\n' + 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' + '\n' + '`FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some\n' + 'real number to define the interval.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.6') + +RQ_SRS_006_RBAC_Quota_Create_Queries = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Queries', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting number of requests over a period of time\n' + 'using the `QUERIES` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.7') + +RQ_SRS_006_RBAC_Quota_Create_Errors = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Errors', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting number of queries that threw an exception\n' + 'using the `ERRORS` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.8') + +RQ_SRS_006_RBAC_Quota_Create_ResultRows = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.ResultRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the total number of rows given as the result\n' + 'using the `RESULT ROWS` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.9') + +RQ_SRS_006_RBAC_Quota_Create_ReadRows = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.ReadRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the total number of source rows read from tables\n' + 'for running the query on all remote servers\n' + 'using the `READ ROWS` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.10') + +RQ_SRS_006_RBAC_Quota_Create_ResultBytes = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.ResultBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the total number of bytes that can be returned as the result\n' + 'using the `RESULT BYTES` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.11') + +RQ_SRS_006_RBAC_Quota_Create_ReadBytes = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.ReadBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the total number of source bytes read from tables\n' + 'for running the query on all remote servers\n' + 'using the `READ BYTES` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.12') + +RQ_SRS_006_RBAC_Quota_Create_ExecutionTime = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.ExecutionTime', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the maximum query execution time\n' + 'using the `EXECUTION TIME` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.13') + +RQ_SRS_006_RBAC_Quota_Create_NoLimits = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.NoLimits', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the maximum query execution time\n' + 'using the `NO LIMITS` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.14') + +RQ_SRS_006_RBAC_Quota_Create_TrackingOnly = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.TrackingOnly', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the maximum query execution time\n' + 'using the `TRACKING ONLY` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.15') + +RQ_SRS_006_RBAC_Quota_Create_KeyedBy = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.KeyedBy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support to track quota for some key\n' + 'following the `KEYED BY` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.16') + +RQ_SRS_006_RBAC_Quota_Create_KeyedByOptions = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support to track quota separately for some parameter\n' + "using the `KEYED BY 'parameter'` clause in the `CREATE QUOTA` statement.\n" + '\n' + "'parameter' can be one of:\n" + "`{'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}`\n" + '\n' + ), + link=None, + level=4, + num='5.7.10.17') + +RQ_SRS_006_RBAC_Quota_Create_Assignment = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning quota to one or more users\n' + 'or roles using the `TO` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.18') + +RQ_SRS_006_RBAC_Quota_Create_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning quota to no users or roles using\n' + '`TO NONE` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.19') + +RQ_SRS_006_RBAC_Quota_Create_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning quota to all current users and roles\n' + 'using `TO ALL` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.20') + +RQ_SRS_006_RBAC_Quota_Create_Assignment_Except = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Assignment.Except', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment of quota to one or more users or roles using\n' + 'the `EXCEPT` clause in the `CREATE QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.21') + +RQ_SRS_006_RBAC_Quota_Create_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Quota.Create.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `CREATE QUOTA` statement\n' + '\n' + '```sql\n' + 'CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]\n' + " [KEYED BY {'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}]\n" + ' [FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}\n' + ' {MAX { {QUERIES | ERRORS | RESULT ROWS | RESULT BYTES | READ ROWS | READ BYTES | EXECUTION TIME} = number } [,...] |\n' + ' NO LIMITS | TRACKING ONLY} [,...]]\n' + ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.10.22') + +RQ_SRS_006_RBAC_Quota_Alter = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering quotas using the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.1') + +RQ_SRS_006_RBAC_Quota_Alter_IfExists = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER QUOTA` statement\n' + 'to skip raising an exception if a quota does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be raised if\n' + 'a quota does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.2') + +RQ_SRS_006_RBAC_Quota_Alter_Rename = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Rename', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `RENAME TO` clause in the `ALTER QUOTA` statement\n' + 'to rename the quota to the specified name.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.3') + +RQ_SRS_006_RBAC_Quota_Alter_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering quotas on a specific cluster with the\n' + '`ON CLUSTER` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.4') + +RQ_SRS_006_RBAC_Quota_Alter_Interval = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Interval', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support redefining the quota interval that specifies\n' + 'a period of time over for which the quota SHALL apply using the\n' + '`FOR INTERVAL` clause in the `ALTER QUOTA` statement.\n' + '\n' + 'This statement SHALL also support a number and a time period which will be one\n' + 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' + '\n' + '`FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number\n' + 'to define the interval.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.5') + +RQ_SRS_006_RBAC_Quota_Alter_Interval_Randomized = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support redefining the quota randomized interval that specifies\n' + 'a period of time over for which the quota SHALL apply using the\n' + '`FOR RANDOMIZED INTERVAL` clause in the `ALTER QUOTA` statement.\n' + '\n' + 'This statement SHALL also support a number and a time period which will be one\n' + 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' + '\n' + '`FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some\n' + 'real number to define the interval.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.6') + +RQ_SRS_006_RBAC_Quota_Alter_Queries = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Queries', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of number of requests over a period of time\n' + 'using the `QUERIES` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.7') + +RQ_SRS_006_RBAC_Quota_Alter_Errors = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Errors', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of number of queries that threw an exception\n' + 'using the `ERRORS` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.8') + +RQ_SRS_006_RBAC_Quota_Alter_ResultRows = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.ResultRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of the total number of rows given as the result\n' + 'using the `RESULT ROWS` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.9') + +RQ_SRS_006_RBAC_Quota_Alter_ReadRows = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.ReadRows', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of the total number of source rows read from tables\n' + 'for running the query on all remote servers\n' + 'using the `READ ROWS` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.10') + +RQ_SRS_006_RBAC_Quota_ALter_ResultBytes = Requirement( + name='RQ.SRS-006.RBAC.Quota.ALter.ResultBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of the total number of bytes that can be returned as the result\n' + 'using the `RESULT BYTES` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.11') + +RQ_SRS_006_RBAC_Quota_Alter_ReadBytes = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.ReadBytes', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of the total number of source bytes read from tables\n' + 'for running the query on all remote servers\n' + 'using the `READ BYTES` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.12') + +RQ_SRS_006_RBAC_Quota_Alter_ExecutionTime = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering the limit of the maximum query execution time\n' + 'using the `EXECUTION TIME` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.13') + +RQ_SRS_006_RBAC_Quota_Alter_NoLimits = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.NoLimits', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the maximum query execution time\n' + 'using the `NO LIMITS` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.14') + +RQ_SRS_006_RBAC_Quota_Alter_TrackingOnly = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support limiting the maximum query execution time\n' + 'using the `TRACKING ONLY` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.15') + +RQ_SRS_006_RBAC_Quota_Alter_KeyedBy = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.KeyedBy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering quota to track quota separately for some key\n' + 'following the `KEYED BY` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.16') + +RQ_SRS_006_RBAC_Quota_Alter_KeyedByOptions = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering quota to track quota separately for some parameter\n' + "using the `KEYED BY 'parameter'` clause in the `ALTER QUOTA` statement.\n" + '\n' + "'parameter' can be one of:\n" + "`{'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}`\n" + '\n' + ), + link=None, + level=4, + num='5.7.11.17') + +RQ_SRS_006_RBAC_Quota_Alter_Assignment = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning quota to one or more users\n' + 'or roles using the `TO` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.18') + +RQ_SRS_006_RBAC_Quota_Alter_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning quota to no users or roles using\n' + '`TO NONE` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.19') + +RQ_SRS_006_RBAC_Quota_Alter_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning quota to all current users and roles\n' + 'using `TO ALL` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.20') + +RQ_SRS_006_RBAC_Quota_Alter_Assignment_Except = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment of quota to one or more users or roles using\n' + 'the `EXCEPT` clause in the `ALTER QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.21') + +RQ_SRS_006_RBAC_Quota_Alter_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Quota.Alter.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `ALTER QUOTA` statement\n' + '\n' + '``` sql\n' + 'ALTER QUOTA [IF EXIST] name\n' + ' {{{QUERIES | ERRORS | RESULT ROWS | READ ROWS | RESULT BYTES | READ BYTES | EXECUTION TIME} number} [, ...] FOR INTERVAL number time_unit} [, ...]\n' + ' [KEYED BY USERNAME | KEYED BY IP | NOT KEYED] [ALLOW CUSTOM KEY | DISALLOW CUSTOM KEY]\n' + ' [TO {user_or_role [,...] | NONE | ALL} [EXCEPT user_or_role [,...]]]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.11.22') + +RQ_SRS_006_RBAC_Quota_Drop = Requirement( + name='RQ.SRS-006.RBAC.Quota.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing one or more quotas using the `DROP QUOTA` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.7.12.1') + +RQ_SRS_006_RBAC_Quota_Drop_IfExists = Requirement( + name='RQ.SRS-006.RBAC.Quota.Drop.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP QUOTA` statement\n' + 'to skip raising an exception when the quota does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if the quota does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.7.12.2') + +RQ_SRS_006_RBAC_Quota_Drop_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Quota.Drop.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP QUOTA` statement\n' + 'to indicate the cluster the quota to be dropped is located on.\n' + '\n' + ), + link=None, + level=4, + num='5.7.12.3') + +RQ_SRS_006_RBAC_Quota_Drop_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Quota.Drop.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `DROP QUOTA` statement\n' + '\n' + '``` sql\n' + 'DROP QUOTA [IF EXISTS] name [,name...]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.12.4') + +RQ_SRS_006_RBAC_Quota_ShowQuotas = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowQuotas', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing all of the current quotas\n' + 'using the `SHOW QUOTAS` statement with the following syntax\n' + '\n' + ), + link=None, + level=4, + num='5.7.13.1') + +RQ_SRS_006_RBAC_Quota_ShowQuotas_IntoOutfile = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `INTO OUTFILE` clause in the `SHOW QUOTAS` statement to define an outfile by some given string literal.\n' + '\n' + ), + link=None, + level=4, + num='5.7.13.2') + +RQ_SRS_006_RBAC_Quota_ShowQuotas_Format = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Format', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `FORMAT` clause in the `SHOW QUOTAS` statement to define a format for the output quota list.\n' + '\n' + 'The types of valid formats are many, listed in output column:\n' + 'https://clickhouse.tech/docs/en/interfaces/formats/\n' + '\n' + ), + link=None, + level=4, + num='5.7.13.3') + +RQ_SRS_006_RBAC_Quota_ShowQuotas_Settings = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `SETTINGS` clause in the `SHOW QUOTAS` statement to define settings in the showing of all quotas.\n' + '\n' + ), + link=None, + level=4, + num='5.7.13.4') + +RQ_SRS_006_RBAC_Quota_ShowQuotas_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using the `SHOW QUOTAS` statement\n' + 'with the following syntax\n' + '``` sql\n' + 'SHOW QUOTAS\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.13.5') + +RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Name = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE QUOTA` statement used to create the quota with some given name\n' + 'using the `SHOW CREATE QUOTA` statement with the following syntax\n' + '\n' + '``` sql\n' + 'SHOW CREATE QUOTA name\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.14.1') + +RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Current = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE QUOTA` statement used to create the CURRENT quota\n' + 'using the `SHOW CREATE QUOTA CURRENT` statement or the shorthand form\n' + '`SHOW CREATE QUOTA`\n' + '\n' + ), + link=None, + level=4, + num='5.7.14.2') + +RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax when\n' + 'using the `SHOW CREATE QUOTA` statement.\n' + '\n' + '```sql\n' + 'SHOW CREATE QUOTA [name | CURRENT]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.7.14.3') + +RQ_SRS_006_RBAC_RowPolicy = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creation and manipulation of table **row policies**\n' + 'that can be used to limit access to the table contents for a **user** or a **role**\n' + 'using a specified **condition**.\n' + '\n' + ), + link=None, + level=3, + num='5.8.1') + +RQ_SRS_006_RBAC_RowPolicy_Condition = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Condition', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support row policy **conditions** that can be any SQL\n' + 'expression that returns a boolean.\n' + '\n' + ), + link=None, + level=3, + num='5.8.2') + +RQ_SRS_006_RBAC_RowPolicy_Restriction = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Restriction', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL restrict all access to a table when a row policy with a condition is created on that table.\n' + 'All users require a permissive row policy in order to view the table.\n' + '\n' + ), + link=None, + level=3, + num='5.8.3') + +RQ_SRS_006_RBAC_RowPolicy_Nesting = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Nesting', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL restrict rows of tables or views created on top of a table with row policies according to those policies.\n' + '\n' + ), + link=None, + level=3, + num='5.8.4') + +RQ_SRS_006_RBAC_RowPolicy_Create = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support creating row policy using the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.1') + +RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE ROW POLICY` statement\n' + 'to skip raising an exception if a row policy with the same **name** already exists.\n' + 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' + 'a row policy with the same **name** already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.2') + +RQ_SRS_006_RBAC_RowPolicy_Create_Replace = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Replace', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE ROW POLICY` statement\n' + 'to replace existing row policy if it already exists.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.3') + +RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying cluster on which to create the role policy\n' + 'using the `ON CLUSTER` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.4') + +RQ_SRS_006_RBAC_RowPolicy_Create_On = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying table on which to create the role policy\n' + 'using the `ON` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.5') + +RQ_SRS_006_RBAC_RowPolicy_Create_Access = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Access', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support allowing or restricting access to rows using the\n' + '`AS` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.6') + +RQ_SRS_006_RBAC_RowPolicy_Create_Access_Permissive = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support allowing access to rows using the\n' + '`AS PERMISSIVE` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.7') + +RQ_SRS_006_RBAC_RowPolicy_Create_Access_Restrictive = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support restricting access to rows using the\n' + '`AS RESTRICTIVE` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.8') + +RQ_SRS_006_RBAC_RowPolicy_Create_ForSelect = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying which rows are affected\n' + 'using the `FOR SELECT` clause in the `CREATE ROW POLICY` statement.\n' + 'REQUIRES CONDITION.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.9') + +RQ_SRS_006_RBAC_RowPolicy_Create_Condition = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Condition', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying a condition that\n' + 'that can be any SQL expression which returns a boolean using the `USING`\n' + 'clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.10') + +RQ_SRS_006_RBAC_RowPolicy_Create_Assignment = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning row policy to one or more users\n' + 'or roles using the `TO` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.11') + +RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning row policy to no users or roles using\n' + 'the `TO NONE` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.12') + +RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support assigning row policy to all current users and roles\n' + 'using `TO ALL` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.13') + +RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment of row policy to one or more users or roles using\n' + 'the `ALL EXCEPT` clause in the `CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.14') + +RQ_SRS_006_RBAC_RowPolicy_Create_Syntax = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Create.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `CRETE ROW POLICY` statement\n' + '\n' + '``` sql\n' + 'CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name [ON CLUSTER cluster_name] ON [db.]table\n' + ' [AS {PERMISSIVE | RESTRICTIVE}]\n' + ' [FOR SELECT]\n' + ' [USING condition]\n' + ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.8.5.15') + +RQ_SRS_006_RBAC_RowPolicy_Alter = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering row policy using the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.1') + +RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `IF EXISTS` clause in the `ALTER ROW POLICY` statement\n' + 'to skip raising an exception if a row policy does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be raised if\n' + 'a row policy does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.2') + +RQ_SRS_006_RBAC_RowPolicy_Alter_ForSelect = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support modifying rows on which to apply the row policy\n' + 'using the `FOR SELECT` clause in the `ALTER ROW POLICY` statement.\n' + 'REQUIRES FUNCTION CONFIRMATION.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.3') + +RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying cluster on which to alter the row policy\n' + 'using the `ON CLUSTER` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.4') + +RQ_SRS_006_RBAC_RowPolicy_Alter_On = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying table on which to alter the row policy\n' + 'using the `ON` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.5') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Rename = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Rename', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support renaming the row policy using the `RENAME` clause\n' + 'in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.6') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Access = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support altering access to rows using the\n' + '`AS` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.7') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Permissive = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support permitting access to rows using the\n' + '`AS PERMISSIVE` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.8') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Restrictive = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support restricting access to rows using the\n' + '`AS RESTRICTIVE` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.9') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Condition = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support re-specifying the row policy condition\n' + 'using the `USING` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.10') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Condition_None = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing the row policy condition\n' + 'using the `USING NONE` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.11') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning row policy to one or more users\n' + 'or roles using the `TO` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.12') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_None = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning row policy to no users or roles using\n' + 'the `TO NONE` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.13') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_All = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support reassigning row policy to all current users and roles\n' + 'using the `TO ALL` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.14') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support excluding assignment of row policy to one or more users or roles using\n' + 'the `ALL EXCEPT` clause in the `ALTER ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.15') + +RQ_SRS_006_RBAC_RowPolicy_Alter_Syntax = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `ALTER ROW POLICY` statement\n' + '\n' + '``` sql\n' + 'ALTER [ROW] POLICY [IF EXISTS] name [ON CLUSTER cluster_name] ON [database.]table\n' + ' [RENAME TO new_name]\n' + ' [AS {PERMISSIVE | RESTRICTIVE}]\n' + ' [FOR SELECT]\n' + ' [USING {condition | NONE}][,...]\n' + ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.8.6.16') + +RQ_SRS_006_RBAC_RowPolicy_Drop = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing one or more row policies using the `DROP ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.7.1') + +RQ_SRS_006_RBAC_RowPolicy_Drop_IfExists = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support using the `IF EXISTS` clause in the `DROP ROW POLICY` statement\n' + 'to skip raising an exception when the row policy does not exist.\n' + 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' + 'raised if the row policy does not exist.\n' + '\n' + ), + link=None, + level=4, + num='5.8.7.2') + +RQ_SRS_006_RBAC_RowPolicy_Drop_On = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Drop.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing row policy from one or more specified tables\n' + 'using the `ON` clause in the `DROP ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.7.3') + +RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing row policy from specified cluster\n' + 'using the `ON CLUSTER` clause in the `DROP ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.7.4') + +RQ_SRS_006_RBAC_RowPolicy_Drop_Syntax = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `DROP ROW POLICY` statement.\n' + '\n' + '``` sql\n' + 'DROP [ROW] POLICY [IF EXISTS] name [,...] ON [database.]table [,...] [ON CLUSTER cluster_name]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.8.7.5') + +RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing the `CREATE ROW POLICY` statement used to create the row policy\n' + 'using the `SHOW CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.1') + +RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_On = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing statement used to create row policy on specific table\n' + 'using the `ON` in the `SHOW CREATE ROW POLICY` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.2') + +RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_Syntax = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for `SHOW CREATE ROW POLICY`.\n' + '\n' + '``` sql\n' + 'SHOW CREATE [ROW] POLICY name ON [database.]table\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.3') + +RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing row policies using the `SHOW ROW POLICIES` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.4') + +RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_On = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support showing row policies on a specific table\n' + 'using the `ON` clause in the `SHOW ROW POLICIES` statement.\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.5') + +RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_Syntax = Requirement( + name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for `SHOW ROW POLICIES`.\n' + '\n' + '```sql\n' + 'SHOW [ROW] POLICIES [ON [database.]table]\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.8.8.6') + +RQ_SRS_006_RBAC_SetDefaultRole = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting or changing granted roles to default for one or more\n' + 'users using `SET DEFAULT ROLE` statement which\n' + 'SHALL permanently change the default roles for the user or users if successful.\n' + '\n' + ), + link=None, + level=3, + num='5.9.1') + +RQ_SRS_006_RBAC_SetDefaultRole_CurrentUser = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting or changing granted roles to default for\n' + 'the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.9.2') + +RQ_SRS_006_RBAC_SetDefaultRole_All = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting or changing all granted roles to default\n' + 'for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.9.3') + +RQ_SRS_006_RBAC_SetDefaultRole_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support setting or changing all granted roles except those specified\n' + 'to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.9.4') + +RQ_SRS_006_RBAC_SetDefaultRole_None = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support removing all granted roles from default\n' + 'for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.9.5') + +RQ_SRS_006_RBAC_SetDefaultRole_Syntax = Requirement( + name='RQ.SRS-006.RBAC.SetDefaultRole.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement.\n' + '\n' + '```sql\n' + 'SET DEFAULT ROLE\n' + ' {NONE | role [,...] | ALL | ALL EXCEPT role [,...]}\n' + ' TO {user|CURRENT_USER} [,...]\n' + '\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.9.6') + +RQ_SRS_006_RBAC_SetRole = Requirement( + name='RQ.SRS-006.RBAC.SetRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support activating role or roles for the current user\n' + 'using `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.10.1') + +RQ_SRS_006_RBAC_SetRole_Default = Requirement( + name='RQ.SRS-006.RBAC.SetRole.Default', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support activating default roles for the current user\n' + 'using `DEFAULT` clause in the `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.10.2') + +RQ_SRS_006_RBAC_SetRole_None = Requirement( + name='RQ.SRS-006.RBAC.SetRole.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support activating no roles for the current user\n' + 'using `NONE` clause in the `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.10.3') + +RQ_SRS_006_RBAC_SetRole_All = Requirement( + name='RQ.SRS-006.RBAC.SetRole.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support activating all roles for the current user\n' + 'using `ALL` clause in the `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.10.4') + +RQ_SRS_006_RBAC_SetRole_AllExcept = Requirement( + name='RQ.SRS-006.RBAC.SetRole.AllExcept', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support activating all roles except those specified\n' + 'for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.10.5') + +RQ_SRS_006_RBAC_SetRole_Syntax = Requirement( + name='RQ.SRS-006.RBAC.SetRole.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '```sql\n' + 'SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]}\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.10.6') + +RQ_SRS_006_RBAC_Grant_Privilege_To = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.To', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause\n' + 'in the `GRANT PRIVILEGE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.1') + +RQ_SRS_006_RBAC_Grant_Privilege_ToCurrentUser = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause\n' + 'in the `GRANT PRIVILEGE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.2') + +RQ_SRS_006_RBAC_Grant_Privilege_Select = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles\n' + 'for a database or a table using the `GRANT SELECT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.3') + +RQ_SRS_006_RBAC_Grant_Privilege_Insert = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Insert', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles\n' + 'for a database or a table using the `GRANT INSERT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.4') + +RQ_SRS_006_RBAC_Grant_Privilege_Alter = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles\n' + 'for a database or a table using the `GRANT ALTER` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.5') + +RQ_SRS_006_RBAC_Grant_Privilege_Create = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles\n' + 'using the `GRANT CREATE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.6') + +RQ_SRS_006_RBAC_Grant_Privilege_Drop = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles\n' + 'using the `GRANT DROP` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.7') + +RQ_SRS_006_RBAC_Grant_Privilege_Truncate = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Truncate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles\n' + 'for a database or a table using `GRANT TRUNCATE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.8') + +RQ_SRS_006_RBAC_Grant_Privilege_Optimize = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Optimize', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles\n' + 'for a database or a table using `GRANT OPTIMIZE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.9') + +RQ_SRS_006_RBAC_Grant_Privilege_Show = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Show', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles\n' + 'for a database or a table using `GRANT SHOW` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.10') + +RQ_SRS_006_RBAC_Grant_Privilege_KillQuery = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.KillQuery', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles\n' + 'for a database or a table using `GRANT KILL QUERY` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.11') + +RQ_SRS_006_RBAC_Grant_Privilege_AccessManagement = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles\n' + 'for a database or a table using `GRANT ACCESS MANAGEMENT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.12') + +RQ_SRS_006_RBAC_Grant_Privilege_System = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.System', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles\n' + 'for a database or a table using `GRANT SYSTEM` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.13') + +RQ_SRS_006_RBAC_Grant_Privilege_Introspection = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Introspection', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles\n' + 'for a database or a table using `GRANT INTROSPECTION` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.14') + +RQ_SRS_006_RBAC_Grant_Privilege_Sources = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Sources', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles\n' + 'for a database or a table using `GRANT SOURCES` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.15') + +RQ_SRS_006_RBAC_Grant_Privilege_DictGet = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.DictGet', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles\n' + 'for a database or a table using `GRANT dictGet` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.16') + +RQ_SRS_006_RBAC_Grant_Privilege_None = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting no privileges to one or more users or roles\n' + 'for a database or a table using `GRANT NONE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.17') + +RQ_SRS_006_RBAC_Grant_Privilege_All = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles\n' + 'using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements.\n' + '\n' + ), + link=None, + level=3, + num='5.11.18') + +RQ_SRS_006_RBAC_Grant_Privilege_GrantOption = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.GrantOption', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles\n' + 'for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.19') + +RQ_SRS_006_RBAC_Grant_Privilege_On = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement\n' + 'which SHALL allow to specify one or more tables to which the privilege SHALL\n' + 'be granted using the following patterns\n' + '\n' + '* `*.*` any table in any database\n' + '* `database.*` any table in the specified database\n' + '* `database.table` specific table in the specified database\n' + '* `*` any table in the current database\n' + '* `table` specific table in the current database\n' + '\n' + ), + link=None, + level=3, + num='5.11.20') + +RQ_SRS_006_RBAC_Grant_Privilege_PrivilegeColumns = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles\n' + 'for a database or a table using the `GRANT some_privilege(column)` statement for one column.\n' + 'Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement.\n' + 'The privileges will be granted for only the specified columns.\n' + '\n' + ), + link=None, + level=3, + num='5.11.21') + +RQ_SRS_006_RBAC_Grant_Privilege_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER`\n' + 'clause in the `GRANT PRIVILEGE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.11.22') + +RQ_SRS_006_RBAC_Grant_Privilege_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Grant.Privilege.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `GRANT` statement that\n' + 'grants explicit privileges to a user or a role.\n' + '\n' + '```sql\n' + 'GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...]\n' + ' ON {db.table|db.*|*.*|table|*}\n' + ' TO {user | role | CURRENT_USER} [,...]\n' + ' [WITH GRANT OPTION]\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.11.23') + +RQ_SRS_006_RBAC_Revoke_Privilege_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking privileges to one or more users or roles\n' + 'for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.1') + +RQ_SRS_006_RBAC_Revoke_Privilege_Select = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE SELECT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.2') + +RQ_SRS_006_RBAC_Revoke_Privilege_Insert = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Insert', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE INSERT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.3') + +RQ_SRS_006_RBAC_Revoke_Privilege_Alter = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Alter', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE ALTER` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.4') + +RQ_SRS_006_RBAC_Revoke_Privilege_Create = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles\n' + 'using the `REVOKE CREATE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.5') + +RQ_SRS_006_RBAC_Revoke_Privilege_Drop = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles\n' + 'using the `REVOKE DROP` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.6') + +RQ_SRS_006_RBAC_Revoke_Privilege_Truncate = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Truncate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE TRUNCATE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.7') + +RQ_SRS_006_RBAC_Revoke_Privilege_Optimize = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Optimize', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE OPTIMIZE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.8') + +RQ_SRS_006_RBAC_Revoke_Privilege_Show = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Show', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE SHOW` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.9') + +RQ_SRS_006_RBAC_Revoke_Privilege_KillQuery = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE KILL QUERY` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.10') + +RQ_SRS_006_RBAC_Revoke_Privilege_AccessManagement = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.11') + +RQ_SRS_006_RBAC_Revoke_Privilege_System = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.System', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE SYSTEM` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.12') + +RQ_SRS_006_RBAC_Revoke_Privilege_Introspection = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Introspection', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE INTROSPECTION` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.13') + +RQ_SRS_006_RBAC_Revoke_Privilege_Sources = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Sources', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE SOURCES` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.14') + +RQ_SRS_006_RBAC_Revoke_Privilege_DictGet = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.DictGet', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles\n' + 'for a database or a table using the `REVOKE dictGet` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.15') + +RQ_SRS_006_RBAC_Revoke_Privilege_PrivilegeColumns = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles\n' + 'for a database or a table using the `REVOKE some_privilege(column)` statement for one column.\n' + 'Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement.\n' + 'The privileges will be revoked for only the specified columns.\n' + '\n' + ), + link=None, + level=3, + num='5.12.16') + +RQ_SRS_006_RBAC_Revoke_Privilege_Multiple = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Multiple', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles\n' + 'for a database or a table using the `REVOKE privilege1, privilege2...` statement.\n' + '**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes\n' + 'SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT,\n' + 'SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges.\n' + '\n' + ), + link=None, + level=3, + num='5.12.17') + +RQ_SRS_006_RBAC_Revoke_Privilege_All = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles\n' + 'for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements.\n' + '\n' + ), + link=None, + level=3, + num='5.12.18') + +RQ_SRS_006_RBAC_Revoke_Privilege_None = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles\n' + 'for a database or a table using the `REVOKE NONE` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.12.19') + +RQ_SRS_006_RBAC_Revoke_Privilege_On = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.On', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement\n' + 'which SHALL allow to specify one or more tables to which the privilege SHALL\n' + 'be revoked using the following patterns\n' + '\n' + '* `db.table` specific table in the specified database\n' + '* `db.*` any table in the specified database\n' + '* `*.*` any table in any database\n' + '* `table` specific table in the current database\n' + '* `*` any table in the current database\n' + '\n' + ), + link=None, + level=3, + num='5.12.20') + +RQ_SRS_006_RBAC_Revoke_Privilege_From = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.From', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement\n' + 'which SHALL allow to specify one or more users to which the privilege SHALL\n' + 'be revoked using the following patterns\n' + '\n' + '* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user\n' + '* `ALL` all users\n' + '* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern\n' + '\n' + ), + link=None, + level=3, + num='5.12.21') + +RQ_SRS_006_RBAC_Revoke_Privilege_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Privilege.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that\n' + 'revokes explicit privileges of a user or a role.\n' + '\n' + '```sql\n' + 'REVOKE [ON CLUSTER cluster_name] privilege\n' + ' [(column_name [,...])] [,...]\n' + ' ON {db.table|db.*|*.*|table|*}\n' + ' FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...]\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.12.22') + +RQ_SRS_006_RBAC_Grant_Role = Requirement( + name='RQ.SRS-006.RBAC.Grant.Role', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting one or more roles to\n' + 'one or more users or roles using the `GRANT` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.13.1') + +RQ_SRS_006_RBAC_Grant_Role_CurrentUser = Requirement( + name='RQ.SRS-006.RBAC.Grant.Role.CurrentUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting one or more roles to current user using\n' + '`TO CURRENT_USER` clause in the `GRANT` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.13.2') + +RQ_SRS_006_RBAC_Grant_Role_AdminOption = Requirement( + name='RQ.SRS-006.RBAC.Grant.Role.AdminOption', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting `admin option` privilege\n' + 'to one or more users or roles using the `WITH ADMIN OPTION` clause\n' + 'in the `GRANT` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.13.3') + +RQ_SRS_006_RBAC_Grant_Role_OnCluster = Requirement( + name='RQ.SRS-006.RBAC.Grant.Role.OnCluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles\n' + 'using `ON CLUSTER` clause in the `GRANT` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.13.4') + +RQ_SRS_006_RBAC_Grant_Role_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Grant.Role.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for `GRANT` role statement\n' + '\n' + '``` sql\n' + 'GRANT\n' + ' ON CLUSTER cluster_name\n' + ' role [, role ...]\n' + ' TO {user | role | CURRENT_USER} [,...]\n' + ' [WITH ADMIN OPTION]\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.13.5') + +RQ_SRS_006_RBAC_Revoke_Role = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Role', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking one or more roles from\n' + 'one or more users or roles using the `REVOKE` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.14.1') + +RQ_SRS_006_RBAC_Revoke_Role_Keywords = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Role.Keywords', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking one or more roles from\n' + 'special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`,\n' + 'and `CURRENT_USER` keywords.\n' + '\n' + ), + link=None, + level=3, + num='5.14.2') + +RQ_SRS_006_RBAC_Revoke_Role_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Role.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking one or more roles from\n' + 'one or more users or roles from one or more clusters\n' + 'using the `REVOKE ON CLUSTER` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.14.3') + +RQ_SRS_006_RBAC_Revoke_AdminOption = Requirement( + name='RQ.SRS-006.RBAC.Revoke.AdminOption', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking `admin option` privilege\n' + 'in one or more users or roles using the `ADMIN OPTION FOR` clause\n' + 'in the `REVOKE` role statement.\n' + '\n' + ), + link=None, + level=3, + num='5.14.4') + +RQ_SRS_006_RBAC_Revoke_Role_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Revoke.Role.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement\n' + '\n' + '```sql\n' + 'REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR]\n' + ' role [,...]\n' + ' FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...]\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.14.5') + +RQ_SRS_006_RBAC_Show_Grants = Requirement( + name='RQ.SRS-006.RBAC.Show.Grants', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support listing all the privileges granted to current user and role\n' + 'using the `SHOW GRANTS` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.15.1') + +RQ_SRS_006_RBAC_Show_Grants_For = Requirement( + name='RQ.SRS-006.RBAC.Show.Grants.For', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support listing all the privileges granted to a user or a role\n' + 'using the `FOR` clause in the `SHOW GRANTS` statement.\n' + '\n' + ), + link=None, + level=3, + num='5.15.2') + +RQ_SRS_006_RBAC_Show_Grants_Syntax = Requirement( + name='RQ.SRS-006.RBAC.Show.Grants.Syntax', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement\n' + '\n' + '``` sql\n' + 'SHOW GRANTS [FOR user_or_role]\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.15.3') + +RQ_SRS_006_RBAC_Table_PublicTables = Requirement( + name='RQ.SRS-006.RBAC.Table.PublicTables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support that a user without any privileges will be able to access the following tables\n' + '\n' + '* system.one\n' + '* system.numbers\n' + '* system.contributors\n' + '* system.functions\n' + '\n' + ), + link=None, + level=3, + num='5.16.1') + +RQ_SRS_006_RBAC_Table_SensitiveTables = Requirement( + name='RQ.SRS-006.RBAC.Table.SensitiveTables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL not support a user with no privileges accessing the following `system` tables:\n' + '\n' + '* processes\n' + '* query_log\n' + '* query_thread_log\n' + '* clusters\n' + '* events\n' + '* graphite_retentions\n' + '* stack_trace\n' + '* trace_log\n' + '* user_directories\n' + '* zookeeper\n' + '* macros\n' + '\n' + ), + link=None, + level=3, + num='5.16.2') + +RQ_SRS_006_RBAC_DistributedTable_Create = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully `CREATE` a distributed table if and only if\n' + 'the user has **create table** privilege on the table and **remote** privilege on *.*\n' + '\n' + ), + link=None, + level=3, + num='5.17.1') + +RQ_SRS_006_RBAC_DistributedTable_Select = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully `SELECT` from a distributed table if and only if\n' + 'the user has **select** privilege on the table and on the remote table specified in the `CREATE` query of the distributed table.\n' + '\n' + 'Does not require **select** privilege for the remote table if the remote table does not exist on the same server as the user.\n' + '\n' + ), + link=None, + level=3, + num='5.17.2') + +RQ_SRS_006_RBAC_DistributedTable_Insert = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.Insert', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully `INSERT` into a distributed table if and only if\n' + 'the user has **insert** privilege on the table and on the remote table specified in the `CREATE` query of the distributed table.\n' + '\n' + 'Does not require **insert** privilege for the remote table if the remote table does not exist on the same server as the user,\n' + 'insert executes into the remote table on a different server.\n' + '\n' + ), + link=None, + level=3, + num='5.17.3') + +RQ_SRS_006_RBAC_DistributedTable_SpecialTables = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.SpecialTables', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute a query using a distributed table that uses one of the special tables if and only if\n' + 'the user has the necessary privileges to interact with that special table, either granted directly or through a role.\n' + 'Special tables include:\n' + '* materialized view\n' + '* distributed table\n' + '* source table of a materialized view\n' + '\n' + ), + link=None, + level=3, + num='5.17.4') + +RQ_SRS_006_RBAC_DistributedTable_LocalUser = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.LocalUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute a query using a distributed table from\n' + 'a user present locally, but not remotely.\n' + '\n' + ), + link=None, + level=3, + num='5.17.5') + +RQ_SRS_006_RBAC_DistributedTable_SameUserDifferentNodesDifferentPrivileges = Requirement( + name='RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute a query using a distributed table by a user that exists on multiple nodes\n' + 'if and only if the user has the required privileges on the node the query is being executed from.\n' + '\n' + ), + link=None, + level=3, + num='5.17.6') + +RQ_SRS_006_RBAC_View = Requirement( + name='RQ.SRS-006.RBAC.View', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to **create**, **select** and **drop**\n' + 'privileges for a view for users or roles.\n' + '\n' + ), + link=None, + level=4, + num='5.18.1.1') + +RQ_SRS_006_RBAC_View_Create = Requirement( + name='RQ.SRS-006.RBAC.View.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `CREATE VIEW` command if and only if\n' + 'the user has **create view** privilege either explicitly or through roles.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE VIEW view AS SELECT * FROM source_table\n' + 'CREATE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.1.2') + +RQ_SRS_006_RBAC_View_Select = Requirement( + name='RQ.SRS-006.RBAC.View.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully `SELECT` from a view if and only if\n' + 'the user has **select** privilege for that view either explicitly or through a role.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE VIEW view AS SELECT * FROM source_table\n' + 'CREATE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '\n' + 'SELECT * FROM view\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.1.3') + +RQ_SRS_006_RBAC_View_Drop = Requirement( + name='RQ.SRS-006.RBAC.View.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' + 'the user has **drop view** privilege on that view either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.1.4') + +RQ_SRS_006_RBAC_MaterializedView = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop**\n' + 'privileges for a materialized view for users or roles.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.1') + +RQ_SRS_006_RBAC_MaterializedView_Create = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `CREATE MATERIALIZED VIEW` command if and only if\n' + 'the user has **create view** privilege either explicitly or through roles.\n' + '\n' + 'If `POPULATE` is specified, the user must have `INSERT` privilege on the view,\n' + 'either explicitly or through roles.\n' + 'For example,\n' + '```sql\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory POPULATE AS SELECT * FROM source_table\n' + '```\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM source_table\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '```\n' + '\n' + 'If the materialized view has a target table explicitly declared in the `TO` clause, the user must have\n' + '**insert** and **select** privilege on the target table.\n' + 'For example,\n' + '```sql\n' + 'CREATE MATERIALIZED VIEW view TO target_table AS SELECT * FROM source_table\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.2') + +RQ_SRS_006_RBAC_MaterializedView_Select = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully `SELECT` from a materialized view if and only if\n' + 'the user has **select** privilege for that view either explicitly or through a role.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM source_table\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '\n' + 'SELECT * FROM view\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.3') + +RQ_SRS_006_RBAC_MaterializedView_Select_TargetTable = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully `SELECT` from the target table, implicit or explicit, of a materialized view if and only if\n' + 'the user has `SELECT` privilege for the table, either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.4') + +RQ_SRS_006_RBAC_MaterializedView_Select_SourceTable = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully `SELECT` from the source table of a materialized view if and only if\n' + 'the user has `SELECT` privilege for the table, either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.5') + +RQ_SRS_006_RBAC_MaterializedView_Drop = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' + 'the user has **drop view** privilege on that view either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.6') + +RQ_SRS_006_RBAC_MaterializedView_ModifyQuery = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.ModifyQuery', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `MODIFY QUERY` command if and only if\n' + 'the user has **modify query** privilege on that view either explicitly or through a role.\n' + '\n' + 'If the new query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'ALTER TABLE view MODIFY QUERY SELECT * FROM source_table\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.7') + +RQ_SRS_006_RBAC_MaterializedView_Insert = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Insert', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only succesfully `INSERT` into a materialized view if and only if\n' + 'the user has `INSERT` privilege on the view, either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.8') + +RQ_SRS_006_RBAC_MaterializedView_Insert_SourceTable = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only succesfully `INSERT` into a source table of a materialized view if and only if\n' + 'the user has `INSERT` privilege on the source table, either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.9') + +RQ_SRS_006_RBAC_MaterializedView_Insert_TargetTable = Requirement( + name='RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only succesfully `INSERT` into a target table of a materialized view if and only if\n' + 'the user has `INSERT` privelege on the target table, either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.2.10') + +RQ_SRS_006_RBAC_LiveView = Requirement( + name='RQ.SRS-006.RBAC.LiveView', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop**\n' + 'privileges for a live view for users or roles.\n' + '\n' + ), + link=None, + level=4, + num='5.18.3.1') + +RQ_SRS_006_RBAC_LiveView_Create = Requirement( + name='RQ.SRS-006.RBAC.LiveView.Create', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `CREATE LIVE VIEW` command if and only if\n' + 'the user has **create view** privilege either explicitly or through roles.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE LIVE VIEW view AS SELECT * FROM source_table\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.3.2') + +RQ_SRS_006_RBAC_LiveView_Select = Requirement( + name='RQ.SRS-006.RBAC.LiveView.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully `SELECT` from a live view if and only if\n' + 'the user has **select** privilege for that view either explicitly or through a role.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + 'on all the source tables either explicitly or through a role.\n' + 'For example,\n' + '```sql\n' + 'CREATE LIVE VIEW view AS SELECT * FROM source_table\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE LIVE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' + '\n' + 'SELECT * FROM view\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.18.3.3') + +RQ_SRS_006_RBAC_LiveView_Drop = Requirement( + name='RQ.SRS-006.RBAC.LiveView.Drop', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' + 'the user has **drop view** privilege on that view either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.3.4') + +RQ_SRS_006_RBAC_LiveView_Refresh = Requirement( + name='RQ.SRS-006.RBAC.LiveView.Refresh', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute an `ALTER LIVE VIEW REFRESH` command if and only if\n' + 'the user has **refresh** privilege on that view either explicitly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.18.3.5') + +RQ_SRS_006_RBAC_Select = Requirement( + name='RQ.SRS-006.RBAC.Select', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL execute `SELECT` if and only if the user\n' + 'has the **select** privilege for the destination table\n' + 'either because of the explicit grant or through one of the roles assigned to the user.\n' + '\n' + ), + link=None, + level=3, + num='5.19.1') + +RQ_SRS_006_RBAC_Select_Column = Requirement( + name='RQ.SRS-006.RBAC.Select.Column', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **select** privilege\n' + 'for one or more specified columns in a table to one or more **users** or **roles**.\n' + 'Any `SELECT` statements SHALL not to be executed, unless the user\n' + 'has the **select** privilege for the destination column\n' + 'either because of the explicit grant or through one of the roles assigned to the user.\n' + '\n' + ), + link=None, + level=3, + num='5.19.2') + +RQ_SRS_006_RBAC_Select_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Select.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **select** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `SELECT` statements SHALL succeed only on nodes where\n' + 'the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=3, + num='5.19.3') + +RQ_SRS_006_RBAC_Select_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Select.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **select** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=3, + num='5.19.4') + +RQ_SRS_006_RBAC_Insert = Requirement( + name='RQ.SRS-006.RBAC.Insert', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL execute `INSERT INTO` if and only if the user\n' + 'has the **insert** privilege for the destination table\n' + 'either because of the explicit grant or through one of the roles assigned to the user.\n' + '\n' + ), + link=None, + level=3, + num='5.20.1') + +RQ_SRS_006_RBAC_Insert_Column = Requirement( + name='RQ.SRS-006.RBAC.Insert.Column', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **insert** privilege\n' + 'for one or more specified columns in a table to one or more **users** or **roles**.\n' + 'Any `INSERT INTO` statements SHALL not to be executed, unless the user\n' + 'has the **insert** privilege for the destination column\n' + 'either because of the explicit grant or through one of the roles assigned to the user.\n' + '\n' + ), + link=None, + level=3, + num='5.20.2') + +RQ_SRS_006_RBAC_Insert_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Insert.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **insert** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `INSERT INTO` statements SHALL succeed only on nodes where\n' + 'the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=3, + num='5.20.3') + +RQ_SRS_006_RBAC_Insert_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Insert.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **insert** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=3, + num='5.20.4') + +RQ_SRS_006_RBAC_Privileges_AlterColumn = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter column** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL\n' + 'return an error, unless the user has the **alter column** privilege for\n' + 'the destination table either because of the explicit grant or through one of\n' + 'the roles assigned to the user.\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.1') + +RQ_SRS_006_RBAC_Privileges_AlterColumn_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter column** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.2') + +RQ_SRS_006_RBAC_Privileges_AlterColumn_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter column** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.3') + +RQ_SRS_006_RBAC_Privileges_AlterColumn_Column = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Column', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter column** privilege\n' + 'for one or more specified columns in a table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL return an error,\n' + 'unless the user has the **alter column** privilege for the destination column\n' + 'either because of the explicit grant or through one of the roles assigned to the user.\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.4') + +RQ_SRS_006_RBAC_Privileges_AlterColumn_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter column** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN`\n' + 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.5') + +RQ_SRS_006_RBAC_Privileges_AlterColumn_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter column** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.1.6') + +RQ_SRS_006_RBAC_Privileges_AlterIndex = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterIndex', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter index** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX` statements SHALL\n' + 'return an error, unless the user has the **alter index** privilege for\n' + 'the destination table either because of the explicit grant or through one of\n' + 'the roles assigned to the user.\n' + '\n' + ), + link=None, + level=4, + num='5.21.2.1') + +RQ_SRS_006_RBAC_Privileges_AlterIndex_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter index** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.2.2') + +RQ_SRS_006_RBAC_Privileges_AlterIndex_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter index** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**\n' + '\n' + ), + link=None, + level=4, + num='5.21.2.3') + +RQ_SRS_006_RBAC_Privileges_AlterIndex_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter index** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX`\n' + 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=4, + num='5.21.2.4') + +RQ_SRS_006_RBAC_Privileges_AlterIndex_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter index** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.2.5') + +RQ_SRS_006_RBAC_Privileges_AlterConstraint = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterConstraint', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter constraint** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ADD|CREATE CONSTRAINT` statements SHALL\n' + 'return an error, unless the user has the **alter constraint** privilege for\n' + 'the destination table either because of the explicit grant or through one of\n' + 'the roles assigned to the user.\n' + '\n' + ), + link=None, + level=4, + num='5.21.3.1') + +RQ_SRS_006_RBAC_Privileges_AlterConstraint_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter constraint** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.3.2') + +RQ_SRS_006_RBAC_Privileges_AlterConstraint_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter constraint** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**\n' + '\n' + ), + link=None, + level=4, + num='5.21.3.3') + +RQ_SRS_006_RBAC_Privileges_AlterConstraint_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter constraint** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ADD|DROP CONSTRAINT`\n' + 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=4, + num='5.21.3.4') + +RQ_SRS_006_RBAC_Privileges_AlterConstraint_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter constraint** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.3.5') + +RQ_SRS_006_RBAC_Privileges_AlterTTL = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterTTL', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL` statements SHALL\n' + 'return an error, unless the user has the **alter ttl** or **alter materialize ttl** privilege for\n' + 'the destination table either because of the explicit grant or through one of\n' + 'the roles assigned to the user.\n' + '\n' + ), + link=None, + level=4, + num='5.21.4.1') + +RQ_SRS_006_RBAC_Privileges_AlterTTL_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter ttl** or **alter materialize ttl** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.4.2') + +RQ_SRS_006_RBAC_Privileges_AlterTTL_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter ttl** or **alter materialize ttl** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**\n' + '\n' + ), + link=None, + level=4, + num='5.21.4.3') + +RQ_SRS_006_RBAC_Privileges_AlterTTL_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter ttl** or **alter materialize ttl** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL`\n' + 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=4, + num='5.21.4.4') + +RQ_SRS_006_RBAC_Privileges_AlterTTL_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.4.5') + +RQ_SRS_006_RBAC_Privileges_AlterSettings = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettings', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter settings** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... MODIFY SETTING setting` statements SHALL\n' + 'return an error, unless the user has the **alter settings** privilege for\n' + 'the destination table either because of the explicit grant or through one of\n' + 'the roles assigned to the user. The **alter settings** privilege allows\n' + 'modifying table engine settings. It doesn’t affect settings or server configuration parameters.\n' + '\n' + ), + link=None, + level=4, + num='5.21.5.1') + +RQ_SRS_006_RBAC_Privileges_AlterSettings_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter settings** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.5.2') + +RQ_SRS_006_RBAC_Privileges_AlterSettings_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter settings** privilege\n' + 'for a database or a specific table to one or more **users** or **roles**\n' + '\n' + ), + link=None, + level=4, + num='5.21.5.3') + +RQ_SRS_006_RBAC_Privileges_AlterSettings_Cluster = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking **alter settings** privilege\n' + 'on a specified cluster to one or more **users** or **roles**.\n' + 'Any `ALTER TABLE ... MODIFY SETTING setting`\n' + 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' + '\n' + ), + link=None, + level=4, + num='5.21.5.4') + +RQ_SRS_006_RBAC_Privileges_AlterSettings_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter settings** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.5.5') + +RQ_SRS_006_RBAC_Privileges_AlterUpdate = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterUpdate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER UPDATE` statement if and only if the user has **alter update** privilege for that column,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.21.6.1') + +RQ_SRS_006_RBAC_Privileges_AlterUpdate_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter update** privilege on a column level\n' + 'to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.6.2') + +RQ_SRS_006_RBAC_Privileges_AlterUpdate_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter update** privilege on a column level\n' + 'from one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.6.3') + +RQ_SRS_006_RBAC_Privileges_AlterUpdate_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter update** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.6.4') + +RQ_SRS_006_RBAC_Privileges_AlterDelete = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterDelete', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER DELETE` statement if and only if the user has **alter delete** privilege for that table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.21.7.1') + +RQ_SRS_006_RBAC_Privileges_AlterDelete_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter delete** privilege on a column level\n' + 'to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.7.2') + +RQ_SRS_006_RBAC_Privileges_AlterDelete_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter delete** privilege on a column level\n' + 'from one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.7.3') + +RQ_SRS_006_RBAC_Privileges_AlterDelete_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter delete** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.7.4') + +RQ_SRS_006_RBAC_Privileges_AlterFreeze = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFreeze', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER FREEZE` statement if and only if the user has **alter freeze** privilege for that table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.21.8.1') + +RQ_SRS_006_RBAC_Privileges_AlterFreeze_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter freeze** privilege on a column level\n' + 'to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.8.2') + +RQ_SRS_006_RBAC_Privileges_AlterFreeze_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter freeze** privilege on a column level\n' + 'from one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.8.3') + +RQ_SRS_006_RBAC_Privileges_AlterFreeze_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter freeze** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.8.4') + +RQ_SRS_006_RBAC_Privileges_AlterFetch = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFetch', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER FETCH` statement if and only if the user has **alter fetch** privilege for that table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.21.9.1') + +RQ_SRS_006_RBAC_Privileges_AlterFetch_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter fetch** privilege on a column level\n' + 'to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.9.2') + +RQ_SRS_006_RBAC_Privileges_AlterFetch_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter fetch** privilege on a column level\n' + 'from one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.9.3') + +RQ_SRS_006_RBAC_Privileges_AlterFetch_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter fetch** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.9.4') + +RQ_SRS_006_RBAC_Privileges_AlterMove = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterMove', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER MOVE` statement if and only if the user has **alter move**, **select**, and **alter delete** privilege on the source table\n' + 'and **insert** privilege on the target table, either directly or through a role.\n' + 'For example,\n' + '```sql\n' + 'ALTER TABLE source_table MOVE PARTITION 1 TO target_table\n' + '```\n' + '\n' + ), + link=None, + level=4, + num='5.21.10.1') + +RQ_SRS_006_RBAC_Privileges_AlterMove_Grant = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterMove.Grant', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting **alter move** privilege on a column level\n' + 'to one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.10.2') + +RQ_SRS_006_RBAC_Privileges_AlterMove_Revoke = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support revoking **alter move** privilege on a column level\n' + 'from one or more **users** or **roles**.\n' + '\n' + ), + link=None, + level=4, + num='5.21.10.3') + +RQ_SRS_006_RBAC_Privileges_AlterMove_TableEngines = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support controlling access to the **alter move** privilege\n' + 'on tables created using the following engines\n' + '\n' + '* MergeTree\n' + '* ReplacingMergeTree\n' + '* SummingMergeTree\n' + '* AggregatingMergeTree\n' + '* CollapsingMergeTree\n' + '* VersionedCollapsingMergeTree\n' + '* GraphiteMergeTree\n' + '* ReplicatedMergeTree\n' + '* ReplicatedSummingMergeTree\n' + '* ReplicatedReplacingMergeTree\n' + '* ReplicatedAggregatingMergeTree\n' + '* ReplicatedCollapsingMergeTree\n' + '* ReplicatedVersionedCollapsingMergeTree\n' + '* ReplicatedGraphiteMergeTree\n' + '\n' + ), + link=None, + level=4, + num='5.21.10.4') + +RQ_SRS_006_RBAC_Privileges_CreateTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL only successfully execute a `CREATE TABLE` command if and only if\n' + 'the user has **create table** privilege either explicitly or through roles.\n' + '\n' + 'If the stored query includes one or more source tables, the user must have **select** privilege\n' + "on all the source tables and **insert** for the table they're trying to create either explicitly or through a role.\n" + 'For example,\n' + '```sql\n' + 'CREATE TABLE table AS SELECT * FROM source_table\n' + 'CREATE TABLE table AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' + 'CREATE TABLE table AS SELECT * FROM table0 JOIN table1 USING column\n' + 'CREATE TABLE table AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' + 'CREATE TABLE table AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' + 'CREATE TABLE table0 AS SELECT column FROM table1 UNION ALL SELECT column FROM table2\n' + '```\n' + '\n' + ), + link=None, + level=3, + num='5.22.1') + +RQ_SRS_006_RBAC_Privileges_CreateDatabase = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateDatabase', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE DATABASE` statement if and only if the user has **create database** privilege on the database,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.22.2') + +RQ_SRS_006_RBAC_Privileges_CreateDictionary = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateDictionary', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE DICTIONARY` statement if and only if the user has **create dictionary** privilege on the dictionary,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.22.3') + +RQ_SRS_006_RBAC_Privileges_CreateTemporaryTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.22.4') + +RQ_SRS_006_RBAC_Privileges_AttachDatabase = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AttachDatabase', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ATTACH DATABASE` statement if and only if the user has **create database** privilege on the database,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.23.1') + +RQ_SRS_006_RBAC_Privileges_AttachDictionary = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AttachDictionary', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ATTACH DICTIONARY` statement if and only if the user has **create dictionary** privilege on the dictionary,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.23.2') + +RQ_SRS_006_RBAC_Privileges_AttachTemporaryTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ATTACH TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.23.3') + +RQ_SRS_006_RBAC_Privileges_AttachTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AttachTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ATTACH TABLE` statement if and only if the user has **create table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.23.4') + +RQ_SRS_006_RBAC_Privileges_DropTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP TABLE` statement if and only if the user has **drop table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.24.1') + +RQ_SRS_006_RBAC_Privileges_DropDatabase = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropDatabase', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP DATABASE` statement if and only if the user has **drop database** privilege on the database,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.24.2') + +RQ_SRS_006_RBAC_Privileges_DropDictionary = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropDictionary', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.24.3') + +RQ_SRS_006_RBAC_Privileges_DetachTable = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DetachTable', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DETACH TABLE` statement if and only if the user has **drop table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.25.1') + +RQ_SRS_006_RBAC_Privileges_DetachView = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DetachView', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DETACH VIEW` statement if and only if the user has **drop view** privilege on the view,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.25.2') + +RQ_SRS_006_RBAC_Privileges_DetachDatabase = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DetachDatabase', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DETACH DATABASE` statement if and only if the user has **drop database** privilege on the database,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.25.3') + +RQ_SRS_006_RBAC_Privileges_DetachDictionary = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DetachDictionary', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DETACH DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.25.4') + +RQ_SRS_006_RBAC_Privileges_Truncate = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Truncate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `TRUNCATE TABLE` statement if and only if the user has **truncate table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.26.1') + +RQ_SRS_006_RBAC_Privileges_Optimize = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Optimize', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `OPTIMIZE TABLE` statement if and only if the user has **optimize table** privilege on the table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.27.1') + +RQ_SRS_006_RBAC_Privileges_KillQuery = Requirement( + name='RQ.SRS-006.RBAC.Privileges.KillQuery', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `KILL QUERY` statement if and only if the user has **kill query** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.28.1') + +RQ_SRS_006_RBAC_Privileges_KillMutation = Requirement( + name='RQ.SRS-006.RBAC.Privileges.KillMutation', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `KILL MUTATION` statement if and only if\n' + 'the user has the privilege that created the mutation, either directly or through a role.\n' + 'For example, to `KILL MUTATION` after `ALTER UPDATE` query, the user needs `ALTER UPDATE` privilege.\n' + '\n' + ), + link=None, + level=3, + num='5.29.1') + +RQ_SRS_006_RBAC_Privileges_KillMutation_AlterUpdate = Requirement( + name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER UPDATE` mutation if and only if\n' + 'the user has `ALTER UPDATE` privilege on the table where the mutation was created, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.29.2') + +RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDelete = Requirement( + name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DELETE` mutation if and only if\n' + 'the user has `ALTER DELETE` privilege on the table where the mutation was created, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.29.3') + +RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDropColumn = Requirement( + name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DROP COLUMN` mutation if and only if\n' + 'the user has `ALTER DROP COLUMN` privilege on the table where the mutation was created, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.29.4') + +RQ_SRS_006_RBAC_ShowTables_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowTables.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL grant **show tables** privilege on a table to a user if that user has recieved any grant,\n' + 'including `SHOW TABLES`, on that table, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.1') + +RQ_SRS_006_RBAC_ShowTables_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW TABLES` statement if and only if the user has **show tables** privilege,\n' + 'or any privilege on the table either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.2') + +RQ_SRS_006_RBAC_ExistsTable_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `EXISTS table` statement if and only if the user has **show tables** privilege,\n' + 'or any privilege on the table either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.3') + +RQ_SRS_006_RBAC_CheckTable_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CHECK table` statement if and only if the user has **show tables** privilege,\n' + 'or any privilege on the table either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.4') + +RQ_SRS_006_RBAC_ShowDatabases_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowDatabases.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL grant **show databases** privilege on a database to a user if that user has recieved any grant,\n' + 'including `SHOW DATABASES`, on that table, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.5') + +RQ_SRS_006_RBAC_ShowDatabases_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW DATABASES` statement if and only if the user has **show databases** privilege,\n' + 'or any privilege on the database either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.6') + +RQ_SRS_006_RBAC_ShowCreateDatabase_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE DATABASE` statement if and only if the user has **show databases** privilege,\n' + 'or any privilege on the database either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.7') + +RQ_SRS_006_RBAC_UseDatabase_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `USE database` statement if and only if the user has **show databases** privilege,\n' + 'or any privilege on the database either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.8') + +RQ_SRS_006_RBAC_ShowColumns_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowColumns.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking the `SHOW COLUMNS` privilege.\n' + '\n' + ), + link=None, + level=3, + num='5.30.9') + +RQ_SRS_006_RBAC_ShowCreateTable_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE TABLE` statement if and only if the user has **show columns** privilege on that table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.10') + +RQ_SRS_006_RBAC_DescribeTable_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DESCRIBE table` statement if and only if the user has **show columns** privilege on that table,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.11') + +RQ_SRS_006_RBAC_ShowDictionaries_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowDictionaries.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL grant **show dictionaries** privilege on a dictionary to a user if that user has recieved any grant,\n' + 'including `SHOW DICTIONARIES`, on that dictionary, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.12') + +RQ_SRS_006_RBAC_ShowDictionaries_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW DICTIONARIES` statement if and only if the user has **show dictionaries** privilege,\n' + 'or any privilege on the dictionary either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.13') + +RQ_SRS_006_RBAC_ShowCreateDictionary_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE DICTIONARY` statement if and only if the user has **show dictionaries** privilege,\n' + 'or any privilege on the dictionary either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.14') + +RQ_SRS_006_RBAC_ExistsDictionary_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `EXISTS dictionary` statement if and only if the user has **show dictionaries** privilege,\n' + 'or any privilege on the dictionary either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.30.15') + +RQ_SRS_006_RBAC_Privileges_CreateUser = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE USER` statement if and only if the user has **create user** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.1') + +RQ_SRS_006_RBAC_Privileges_CreateUser_DefaultRole = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE USER` statement with `DEFAULT ROLE ` clause if and only if\n' + 'the user has **create user** privilege and the role with **admin option**, or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.2') + +RQ_SRS_006_RBAC_Privileges_AlterUser = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER USER` statement if and only if the user has **alter user** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.3') + +RQ_SRS_006_RBAC_Privileges_DropUser = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropUser', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP USER` statement if and only if the user has **drop user** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.4') + +RQ_SRS_006_RBAC_Privileges_CreateRole = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE ROLE` statement if and only if the user has **create role** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.5') + +RQ_SRS_006_RBAC_Privileges_AlterRole = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER ROLE` statement if and only if the user has **alter role** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.6') + +RQ_SRS_006_RBAC_Privileges_DropRole = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropRole', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP ROLE` statement if and only if the user has **drop role** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.7') + +RQ_SRS_006_RBAC_Privileges_CreateRowPolicy = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateRowPolicy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE ROW POLICY` statement if and only if the user has **create row policy** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.8') + +RQ_SRS_006_RBAC_Privileges_AlterRowPolicy = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterRowPolicy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER ROW POLICY` statement if and only if the user has **alter row policy** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.9') + +RQ_SRS_006_RBAC_Privileges_DropRowPolicy = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropRowPolicy', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP ROW POLICY` statement if and only if the user has **drop row policy** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.10') + +RQ_SRS_006_RBAC_Privileges_CreateQuota = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateQuota', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE QUOTA` statement if and only if the user has **create quota** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.11') + +RQ_SRS_006_RBAC_Privileges_AlterQuota = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterQuota', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER QUOTA` statement if and only if the user has **alter quota** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.12') + +RQ_SRS_006_RBAC_Privileges_DropQuota = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropQuota', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP QUOTA` statement if and only if the user has **drop quota** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.13') + +RQ_SRS_006_RBAC_Privileges_CreateSettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `CREATE SETTINGS PROFILE` statement if and only if the user has **create settings profile** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.14') + +RQ_SRS_006_RBAC_Privileges_AlterSettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `ALTER SETTINGS PROFILE` statement if and only if the user has **alter settings profile** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.15') + +RQ_SRS_006_RBAC_Privileges_DropSettingsProfile = Requirement( + name='RQ.SRS-006.RBAC.Privileges.DropSettingsProfile', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `DROP SETTINGS PROFILE` statement if and only if the user has **drop settings profile** privilege,\n' + 'or either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.31.16') + +RQ_SRS_006_RBAC_Privileges_RoleAdmin = Requirement( + name='RQ.SRS-006.RBAC.Privileges.RoleAdmin', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute any role grant or revoke by a user with `ROLE ADMIN` privilege.\n' + '\n' + ), + link=None, + level=3, + num='5.31.17') + +RQ_SRS_006_RBAC_ShowUsers_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowUsers.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SHOW USERS` privilege when\n' + 'the user is granted `SHOW USERS`, `SHOW CREATE USER`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.1') + +RQ_SRS_006_RBAC_ShowUsers_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW USERS` statement if and only if the user has **show users** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.2') + +RQ_SRS_006_RBAC_ShowCreateUser_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE USER` statement if and only if the user has **show users** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.3') + +RQ_SRS_006_RBAC_ShowRoles_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowRoles.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SHOW ROLES` privilege when\n' + 'the user is granted `SHOW ROLES`, `SHOW CREATE ROLE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.4') + +RQ_SRS_006_RBAC_ShowRoles_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW ROLES` statement if and only if the user has **show roles** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.5') + +RQ_SRS_006_RBAC_ShowCreateRole_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE ROLE` statement if and only if the user has **show roles** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.6') + +RQ_SRS_006_RBAC_ShowRowPolicies_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowRowPolicies.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SHOW ROW POLICIES` privilege when\n' + 'the user is granted `SHOW ROW POLICIES`, `SHOW POLICIES`, `SHOW CREATE ROW POLICY`,\n' + '`SHOW CREATE POLICY`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.7') + +RQ_SRS_006_RBAC_ShowRowPolicies_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW ROW POLICIES` or `SHOW POLICIES` statement if and only if\n' + 'the user has **show row policies** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.8') + +RQ_SRS_006_RBAC_ShowCreateRowPolicy_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE ROW POLICY` or `SHOW CREATE POLICY` statement\n' + 'if and only if the user has **show row policies** privilege,either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.9') + +RQ_SRS_006_RBAC_ShowQuotas_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowQuotas.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SHOW QUOTAS` privilege when\n' + 'the user is granted `SHOW QUOTAS`, `SHOW CREATE QUOTA`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.10') + +RQ_SRS_006_RBAC_ShowQuotas_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW QUOTAS` statement if and only if the user has **show quotas** privilege,\n' + 'either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.11') + +RQ_SRS_006_RBAC_ShowCreateQuota_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE QUOTA` statement if and only if\n' + 'the user has **show quotas** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.12') + +RQ_SRS_006_RBAC_ShowSettingsProfiles_Privilege = Requirement( + name='RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SHOW SETTINGS PROFILES` privilege when\n' + 'the user is granted `SHOW SETTINGS PROFILES`, `SHOW PROFILES`, `SHOW CREATE SETTINGS PROFILE`,\n' + '`SHOW SETTINGS PROFILE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.13') + +RQ_SRS_006_RBAC_ShowSettingsProfiles_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW SETTINGS PROFILES` or `SHOW PROFILES` statement\n' + 'if and only if the user has **show settings profiles** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.14') + +RQ_SRS_006_RBAC_ShowCreateSettingsProfile_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `SHOW CREATE SETTINGS PROFILE` or `SHOW CREATE PROFILE` statement\n' + 'if and only if the user has **show settings profiles** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=4, + num='5.31.18.15') + +RQ_SRS_006_RBAC_dictGet_Privilege = Requirement( + name='RQ.SRS-006.RBAC.dictGet.Privilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `dictGet` privilege when\n' + 'the user is granted `dictGet`, `dictHas`, `dictGetHierarchy`, or `dictIsIn`.\n' + '\n' + ), + link=None, + level=3, + num='5.32.1') + +RQ_SRS_006_RBAC_dictGet_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictGet.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictGet` statement\n' + 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.32.2') + +RQ_SRS_006_RBAC_dictGet_Type_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictGet[TYPE]` statement\n' + 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' + 'Available types:\n' + '\n' + '* Int8\n' + '* Int16\n' + '* Int32\n' + '* Int64\n' + '* UInt8\n' + '* UInt16\n' + '* UInt32\n' + '* UInt64\n' + '* Float32\n' + '* Float64\n' + '* Date\n' + '* DateTime\n' + '* UUID\n' + '* String\n' + '\n' + ), + link=None, + level=3, + num='5.32.3') + +RQ_SRS_006_RBAC_dictGet_OrDefault_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictGetOrDefault` statement\n' + 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.32.4') + +RQ_SRS_006_RBAC_dictHas_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictHas.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictHas` statement\n' + 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.32.5') + +RQ_SRS_006_RBAC_dictGetHierarchy_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictGetHierarchy` statement\n' + 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.32.6') + +RQ_SRS_006_RBAC_dictIsIn_RequiredPrivilege = Requirement( + name='RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `dictIsIn` statement\n' + 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.32.7') + +RQ_SRS_006_RBAC_Privileges_Introspection = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Introspection', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `INTROSPECTION` privilege when\n' + 'the user is granted `INTROSPECTION` or `INTROSPECTION FUNCTIONS`.\n' + '\n' + ), + link=None, + level=3, + num='5.33.1') + +RQ_SRS_006_RBAC_Privileges_Introspection_addressToLine = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `addressToLine` statement if and only if\n' + 'the user has **introspection** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.33.2') + +RQ_SRS_006_RBAC_Privileges_Introspection_addressToSymbol = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `addressToSymbol` statement if and only if\n' + 'the user has **introspection** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.33.3') + +RQ_SRS_006_RBAC_Privileges_Introspection_demangle = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Introspection.demangle', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `demangle` statement if and only if\n' + 'the user has **introspection** privilege, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.33.4') + +RQ_SRS_006_RBAC_Privileges_System_Shutdown = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Shutdown', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM SHUTDOWN` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM SHUTDOWN`, `SHUTDOWN`,or `SYSTEM KILL`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.1') + +RQ_SRS_006_RBAC_Privileges_System_DropCache = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.DropCache', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM DROP CACHE` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, or `DROP CACHE`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.2') + +RQ_SRS_006_RBAC_Privileges_System_DropCache_DNS = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM DROP DNS CACHE` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP DNS CACHE`,\n' + '`SYSTEM DROP DNS`, `DROP DNS CACHE`, or `DROP DNS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.3') + +RQ_SRS_006_RBAC_Privileges_System_DropCache_Mark = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM DROP MARK CACHE` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP MARK CACHE`,\n' + '`SYSTEM DROP MARK`, `DROP MARK CACHE`, or `DROP MARKS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.4') + +RQ_SRS_006_RBAC_Privileges_System_DropCache_Uncompressed = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM DROP UNCOMPRESSED CACHE` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP UNCOMPRESSED CACHE`,\n' + '`SYSTEM DROP UNCOMPRESSED`, `DROP UNCOMPRESSED CACHE`, or `DROP UNCOMPRESSED`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.5') + +RQ_SRS_006_RBAC_Privileges_System_Reload = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Reload', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD` privilege when\n' + 'the user is granted `SYSTEM` or `SYSTEM RELOAD`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.6') + +RQ_SRS_006_RBAC_Privileges_System_Reload_Config = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Reload.Config', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD CONFIG` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD CONFIG`, or `RELOAD CONFIG`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.7') + +RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionary = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARY` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.8') + +RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionaries = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARIES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.9') + +RQ_SRS_006_RBAC_Privileges_System_Reload_EmbeddedDictionaries = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD EMBEDDED DICTIONARIES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARY ON *.*`, or `SYSTEM RELOAD EMBEDDED DICTIONARIES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.10') + +RQ_SRS_006_RBAC_Privileges_System_Merges = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Merges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM MERGES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM MERGES`, `SYSTEM STOP MERGES`, `SYSTEM START MERGES`, `STOP MERGES`, or `START MERGES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.11') + +RQ_SRS_006_RBAC_Privileges_System_TTLMerges = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.TTLMerges', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM TTL MERGES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM TTL MERGES`, `SYSTEM STOP TTL MERGES`, `SYSTEM START TTL MERGES`, `STOP TTL MERGES`, or `START TTL MERGES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.12') + +RQ_SRS_006_RBAC_Privileges_System_Fetches = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Fetches', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM FETCHES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM FETCHES`, `SYSTEM STOP FETCHES`, `SYSTEM START FETCHES`, `STOP FETCHES`, or `START FETCHES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.13') + +RQ_SRS_006_RBAC_Privileges_System_Moves = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Moves', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM MOVES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM MOVES`, `SYSTEM STOP MOVES`, `SYSTEM START MOVES`, `STOP MOVES`, or `START MOVES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.14') + +RQ_SRS_006_RBAC_Privileges_System_Sends = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Sends', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM SENDS` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM SENDS`, `SYSTEM STOP SENDS`, `SYSTEM START SENDS`, `STOP SENDS`, or `START SENDS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.15') + +RQ_SRS_006_RBAC_Privileges_System_Sends_Distributed = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM DISTRIBUTED SENDS` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM DISTRIBUTED SENDS`, `SYSTEM STOP DISTRIBUTED SENDS`,\n' + '`SYSTEM START DISTRIBUTED SENDS`, `STOP DISTRIBUTED SENDS`, or `START DISTRIBUTED SENDS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.16') + +RQ_SRS_006_RBAC_Privileges_System_Sends_Replicated = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM REPLICATED SENDS` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM REPLICATED SENDS`, `SYSTEM STOP REPLICATED SENDS`,\n' + '`SYSTEM START REPLICATED SENDS`, `STOP REPLICATED SENDS`, or `START REPLICATED SENDS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.17') + +RQ_SRS_006_RBAC_Privileges_System_ReplicationQueues = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM REPLICATION QUEUES` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM REPLICATION QUEUES`, `SYSTEM STOP REPLICATION QUEUES`,\n' + '`SYSTEM START REPLICATION QUEUES`, `STOP REPLICATION QUEUES`, or `START REPLICATION QUEUES`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.18') + +RQ_SRS_006_RBAC_Privileges_System_SyncReplica = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.SyncReplica', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM SYNC REPLICA` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM SYNC REPLICA`, or `SYNC REPLICA`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.19') + +RQ_SRS_006_RBAC_Privileges_System_RestartReplica = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.RestartReplica', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM RESTART REPLICA` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM RESTART REPLICA`, or `RESTART REPLICA`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.20') + +RQ_SRS_006_RBAC_Privileges_System_Flush = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Flush', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH` privilege when\n' + 'the user is granted `SYSTEM` or `SYSTEM FLUSH`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.21') + +RQ_SRS_006_RBAC_Privileges_System_Flush_Distributed = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH DISTRIBUTED` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM FLUSH DISTRIBUTED`, or `FLUSH DISTRIBUTED`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.22') + +RQ_SRS_006_RBAC_Privileges_System_Flush_Logs = Requirement( + name='RQ.SRS-006.RBAC.Privileges.System.Flush.Logs', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH LOGS` privilege when\n' + 'the user is granted `SYSTEM`, `SYSTEM FLUSH LOGS`, or `FLUSH LOGS`.\n' + '\n' + ), + link=None, + level=3, + num='5.34.23') + +RQ_SRS_006_RBAC_Privileges_Sources = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking `SOURCES` privilege from\n' + 'the user, either directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.1') + +RQ_SRS_006_RBAC_Privileges_Sources_File = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.File', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `FILE` source by a user if and only if\n' + 'the user has `FILE` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.2') + +RQ_SRS_006_RBAC_Privileges_Sources_URL = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.URL', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `URL` source by a user if and only if\n' + 'the user has `URL` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.3') + +RQ_SRS_006_RBAC_Privileges_Sources_Remote = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.Remote', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `REMOTE` source by a user if and only if\n' + 'the user has `REMOTE` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.4') + +RQ_SRS_006_RBAC_Privileges_Sources_MySQL = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.MySQL', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `MySQL` source by a user if and only if\n' + 'the user has `MySQL` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.5') + +RQ_SRS_006_RBAC_Privileges_Sources_ODBC = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.ODBC', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `ODBC` source by a user if and only if\n' + 'the user has `ODBC` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.6') + +RQ_SRS_006_RBAC_Privileges_Sources_JDBC = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.JDBC', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `JDBC` source by a user if and only if\n' + 'the user has `JDBC` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.7') + +RQ_SRS_006_RBAC_Privileges_Sources_HDFS = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.HDFS', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `HDFS` source by a user if and only if\n' + 'the user has `HDFS` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.8') + +RQ_SRS_006_RBAC_Privileges_Sources_S3 = Requirement( + name='RQ.SRS-006.RBAC.Privileges.Sources.S3', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support the use of `S3` source by a user if and only if\n' + 'the user has `S3` or `SOURCES` privileges granted to them directly or through a role.\n' + '\n' + ), + link=None, + level=3, + num='5.35.9') + +RQ_SRS_006_RBAC_Privileges_GrantOption = Requirement( + name='RQ.SRS-006.RBAC.Privileges.GrantOption', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL successfully execute `GRANT` or `REVOKE` privilege statements by a user if and only if\n' + 'the user has that privilege with `GRANT OPTION`, either directly or through a role.\n' + '\n' + ), + link=None, + level=2, + num='5.36') + +RQ_SRS_006_RBAC_Privileges_All = Requirement( + name='RQ.SRS-006.RBAC.Privileges.All', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking `ALL` privilege\n' + 'using `GRANT ALL ON *.* TO user`.\n' + '\n' + ), + link=None, + level=2, + num='5.37') + +RQ_SRS_006_RBAC_Privileges_RoleAll = Requirement( + name='RQ.SRS-006.RBAC.Privileges.RoleAll', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting a role named `ALL` using `GRANT ALL TO user`.\n' + 'This shall only grant the user the privileges that have been granted to the role.\n' + '\n' + ), + link=None, + level=2, + num='5.38') + +RQ_SRS_006_RBAC_Privileges_None = Requirement( + name='RQ.SRS-006.RBAC.Privileges.None', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support granting or revoking `NONE` privilege\n' + 'using `GRANT NONE TO user` or `GRANT USAGE ON *.* TO user`.\n' + '\n' + ), + link=None, + level=2, + num='5.39') + +RQ_SRS_006_RBAC_Privileges_AdminOption = Requirement( + name='RQ.SRS-006.RBAC.Privileges.AdminOption', + version='1.0', + priority=None, + group=None, + type=None, + uid=None, + description=( + '[ClickHouse] SHALL support a user granting or revoking a role if and only if\n' + 'the user has that role with `ADMIN OPTION` privilege.\n' + '\n' + ), + link=None, + level=2, + num='5.40') + SRS_006_ClickHouse_Role_Based_Access_Control = Specification( - name='SRS-006 ClickHouse Role Based Access Control', - description=None, - author=None, - date=None, - status=None, - approved_by=None, - approved_date=None, - approved_version=None, - version=None, - group=None, - type=None, - link=None, - uid=None, - parent=None, - children=None, - content=''' + name='SRS-006 ClickHouse Role Based Access Control', + description=None, + author=None, + date=None, + status=None, + approved_by=None, + approved_date=None, + approved_version=None, + version=None, + group=None, + type=None, + link=None, + uid=None, + parent=None, + children=None, + headings=( + Heading(name='Revision History', level=1, num='1'), + Heading(name='Introduction', level=1, num='2'), + Heading(name='Terminology', level=1, num='3'), + Heading(name='Privilege Definitions', level=1, num='4'), + Heading(name='Requirements', level=1, num='5'), + Heading(name='Generic', level=2, num='5.1'), + Heading(name='RQ.SRS-006.RBAC', level=3, num='5.1.1'), + Heading(name='Login', level=2, num='5.2'), + Heading(name='RQ.SRS-006.RBAC.Login', level=3, num='5.2.1'), + Heading(name='RQ.SRS-006.RBAC.Login.DefaultUser', level=3, num='5.2.2'), + Heading(name='User', level=2, num='5.3'), + Heading(name='RQ.SRS-006.RBAC.User', level=3, num='5.3.1'), + Heading(name='RQ.SRS-006.RBAC.User.Roles', level=3, num='5.3.2'), + Heading(name='RQ.SRS-006.RBAC.User.Privileges', level=3, num='5.3.3'), + Heading(name='RQ.SRS-006.RBAC.User.Variables', level=3, num='5.3.4'), + Heading(name='RQ.SRS-006.RBAC.User.Variables.Constraints', level=3, num='5.3.5'), + Heading(name='RQ.SRS-006.RBAC.User.SettingsProfile', level=3, num='5.3.6'), + Heading(name='RQ.SRS-006.RBAC.User.Quotas', level=3, num='5.3.7'), + Heading(name='RQ.SRS-006.RBAC.User.RowPolicies', level=3, num='5.3.8'), + Heading(name='RQ.SRS-006.RBAC.User.DefaultRole', level=3, num='5.3.9'), + Heading(name='RQ.SRS-006.RBAC.User.RoleSelection', level=3, num='5.3.10'), + Heading(name='RQ.SRS-006.RBAC.User.ShowCreate', level=3, num='5.3.11'), + Heading(name='RQ.SRS-006.RBAC.User.ShowPrivileges', level=3, num='5.3.12'), + Heading(name='RQ.SRS-006.RBAC.User.Use.DefaultRole', level=3, num='5.3.13'), + Heading(name='RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole', level=3, num='5.3.14'), + Heading(name='Create User', level=3, num='5.3.15'), + Heading(name='RQ.SRS-006.RBAC.User.Create', level=4, num='5.3.15.1'), + Heading(name='RQ.SRS-006.RBAC.User.Create.IfNotExists', level=4, num='5.3.15.2'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Replace', level=4, num='5.3.15.3'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword', level=4, num='5.3.15.4'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login', level=4, num='5.3.15.5'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.PlainText', level=4, num='5.3.15.6'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login', level=4, num='5.3.15.7'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password', level=4, num='5.3.15.8'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login', level=4, num='5.3.15.9'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash', level=4, num='5.3.15.10'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login', level=4, num='5.3.15.11'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password', level=4, num='5.3.15.12'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login', level=4, num='5.3.15.13'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash', level=4, num='5.3.15.14'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login', level=4, num='5.3.15.15'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Name', level=4, num='5.3.15.16'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Regexp', level=4, num='5.3.15.17'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.IP', level=4, num='5.3.15.18'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Any', level=4, num='5.3.15.19'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.None', level=4, num='5.3.15.20'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Local', level=4, num='5.3.15.21'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Like', level=4, num='5.3.15.22'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Host.Default', level=4, num='5.3.15.23'), + Heading(name='RQ.SRS-006.RBAC.User.Create.DefaultRole', level=4, num='5.3.15.24'), + Heading(name='RQ.SRS-006.RBAC.User.Create.DefaultRole.None', level=4, num='5.3.15.25'), + Heading(name='RQ.SRS-006.RBAC.User.Create.DefaultRole.All', level=4, num='5.3.15.26'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Settings', level=4, num='5.3.15.27'), + Heading(name='RQ.SRS-006.RBAC.User.Create.OnCluster', level=4, num='5.3.15.28'), + Heading(name='RQ.SRS-006.RBAC.User.Create.Syntax', level=4, num='5.3.15.29'), + Heading(name='Alter User', level=3, num='5.3.16'), + Heading(name='RQ.SRS-006.RBAC.User.Alter', level=4, num='5.3.16.1'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation', level=4, num='5.3.16.2'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.IfExists', level=4, num='5.3.16.3'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Cluster', level=4, num='5.3.16.4'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Rename', level=4, num='5.3.16.5'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Password.PlainText', level=4, num='5.3.16.6'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password', level=4, num='5.3.16.7'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password', level=4, num='5.3.16.8'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.AddDrop', level=4, num='5.3.16.9'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.Local', level=4, num='5.3.16.10'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.Name', level=4, num='5.3.16.11'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.Regexp', level=4, num='5.3.16.12'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.IP', level=4, num='5.3.16.13'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.Like', level=4, num='5.3.16.14'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.Any', level=4, num='5.3.16.15'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Host.None', level=4, num='5.3.16.16'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.DefaultRole', level=4, num='5.3.16.17'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.All', level=4, num='5.3.16.18'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept', level=4, num='5.3.16.19'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Settings', level=4, num='5.3.16.20'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Settings.Min', level=4, num='5.3.16.21'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Settings.Max', level=4, num='5.3.16.22'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Settings.Profile', level=4, num='5.3.16.23'), + Heading(name='RQ.SRS-006.RBAC.User.Alter.Syntax', level=4, num='5.3.16.24'), + Heading(name='Show Create User', level=3, num='5.3.17'), + Heading(name='RQ.SRS-006.RBAC.User.ShowCreateUser', level=4, num='5.3.17.1'), + Heading(name='RQ.SRS-006.RBAC.User.ShowCreateUser.For', level=4, num='5.3.17.2'), + Heading(name='RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax', level=4, num='5.3.17.3'), + Heading(name='Drop User', level=3, num='5.3.18'), + Heading(name='RQ.SRS-006.RBAC.User.Drop', level=4, num='5.3.18.1'), + Heading(name='RQ.SRS-006.RBAC.User.Drop.IfExists', level=4, num='5.3.18.2'), + Heading(name='RQ.SRS-006.RBAC.User.Drop.OnCluster', level=4, num='5.3.18.3'), + Heading(name='RQ.SRS-006.RBAC.User.Drop.Syntax', level=4, num='5.3.18.4'), + Heading(name='Role', level=2, num='5.4'), + Heading(name='RQ.SRS-006.RBAC.Role', level=3, num='5.4.1'), + Heading(name='RQ.SRS-006.RBAC.Role.Privileges', level=3, num='5.4.2'), + Heading(name='RQ.SRS-006.RBAC.Role.Variables', level=3, num='5.4.3'), + Heading(name='RQ.SRS-006.RBAC.Role.SettingsProfile', level=3, num='5.4.4'), + Heading(name='RQ.SRS-006.RBAC.Role.Quotas', level=3, num='5.4.5'), + Heading(name='RQ.SRS-006.RBAC.Role.RowPolicies', level=3, num='5.4.6'), + Heading(name='Create Role', level=3, num='5.4.7'), + Heading(name='RQ.SRS-006.RBAC.Role.Create', level=4, num='5.4.7.1'), + Heading(name='RQ.SRS-006.RBAC.Role.Create.IfNotExists', level=4, num='5.4.7.2'), + Heading(name='RQ.SRS-006.RBAC.Role.Create.Replace', level=4, num='5.4.7.3'), + Heading(name='RQ.SRS-006.RBAC.Role.Create.Settings', level=4, num='5.4.7.4'), + Heading(name='RQ.SRS-006.RBAC.Role.Create.Syntax', level=4, num='5.4.7.5'), + Heading(name='Alter Role', level=3, num='5.4.8'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter', level=4, num='5.4.8.1'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter.IfExists', level=4, num='5.4.8.2'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter.Cluster', level=4, num='5.4.8.3'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter.Rename', level=4, num='5.4.8.4'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter.Settings', level=4, num='5.4.8.5'), + Heading(name='RQ.SRS-006.RBAC.Role.Alter.Syntax', level=4, num='5.4.8.6'), + Heading(name='Drop Role', level=3, num='5.4.9'), + Heading(name='RQ.SRS-006.RBAC.Role.Drop', level=4, num='5.4.9.1'), + Heading(name='RQ.SRS-006.RBAC.Role.Drop.IfExists', level=4, num='5.4.9.2'), + Heading(name='RQ.SRS-006.RBAC.Role.Drop.Cluster', level=4, num='5.4.9.3'), + Heading(name='RQ.SRS-006.RBAC.Role.Drop.Syntax', level=4, num='5.4.9.4'), + Heading(name='Show Create Role', level=3, num='5.4.10'), + Heading(name='RQ.SRS-006.RBAC.Role.ShowCreate', level=4, num='5.4.10.1'), + Heading(name='RQ.SRS-006.RBAC.Role.ShowCreate.Syntax', level=4, num='5.4.10.2'), + Heading(name='Partial Revokes', level=2, num='5.5'), + Heading(name='RQ.SRS-006.RBAC.PartialRevokes', level=3, num='5.5.1'), + Heading(name='RQ.SRS-006.RBAC.PartialRevoke.Syntax', level=3, num='5.5.2'), + Heading(name='Settings Profile', level=2, num='5.6'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile', level=3, num='5.6.1'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Constraints', level=3, num='5.6.2'), + Heading(name='Create Settings Profile', level=3, num='5.6.3'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create', level=4, num='5.6.3.1'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists', level=4, num='5.6.3.2'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Replace', level=4, num='5.6.3.3'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables', level=4, num='5.6.3.4'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value', level=4, num='5.6.3.5'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints', level=4, num='5.6.3.6'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment', level=4, num='5.6.3.7'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None', level=4, num='5.6.3.8'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All', level=4, num='5.6.3.9'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept', level=4, num='5.6.3.10'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit', level=4, num='5.6.3.11'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster', level=4, num='5.6.3.12'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax', level=4, num='5.6.3.13'), + Heading(name='Alter Settings Profile', level=3, num='5.6.4'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter', level=4, num='5.6.4.1'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists', level=4, num='5.6.4.2'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename', level=4, num='5.6.4.3'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables', level=4, num='5.6.4.4'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value', level=4, num='5.6.4.5'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints', level=4, num='5.6.4.6'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment', level=4, num='5.6.4.7'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None', level=4, num='5.6.4.8'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All', level=4, num='5.6.4.9'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept', level=4, num='5.6.4.10'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit', level=4, num='5.6.4.11'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster', level=4, num='5.6.4.12'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax', level=4, num='5.6.4.13'), + Heading(name='Drop Settings Profile', level=3, num='5.6.5'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Drop', level=4, num='5.6.5.1'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists', level=4, num='5.6.5.2'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster', level=4, num='5.6.5.3'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax', level=4, num='5.6.5.4'), + Heading(name='Show Create Settings Profile', level=3, num='5.6.6'), + Heading(name='RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile', level=4, num='5.6.6.1'), + Heading(name='Quotas', level=2, num='5.7'), + Heading(name='RQ.SRS-006.RBAC.Quotas', level=3, num='5.7.1'), + Heading(name='RQ.SRS-006.RBAC.Quotas.Keyed', level=3, num='5.7.2'), + Heading(name='RQ.SRS-006.RBAC.Quotas.Queries', level=3, num='5.7.3'), + Heading(name='RQ.SRS-006.RBAC.Quotas.Errors', level=3, num='5.7.4'), + Heading(name='RQ.SRS-006.RBAC.Quotas.ResultRows', level=3, num='5.7.5'), + Heading(name='RQ.SRS-006.RBAC.Quotas.ReadRows', level=3, num='5.7.6'), + Heading(name='RQ.SRS-006.RBAC.Quotas.ResultBytes', level=3, num='5.7.7'), + Heading(name='RQ.SRS-006.RBAC.Quotas.ReadBytes', level=3, num='5.7.8'), + Heading(name='RQ.SRS-006.RBAC.Quotas.ExecutionTime', level=3, num='5.7.9'), + Heading(name='Create Quotas', level=3, num='5.7.10'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create', level=4, num='5.7.10.1'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.IfNotExists', level=4, num='5.7.10.2'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Replace', level=4, num='5.7.10.3'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Cluster', level=4, num='5.7.10.4'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Interval', level=4, num='5.7.10.5'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized', level=4, num='5.7.10.6'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Queries', level=4, num='5.7.10.7'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Errors', level=4, num='5.7.10.8'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.ResultRows', level=4, num='5.7.10.9'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.ReadRows', level=4, num='5.7.10.10'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.ResultBytes', level=4, num='5.7.10.11'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.ReadBytes', level=4, num='5.7.10.12'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.ExecutionTime', level=4, num='5.7.10.13'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.NoLimits', level=4, num='5.7.10.14'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.TrackingOnly', level=4, num='5.7.10.15'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.KeyedBy', level=4, num='5.7.10.16'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions', level=4, num='5.7.10.17'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Assignment', level=4, num='5.7.10.18'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Assignment.None', level=4, num='5.7.10.19'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Assignment.All', level=4, num='5.7.10.20'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Assignment.Except', level=4, num='5.7.10.21'), + Heading(name='RQ.SRS-006.RBAC.Quota.Create.Syntax', level=4, num='5.7.10.22'), + Heading(name='Alter Quota', level=3, num='5.7.11'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter', level=4, num='5.7.11.1'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.IfExists', level=4, num='5.7.11.2'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Rename', level=4, num='5.7.11.3'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Cluster', level=4, num='5.7.11.4'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Interval', level=4, num='5.7.11.5'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized', level=4, num='5.7.11.6'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Queries', level=4, num='5.7.11.7'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Errors', level=4, num='5.7.11.8'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.ResultRows', level=4, num='5.7.11.9'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.ReadRows', level=4, num='5.7.11.10'), + Heading(name='RQ.SRS-006.RBAC.Quota.ALter.ResultBytes', level=4, num='5.7.11.11'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.ReadBytes', level=4, num='5.7.11.12'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime', level=4, num='5.7.11.13'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.NoLimits', level=4, num='5.7.11.14'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly', level=4, num='5.7.11.15'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.KeyedBy', level=4, num='5.7.11.16'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions', level=4, num='5.7.11.17'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Assignment', level=4, num='5.7.11.18'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.None', level=4, num='5.7.11.19'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.All', level=4, num='5.7.11.20'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except', level=4, num='5.7.11.21'), + Heading(name='RQ.SRS-006.RBAC.Quota.Alter.Syntax', level=4, num='5.7.11.22'), + Heading(name='Drop Quota', level=3, num='5.7.12'), + Heading(name='RQ.SRS-006.RBAC.Quota.Drop', level=4, num='5.7.12.1'), + Heading(name='RQ.SRS-006.RBAC.Quota.Drop.IfExists', level=4, num='5.7.12.2'), + Heading(name='RQ.SRS-006.RBAC.Quota.Drop.Cluster', level=4, num='5.7.12.3'), + Heading(name='RQ.SRS-006.RBAC.Quota.Drop.Syntax', level=4, num='5.7.12.4'), + Heading(name='Show Quotas', level=3, num='5.7.13'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowQuotas', level=4, num='5.7.13.1'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile', level=4, num='5.7.13.2'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Format', level=4, num='5.7.13.3'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings', level=4, num='5.7.13.4'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax', level=4, num='5.7.13.5'), + Heading(name='Show Create Quota', level=3, num='5.7.14'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name', level=4, num='5.7.14.1'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current', level=4, num='5.7.14.2'), + Heading(name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax', level=4, num='5.7.14.3'), + Heading(name='Row Policy', level=2, num='5.8'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy', level=3, num='5.8.1'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Condition', level=3, num='5.8.2'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Restriction', level=3, num='5.8.3'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Nesting', level=3, num='5.8.4'), + Heading(name='Create Row Policy', level=3, num='5.8.5'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create', level=4, num='5.8.5.1'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists', level=4, num='5.8.5.2'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Replace', level=4, num='5.8.5.3'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster', level=4, num='5.8.5.4'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.On', level=4, num='5.8.5.5'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Access', level=4, num='5.8.5.6'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive', level=4, num='5.8.5.7'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive', level=4, num='5.8.5.8'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect', level=4, num='5.8.5.9'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Condition', level=4, num='5.8.5.10'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment', level=4, num='5.8.5.11'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None', level=4, num='5.8.5.12'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All', level=4, num='5.8.5.13'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept', level=4, num='5.8.5.14'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Create.Syntax', level=4, num='5.8.5.15'), + Heading(name='Alter Row Policy', level=3, num='5.8.6'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter', level=4, num='5.8.6.1'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists', level=4, num='5.8.6.2'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect', level=4, num='5.8.6.3'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster', level=4, num='5.8.6.4'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.On', level=4, num='5.8.6.5'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Rename', level=4, num='5.8.6.6'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access', level=4, num='5.8.6.7'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive', level=4, num='5.8.6.8'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive', level=4, num='5.8.6.9'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition', level=4, num='5.8.6.10'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None', level=4, num='5.8.6.11'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment', level=4, num='5.8.6.12'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None', level=4, num='5.8.6.13'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All', level=4, num='5.8.6.14'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept', level=4, num='5.8.6.15'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax', level=4, num='5.8.6.16'), + Heading(name='Drop Row Policy', level=3, num='5.8.7'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Drop', level=4, num='5.8.7.1'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists', level=4, num='5.8.7.2'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Drop.On', level=4, num='5.8.7.3'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster', level=4, num='5.8.7.4'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax', level=4, num='5.8.7.5'), + Heading(name='Show Create Row Policy', level=3, num='5.8.8'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy', level=4, num='5.8.8.1'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On', level=4, num='5.8.8.2'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax', level=4, num='5.8.8.3'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies', level=4, num='5.8.8.4'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On', level=4, num='5.8.8.5'), + Heading(name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax', level=4, num='5.8.8.6'), + Heading(name='Set Default Role', level=2, num='5.9'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole', level=3, num='5.9.1'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser', level=3, num='5.9.2'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole.All', level=3, num='5.9.3'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole.AllExcept', level=3, num='5.9.4'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole.None', level=3, num='5.9.5'), + Heading(name='RQ.SRS-006.RBAC.SetDefaultRole.Syntax', level=3, num='5.9.6'), + Heading(name='Set Role', level=2, num='5.10'), + Heading(name='RQ.SRS-006.RBAC.SetRole', level=3, num='5.10.1'), + Heading(name='RQ.SRS-006.RBAC.SetRole.Default', level=3, num='5.10.2'), + Heading(name='RQ.SRS-006.RBAC.SetRole.None', level=3, num='5.10.3'), + Heading(name='RQ.SRS-006.RBAC.SetRole.All', level=3, num='5.10.4'), + Heading(name='RQ.SRS-006.RBAC.SetRole.AllExcept', level=3, num='5.10.5'), + Heading(name='RQ.SRS-006.RBAC.SetRole.Syntax', level=3, num='5.10.6'), + Heading(name='Grant', level=2, num='5.11'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.To', level=3, num='5.11.1'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser', level=3, num='5.11.2'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Select', level=3, num='5.11.3'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Insert', level=3, num='5.11.4'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Alter', level=3, num='5.11.5'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Create', level=3, num='5.11.6'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Drop', level=3, num='5.11.7'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Truncate', level=3, num='5.11.8'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Optimize', level=3, num='5.11.9'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Show', level=3, num='5.11.10'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.KillQuery', level=3, num='5.11.11'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement', level=3, num='5.11.12'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.System', level=3, num='5.11.13'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Introspection', level=3, num='5.11.14'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Sources', level=3, num='5.11.15'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.DictGet', level=3, num='5.11.16'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.None', level=3, num='5.11.17'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.All', level=3, num='5.11.18'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.GrantOption', level=3, num='5.11.19'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.On', level=3, num='5.11.20'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns', level=3, num='5.11.21'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.OnCluster', level=3, num='5.11.22'), + Heading(name='RQ.SRS-006.RBAC.Grant.Privilege.Syntax', level=3, num='5.11.23'), + Heading(name='Revoke', level=2, num='5.12'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Cluster', level=3, num='5.12.1'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Select', level=3, num='5.12.2'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Insert', level=3, num='5.12.3'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Alter', level=3, num='5.12.4'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Create', level=3, num='5.12.5'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Drop', level=3, num='5.12.6'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Truncate', level=3, num='5.12.7'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Optimize', level=3, num='5.12.8'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Show', level=3, num='5.12.9'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery', level=3, num='5.12.10'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement', level=3, num='5.12.11'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.System', level=3, num='5.12.12'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Introspection', level=3, num='5.12.13'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Sources', level=3, num='5.12.14'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.DictGet', level=3, num='5.12.15'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns', level=3, num='5.12.16'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Multiple', level=3, num='5.12.17'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.All', level=3, num='5.12.18'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.None', level=3, num='5.12.19'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.On', level=3, num='5.12.20'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.From', level=3, num='5.12.21'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Privilege.Syntax', level=3, num='5.12.22'), + Heading(name='Grant Role', level=2, num='5.13'), + Heading(name='RQ.SRS-006.RBAC.Grant.Role', level=3, num='5.13.1'), + Heading(name='RQ.SRS-006.RBAC.Grant.Role.CurrentUser', level=3, num='5.13.2'), + Heading(name='RQ.SRS-006.RBAC.Grant.Role.AdminOption', level=3, num='5.13.3'), + Heading(name='RQ.SRS-006.RBAC.Grant.Role.OnCluster', level=3, num='5.13.4'), + Heading(name='RQ.SRS-006.RBAC.Grant.Role.Syntax', level=3, num='5.13.5'), + Heading(name='Revoke Role', level=2, num='5.14'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Role', level=3, num='5.14.1'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Role.Keywords', level=3, num='5.14.2'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Role.Cluster', level=3, num='5.14.3'), + Heading(name='RQ.SRS-006.RBAC.Revoke.AdminOption', level=3, num='5.14.4'), + Heading(name='RQ.SRS-006.RBAC.Revoke.Role.Syntax', level=3, num='5.14.5'), + Heading(name='Show Grants', level=2, num='5.15'), + Heading(name='RQ.SRS-006.RBAC.Show.Grants', level=3, num='5.15.1'), + Heading(name='RQ.SRS-006.RBAC.Show.Grants.For', level=3, num='5.15.2'), + Heading(name='RQ.SRS-006.RBAC.Show.Grants.Syntax', level=3, num='5.15.3'), + Heading(name='Table Privileges', level=2, num='5.16'), + Heading(name='RQ.SRS-006.RBAC.Table.PublicTables', level=3, num='5.16.1'), + Heading(name='RQ.SRS-006.RBAC.Table.SensitiveTables', level=3, num='5.16.2'), + Heading(name='Distributed Tables', level=2, num='5.17'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.Create', level=3, num='5.17.1'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.Select', level=3, num='5.17.2'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.Insert', level=3, num='5.17.3'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.SpecialTables', level=3, num='5.17.4'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.LocalUser', level=3, num='5.17.5'), + Heading(name='RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges', level=3, num='5.17.6'), + Heading(name='Views', level=2, num='5.18'), + Heading(name='View', level=3, num='5.18.1'), + Heading(name='RQ.SRS-006.RBAC.View', level=4, num='5.18.1.1'), + Heading(name='RQ.SRS-006.RBAC.View.Create', level=4, num='5.18.1.2'), + Heading(name='RQ.SRS-006.RBAC.View.Select', level=4, num='5.18.1.3'), + Heading(name='RQ.SRS-006.RBAC.View.Drop', level=4, num='5.18.1.4'), + Heading(name='Materialized View', level=3, num='5.18.2'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView', level=4, num='5.18.2.1'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Create', level=4, num='5.18.2.2'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Select', level=4, num='5.18.2.3'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable', level=4, num='5.18.2.4'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable', level=4, num='5.18.2.5'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Drop', level=4, num='5.18.2.6'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.ModifyQuery', level=4, num='5.18.2.7'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Insert', level=4, num='5.18.2.8'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable', level=4, num='5.18.2.9'), + Heading(name='RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable', level=4, num='5.18.2.10'), + Heading(name='Live View', level=3, num='5.18.3'), + Heading(name='RQ.SRS-006.RBAC.LiveView', level=4, num='5.18.3.1'), + Heading(name='RQ.SRS-006.RBAC.LiveView.Create', level=4, num='5.18.3.2'), + Heading(name='RQ.SRS-006.RBAC.LiveView.Select', level=4, num='5.18.3.3'), + Heading(name='RQ.SRS-006.RBAC.LiveView.Drop', level=4, num='5.18.3.4'), + Heading(name='RQ.SRS-006.RBAC.LiveView.Refresh', level=4, num='5.18.3.5'), + Heading(name='Select', level=2, num='5.19'), + Heading(name='RQ.SRS-006.RBAC.Select', level=3, num='5.19.1'), + Heading(name='RQ.SRS-006.RBAC.Select.Column', level=3, num='5.19.2'), + Heading(name='RQ.SRS-006.RBAC.Select.Cluster', level=3, num='5.19.3'), + Heading(name='RQ.SRS-006.RBAC.Select.TableEngines', level=3, num='5.19.4'), + Heading(name='Insert', level=2, num='5.20'), + Heading(name='RQ.SRS-006.RBAC.Insert', level=3, num='5.20.1'), + Heading(name='RQ.SRS-006.RBAC.Insert.Column', level=3, num='5.20.2'), + Heading(name='RQ.SRS-006.RBAC.Insert.Cluster', level=3, num='5.20.3'), + Heading(name='RQ.SRS-006.RBAC.Insert.TableEngines', level=3, num='5.20.4'), + Heading(name='Alter', level=2, num='5.21'), + Heading(name='Alter Column', level=3, num='5.21.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn', level=4, num='5.21.1.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant', level=4, num='5.21.1.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke', level=4, num='5.21.1.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Column', level=4, num='5.21.1.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster', level=4, num='5.21.1.5'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines', level=4, num='5.21.1.6'), + Heading(name='Alter Index', level=3, num='5.21.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterIndex', level=4, num='5.21.2.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant', level=4, num='5.21.2.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke', level=4, num='5.21.2.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster', level=4, num='5.21.2.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines', level=4, num='5.21.2.5'), + Heading(name='Alter Constraint', level=3, num='5.21.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterConstraint', level=4, num='5.21.3.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant', level=4, num='5.21.3.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke', level=4, num='5.21.3.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster', level=4, num='5.21.3.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines', level=4, num='5.21.3.5'), + Heading(name='Alter TTL', level=3, num='5.21.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterTTL', level=4, num='5.21.4.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant', level=4, num='5.21.4.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke', level=4, num='5.21.4.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster', level=4, num='5.21.4.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines', level=4, num='5.21.4.5'), + Heading(name='Alter Settings', level=3, num='5.21.5'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettings', level=4, num='5.21.5.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant', level=4, num='5.21.5.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke', level=4, num='5.21.5.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster', level=4, num='5.21.5.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines', level=4, num='5.21.5.5'), + Heading(name='Alter Update', level=3, num='5.21.6'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterUpdate', level=4, num='5.21.6.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant', level=4, num='5.21.6.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke', level=4, num='5.21.6.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines', level=4, num='5.21.6.4'), + Heading(name='Alter Delete', level=3, num='5.21.7'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterDelete', level=4, num='5.21.7.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant', level=4, num='5.21.7.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke', level=4, num='5.21.7.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines', level=4, num='5.21.7.4'), + Heading(name='Alter Freeze Partition', level=3, num='5.21.8'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFreeze', level=4, num='5.21.8.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant', level=4, num='5.21.8.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke', level=4, num='5.21.8.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines', level=4, num='5.21.8.4'), + Heading(name='Alter Fetch Partition', level=3, num='5.21.9'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFetch', level=4, num='5.21.9.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant', level=4, num='5.21.9.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke', level=4, num='5.21.9.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines', level=4, num='5.21.9.4'), + Heading(name='Alter Move Partition', level=3, num='5.21.10'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterMove', level=4, num='5.21.10.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterMove.Grant', level=4, num='5.21.10.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke', level=4, num='5.21.10.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines', level=4, num='5.21.10.4'), + Heading(name='Create', level=2, num='5.22'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateTable', level=3, num='5.22.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateDatabase', level=3, num='5.22.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateDictionary', level=3, num='5.22.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable', level=3, num='5.22.4'), + Heading(name='Attach', level=2, num='5.23'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AttachDatabase', level=3, num='5.23.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AttachDictionary', level=3, num='5.23.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable', level=3, num='5.23.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AttachTable', level=3, num='5.23.4'), + Heading(name='Drop', level=2, num='5.24'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropTable', level=3, num='5.24.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropDatabase', level=3, num='5.24.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropDictionary', level=3, num='5.24.3'), + Heading(name='Detach', level=2, num='5.25'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DetachTable', level=3, num='5.25.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DetachView', level=3, num='5.25.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DetachDatabase', level=3, num='5.25.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DetachDictionary', level=3, num='5.25.4'), + Heading(name='Truncate', level=2, num='5.26'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Truncate', level=3, num='5.26.1'), + Heading(name='Optimize', level=2, num='5.27'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Optimize', level=3, num='5.27.1'), + Heading(name='Kill Query', level=2, num='5.28'), + Heading(name='RQ.SRS-006.RBAC.Privileges.KillQuery', level=3, num='5.28.1'), + Heading(name='Kill Mutation', level=2, num='5.29'), + Heading(name='RQ.SRS-006.RBAC.Privileges.KillMutation', level=3, num='5.29.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate', level=3, num='5.29.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete', level=3, num='5.29.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn', level=3, num='5.29.4'), + Heading(name='Show', level=2, num='5.30'), + Heading(name='RQ.SRS-006.RBAC.ShowTables.Privilege', level=3, num='5.30.1'), + Heading(name='RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege', level=3, num='5.30.2'), + Heading(name='RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege', level=3, num='5.30.3'), + Heading(name='RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege', level=3, num='5.30.4'), + Heading(name='RQ.SRS-006.RBAC.ShowDatabases.Privilege', level=3, num='5.30.5'), + Heading(name='RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege', level=3, num='5.30.6'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege', level=3, num='5.30.7'), + Heading(name='RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege', level=3, num='5.30.8'), + Heading(name='RQ.SRS-006.RBAC.ShowColumns.Privilege', level=3, num='5.30.9'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege', level=3, num='5.30.10'), + Heading(name='RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege', level=3, num='5.30.11'), + Heading(name='RQ.SRS-006.RBAC.ShowDictionaries.Privilege', level=3, num='5.30.12'), + Heading(name='RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege', level=3, num='5.30.13'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege', level=3, num='5.30.14'), + Heading(name='RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege', level=3, num='5.30.15'), + Heading(name='Access Management', level=2, num='5.31'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateUser', level=3, num='5.31.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole', level=3, num='5.31.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterUser', level=3, num='5.31.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropUser', level=3, num='5.31.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateRole', level=3, num='5.31.5'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterRole', level=3, num='5.31.6'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropRole', level=3, num='5.31.7'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateRowPolicy', level=3, num='5.31.8'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterRowPolicy', level=3, num='5.31.9'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropRowPolicy', level=3, num='5.31.10'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateQuota', level=3, num='5.31.11'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterQuota', level=3, num='5.31.12'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropQuota', level=3, num='5.31.13'), + Heading(name='RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile', level=3, num='5.31.14'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile', level=3, num='5.31.15'), + Heading(name='RQ.SRS-006.RBAC.Privileges.DropSettingsProfile', level=3, num='5.31.16'), + Heading(name='RQ.SRS-006.RBAC.Privileges.RoleAdmin', level=3, num='5.31.17'), + Heading(name='Show Access', level=3, num='5.31.18'), + Heading(name='RQ.SRS-006.RBAC.ShowUsers.Privilege', level=4, num='5.31.18.1'), + Heading(name='RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege', level=4, num='5.31.18.2'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege', level=4, num='5.31.18.3'), + Heading(name='RQ.SRS-006.RBAC.ShowRoles.Privilege', level=4, num='5.31.18.4'), + Heading(name='RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege', level=4, num='5.31.18.5'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege', level=4, num='5.31.18.6'), + Heading(name='RQ.SRS-006.RBAC.ShowRowPolicies.Privilege', level=4, num='5.31.18.7'), + Heading(name='RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege', level=4, num='5.31.18.8'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege', level=4, num='5.31.18.9'), + Heading(name='RQ.SRS-006.RBAC.ShowQuotas.Privilege', level=4, num='5.31.18.10'), + Heading(name='RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege', level=4, num='5.31.18.11'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege', level=4, num='5.31.18.12'), + Heading(name='RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege', level=4, num='5.31.18.13'), + Heading(name='RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege', level=4, num='5.31.18.14'), + Heading(name='RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege', level=4, num='5.31.18.15'), + Heading(name='dictGet', level=2, num='5.32'), + Heading(name='RQ.SRS-006.RBAC.dictGet.Privilege', level=3, num='5.32.1'), + Heading(name='RQ.SRS-006.RBAC.dictGet.RequiredPrivilege', level=3, num='5.32.2'), + Heading(name='RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege', level=3, num='5.32.3'), + Heading(name='RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege', level=3, num='5.32.4'), + Heading(name='RQ.SRS-006.RBAC.dictHas.RequiredPrivilege', level=3, num='5.32.5'), + Heading(name='RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege', level=3, num='5.32.6'), + Heading(name='RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege', level=3, num='5.32.7'), + Heading(name='Introspection', level=2, num='5.33'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Introspection', level=3, num='5.33.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine', level=3, num='5.33.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol', level=3, num='5.33.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Introspection.demangle', level=3, num='5.33.4'), + Heading(name='System', level=2, num='5.34'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Shutdown', level=3, num='5.34.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.DropCache', level=3, num='5.34.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS', level=3, num='5.34.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark', level=3, num='5.34.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed', level=3, num='5.34.5'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Reload', level=3, num='5.34.6'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Reload.Config', level=3, num='5.34.7'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary', level=3, num='5.34.8'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries', level=3, num='5.34.9'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries', level=3, num='5.34.10'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Merges', level=3, num='5.34.11'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.TTLMerges', level=3, num='5.34.12'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Fetches', level=3, num='5.34.13'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Moves', level=3, num='5.34.14'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Sends', level=3, num='5.34.15'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed', level=3, num='5.34.16'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated', level=3, num='5.34.17'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues', level=3, num='5.34.18'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.SyncReplica', level=3, num='5.34.19'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.RestartReplica', level=3, num='5.34.20'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Flush', level=3, num='5.34.21'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed', level=3, num='5.34.22'), + Heading(name='RQ.SRS-006.RBAC.Privileges.System.Flush.Logs', level=3, num='5.34.23'), + Heading(name='Sources', level=2, num='5.35'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources', level=3, num='5.35.1'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.File', level=3, num='5.35.2'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.URL', level=3, num='5.35.3'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.Remote', level=3, num='5.35.4'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.MySQL', level=3, num='5.35.5'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.ODBC', level=3, num='5.35.6'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.JDBC', level=3, num='5.35.7'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.HDFS', level=3, num='5.35.8'), + Heading(name='RQ.SRS-006.RBAC.Privileges.Sources.S3', level=3, num='5.35.9'), + Heading(name='RQ.SRS-006.RBAC.Privileges.GrantOption', level=2, num='5.36'), + Heading(name='RQ.SRS-006.RBAC.Privileges.All', level=2, num='5.37'), + Heading(name='RQ.SRS-006.RBAC.Privileges.RoleAll', level=2, num='5.38'), + Heading(name='RQ.SRS-006.RBAC.Privileges.None', level=2, num='5.39'), + Heading(name='RQ.SRS-006.RBAC.Privileges.AdminOption', level=2, num='5.40'), + Heading(name='References', level=1, num='6'), + ), + requirements=( + RQ_SRS_006_RBAC, + RQ_SRS_006_RBAC_Login, + RQ_SRS_006_RBAC_Login_DefaultUser, + RQ_SRS_006_RBAC_User, + RQ_SRS_006_RBAC_User_Roles, + RQ_SRS_006_RBAC_User_Privileges, + RQ_SRS_006_RBAC_User_Variables, + RQ_SRS_006_RBAC_User_Variables_Constraints, + RQ_SRS_006_RBAC_User_SettingsProfile, + RQ_SRS_006_RBAC_User_Quotas, + RQ_SRS_006_RBAC_User_RowPolicies, + RQ_SRS_006_RBAC_User_DefaultRole, + RQ_SRS_006_RBAC_User_RoleSelection, + RQ_SRS_006_RBAC_User_ShowCreate, + RQ_SRS_006_RBAC_User_ShowPrivileges, + RQ_SRS_006_RBAC_User_Use_DefaultRole, + RQ_SRS_006_RBAC_User_Use_AllRolesWhenNoDefaultRole, + RQ_SRS_006_RBAC_User_Create, + RQ_SRS_006_RBAC_User_Create_IfNotExists, + RQ_SRS_006_RBAC_User_Create_Replace, + RQ_SRS_006_RBAC_User_Create_Password_NoPassword, + RQ_SRS_006_RBAC_User_Create_Password_NoPassword_Login, + RQ_SRS_006_RBAC_User_Create_Password_PlainText, + RQ_SRS_006_RBAC_User_Create_Password_PlainText_Login, + RQ_SRS_006_RBAC_User_Create_Password_Sha256Password, + RQ_SRS_006_RBAC_User_Create_Password_Sha256Password_Login, + RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash, + RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash_Login, + RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password, + RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password_Login, + RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash, + RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash_Login, + RQ_SRS_006_RBAC_User_Create_Host_Name, + RQ_SRS_006_RBAC_User_Create_Host_Regexp, + RQ_SRS_006_RBAC_User_Create_Host_IP, + RQ_SRS_006_RBAC_User_Create_Host_Any, + RQ_SRS_006_RBAC_User_Create_Host_None, + RQ_SRS_006_RBAC_User_Create_Host_Local, + RQ_SRS_006_RBAC_User_Create_Host_Like, + RQ_SRS_006_RBAC_User_Create_Host_Default, + RQ_SRS_006_RBAC_User_Create_DefaultRole, + RQ_SRS_006_RBAC_User_Create_DefaultRole_None, + RQ_SRS_006_RBAC_User_Create_DefaultRole_All, + RQ_SRS_006_RBAC_User_Create_Settings, + RQ_SRS_006_RBAC_User_Create_OnCluster, + RQ_SRS_006_RBAC_User_Create_Syntax, + RQ_SRS_006_RBAC_User_Alter, + RQ_SRS_006_RBAC_User_Alter_OrderOfEvaluation, + RQ_SRS_006_RBAC_User_Alter_IfExists, + RQ_SRS_006_RBAC_User_Alter_Cluster, + RQ_SRS_006_RBAC_User_Alter_Rename, + RQ_SRS_006_RBAC_User_Alter_Password_PlainText, + RQ_SRS_006_RBAC_User_Alter_Password_Sha256Password, + RQ_SRS_006_RBAC_User_Alter_Password_DoubleSha1Password, + RQ_SRS_006_RBAC_User_Alter_Host_AddDrop, + RQ_SRS_006_RBAC_User_Alter_Host_Local, + RQ_SRS_006_RBAC_User_Alter_Host_Name, + RQ_SRS_006_RBAC_User_Alter_Host_Regexp, + RQ_SRS_006_RBAC_User_Alter_Host_IP, + RQ_SRS_006_RBAC_User_Alter_Host_Like, + RQ_SRS_006_RBAC_User_Alter_Host_Any, + RQ_SRS_006_RBAC_User_Alter_Host_None, + RQ_SRS_006_RBAC_User_Alter_DefaultRole, + RQ_SRS_006_RBAC_User_Alter_DefaultRole_All, + RQ_SRS_006_RBAC_User_Alter_DefaultRole_AllExcept, + RQ_SRS_006_RBAC_User_Alter_Settings, + RQ_SRS_006_RBAC_User_Alter_Settings_Min, + RQ_SRS_006_RBAC_User_Alter_Settings_Max, + RQ_SRS_006_RBAC_User_Alter_Settings_Profile, + RQ_SRS_006_RBAC_User_Alter_Syntax, + RQ_SRS_006_RBAC_User_ShowCreateUser, + RQ_SRS_006_RBAC_User_ShowCreateUser_For, + RQ_SRS_006_RBAC_User_ShowCreateUser_Syntax, + RQ_SRS_006_RBAC_User_Drop, + RQ_SRS_006_RBAC_User_Drop_IfExists, + RQ_SRS_006_RBAC_User_Drop_OnCluster, + RQ_SRS_006_RBAC_User_Drop_Syntax, + RQ_SRS_006_RBAC_Role, + RQ_SRS_006_RBAC_Role_Privileges, + RQ_SRS_006_RBAC_Role_Variables, + RQ_SRS_006_RBAC_Role_SettingsProfile, + RQ_SRS_006_RBAC_Role_Quotas, + RQ_SRS_006_RBAC_Role_RowPolicies, + RQ_SRS_006_RBAC_Role_Create, + RQ_SRS_006_RBAC_Role_Create_IfNotExists, + RQ_SRS_006_RBAC_Role_Create_Replace, + RQ_SRS_006_RBAC_Role_Create_Settings, + RQ_SRS_006_RBAC_Role_Create_Syntax, + RQ_SRS_006_RBAC_Role_Alter, + RQ_SRS_006_RBAC_Role_Alter_IfExists, + RQ_SRS_006_RBAC_Role_Alter_Cluster, + RQ_SRS_006_RBAC_Role_Alter_Rename, + RQ_SRS_006_RBAC_Role_Alter_Settings, + RQ_SRS_006_RBAC_Role_Alter_Syntax, + RQ_SRS_006_RBAC_Role_Drop, + RQ_SRS_006_RBAC_Role_Drop_IfExists, + RQ_SRS_006_RBAC_Role_Drop_Cluster, + RQ_SRS_006_RBAC_Role_Drop_Syntax, + RQ_SRS_006_RBAC_Role_ShowCreate, + RQ_SRS_006_RBAC_Role_ShowCreate_Syntax, + RQ_SRS_006_RBAC_PartialRevokes, + RQ_SRS_006_RBAC_PartialRevoke_Syntax, + RQ_SRS_006_RBAC_SettingsProfile, + RQ_SRS_006_RBAC_SettingsProfile_Constraints, + RQ_SRS_006_RBAC_SettingsProfile_Create, + RQ_SRS_006_RBAC_SettingsProfile_Create_IfNotExists, + RQ_SRS_006_RBAC_SettingsProfile_Create_Replace, + RQ_SRS_006_RBAC_SettingsProfile_Create_Variables, + RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Value, + RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints, + RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment, + RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_None, + RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_All, + RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_AllExcept, + RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit, + RQ_SRS_006_RBAC_SettingsProfile_Create_OnCluster, + RQ_SRS_006_RBAC_SettingsProfile_Create_Syntax, + RQ_SRS_006_RBAC_SettingsProfile_Alter, + RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_None, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_All, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_AllExcept, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_Inherit, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_OnCluster, + RQ_SRS_006_RBAC_SettingsProfile_Alter_Syntax, + RQ_SRS_006_RBAC_SettingsProfile_Drop, + RQ_SRS_006_RBAC_SettingsProfile_Drop_IfExists, + RQ_SRS_006_RBAC_SettingsProfile_Drop_OnCluster, + RQ_SRS_006_RBAC_SettingsProfile_Drop_Syntax, + RQ_SRS_006_RBAC_SettingsProfile_ShowCreateSettingsProfile, + RQ_SRS_006_RBAC_Quotas, + RQ_SRS_006_RBAC_Quotas_Keyed, + RQ_SRS_006_RBAC_Quotas_Queries, + RQ_SRS_006_RBAC_Quotas_Errors, + RQ_SRS_006_RBAC_Quotas_ResultRows, + RQ_SRS_006_RBAC_Quotas_ReadRows, + RQ_SRS_006_RBAC_Quotas_ResultBytes, + RQ_SRS_006_RBAC_Quotas_ReadBytes, + RQ_SRS_006_RBAC_Quotas_ExecutionTime, + RQ_SRS_006_RBAC_Quota_Create, + RQ_SRS_006_RBAC_Quota_Create_IfNotExists, + RQ_SRS_006_RBAC_Quota_Create_Replace, + RQ_SRS_006_RBAC_Quota_Create_Cluster, + RQ_SRS_006_RBAC_Quota_Create_Interval, + RQ_SRS_006_RBAC_Quota_Create_Interval_Randomized, + RQ_SRS_006_RBAC_Quota_Create_Queries, + RQ_SRS_006_RBAC_Quota_Create_Errors, + RQ_SRS_006_RBAC_Quota_Create_ResultRows, + RQ_SRS_006_RBAC_Quota_Create_ReadRows, + RQ_SRS_006_RBAC_Quota_Create_ResultBytes, + RQ_SRS_006_RBAC_Quota_Create_ReadBytes, + RQ_SRS_006_RBAC_Quota_Create_ExecutionTime, + RQ_SRS_006_RBAC_Quota_Create_NoLimits, + RQ_SRS_006_RBAC_Quota_Create_TrackingOnly, + RQ_SRS_006_RBAC_Quota_Create_KeyedBy, + RQ_SRS_006_RBAC_Quota_Create_KeyedByOptions, + RQ_SRS_006_RBAC_Quota_Create_Assignment, + RQ_SRS_006_RBAC_Quota_Create_Assignment_None, + RQ_SRS_006_RBAC_Quota_Create_Assignment_All, + RQ_SRS_006_RBAC_Quota_Create_Assignment_Except, + RQ_SRS_006_RBAC_Quota_Create_Syntax, + RQ_SRS_006_RBAC_Quota_Alter, + RQ_SRS_006_RBAC_Quota_Alter_IfExists, + RQ_SRS_006_RBAC_Quota_Alter_Rename, + RQ_SRS_006_RBAC_Quota_Alter_Cluster, + RQ_SRS_006_RBAC_Quota_Alter_Interval, + RQ_SRS_006_RBAC_Quota_Alter_Interval_Randomized, + RQ_SRS_006_RBAC_Quota_Alter_Queries, + RQ_SRS_006_RBAC_Quota_Alter_Errors, + RQ_SRS_006_RBAC_Quota_Alter_ResultRows, + RQ_SRS_006_RBAC_Quota_Alter_ReadRows, + RQ_SRS_006_RBAC_Quota_ALter_ResultBytes, + RQ_SRS_006_RBAC_Quota_Alter_ReadBytes, + RQ_SRS_006_RBAC_Quota_Alter_ExecutionTime, + RQ_SRS_006_RBAC_Quota_Alter_NoLimits, + RQ_SRS_006_RBAC_Quota_Alter_TrackingOnly, + RQ_SRS_006_RBAC_Quota_Alter_KeyedBy, + RQ_SRS_006_RBAC_Quota_Alter_KeyedByOptions, + RQ_SRS_006_RBAC_Quota_Alter_Assignment, + RQ_SRS_006_RBAC_Quota_Alter_Assignment_None, + RQ_SRS_006_RBAC_Quota_Alter_Assignment_All, + RQ_SRS_006_RBAC_Quota_Alter_Assignment_Except, + RQ_SRS_006_RBAC_Quota_Alter_Syntax, + RQ_SRS_006_RBAC_Quota_Drop, + RQ_SRS_006_RBAC_Quota_Drop_IfExists, + RQ_SRS_006_RBAC_Quota_Drop_Cluster, + RQ_SRS_006_RBAC_Quota_Drop_Syntax, + RQ_SRS_006_RBAC_Quota_ShowQuotas, + RQ_SRS_006_RBAC_Quota_ShowQuotas_IntoOutfile, + RQ_SRS_006_RBAC_Quota_ShowQuotas_Format, + RQ_SRS_006_RBAC_Quota_ShowQuotas_Settings, + RQ_SRS_006_RBAC_Quota_ShowQuotas_Syntax, + RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Name, + RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Current, + RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Syntax, + RQ_SRS_006_RBAC_RowPolicy, + RQ_SRS_006_RBAC_RowPolicy_Condition, + RQ_SRS_006_RBAC_RowPolicy_Restriction, + RQ_SRS_006_RBAC_RowPolicy_Nesting, + RQ_SRS_006_RBAC_RowPolicy_Create, + RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists, + RQ_SRS_006_RBAC_RowPolicy_Create_Replace, + RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster, + RQ_SRS_006_RBAC_RowPolicy_Create_On, + RQ_SRS_006_RBAC_RowPolicy_Create_Access, + RQ_SRS_006_RBAC_RowPolicy_Create_Access_Permissive, + RQ_SRS_006_RBAC_RowPolicy_Create_Access_Restrictive, + RQ_SRS_006_RBAC_RowPolicy_Create_ForSelect, + RQ_SRS_006_RBAC_RowPolicy_Create_Condition, + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment, + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_None, + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_All, + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept, + RQ_SRS_006_RBAC_RowPolicy_Create_Syntax, + RQ_SRS_006_RBAC_RowPolicy_Alter, + RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists, + RQ_SRS_006_RBAC_RowPolicy_Alter_ForSelect, + RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster, + RQ_SRS_006_RBAC_RowPolicy_Alter_On, + RQ_SRS_006_RBAC_RowPolicy_Alter_Rename, + RQ_SRS_006_RBAC_RowPolicy_Alter_Access, + RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Permissive, + RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Restrictive, + RQ_SRS_006_RBAC_RowPolicy_Alter_Condition, + RQ_SRS_006_RBAC_RowPolicy_Alter_Condition_None, + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment, + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_None, + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_All, + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept, + RQ_SRS_006_RBAC_RowPolicy_Alter_Syntax, + RQ_SRS_006_RBAC_RowPolicy_Drop, + RQ_SRS_006_RBAC_RowPolicy_Drop_IfExists, + RQ_SRS_006_RBAC_RowPolicy_Drop_On, + RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster, + RQ_SRS_006_RBAC_RowPolicy_Drop_Syntax, + RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy, + RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_On, + RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_Syntax, + RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies, + RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_On, + RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_Syntax, + RQ_SRS_006_RBAC_SetDefaultRole, + RQ_SRS_006_RBAC_SetDefaultRole_CurrentUser, + RQ_SRS_006_RBAC_SetDefaultRole_All, + RQ_SRS_006_RBAC_SetDefaultRole_AllExcept, + RQ_SRS_006_RBAC_SetDefaultRole_None, + RQ_SRS_006_RBAC_SetDefaultRole_Syntax, + RQ_SRS_006_RBAC_SetRole, + RQ_SRS_006_RBAC_SetRole_Default, + RQ_SRS_006_RBAC_SetRole_None, + RQ_SRS_006_RBAC_SetRole_All, + RQ_SRS_006_RBAC_SetRole_AllExcept, + RQ_SRS_006_RBAC_SetRole_Syntax, + RQ_SRS_006_RBAC_Grant_Privilege_To, + RQ_SRS_006_RBAC_Grant_Privilege_ToCurrentUser, + RQ_SRS_006_RBAC_Grant_Privilege_Select, + RQ_SRS_006_RBAC_Grant_Privilege_Insert, + RQ_SRS_006_RBAC_Grant_Privilege_Alter, + RQ_SRS_006_RBAC_Grant_Privilege_Create, + RQ_SRS_006_RBAC_Grant_Privilege_Drop, + RQ_SRS_006_RBAC_Grant_Privilege_Truncate, + RQ_SRS_006_RBAC_Grant_Privilege_Optimize, + RQ_SRS_006_RBAC_Grant_Privilege_Show, + RQ_SRS_006_RBAC_Grant_Privilege_KillQuery, + RQ_SRS_006_RBAC_Grant_Privilege_AccessManagement, + RQ_SRS_006_RBAC_Grant_Privilege_System, + RQ_SRS_006_RBAC_Grant_Privilege_Introspection, + RQ_SRS_006_RBAC_Grant_Privilege_Sources, + RQ_SRS_006_RBAC_Grant_Privilege_DictGet, + RQ_SRS_006_RBAC_Grant_Privilege_None, + RQ_SRS_006_RBAC_Grant_Privilege_All, + RQ_SRS_006_RBAC_Grant_Privilege_GrantOption, + RQ_SRS_006_RBAC_Grant_Privilege_On, + RQ_SRS_006_RBAC_Grant_Privilege_PrivilegeColumns, + RQ_SRS_006_RBAC_Grant_Privilege_OnCluster, + RQ_SRS_006_RBAC_Grant_Privilege_Syntax, + RQ_SRS_006_RBAC_Revoke_Privilege_Cluster, + RQ_SRS_006_RBAC_Revoke_Privilege_Select, + RQ_SRS_006_RBAC_Revoke_Privilege_Insert, + RQ_SRS_006_RBAC_Revoke_Privilege_Alter, + RQ_SRS_006_RBAC_Revoke_Privilege_Create, + RQ_SRS_006_RBAC_Revoke_Privilege_Drop, + RQ_SRS_006_RBAC_Revoke_Privilege_Truncate, + RQ_SRS_006_RBAC_Revoke_Privilege_Optimize, + RQ_SRS_006_RBAC_Revoke_Privilege_Show, + RQ_SRS_006_RBAC_Revoke_Privilege_KillQuery, + RQ_SRS_006_RBAC_Revoke_Privilege_AccessManagement, + RQ_SRS_006_RBAC_Revoke_Privilege_System, + RQ_SRS_006_RBAC_Revoke_Privilege_Introspection, + RQ_SRS_006_RBAC_Revoke_Privilege_Sources, + RQ_SRS_006_RBAC_Revoke_Privilege_DictGet, + RQ_SRS_006_RBAC_Revoke_Privilege_PrivilegeColumns, + RQ_SRS_006_RBAC_Revoke_Privilege_Multiple, + RQ_SRS_006_RBAC_Revoke_Privilege_All, + RQ_SRS_006_RBAC_Revoke_Privilege_None, + RQ_SRS_006_RBAC_Revoke_Privilege_On, + RQ_SRS_006_RBAC_Revoke_Privilege_From, + RQ_SRS_006_RBAC_Revoke_Privilege_Syntax, + RQ_SRS_006_RBAC_Grant_Role, + RQ_SRS_006_RBAC_Grant_Role_CurrentUser, + RQ_SRS_006_RBAC_Grant_Role_AdminOption, + RQ_SRS_006_RBAC_Grant_Role_OnCluster, + RQ_SRS_006_RBAC_Grant_Role_Syntax, + RQ_SRS_006_RBAC_Revoke_Role, + RQ_SRS_006_RBAC_Revoke_Role_Keywords, + RQ_SRS_006_RBAC_Revoke_Role_Cluster, + RQ_SRS_006_RBAC_Revoke_AdminOption, + RQ_SRS_006_RBAC_Revoke_Role_Syntax, + RQ_SRS_006_RBAC_Show_Grants, + RQ_SRS_006_RBAC_Show_Grants_For, + RQ_SRS_006_RBAC_Show_Grants_Syntax, + RQ_SRS_006_RBAC_Table_PublicTables, + RQ_SRS_006_RBAC_Table_SensitiveTables, + RQ_SRS_006_RBAC_DistributedTable_Create, + RQ_SRS_006_RBAC_DistributedTable_Select, + RQ_SRS_006_RBAC_DistributedTable_Insert, + RQ_SRS_006_RBAC_DistributedTable_SpecialTables, + RQ_SRS_006_RBAC_DistributedTable_LocalUser, + RQ_SRS_006_RBAC_DistributedTable_SameUserDifferentNodesDifferentPrivileges, + RQ_SRS_006_RBAC_View, + RQ_SRS_006_RBAC_View_Create, + RQ_SRS_006_RBAC_View_Select, + RQ_SRS_006_RBAC_View_Drop, + RQ_SRS_006_RBAC_MaterializedView, + RQ_SRS_006_RBAC_MaterializedView_Create, + RQ_SRS_006_RBAC_MaterializedView_Select, + RQ_SRS_006_RBAC_MaterializedView_Select_TargetTable, + RQ_SRS_006_RBAC_MaterializedView_Select_SourceTable, + RQ_SRS_006_RBAC_MaterializedView_Drop, + RQ_SRS_006_RBAC_MaterializedView_ModifyQuery, + RQ_SRS_006_RBAC_MaterializedView_Insert, + RQ_SRS_006_RBAC_MaterializedView_Insert_SourceTable, + RQ_SRS_006_RBAC_MaterializedView_Insert_TargetTable, + RQ_SRS_006_RBAC_LiveView, + RQ_SRS_006_RBAC_LiveView_Create, + RQ_SRS_006_RBAC_LiveView_Select, + RQ_SRS_006_RBAC_LiveView_Drop, + RQ_SRS_006_RBAC_LiveView_Refresh, + RQ_SRS_006_RBAC_Select, + RQ_SRS_006_RBAC_Select_Column, + RQ_SRS_006_RBAC_Select_Cluster, + RQ_SRS_006_RBAC_Select_TableEngines, + RQ_SRS_006_RBAC_Insert, + RQ_SRS_006_RBAC_Insert_Column, + RQ_SRS_006_RBAC_Insert_Cluster, + RQ_SRS_006_RBAC_Insert_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterColumn, + RQ_SRS_006_RBAC_Privileges_AlterColumn_Grant, + RQ_SRS_006_RBAC_Privileges_AlterColumn_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterColumn_Column, + RQ_SRS_006_RBAC_Privileges_AlterColumn_Cluster, + RQ_SRS_006_RBAC_Privileges_AlterColumn_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterIndex, + RQ_SRS_006_RBAC_Privileges_AlterIndex_Grant, + RQ_SRS_006_RBAC_Privileges_AlterIndex_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterIndex_Cluster, + RQ_SRS_006_RBAC_Privileges_AlterIndex_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterConstraint, + RQ_SRS_006_RBAC_Privileges_AlterConstraint_Grant, + RQ_SRS_006_RBAC_Privileges_AlterConstraint_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterConstraint_Cluster, + RQ_SRS_006_RBAC_Privileges_AlterConstraint_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterTTL, + RQ_SRS_006_RBAC_Privileges_AlterTTL_Grant, + RQ_SRS_006_RBAC_Privileges_AlterTTL_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterTTL_Cluster, + RQ_SRS_006_RBAC_Privileges_AlterTTL_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterSettings, + RQ_SRS_006_RBAC_Privileges_AlterSettings_Grant, + RQ_SRS_006_RBAC_Privileges_AlterSettings_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterSettings_Cluster, + RQ_SRS_006_RBAC_Privileges_AlterSettings_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterUpdate, + RQ_SRS_006_RBAC_Privileges_AlterUpdate_Grant, + RQ_SRS_006_RBAC_Privileges_AlterUpdate_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterUpdate_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterDelete, + RQ_SRS_006_RBAC_Privileges_AlterDelete_Grant, + RQ_SRS_006_RBAC_Privileges_AlterDelete_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterDelete_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterFreeze, + RQ_SRS_006_RBAC_Privileges_AlterFreeze_Grant, + RQ_SRS_006_RBAC_Privileges_AlterFreeze_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterFreeze_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterFetch, + RQ_SRS_006_RBAC_Privileges_AlterFetch_Grant, + RQ_SRS_006_RBAC_Privileges_AlterFetch_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterFetch_TableEngines, + RQ_SRS_006_RBAC_Privileges_AlterMove, + RQ_SRS_006_RBAC_Privileges_AlterMove_Grant, + RQ_SRS_006_RBAC_Privileges_AlterMove_Revoke, + RQ_SRS_006_RBAC_Privileges_AlterMove_TableEngines, + RQ_SRS_006_RBAC_Privileges_CreateTable, + RQ_SRS_006_RBAC_Privileges_CreateDatabase, + RQ_SRS_006_RBAC_Privileges_CreateDictionary, + RQ_SRS_006_RBAC_Privileges_CreateTemporaryTable, + RQ_SRS_006_RBAC_Privileges_AttachDatabase, + RQ_SRS_006_RBAC_Privileges_AttachDictionary, + RQ_SRS_006_RBAC_Privileges_AttachTemporaryTable, + RQ_SRS_006_RBAC_Privileges_AttachTable, + RQ_SRS_006_RBAC_Privileges_DropTable, + RQ_SRS_006_RBAC_Privileges_DropDatabase, + RQ_SRS_006_RBAC_Privileges_DropDictionary, + RQ_SRS_006_RBAC_Privileges_DetachTable, + RQ_SRS_006_RBAC_Privileges_DetachView, + RQ_SRS_006_RBAC_Privileges_DetachDatabase, + RQ_SRS_006_RBAC_Privileges_DetachDictionary, + RQ_SRS_006_RBAC_Privileges_Truncate, + RQ_SRS_006_RBAC_Privileges_Optimize, + RQ_SRS_006_RBAC_Privileges_KillQuery, + RQ_SRS_006_RBAC_Privileges_KillMutation, + RQ_SRS_006_RBAC_Privileges_KillMutation_AlterUpdate, + RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDelete, + RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDropColumn, + RQ_SRS_006_RBAC_ShowTables_Privilege, + RQ_SRS_006_RBAC_ShowTables_RequiredPrivilege, + RQ_SRS_006_RBAC_ExistsTable_RequiredPrivilege, + RQ_SRS_006_RBAC_CheckTable_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowDatabases_Privilege, + RQ_SRS_006_RBAC_ShowDatabases_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateDatabase_RequiredPrivilege, + RQ_SRS_006_RBAC_UseDatabase_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowColumns_Privilege, + RQ_SRS_006_RBAC_ShowCreateTable_RequiredPrivilege, + RQ_SRS_006_RBAC_DescribeTable_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowDictionaries_Privilege, + RQ_SRS_006_RBAC_ShowDictionaries_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateDictionary_RequiredPrivilege, + RQ_SRS_006_RBAC_ExistsDictionary_RequiredPrivilege, + RQ_SRS_006_RBAC_Privileges_CreateUser, + RQ_SRS_006_RBAC_Privileges_CreateUser_DefaultRole, + RQ_SRS_006_RBAC_Privileges_AlterUser, + RQ_SRS_006_RBAC_Privileges_DropUser, + RQ_SRS_006_RBAC_Privileges_CreateRole, + RQ_SRS_006_RBAC_Privileges_AlterRole, + RQ_SRS_006_RBAC_Privileges_DropRole, + RQ_SRS_006_RBAC_Privileges_CreateRowPolicy, + RQ_SRS_006_RBAC_Privileges_AlterRowPolicy, + RQ_SRS_006_RBAC_Privileges_DropRowPolicy, + RQ_SRS_006_RBAC_Privileges_CreateQuota, + RQ_SRS_006_RBAC_Privileges_AlterQuota, + RQ_SRS_006_RBAC_Privileges_DropQuota, + RQ_SRS_006_RBAC_Privileges_CreateSettingsProfile, + RQ_SRS_006_RBAC_Privileges_AlterSettingsProfile, + RQ_SRS_006_RBAC_Privileges_DropSettingsProfile, + RQ_SRS_006_RBAC_Privileges_RoleAdmin, + RQ_SRS_006_RBAC_ShowUsers_Privilege, + RQ_SRS_006_RBAC_ShowUsers_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateUser_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowRoles_Privilege, + RQ_SRS_006_RBAC_ShowRoles_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateRole_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowRowPolicies_Privilege, + RQ_SRS_006_RBAC_ShowRowPolicies_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateRowPolicy_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowQuotas_Privilege, + RQ_SRS_006_RBAC_ShowQuotas_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateQuota_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowSettingsProfiles_Privilege, + RQ_SRS_006_RBAC_ShowSettingsProfiles_RequiredPrivilege, + RQ_SRS_006_RBAC_ShowCreateSettingsProfile_RequiredPrivilege, + RQ_SRS_006_RBAC_dictGet_Privilege, + RQ_SRS_006_RBAC_dictGet_RequiredPrivilege, + RQ_SRS_006_RBAC_dictGet_Type_RequiredPrivilege, + RQ_SRS_006_RBAC_dictGet_OrDefault_RequiredPrivilege, + RQ_SRS_006_RBAC_dictHas_RequiredPrivilege, + RQ_SRS_006_RBAC_dictGetHierarchy_RequiredPrivilege, + RQ_SRS_006_RBAC_dictIsIn_RequiredPrivilege, + RQ_SRS_006_RBAC_Privileges_Introspection, + RQ_SRS_006_RBAC_Privileges_Introspection_addressToLine, + RQ_SRS_006_RBAC_Privileges_Introspection_addressToSymbol, + RQ_SRS_006_RBAC_Privileges_Introspection_demangle, + RQ_SRS_006_RBAC_Privileges_System_Shutdown, + RQ_SRS_006_RBAC_Privileges_System_DropCache, + RQ_SRS_006_RBAC_Privileges_System_DropCache_DNS, + RQ_SRS_006_RBAC_Privileges_System_DropCache_Mark, + RQ_SRS_006_RBAC_Privileges_System_DropCache_Uncompressed, + RQ_SRS_006_RBAC_Privileges_System_Reload, + RQ_SRS_006_RBAC_Privileges_System_Reload_Config, + RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionary, + RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionaries, + RQ_SRS_006_RBAC_Privileges_System_Reload_EmbeddedDictionaries, + RQ_SRS_006_RBAC_Privileges_System_Merges, + RQ_SRS_006_RBAC_Privileges_System_TTLMerges, + RQ_SRS_006_RBAC_Privileges_System_Fetches, + RQ_SRS_006_RBAC_Privileges_System_Moves, + RQ_SRS_006_RBAC_Privileges_System_Sends, + RQ_SRS_006_RBAC_Privileges_System_Sends_Distributed, + RQ_SRS_006_RBAC_Privileges_System_Sends_Replicated, + RQ_SRS_006_RBAC_Privileges_System_ReplicationQueues, + RQ_SRS_006_RBAC_Privileges_System_SyncReplica, + RQ_SRS_006_RBAC_Privileges_System_RestartReplica, + RQ_SRS_006_RBAC_Privileges_System_Flush, + RQ_SRS_006_RBAC_Privileges_System_Flush_Distributed, + RQ_SRS_006_RBAC_Privileges_System_Flush_Logs, + RQ_SRS_006_RBAC_Privileges_Sources, + RQ_SRS_006_RBAC_Privileges_Sources_File, + RQ_SRS_006_RBAC_Privileges_Sources_URL, + RQ_SRS_006_RBAC_Privileges_Sources_Remote, + RQ_SRS_006_RBAC_Privileges_Sources_MySQL, + RQ_SRS_006_RBAC_Privileges_Sources_ODBC, + RQ_SRS_006_RBAC_Privileges_Sources_JDBC, + RQ_SRS_006_RBAC_Privileges_Sources_HDFS, + RQ_SRS_006_RBAC_Privileges_Sources_S3, + RQ_SRS_006_RBAC_Privileges_GrantOption, + RQ_SRS_006_RBAC_Privileges_All, + RQ_SRS_006_RBAC_Privileges_RoleAll, + RQ_SRS_006_RBAC_Privileges_None, + RQ_SRS_006_RBAC_Privileges_AdminOption, + ), + content=''' # SRS-006 ClickHouse Role Based Access Control # Software Requirements Specification @@ -34,556 +9989,588 @@ SRS_006_ClickHouse_Role_Based_Access_Control = Specification( * 5 [Requirements](#requirements) * 5.1 [Generic](#generic) * 5.1.1 [RQ.SRS-006.RBAC](#rqsrs-006rbac) - * 5.1.2 [Login](#login) - * 5.1.2.1 [RQ.SRS-006.RBAC.Login](#rqsrs-006rbaclogin) - * 5.1.2.2 [RQ.SRS-006.RBAC.Login.DefaultUser](#rqsrs-006rbaclogindefaultuser) - * 5.1.3 [User](#user) - * 5.1.3.1 [RQ.SRS-006.RBAC.User](#rqsrs-006rbacuser) - * 5.1.3.2 [RQ.SRS-006.RBAC.User.Roles](#rqsrs-006rbacuserroles) - * 5.1.3.3 [RQ.SRS-006.RBAC.User.Privileges](#rqsrs-006rbacuserprivileges) - * 5.1.3.4 [RQ.SRS-006.RBAC.User.Variables](#rqsrs-006rbacuservariables) - * 5.1.3.5 [RQ.SRS-006.RBAC.User.Variables.Constraints](#rqsrs-006rbacuservariablesconstraints) - * 5.1.3.6 [RQ.SRS-006.RBAC.User.SettingsProfile](#rqsrs-006rbacusersettingsprofile) - * 5.1.3.7 [RQ.SRS-006.RBAC.User.Quotas](#rqsrs-006rbacuserquotas) - * 5.1.3.8 [RQ.SRS-006.RBAC.User.RowPolicies](#rqsrs-006rbacuserrowpolicies) - * 5.1.3.9 [RQ.SRS-006.RBAC.User.AccountLock](#rqsrs-006rbacuseraccountlock) - * 5.1.3.10 [RQ.SRS-006.RBAC.User.AccountLock.DenyAccess](#rqsrs-006rbacuseraccountlockdenyaccess) - * 5.1.3.11 [RQ.SRS-006.RBAC.User.DefaultRole](#rqsrs-006rbacuserdefaultrole) - * 5.1.3.12 [RQ.SRS-006.RBAC.User.RoleSelection](#rqsrs-006rbacuserroleselection) - * 5.1.3.13 [RQ.SRS-006.RBAC.User.ShowCreate](#rqsrs-006rbacusershowcreate) - * 5.1.3.14 [RQ.SRS-006.RBAC.User.ShowPrivileges](#rqsrs-006rbacusershowprivileges) - * 5.1.4 [Role](#role) - * 5.1.4.1 [RQ.SRS-006.RBAC.Role](#rqsrs-006rbacrole) - * 5.1.4.2 [RQ.SRS-006.RBAC.Role.Privileges](#rqsrs-006rbacroleprivileges) - * 5.1.4.3 [RQ.SRS-006.RBAC.Role.Variables](#rqsrs-006rbacrolevariables) - * 5.1.4.4 [RQ.SRS-006.RBAC.Role.SettingsProfile](#rqsrs-006rbacrolesettingsprofile) - * 5.1.4.5 [RQ.SRS-006.RBAC.Role.Quotas](#rqsrs-006rbacrolequotas) - * 5.1.4.6 [RQ.SRS-006.RBAC.Role.RowPolicies](#rqsrs-006rbacrolerowpolicies) - * 5.1.5 [Partial Revokes](#partial-revokes) - * 5.1.5.1 [RQ.SRS-006.RBAC.PartialRevokes](#rqsrs-006rbacpartialrevokes) - * 5.1.6 [Settings Profile](#settings-profile) - * 5.1.6.1 [RQ.SRS-006.RBAC.SettingsProfile](#rqsrs-006rbacsettingsprofile) - * 5.1.6.2 [RQ.SRS-006.RBAC.SettingsProfile.Constraints](#rqsrs-006rbacsettingsprofileconstraints) - * 5.1.6.3 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreate](#rqsrs-006rbacsettingsprofileshowcreate) - * 5.1.7 [Quotas](#quotas) - * 5.1.7.1 [RQ.SRS-006.RBAC.Quotas](#rqsrs-006rbacquotas) - * 5.1.7.2 [RQ.SRS-006.RBAC.Quotas.Keyed](#rqsrs-006rbacquotaskeyed) - * 5.1.7.3 [RQ.SRS-006.RBAC.Quotas.Queries](#rqsrs-006rbacquotasqueries) - * 5.1.7.4 [RQ.SRS-006.RBAC.Quotas.Errors](#rqsrs-006rbacquotaserrors) - * 5.1.7.5 [RQ.SRS-006.RBAC.Quotas.ResultRows](#rqsrs-006rbacquotasresultrows) - * 5.1.7.6 [RQ.SRS-006.RBAC.Quotas.ReadRows](#rqsrs-006rbacquotasreadrows) - * 5.1.7.7 [RQ.SRS-006.RBAC.Quotas.ResultBytes](#rqsrs-006rbacquotasresultbytes) - * 5.1.7.8 [RQ.SRS-006.RBAC.Quotas.ReadBytes](#rqsrs-006rbacquotasreadbytes) - * 5.1.7.9 [RQ.SRS-006.RBAC.Quotas.ExecutionTime](#rqsrs-006rbacquotasexecutiontime) - * 5.1.7.10 [RQ.SRS-006.RBAC.Quotas.ShowCreate](#rqsrs-006rbacquotasshowcreate) - * 5.1.8 [Row Policy](#row-policy) - * 5.1.8.1 [RQ.SRS-006.RBAC.RowPolicy](#rqsrs-006rbacrowpolicy) - * 5.1.8.2 [RQ.SRS-006.RBAC.RowPolicy.Condition](#rqsrs-006rbacrowpolicycondition) - * 5.1.8.3 [RQ.SRS-006.RBAC.RowPolicy.ShowCreate](#rqsrs-006rbacrowpolicyshowcreate) - * 5.2 [Specific](#specific) - * 5.2.8.1 [RQ.SRS-006.RBAC.User.Use.DefaultRole](#rqsrs-006rbacuserusedefaultrole) - * 5.2.8.2 [RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole](#rqsrs-006rbacuseruseallroleswhennodefaultrole) - * 5.2.8.3 [RQ.SRS-006.RBAC.User.Create](#rqsrs-006rbacusercreate) - * 5.2.8.4 [RQ.SRS-006.RBAC.User.Create.IfNotExists](#rqsrs-006rbacusercreateifnotexists) - * 5.2.8.5 [RQ.SRS-006.RBAC.User.Create.Replace](#rqsrs-006rbacusercreatereplace) - * 5.2.8.6 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword](#rqsrs-006rbacusercreatepasswordnopassword) - * 5.2.8.7 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login](#rqsrs-006rbacusercreatepasswordnopasswordlogin) - * 5.2.8.8 [RQ.SRS-006.RBAC.User.Create.Password.PlainText](#rqsrs-006rbacusercreatepasswordplaintext) - * 5.2.8.9 [RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login](#rqsrs-006rbacusercreatepasswordplaintextlogin) - * 5.2.8.10 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password](#rqsrs-006rbacusercreatepasswordsha256password) - * 5.2.8.11 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login](#rqsrs-006rbacusercreatepasswordsha256passwordlogin) - * 5.2.8.12 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash](#rqsrs-006rbacusercreatepasswordsha256hash) - * 5.2.8.13 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login](#rqsrs-006rbacusercreatepasswordsha256hashlogin) - * 5.2.8.14 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password](#rqsrs-006rbacusercreatepassworddoublesha1password) - * 5.2.8.15 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login](#rqsrs-006rbacusercreatepassworddoublesha1passwordlogin) - * 5.2.8.16 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash](#rqsrs-006rbacusercreatepassworddoublesha1hash) - * 5.2.8.17 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login](#rqsrs-006rbacusercreatepassworddoublesha1hashlogin) - * 5.2.8.18 [RQ.SRS-006.RBAC.User.Create.Host.Name](#rqsrs-006rbacusercreatehostname) - * 5.2.8.19 [RQ.SRS-006.RBAC.User.Create.Host.Regexp](#rqsrs-006rbacusercreatehostregexp) - * 5.2.8.20 [RQ.SRS-006.RBAC.User.Create.Host.IP](#rqsrs-006rbacusercreatehostip) - * 5.2.8.21 [RQ.SRS-006.RBAC.User.Create.Host.Any](#rqsrs-006rbacusercreatehostany) - * 5.2.8.22 [RQ.SRS-006.RBAC.User.Create.Host.None](#rqsrs-006rbacusercreatehostnone) - * 5.2.8.23 [RQ.SRS-006.RBAC.User.Create.Host.Local](#rqsrs-006rbacusercreatehostlocal) - * 5.2.8.24 [RQ.SRS-006.RBAC.User.Create.Host.Like](#rqsrs-006rbacusercreatehostlike) - * 5.2.8.25 [RQ.SRS-006.RBAC.User.Create.Host.Default](#rqsrs-006rbacusercreatehostdefault) - * 5.2.8.26 [RQ.SRS-006.RBAC.User.Create.DefaultRole](#rqsrs-006rbacusercreatedefaultrole) - * 5.2.8.27 [RQ.SRS-006.RBAC.User.Create.DefaultRole.None](#rqsrs-006rbacusercreatedefaultrolenone) - * 5.2.8.28 [RQ.SRS-006.RBAC.User.Create.DefaultRole.All](#rqsrs-006rbacusercreatedefaultroleall) - * 5.2.8.29 [RQ.SRS-006.RBAC.User.Create.Settings](#rqsrs-006rbacusercreatesettings) - * 5.2.8.30 [RQ.SRS-006.RBAC.User.Create.OnCluster](#rqsrs-006rbacusercreateoncluster) - * 5.2.8.31 [RQ.SRS-006.RBAC.User.Create.Syntax](#rqsrs-006rbacusercreatesyntax) - * 5.2.8.32 [RQ.SRS-006.RBAC.User.Alter](#rqsrs-006rbacuseralter) - * 5.2.8.33 [RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation](#rqsrs-006rbacuseralterorderofevaluation) - * 5.2.8.34 [RQ.SRS-006.RBAC.User.Alter.IfExists](#rqsrs-006rbacuseralterifexists) - * 5.2.8.35 [RQ.SRS-006.RBAC.User.Alter.Cluster](#rqsrs-006rbacuseraltercluster) - * 5.2.8.36 [RQ.SRS-006.RBAC.User.Alter.Rename](#rqsrs-006rbacuseralterrename) - * 5.2.8.37 [RQ.SRS-006.RBAC.User.Alter.Password.PlainText](#rqsrs-006rbacuseralterpasswordplaintext) - * 5.2.8.38 [RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password](#rqsrs-006rbacuseralterpasswordsha256password) - * 5.2.8.39 [RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password](#rqsrs-006rbacuseralterpassworddoublesha1password) - * 5.2.8.40 [RQ.SRS-006.RBAC.User.Alter.Host.AddDrop](#rqsrs-006rbacuseralterhostadddrop) - * 5.2.8.41 [RQ.SRS-006.RBAC.User.Alter.Host.Local](#rqsrs-006rbacuseralterhostlocal) - * 5.2.8.42 [RQ.SRS-006.RBAC.User.Alter.Host.Name](#rqsrs-006rbacuseralterhostname) - * 5.2.8.43 [RQ.SRS-006.RBAC.User.Alter.Host.Regexp](#rqsrs-006rbacuseralterhostregexp) - * 5.2.8.44 [RQ.SRS-006.RBAC.User.Alter.Host.IP](#rqsrs-006rbacuseralterhostip) - * 5.2.8.45 [RQ.SRS-006.RBAC.User.Alter.Host.Like](#rqsrs-006rbacuseralterhostlike) - * 5.2.8.46 [RQ.SRS-006.RBAC.User.Alter.Host.Any](#rqsrs-006rbacuseralterhostany) - * 5.2.8.47 [RQ.SRS-006.RBAC.User.Alter.Host.None](#rqsrs-006rbacuseralterhostnone) - * 5.2.8.48 [RQ.SRS-006.RBAC.User.Alter.DefaultRole](#rqsrs-006rbacuseralterdefaultrole) - * 5.2.8.49 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.All](#rqsrs-006rbacuseralterdefaultroleall) - * 5.2.8.50 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept](#rqsrs-006rbacuseralterdefaultroleallexcept) - * 5.2.8.51 [RQ.SRS-006.RBAC.User.Alter.Settings](#rqsrs-006rbacuseraltersettings) - * 5.2.8.52 [RQ.SRS-006.RBAC.User.Alter.Settings.Min](#rqsrs-006rbacuseraltersettingsmin) - * 5.2.8.53 [RQ.SRS-006.RBAC.User.Alter.Settings.Max](#rqsrs-006rbacuseraltersettingsmax) - * 5.2.8.54 [RQ.SRS-006.RBAC.User.Alter.Settings.Profile](#rqsrs-006rbacuseraltersettingsprofile) - * 5.2.8.55 [RQ.SRS-006.RBAC.User.Alter.Syntax](#rqsrs-006rbacuseraltersyntax) - * 5.2.8.56 [RQ.SRS-006.RBAC.SetDefaultRole](#rqsrs-006rbacsetdefaultrole) - * 5.2.8.57 [RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser](#rqsrs-006rbacsetdefaultrolecurrentuser) - * 5.2.8.58 [RQ.SRS-006.RBAC.SetDefaultRole.All](#rqsrs-006rbacsetdefaultroleall) - * 5.2.8.59 [RQ.SRS-006.RBAC.SetDefaultRole.AllExcept](#rqsrs-006rbacsetdefaultroleallexcept) - * 5.2.8.60 [RQ.SRS-006.RBAC.SetDefaultRole.None](#rqsrs-006rbacsetdefaultrolenone) - * 5.2.8.61 [RQ.SRS-006.RBAC.SetDefaultRole.Syntax](#rqsrs-006rbacsetdefaultrolesyntax) - * 5.2.8.62 [RQ.SRS-006.RBAC.SetRole](#rqsrs-006rbacsetrole) - * 5.2.8.63 [RQ.SRS-006.RBAC.SetRole.Default](#rqsrs-006rbacsetroledefault) - * 5.2.8.64 [RQ.SRS-006.RBAC.SetRole.None](#rqsrs-006rbacsetrolenone) - * 5.2.8.65 [RQ.SRS-006.RBAC.SetRole.All](#rqsrs-006rbacsetroleall) - * 5.2.8.66 [RQ.SRS-006.RBAC.SetRole.AllExcept](#rqsrs-006rbacsetroleallexcept) - * 5.2.8.67 [RQ.SRS-006.RBAC.SetRole.Syntax](#rqsrs-006rbacsetrolesyntax) - * 5.2.8.68 [RQ.SRS-006.RBAC.User.ShowCreateUser](#rqsrs-006rbacusershowcreateuser) - * 5.2.8.69 [RQ.SRS-006.RBAC.User.ShowCreateUser.For](#rqsrs-006rbacusershowcreateuserfor) - * 5.2.8.70 [RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax](#rqsrs-006rbacusershowcreateusersyntax) - * 5.2.8.71 [RQ.SRS-006.RBAC.User.Drop](#rqsrs-006rbacuserdrop) - * 5.2.8.72 [RQ.SRS-006.RBAC.User.Drop.IfExists](#rqsrs-006rbacuserdropifexists) - * 5.2.8.73 [RQ.SRS-006.RBAC.User.Drop.OnCluster](#rqsrs-006rbacuserdroponcluster) - * 5.2.8.74 [RQ.SRS-006.RBAC.User.Drop.Syntax](#rqsrs-006rbacuserdropsyntax) - * 5.2.8.75 [RQ.SRS-006.RBAC.Role.Create](#rqsrs-006rbacrolecreate) - * 5.2.8.76 [RQ.SRS-006.RBAC.Role.Create.IfNotExists](#rqsrs-006rbacrolecreateifnotexists) - * 5.2.8.77 [RQ.SRS-006.RBAC.Role.Create.Replace](#rqsrs-006rbacrolecreatereplace) - * 5.2.8.78 [RQ.SRS-006.RBAC.Role.Create.Settings](#rqsrs-006rbacrolecreatesettings) - * 5.2.8.79 [RQ.SRS-006.RBAC.Role.Create.Syntax](#rqsrs-006rbacrolecreatesyntax) - * 5.2.8.80 [RQ.SRS-006.RBAC.Role.Alter](#rqsrs-006rbacrolealter) - * 5.2.8.81 [RQ.SRS-006.RBAC.Role.Alter.IfExists](#rqsrs-006rbacrolealterifexists) - * 5.2.8.82 [RQ.SRS-006.RBAC.Role.Alter.Cluster](#rqsrs-006rbacrolealtercluster) - * 5.2.8.83 [RQ.SRS-006.RBAC.Role.Alter.Rename](#rqsrs-006rbacrolealterrename) - * 5.2.8.84 [RQ.SRS-006.RBAC.Role.Alter.Settings](#rqsrs-006rbacrolealtersettings) - * 5.2.8.85 [RQ.SRS-006.RBAC.Role.Alter.Syntax](#rqsrs-006rbacrolealtersyntax) - * 5.2.8.86 [RQ.SRS-006.RBAC.Role.Drop](#rqsrs-006rbacroledrop) - * 5.2.8.87 [RQ.SRS-006.RBAC.Role.Drop.IfExists](#rqsrs-006rbacroledropifexists) - * 5.2.8.88 [RQ.SRS-006.RBAC.Role.Drop.Cluster](#rqsrs-006rbacroledropcluster) - * 5.2.8.89 [RQ.SRS-006.RBAC.Role.Drop.Syntax](#rqsrs-006rbacroledropsyntax) - * 5.2.8.90 [RQ.SRS-006.RBAC.Role.ShowCreate](#rqsrs-006rbacroleshowcreate) - * 5.2.8.91 [RQ.SRS-006.RBAC.Role.ShowCreate.Syntax](#rqsrs-006rbacroleshowcreatesyntax) - * 5.2.8.92 [RQ.SRS-006.RBAC.Grant.Privilege.To](#rqsrs-006rbacgrantprivilegeto) - * 5.2.8.93 [RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser](#rqsrs-006rbacgrantprivilegetocurrentuser) - * 5.2.8.94 [RQ.SRS-006.RBAC.Grant.Privilege.Select](#rqsrs-006rbacgrantprivilegeselect) - * 5.2.8.95 [RQ.SRS-006.RBAC.Grant.Privilege.Insert](#rqsrs-006rbacgrantprivilegeinsert) - * 5.2.8.96 [RQ.SRS-006.RBAC.Grant.Privilege.Alter](#rqsrs-006rbacgrantprivilegealter) - * 5.2.8.97 [RQ.SRS-006.RBAC.Grant.Privilege.Create](#rqsrs-006rbacgrantprivilegecreate) - * 5.2.8.98 [RQ.SRS-006.RBAC.Grant.Privilege.Drop](#rqsrs-006rbacgrantprivilegedrop) - * 5.2.8.99 [RQ.SRS-006.RBAC.Grant.Privilege.Truncate](#rqsrs-006rbacgrantprivilegetruncate) - * 5.2.8.100 [RQ.SRS-006.RBAC.Grant.Privilege.Optimize](#rqsrs-006rbacgrantprivilegeoptimize) - * 5.2.8.101 [RQ.SRS-006.RBAC.Grant.Privilege.Show](#rqsrs-006rbacgrantprivilegeshow) - * 5.2.8.102 [RQ.SRS-006.RBAC.Grant.Privilege.KillQuery](#rqsrs-006rbacgrantprivilegekillquery) - * 5.2.8.103 [RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement](#rqsrs-006rbacgrantprivilegeaccessmanagement) - * 5.2.8.104 [RQ.SRS-006.RBAC.Grant.Privilege.System](#rqsrs-006rbacgrantprivilegesystem) - * 5.2.8.105 [RQ.SRS-006.RBAC.Grant.Privilege.Introspection](#rqsrs-006rbacgrantprivilegeintrospection) - * 5.2.8.106 [RQ.SRS-006.RBAC.Grant.Privilege.Sources](#rqsrs-006rbacgrantprivilegesources) - * 5.2.8.107 [RQ.SRS-006.RBAC.Grant.Privilege.DictGet](#rqsrs-006rbacgrantprivilegedictget) - * 5.2.8.108 [RQ.SRS-006.RBAC.Grant.Privilege.None](#rqsrs-006rbacgrantprivilegenone) - * 5.2.8.109 [RQ.SRS-006.RBAC.Grant.Privilege.All](#rqsrs-006rbacgrantprivilegeall) - * 5.2.8.110 [RQ.SRS-006.RBAC.Grant.Privilege.GrantOption](#rqsrs-006rbacgrantprivilegegrantoption) - * 5.2.8.111 [RQ.SRS-006.RBAC.Grant.Privilege.On](#rqsrs-006rbacgrantprivilegeon) - * 5.2.8.112 [RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns](#rqsrs-006rbacgrantprivilegeprivilegecolumns) - * 5.2.8.113 [RQ.SRS-006.RBAC.Grant.Privilege.OnCluster](#rqsrs-006rbacgrantprivilegeoncluster) - * 5.2.8.114 [RQ.SRS-006.RBAC.Grant.Privilege.Syntax](#rqsrs-006rbacgrantprivilegesyntax) - * 5.2.8.115 [RQ.SRS-006.RBAC.Revoke.Privilege.Cluster](#rqsrs-006rbacrevokeprivilegecluster) - * 5.2.8.116 [RQ.SRS-006.RBAC.Revoke.Privilege.Any](#rqsrs-006rbacrevokeprivilegeany) - * 5.2.8.117 [RQ.SRS-006.RBAC.Revoke.Privilege.Select](#rqsrs-006rbacrevokeprivilegeselect) - * 5.2.8.118 [RQ.SRS-006.RBAC.Revoke.Privilege.Insert](#rqsrs-006rbacrevokeprivilegeinsert) - * 5.2.8.119 [RQ.SRS-006.RBAC.Revoke.Privilege.Alter](#rqsrs-006rbacrevokeprivilegealter) - * 5.2.8.120 [RQ.SRS-006.RBAC.Revoke.Privilege.Create](#rqsrs-006rbacrevokeprivilegecreate) - * 5.2.8.121 [RQ.SRS-006.RBAC.Revoke.Privilege.Drop](#rqsrs-006rbacrevokeprivilegedrop) - * 5.2.8.122 [RQ.SRS-006.RBAC.Revoke.Privilege.Truncate](#rqsrs-006rbacrevokeprivilegetruncate) - * 5.2.8.123 [RQ.SRS-006.RBAC.Revoke.Privilege.Optimize](#rqsrs-006rbacrevokeprivilegeoptimize) - * 5.2.8.124 [RQ.SRS-006.RBAC.Revoke.Privilege.Show](#rqsrs-006rbacrevokeprivilegeshow) - * 5.2.8.125 [RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery](#rqsrs-006rbacrevokeprivilegekillquery) - * 5.2.8.126 [RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement](#rqsrs-006rbacrevokeprivilegeaccessmanagement) - * 5.2.8.127 [RQ.SRS-006.RBAC.Revoke.Privilege.System](#rqsrs-006rbacrevokeprivilegesystem) - * 5.2.8.128 [RQ.SRS-006.RBAC.Revoke.Privilege.Introspection](#rqsrs-006rbacrevokeprivilegeintrospection) - * 5.2.8.129 [RQ.SRS-006.RBAC.Revoke.Privilege.Sources](#rqsrs-006rbacrevokeprivilegesources) - * 5.2.8.130 [RQ.SRS-006.RBAC.Revoke.Privilege.DictGet](#rqsrs-006rbacrevokeprivilegedictget) - * 5.2.8.131 [RQ.SRS-006.RBAC.Revoke.Privilege.PrivelegeColumns](#rqsrs-006rbacrevokeprivilegeprivelegecolumns) - * 5.2.8.132 [RQ.SRS-006.RBAC.Revoke.Privilege.Multiple](#rqsrs-006rbacrevokeprivilegemultiple) - * 5.2.8.133 [RQ.SRS-006.RBAC.Revoke.Privilege.All](#rqsrs-006rbacrevokeprivilegeall) - * 5.2.8.134 [RQ.SRS-006.RBAC.Revoke.Privilege.None](#rqsrs-006rbacrevokeprivilegenone) - * 5.2.8.135 [RQ.SRS-006.RBAC.Revoke.Privilege.On](#rqsrs-006rbacrevokeprivilegeon) - * 5.2.8.136 [RQ.SRS-006.RBAC.Revoke.Privilege.From](#rqsrs-006rbacrevokeprivilegefrom) - * 5.2.8.137 [RQ.SRS-006.RBAC.Revoke.Privilege.Syntax](#rqsrs-006rbacrevokeprivilegesyntax) - * 5.2.8.138 [RQ.SRS-006.RBAC.PartialRevoke.Syntax](#rqsrs-006rbacpartialrevokesyntax) - * 5.2.8.139 [RQ.SRS-006.RBAC.Grant.Role](#rqsrs-006rbacgrantrole) - * 5.2.8.140 [RQ.SRS-006.RBAC.Grant.Role.CurrentUser](#rqsrs-006rbacgrantrolecurrentuser) - * 5.2.8.141 [RQ.SRS-006.RBAC.Grant.Role.AdminOption](#rqsrs-006rbacgrantroleadminoption) - * 5.2.8.142 [RQ.SRS-006.RBAC.Grant.Role.OnCluster](#rqsrs-006rbacgrantroleoncluster) - * 5.2.8.143 [RQ.SRS-006.RBAC.Grant.Role.Syntax](#rqsrs-006rbacgrantrolesyntax) - * 5.2.8.144 [RQ.SRS-006.RBAC.Revoke.Role](#rqsrs-006rbacrevokerole) - * 5.2.8.145 [RQ.SRS-006.RBAC.Revoke.Role.Keywords](#rqsrs-006rbacrevokerolekeywords) - * 5.2.8.146 [RQ.SRS-006.RBAC.Revoke.Role.Cluster](#rqsrs-006rbacrevokerolecluster) - * 5.2.8.147 [RQ.SRS-006.RBAC.Revoke.AdminOption](#rqsrs-006rbacrevokeadminoption) - * 5.2.8.148 [RQ.SRS-006.RBAC.Revoke.Role.Syntax](#rqsrs-006rbacrevokerolesyntax) - * 5.2.8.149 [RQ.SRS-006.RBAC.Show.Grants](#rqsrs-006rbacshowgrants) - * 5.2.8.150 [RQ.SRS-006.RBAC.Show.Grants.For](#rqsrs-006rbacshowgrantsfor) - * 5.2.8.151 [RQ.SRS-006.RBAC.Show.Grants.Syntax](#rqsrs-006rbacshowgrantssyntax) - * 5.2.8.152 [RQ.SRS-006.RBAC.SettingsProfile.Create](#rqsrs-006rbacsettingsprofilecreate) - * 5.2.8.153 [RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists](#rqsrs-006rbacsettingsprofilecreateifnotexists) - * 5.2.8.154 [RQ.SRS-006.RBAC.SettingsProfile.Create.Replace](#rqsrs-006rbacsettingsprofilecreatereplace) - * 5.2.8.155 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables](#rqsrs-006rbacsettingsprofilecreatevariables) - * 5.2.8.156 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value](#rqsrs-006rbacsettingsprofilecreatevariablesvalue) - * 5.2.8.157 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints](#rqsrs-006rbacsettingsprofilecreatevariablesconstraints) - * 5.2.8.158 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment](#rqsrs-006rbacsettingsprofilecreateassignment) - * 5.2.8.159 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None](#rqsrs-006rbacsettingsprofilecreateassignmentnone) - * 5.2.8.160 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All](#rqsrs-006rbacsettingsprofilecreateassignmentall) - * 5.2.8.161 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilecreateassignmentallexcept) - * 5.2.8.162 [RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit](#rqsrs-006rbacsettingsprofilecreateinherit) - * 5.2.8.163 [RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster](#rqsrs-006rbacsettingsprofilecreateoncluster) - * 5.2.8.164 [RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax](#rqsrs-006rbacsettingsprofilecreatesyntax) - * 5.2.8.165 [RQ.SRS-006.RBAC.SettingsProfile.Alter](#rqsrs-006rbacsettingsprofilealter) - * 5.2.8.166 [RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists](#rqsrs-006rbacsettingsprofilealterifexists) - * 5.2.8.167 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename](#rqsrs-006rbacsettingsprofilealterrename) - * 5.2.8.168 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables](#rqsrs-006rbacsettingsprofilealtervariables) - * 5.2.8.169 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value](#rqsrs-006rbacsettingsprofilealtervariablesvalue) - * 5.2.8.170 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints](#rqsrs-006rbacsettingsprofilealtervariablesconstraints) - * 5.2.8.171 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment](#rqsrs-006rbacsettingsprofilealterassignment) - * 5.2.8.172 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None](#rqsrs-006rbacsettingsprofilealterassignmentnone) - * 5.2.8.173 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All](#rqsrs-006rbacsettingsprofilealterassignmentall) - * 5.2.8.174 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilealterassignmentallexcept) - * 5.2.8.175 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit](#rqsrs-006rbacsettingsprofilealterassignmentinherit) - * 5.2.8.176 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster](#rqsrs-006rbacsettingsprofilealterassignmentoncluster) - * 5.2.8.177 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax](#rqsrs-006rbacsettingsprofilealtersyntax) - * 5.2.8.178 [RQ.SRS-006.RBAC.SettingsProfile.Drop](#rqsrs-006rbacsettingsprofiledrop) - * 5.2.8.179 [RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists](#rqsrs-006rbacsettingsprofiledropifexists) - * 5.2.8.180 [RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster](#rqsrs-006rbacsettingsprofiledroponcluster) - * 5.2.8.181 [RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax](#rqsrs-006rbacsettingsprofiledropsyntax) - * 5.2.8.182 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile](#rqsrs-006rbacsettingsprofileshowcreatesettingsprofile) - * 5.2.8.183 [RQ.SRS-006.RBAC.Quota.Create](#rqsrs-006rbacquotacreate) - * 5.2.8.184 [RQ.SRS-006.RBAC.Quota.Create.IfNotExists](#rqsrs-006rbacquotacreateifnotexists) - * 5.2.8.185 [RQ.SRS-006.RBAC.Quota.Create.Replace](#rqsrs-006rbacquotacreatereplace) - * 5.2.8.186 [RQ.SRS-006.RBAC.Quota.Create.Cluster](#rqsrs-006rbacquotacreatecluster) - * 5.2.8.187 [RQ.SRS-006.RBAC.Quota.Create.Interval](#rqsrs-006rbacquotacreateinterval) - * 5.2.8.188 [RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized](#rqsrs-006rbacquotacreateintervalrandomized) - * 5.2.8.189 [RQ.SRS-006.RBAC.Quota.Create.Queries](#rqsrs-006rbacquotacreatequeries) - * 5.2.8.190 [RQ.SRS-006.RBAC.Quota.Create.Errors](#rqsrs-006rbacquotacreateerrors) - * 5.2.8.191 [RQ.SRS-006.RBAC.Quota.Create.ResultRows](#rqsrs-006rbacquotacreateresultrows) - * 5.2.8.192 [RQ.SRS-006.RBAC.Quota.Create.ReadRows](#rqsrs-006rbacquotacreatereadrows) - * 5.2.8.193 [RQ.SRS-006.RBAC.Quota.Create.ResultBytes](#rqsrs-006rbacquotacreateresultbytes) - * 5.2.8.194 [RQ.SRS-006.RBAC.Quota.Create.ReadBytes](#rqsrs-006rbacquotacreatereadbytes) - * 5.2.8.195 [RQ.SRS-006.RBAC.Quota.Create.ExecutionTime](#rqsrs-006rbacquotacreateexecutiontime) - * 5.2.8.196 [RQ.SRS-006.RBAC.Quota.Create.NoLimits](#rqsrs-006rbacquotacreatenolimits) - * 5.2.8.197 [RQ.SRS-006.RBAC.Quota.Create.TrackingOnly](#rqsrs-006rbacquotacreatetrackingonly) - * 5.2.8.198 [RQ.SRS-006.RBAC.Quota.Create.KeyedBy](#rqsrs-006rbacquotacreatekeyedby) - * 5.2.8.199 [RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions](#rqsrs-006rbacquotacreatekeyedbyoptions) - * 5.2.8.200 [RQ.SRS-006.RBAC.Quota.Create.Assignment](#rqsrs-006rbacquotacreateassignment) - * 5.2.8.201 [RQ.SRS-006.RBAC.Quota.Create.Assignment.None](#rqsrs-006rbacquotacreateassignmentnone) - * 5.2.8.202 [RQ.SRS-006.RBAC.Quota.Create.Assignment.All](#rqsrs-006rbacquotacreateassignmentall) - * 5.2.8.203 [RQ.SRS-006.RBAC.Quota.Create.Assignment.Except](#rqsrs-006rbacquotacreateassignmentexcept) - * 5.2.8.204 [RQ.SRS-006.RBAC.Quota.Create.Syntax](#rqsrs-006rbacquotacreatesyntax) - * 5.2.8.205 [RQ.SRS-006.RBAC.Quota.Alter](#rqsrs-006rbacquotaalter) - * 5.2.8.206 [RQ.SRS-006.RBAC.Quota.Alter.IfExists](#rqsrs-006rbacquotaalterifexists) - * 5.2.8.207 [RQ.SRS-006.RBAC.Quota.Alter.Rename](#rqsrs-006rbacquotaalterrename) - * 5.2.8.208 [RQ.SRS-006.RBAC.Quota.Alter.Cluster](#rqsrs-006rbacquotaaltercluster) - * 5.2.8.209 [RQ.SRS-006.RBAC.Quota.Alter.Interval](#rqsrs-006rbacquotaalterinterval) - * 5.2.8.210 [RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized](#rqsrs-006rbacquotaalterintervalrandomized) - * 5.2.8.211 [RQ.SRS-006.RBAC.Quota.Alter.Queries](#rqsrs-006rbacquotaalterqueries) - * 5.2.8.212 [RQ.SRS-006.RBAC.Quota.Alter.Errors](#rqsrs-006rbacquotaaltererrors) - * 5.2.8.213 [RQ.SRS-006.RBAC.Quota.Alter.ResultRows](#rqsrs-006rbacquotaalterresultrows) - * 5.2.8.214 [RQ.SRS-006.RBAC.Quota.Alter.ReadRows](#rqsrs-006rbacquotaalterreadrows) - * 5.2.8.215 [RQ.SRS-006.RBAC.Quota.ALter.ResultBytes](#rqsrs-006rbacquotaalterresultbytes) - * 5.2.8.216 [RQ.SRS-006.RBAC.Quota.Alter.ReadBytes](#rqsrs-006rbacquotaalterreadbytes) - * 5.2.8.217 [RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime](#rqsrs-006rbacquotaalterexecutiontime) - * 5.2.8.218 [RQ.SRS-006.RBAC.Quota.Alter.NoLimits](#rqsrs-006rbacquotaalternolimits) - * 5.2.8.219 [RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly](#rqsrs-006rbacquotaaltertrackingonly) - * 5.2.8.220 [RQ.SRS-006.RBAC.Quota.Alter.KeyedBy](#rqsrs-006rbacquotaalterkeyedby) - * 5.2.8.221 [RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions](#rqsrs-006rbacquotaalterkeyedbyoptions) - * 5.2.8.222 [RQ.SRS-006.RBAC.Quota.Alter.Assignment](#rqsrs-006rbacquotaalterassignment) - * 5.2.8.223 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.None](#rqsrs-006rbacquotaalterassignmentnone) - * 5.2.8.224 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.All](#rqsrs-006rbacquotaalterassignmentall) - * 5.2.8.225 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except](#rqsrs-006rbacquotaalterassignmentexcept) - * 5.2.8.226 [RQ.SRS-006.RBAC.Quota.Alter.Syntax](#rqsrs-006rbacquotaaltersyntax) - * 5.2.8.227 [RQ.SRS-006.RBAC.Quota.Drop](#rqsrs-006rbacquotadrop) - * 5.2.8.228 [RQ.SRS-006.RBAC.Quota.Drop.IfExists](#rqsrs-006rbacquotadropifexists) - * 5.2.8.229 [RQ.SRS-006.RBAC.Quota.Drop.Cluster](#rqsrs-006rbacquotadropcluster) - * 5.2.8.230 [RQ.SRS-006.RBAC.Quota.Drop.Syntax](#rqsrs-006rbacquotadropsyntax) - * 5.2.8.231 [RQ.SRS-006.RBAC.Quota.ShowQuotas](#rqsrs-006rbacquotashowquotas) - * 5.2.8.232 [RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile](#rqsrs-006rbacquotashowquotasintooutfile) - * 5.2.8.233 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Format](#rqsrs-006rbacquotashowquotasformat) - * 5.2.8.234 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings](#rqsrs-006rbacquotashowquotassettings) - * 5.2.8.235 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax](#rqsrs-006rbacquotashowquotassyntax) - * 5.2.8.236 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name](#rqsrs-006rbacquotashowcreatequotaname) - * 5.2.8.237 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current](#rqsrs-006rbacquotashowcreatequotacurrent) - * 5.2.8.238 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax](#rqsrs-006rbacquotashowcreatequotasyntax) - * 5.2.8.239 [RQ.SRS-006.RBAC.RowPolicy.Create](#rqsrs-006rbacrowpolicycreate) - * 5.2.8.240 [RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists](#rqsrs-006rbacrowpolicycreateifnotexists) - * 5.2.8.241 [RQ.SRS-006.RBAC.RowPolicy.Create.Replace](#rqsrs-006rbacrowpolicycreatereplace) - * 5.2.8.242 [RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster](#rqsrs-006rbacrowpolicycreateoncluster) - * 5.2.8.243 [RQ.SRS-006.RBAC.RowPolicy.Create.On](#rqsrs-006rbacrowpolicycreateon) - * 5.2.8.244 [RQ.SRS-006.RBAC.RowPolicy.Create.Access](#rqsrs-006rbacrowpolicycreateaccess) - * 5.2.8.245 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive](#rqsrs-006rbacrowpolicycreateaccesspermissive) - * 5.2.8.246 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive](#rqsrs-006rbacrowpolicycreateaccessrestrictive) - * 5.2.8.247 [RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect](#rqsrs-006rbacrowpolicycreateforselect) - * 5.2.8.248 [RQ.SRS-006.RBAC.RowPolicy.Create.Condition](#rqsrs-006rbacrowpolicycreatecondition) - * 5.2.8.249 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment](#rqsrs-006rbacrowpolicycreateassignment) - * 5.2.8.250 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None](#rqsrs-006rbacrowpolicycreateassignmentnone) - * 5.2.8.251 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All](#rqsrs-006rbacrowpolicycreateassignmentall) - * 5.2.8.252 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept](#rqsrs-006rbacrowpolicycreateassignmentallexcept) - * 5.2.8.253 [RQ.SRS-006.RBAC.RowPolicy.Create.Syntax](#rqsrs-006rbacrowpolicycreatesyntax) - * 5.2.8.254 [RQ.SRS-006.RBAC.RowPolicy.Alter](#rqsrs-006rbacrowpolicyalter) - * 5.2.8.255 [RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists](#rqsrs-006rbacrowpolicyalterifexists) - * 5.2.8.256 [RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect](#rqsrs-006rbacrowpolicyalterforselect) - * 5.2.8.257 [RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster](#rqsrs-006rbacrowpolicyalteroncluster) - * 5.2.8.258 [RQ.SRS-006.RBAC.RowPolicy.Alter.On](#rqsrs-006rbacrowpolicyalteron) - * 5.2.8.259 [RQ.SRS-006.RBAC.RowPolicy.Alter.Rename](#rqsrs-006rbacrowpolicyalterrename) - * 5.2.8.260 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access](#rqsrs-006rbacrowpolicyalteraccess) - * 5.2.8.261 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive](#rqsrs-006rbacrowpolicyalteraccesspermissive) - * 5.2.8.262 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive](#rqsrs-006rbacrowpolicyalteraccessrestrictive) - * 5.2.8.263 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition](#rqsrs-006rbacrowpolicyaltercondition) - * 5.2.8.264 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None](#rqsrs-006rbacrowpolicyalterconditionnone) - * 5.2.8.265 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment](#rqsrs-006rbacrowpolicyalterassignment) - * 5.2.8.266 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None](#rqsrs-006rbacrowpolicyalterassignmentnone) - * 5.2.8.267 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All](#rqsrs-006rbacrowpolicyalterassignmentall) - * 5.2.8.268 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept](#rqsrs-006rbacrowpolicyalterassignmentallexcept) - * 5.2.8.269 [RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax](#rqsrs-006rbacrowpolicyaltersyntax) - * 5.2.8.270 [RQ.SRS-006.RBAC.RowPolicy.Drop](#rqsrs-006rbacrowpolicydrop) - * 5.2.8.271 [RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists](#rqsrs-006rbacrowpolicydropifexists) - * 5.2.8.272 [RQ.SRS-006.RBAC.RowPolicy.Drop.On](#rqsrs-006rbacrowpolicydropon) - * 5.2.8.273 [RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster](#rqsrs-006rbacrowpolicydroponcluster) - * 5.2.8.274 [RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax](#rqsrs-006rbacrowpolicydropsyntax) - * 5.2.8.275 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy](#rqsrs-006rbacrowpolicyshowcreaterowpolicy) - * 5.2.8.276 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On](#rqsrs-006rbacrowpolicyshowcreaterowpolicyon) - * 5.2.8.277 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax](#rqsrs-006rbacrowpolicyshowcreaterowpolicysyntax) - * 5.2.8.278 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies](#rqsrs-006rbacrowpolicyshowrowpolicies) - * 5.2.8.279 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On](#rqsrs-006rbacrowpolicyshowrowpolicieson) - * 5.2.8.280 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax](#rqsrs-006rbacrowpolicyshowrowpoliciessyntax) - * 5.2.9 [Table Privileges](#table-privileges) - * 5.2.9.1 [RQ.SRS-006.RBAC.Table.PublicTables](#rqsrs-006rbactablepublictables) - * 5.2.9.2 [RQ.SRS-006.RBAC.Table.SensitiveTables](#rqsrs-006rbactablesensitivetables) - * 5.2.10 [Distributed Tables](#distributed-tables) - * 5.2.10.1 [RQ.SRS-006.RBAC.DistributedTable.Create](#rqsrs-006rbacdistributedtablecreate) - * 5.2.10.2 [RQ.SRS-006.RBAC.DistributedTable.Select](#rqsrs-006rbacdistributedtableselect) - * 5.2.10.3 [RQ.SRS-006.RBAC.DistributedTable.Insert](#rqsrs-006rbacdistributedtableinsert) - * 5.2.10.4 [RQ.SRS-006.RBAC.DistributedTable.SpecialTables](#rqsrs-006rbacdistributedtablespecialtables) - * 5.2.10.5 [RQ.SRS-006.RBAC.DistributedTable.LocalUser](#rqsrs-006rbacdistributedtablelocaluser) - * 5.2.10.6 [RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges](#rqsrs-006rbacdistributedtablesameuserdifferentnodesdifferentprivileges) - * 5.2.11 [Views](#views) - * 5.2.11.1 [View](#view) - * 5.2.11.1.1 [RQ.SRS-006.RBAC.View](#rqsrs-006rbacview) - * 5.2.11.1.2 [RQ.SRS-006.RBAC.View.Create](#rqsrs-006rbacviewcreate) - * 5.2.11.1.3 [RQ.SRS-006.RBAC.View.Select](#rqsrs-006rbacviewselect) - * 5.2.11.1.4 [RQ.SRS-006.RBAC.View.Drop](#rqsrs-006rbacviewdrop) - * 5.2.11.2 [Materialized View](#materialized-view) - * 5.2.11.2.1 [RQ.SRS-006.RBAC.MaterializedView](#rqsrs-006rbacmaterializedview) - * 5.2.11.2.2 [RQ.SRS-006.RBAC.MaterializedView.Create](#rqsrs-006rbacmaterializedviewcreate) - * 5.2.11.2.3 [RQ.SRS-006.RBAC.MaterializedView.Select](#rqsrs-006rbacmaterializedviewselect) - * 5.2.11.2.4 [RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable](#rqsrs-006rbacmaterializedviewselecttargettable) - * 5.2.11.2.5 [RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable](#rqsrs-006rbacmaterializedviewselectsourcetable) - * 5.2.11.2.6 [RQ.SRS-006.RBAC.MaterializedView.Drop](#rqsrs-006rbacmaterializedviewdrop) - * 5.2.11.2.7 [RQ.SRS-006.RBAC.MaterializedView.ModifyQuery](#rqsrs-006rbacmaterializedviewmodifyquery) - * 5.2.11.2.8 [RQ.SRS-006.RBAC.MaterializedView.Insert](#rqsrs-006rbacmaterializedviewinsert) - * 5.2.11.2.9 [RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable](#rqsrs-006rbacmaterializedviewinsertsourcetable) - * 5.2.11.2.10 [RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable](#rqsrs-006rbacmaterializedviewinserttargettable) - * 5.2.11.3 [Live View](#live-view) - * 5.2.11.3.1 [RQ.SRS-006.RBAC.LiveView](#rqsrs-006rbacliveview) - * 5.2.11.3.2 [RQ.SRS-006.RBAC.LiveView.Create](#rqsrs-006rbacliveviewcreate) - * 5.2.11.3.3 [RQ.SRS-006.RBAC.LiveView.Select](#rqsrs-006rbacliveviewselect) - * 5.2.11.3.4 [RQ.SRS-006.RBAC.LiveView.Drop](#rqsrs-006rbacliveviewdrop) - * 5.2.11.3.5 [RQ.SRS-006.RBAC.LiveView.Refresh](#rqsrs-006rbacliveviewrefresh) - * 5.2.12 [Select](#select) - * 5.2.12.1 [RQ.SRS-006.RBAC.Select](#rqsrs-006rbacselect) - * 5.2.12.2 [RQ.SRS-006.RBAC.Select.Column](#rqsrs-006rbacselectcolumn) - * 5.2.12.3 [RQ.SRS-006.RBAC.Select.Cluster](#rqsrs-006rbacselectcluster) - * 5.2.12.4 [RQ.SRS-006.RBAC.Select.TableEngines](#rqsrs-006rbacselecttableengines) - * 5.2.13 [Insert](#insert) - * 5.2.13.1 [RQ.SRS-006.RBAC.Insert](#rqsrs-006rbacinsert) - * 5.2.13.2 [RQ.SRS-006.RBAC.Insert.Column](#rqsrs-006rbacinsertcolumn) - * 5.2.13.3 [RQ.SRS-006.RBAC.Insert.Cluster](#rqsrs-006rbacinsertcluster) - * 5.2.13.4 [RQ.SRS-006.RBAC.Insert.TableEngines](#rqsrs-006rbacinserttableengines) - * 5.2.14 [Alter](#alter) - * 5.2.14.1 [Alter Column](#alter-column) - * 5.2.14.1.1 [RQ.SRS-006.RBAC.Privileges.AlterColumn](#rqsrs-006rbacprivilegesaltercolumn) - * 5.2.14.1.2 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant](#rqsrs-006rbacprivilegesaltercolumngrant) - * 5.2.14.1.3 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke](#rqsrs-006rbacprivilegesaltercolumnrevoke) - * 5.2.14.1.4 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Column](#rqsrs-006rbacprivilegesaltercolumncolumn) - * 5.2.14.1.5 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster](#rqsrs-006rbacprivilegesaltercolumncluster) - * 5.2.14.1.6 [RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines](#rqsrs-006rbacprivilegesaltercolumntableengines) - * 5.2.14.2 [Alter Index](#alter-index) - * 5.2.14.2.1 [RQ.SRS-006.RBAC.Privileges.AlterIndex](#rqsrs-006rbacprivilegesalterindex) - * 5.2.14.2.2 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant](#rqsrs-006rbacprivilegesalterindexgrant) - * 5.2.14.2.3 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke](#rqsrs-006rbacprivilegesalterindexrevoke) - * 5.2.14.2.4 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster](#rqsrs-006rbacprivilegesalterindexcluster) - * 5.2.14.2.5 [RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines](#rqsrs-006rbacprivilegesalterindextableengines) - * 5.2.14.3 [Alter Constraint](#alter-constraint) - * 5.2.14.3.1 [RQ.SRS-006.RBAC.Privileges.AlterConstraint](#rqsrs-006rbacprivilegesalterconstraint) - * 5.2.14.3.2 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant](#rqsrs-006rbacprivilegesalterconstraintgrant) - * 5.2.14.3.3 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke](#rqsrs-006rbacprivilegesalterconstraintrevoke) - * 5.2.14.3.4 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster](#rqsrs-006rbacprivilegesalterconstraintcluster) - * 5.2.14.3.5 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines](#rqsrs-006rbacprivilegesalterconstrainttableengines) - * 5.2.14.4 [Alter TTL](#alter-ttl) - * 5.2.14.4.1 [RQ.SRS-006.RBAC.Privileges.AlterTTL](#rqsrs-006rbacprivilegesalterttl) - * 5.2.14.4.2 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant](#rqsrs-006rbacprivilegesalterttlgrant) - * 5.2.14.4.3 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke](#rqsrs-006rbacprivilegesalterttlrevoke) - * 5.2.14.4.4 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster](#rqsrs-006rbacprivilegesalterttlcluster) - * 5.2.14.4.5 [RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines](#rqsrs-006rbacprivilegesalterttltableengines) - * 5.2.14.5 [Alter Settings](#alter-settings) - * 5.2.14.5.1 [RQ.SRS-006.RBAC.Privileges.AlterSettings](#rqsrs-006rbacprivilegesaltersettings) - * 5.2.14.5.2 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant](#rqsrs-006rbacprivilegesaltersettingsgrant) - * 5.2.14.5.3 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke](#rqsrs-006rbacprivilegesaltersettingsrevoke) - * 5.2.14.5.4 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster](#rqsrs-006rbacprivilegesaltersettingscluster) - * 5.2.14.5.5 [RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines](#rqsrs-006rbacprivilegesaltersettingstableengines) - * 5.2.14.6 [Alter Update](#alter-update) - * 5.2.14.6.1 [RQ.SRS-006.RBAC.Privileges.AlterUpdate](#rqsrs-006rbacprivilegesalterupdate) - * 5.2.14.6.2 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant](#rqsrs-006rbacprivilegesalterupdategrant) - * 5.2.14.6.3 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke](#rqsrs-006rbacprivilegesalterupdaterevoke) - * 5.2.14.6.4 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines](#rqsrs-006rbacprivilegesalterupdatetableengines) - * 5.2.14.7 [Alter Delete](#alter-delete) - * 5.2.14.7.1 [RQ.SRS-006.RBAC.Privileges.AlterDelete](#rqsrs-006rbacprivilegesalterdelete) - * 5.2.14.7.2 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant](#rqsrs-006rbacprivilegesalterdeletegrant) - * 5.2.14.7.3 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke](#rqsrs-006rbacprivilegesalterdeleterevoke) - * 5.2.14.7.4 [RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines](#rqsrs-006rbacprivilegesalterdeletetableengines) - * 5.2.14.8 [Alter Freeze Partition](#alter-freeze-partition) - * 5.2.14.8.1 [RQ.SRS-006.RBAC.Privileges.AlterFreeze](#rqsrs-006rbacprivilegesalterfreeze) - * 5.2.14.8.2 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant](#rqsrs-006rbacprivilegesalterfreezegrant) - * 5.2.14.8.3 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke](#rqsrs-006rbacprivilegesalterfreezerevoke) - * 5.2.14.8.4 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines](#rqsrs-006rbacprivilegesalterfreezetableengines) - * 5.2.14.9 [Alter Fetch Partition](#alter-fetch-partition) - * 5.2.14.9.1 [RQ.SRS-006.RBAC.Privileges.AlterFetch](#rqsrs-006rbacprivilegesalterfetch) - * 5.2.14.9.2 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant](#rqsrs-006rbacprivilegesalterfetchgrant) - * 5.2.14.9.3 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke](#rqsrs-006rbacprivilegesalterfetchrevoke) - * 5.2.14.9.4 [RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines](#rqsrs-006rbacprivilegesalterfetchtableengines) - * 5.2.14.10 [Alter Move Partition](#alter-move-partition) - * 5.2.14.10.1 [RQ.SRS-006.RBAC.Privileges.AlterMove](#rqsrs-006rbacprivilegesaltermove) - * 5.2.14.10.2 [RQ.SRS-006.RBAC.Privileges.AlterMove.Grant](#rqsrs-006rbacprivilegesaltermovegrant) - * 5.2.14.10.3 [RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke](#rqsrs-006rbacprivilegesaltermoverevoke) - * 5.2.14.10.4 [RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines](#rqsrs-006rbacprivilegesaltermovetableengines) - * 5.2.15 [RQ.SRS-006.RBAC.Privileges.CreateTable](#rqsrs-006rbacprivilegescreatetable) - * 5.2.16 [RQ.SRS-006.RBAC.Privileges.CreateDatabase](#rqsrs-006rbacprivilegescreatedatabase) - * 5.2.17 [RQ.SRS-006.RBAC.Privileges.CreateDictionary](#rqsrs-006rbacprivilegescreatedictionary) - * 5.2.18 [RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable](#rqsrs-006rbacprivilegescreatetemporarytable) - * 5.2.19 [RQ.SRS-006.RBAC.Privileges.AttachDatabase](#rqsrs-006rbacprivilegesattachdatabase) - * 5.2.20 [RQ.SRS-006.RBAC.Privileges.AttachDictionary](#rqsrs-006rbacprivilegesattachdictionary) - * 5.2.21 [RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable](#rqsrs-006rbacprivilegesattachtemporarytable) - * 5.2.22 [RQ.SRS-006.RBAC.Privileges.AttachTable](#rqsrs-006rbacprivilegesattachtable) - * 5.2.23 [RQ.SRS-006.RBAC.Privileges.DropTable](#rqsrs-006rbacprivilegesdroptable) - * 5.2.24 [RQ.SRS-006.RBAC.Privileges.DropDatabase](#rqsrs-006rbacprivilegesdropdatabase) - * 5.2.25 [RQ.SRS-006.RBAC.Privileges.DropDictionary](#rqsrs-006rbacprivilegesdropdictionary) - * 5.2.26 [RQ.SRS-006.RBAC.Privileges.DetachTable](#rqsrs-006rbacprivilegesdetachtable) - * 5.2.27 [RQ.SRS-006.RBAC.Privileges.DetachView](#rqsrs-006rbacprivilegesdetachview) - * 5.2.28 [RQ.SRS-006.RBAC.Privileges.DetachDatabase](#rqsrs-006rbacprivilegesdetachdatabase) - * 5.2.29 [RQ.SRS-006.RBAC.Privileges.DetachDictionary](#rqsrs-006rbacprivilegesdetachdictionary) - * 5.2.30 [RQ.SRS-006.RBAC.Privileges.Truncate](#rqsrs-006rbacprivilegestruncate) - * 5.2.31 [RQ.SRS-006.RBAC.Privileges.Optimize](#rqsrs-006rbacprivilegesoptimize) - * 5.2.32 [RQ.SRS-006.RBAC.Privileges.KillQuery](#rqsrs-006rbacprivilegeskillquery) - * 5.2.33 [Kill Mutation](#kill-mutation) - * 5.2.33.1 [RQ.SRS-006.RBAC.Privileges.KillMutation](#rqsrs-006rbacprivilegeskillmutation) - * 5.2.33.2 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate](#rqsrs-006rbacprivilegeskillmutationalterupdate) - * 5.2.33.3 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete](#rqsrs-006rbacprivilegeskillmutationalterdelete) - * 5.2.33.4 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn](#rqsrs-006rbacprivilegeskillmutationalterdropcolumn) - * 5.2.34 [Show](#show) - * 5.2.34.1 [RQ.SRS-006.RBAC.ShowTables.Privilege](#rqsrs-006rbacshowtablesprivilege) - * 5.2.34.2 [RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege](#rqsrs-006rbacshowtablesrequiredprivilege) - * 5.2.34.3 [RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege](#rqsrs-006rbacexiststablerequiredprivilege) - * 5.2.34.4 [RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege](#rqsrs-006rbacchecktablerequiredprivilege) - * 5.2.34.5 [RQ.SRS-006.RBAC.ShowDatabases.Privilege](#rqsrs-006rbacshowdatabasesprivilege) - * 5.2.34.6 [RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege](#rqsrs-006rbacshowdatabasesrequiredprivilege) - * 5.2.34.7 [RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege](#rqsrs-006rbacshowcreatedatabaserequiredprivilege) - * 5.2.34.8 [RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege](#rqsrs-006rbacusedatabaserequiredprivilege) - * 5.2.34.9 [RQ.SRS-006.RBAC.ShowColumns.Privilege](#rqsrs-006rbacshowcolumnsprivilege) - * 5.2.34.10 [RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege](#rqsrs-006rbacshowcreatetablerequiredprivilege) - * 5.2.34.11 [RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege](#rqsrs-006rbacdescribetablerequiredprivilege) - * 5.2.34.12 [RQ.SRS-006.RBAC.ShowDictionaries.Privilege](#rqsrs-006rbacshowdictionariesprivilege) - * 5.2.34.13 [RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege](#rqsrs-006rbacshowdictionariesrequiredprivilege) - * 5.2.34.14 [RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege](#rqsrs-006rbacshowcreatedictionaryrequiredprivilege) - * 5.2.34.15 [RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege](#rqsrs-006rbacexistsdictionaryrequiredprivilege) - * 5.2.35 [Access Management](#access-management) - * 5.2.35.1 [RQ.SRS-006.RBAC.Privileges.CreateUser](#rqsrs-006rbacprivilegescreateuser) - * 5.2.35.2 [RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole](#rqsrs-006rbacprivilegescreateuserdefaultrole) - * 5.2.35.3 [RQ.SRS-006.RBAC.Privileges.AlterUser](#rqsrs-006rbacprivilegesalteruser) - * 5.2.35.4 [RQ.SRS-006.RBAC.Privileges.DropUser](#rqsrs-006rbacprivilegesdropuser) - * 5.2.35.5 [RQ.SRS-006.RBAC.Privileges.CreateRole](#rqsrs-006rbacprivilegescreaterole) - * 5.2.35.6 [RQ.SRS-006.RBAC.Privileges.AlterRole](#rqsrs-006rbacprivilegesalterrole) - * 5.2.35.7 [RQ.SRS-006.RBAC.Privileges.DropRole](#rqsrs-006rbacprivilegesdroprole) - * 5.2.35.8 [RQ.SRS-006.RBAC.Privileges.CreateRowPolicy](#rqsrs-006rbacprivilegescreaterowpolicy) - * 5.2.35.9 [RQ.SRS-006.RBAC.Privileges.AlterRowPolicy](#rqsrs-006rbacprivilegesalterrowpolicy) - * 5.2.35.10 [RQ.SRS-006.RBAC.Privileges.DropRowPolicy](#rqsrs-006rbacprivilegesdroprowpolicy) - * 5.2.35.11 [RQ.SRS-006.RBAC.Privileges.CreateQuota](#rqsrs-006rbacprivilegescreatequota) - * 5.2.35.12 [RQ.SRS-006.RBAC.Privileges.AlterQuota](#rqsrs-006rbacprivilegesalterquota) - * 5.2.35.13 [RQ.SRS-006.RBAC.Privileges.DropQuota](#rqsrs-006rbacprivilegesdropquota) - * 5.2.35.14 [RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile](#rqsrs-006rbacprivilegescreatesettingsprofile) - * 5.2.35.15 [RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile](#rqsrs-006rbacprivilegesaltersettingsprofile) - * 5.2.35.16 [RQ.SRS-006.RBAC.Privileges.DropSettingsProfile](#rqsrs-006rbacprivilegesdropsettingsprofile) - * 5.2.35.17 [RQ.SRS-006.RBAC.Privileges.RoleAdmin](#rqsrs-006rbacprivilegesroleadmin) - * 5.2.35.18 [Show Access](#show-access) - * 5.2.35.18.1 [RQ.SRS-006.RBAC.ShowUsers.Privilege](#rqsrs-006rbacshowusersprivilege) - * 5.2.35.18.2 [RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege](#rqsrs-006rbacshowusersrequiredprivilege) - * 5.2.35.18.3 [RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege](#rqsrs-006rbacshowcreateuserrequiredprivilege) - * 5.2.35.18.4 [RQ.SRS-006.RBAC.ShowRoles.Privilege](#rqsrs-006rbacshowrolesprivilege) - * 5.2.35.18.5 [RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege](#rqsrs-006rbacshowrolesrequiredprivilege) - * 5.2.35.18.6 [RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege](#rqsrs-006rbacshowcreaterolerequiredprivilege) - * 5.2.35.18.7 [RQ.SRS-006.RBAC.ShowRowPolicies.Privilege](#rqsrs-006rbacshowrowpoliciesprivilege) - * 5.2.35.18.8 [RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege](#rqsrs-006rbacshowrowpoliciesrequiredprivilege) - * 5.2.35.18.9 [RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege](#rqsrs-006rbacshowcreaterowpolicyrequiredprivilege) - * 5.2.35.18.10 [RQ.SRS-006.RBAC.ShowQuotas.Privilege](#rqsrs-006rbacshowquotasprivilege) - * 5.2.35.18.11 [RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege](#rqsrs-006rbacshowquotasrequiredprivilege) - * 5.2.35.18.12 [RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege](#rqsrs-006rbacshowcreatequotarequiredprivilege) - * 5.2.35.18.13 [RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege](#rqsrs-006rbacshowsettingsprofilesprivilege) - * 5.2.35.18.14 [RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege](#rqsrs-006rbacshowsettingsprofilesrequiredprivilege) - * 5.2.35.18.15 [RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege](#rqsrs-006rbacshowcreatesettingsprofilerequiredprivilege) - * 5.2.36 [dictGet](#dictget) - * 5.2.36.1 [RQ.SRS-006.RBAC.dictGet.Privilege](#rqsrs-006rbacdictgetprivilege) - * 5.2.36.2 [RQ.SRS-006.RBAC.dictGet.RequiredPrivilege](#rqsrs-006rbacdictgetrequiredprivilege) - * 5.2.36.3 [RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege](#rqsrs-006rbacdictgettyperequiredprivilege) - * 5.2.36.4 [RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege](#rqsrs-006rbacdictgetordefaultrequiredprivilege) - * 5.2.36.5 [RQ.SRS-006.RBAC.dictHas.RequiredPrivilege](#rqsrs-006rbacdicthasrequiredprivilege) - * 5.2.36.6 [RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege](#rqsrs-006rbacdictgethierarchyrequiredprivilege) - * 5.2.36.7 [RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege](#rqsrs-006rbacdictisinrequiredprivilege) - * 5.2.37 [Introspection](#introspection) - * 5.2.37.1 [RQ.SRS-006.RBAC.Privileges.Introspection](#rqsrs-006rbacprivilegesintrospection) - * 5.2.37.2 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine](#rqsrs-006rbacprivilegesintrospectionaddresstoline) - * 5.2.37.3 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol](#rqsrs-006rbacprivilegesintrospectionaddresstosymbol) - * 5.2.37.4 [RQ.SRS-006.RBAC.Privileges.Introspection.demangle](#rqsrs-006rbacprivilegesintrospectiondemangle) - * 5.2.38 [System](#system) - * 5.2.38.1 [RQ.SRS-006.RBAC.Privileges.System.Shutdown](#rqsrs-006rbacprivilegessystemshutdown) - * 5.2.38.2 [RQ.SRS-006.RBAC.Privileges.System.DropCache](#rqsrs-006rbacprivilegessystemdropcache) - * 5.2.38.3 [RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS](#rqsrs-006rbacprivilegessystemdropcachedns) - * 5.2.38.4 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark](#rqsrs-006rbacprivilegessystemdropcachemark) - * 5.2.38.5 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed](#rqsrs-006rbacprivilegessystemdropcacheuncompressed) - * 5.2.38.6 [RQ.SRS-006.RBAC.Privileges.System.Reload](#rqsrs-006rbacprivilegessystemreload) - * 5.2.38.7 [RQ.SRS-006.RBAC.Privileges.System.Reload.Config](#rqsrs-006rbacprivilegessystemreloadconfig) - * 5.2.38.8 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary](#rqsrs-006rbacprivilegessystemreloaddictionary) - * 5.2.38.9 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries](#rqsrs-006rbacprivilegessystemreloaddictionaries) - * 5.2.38.10 [RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries](#rqsrs-006rbacprivilegessystemreloadembeddeddictionaries) - * 5.2.38.11 [RQ.SRS-006.RBAC.Privileges.System.Merges](#rqsrs-006rbacprivilegessystemmerges) - * 5.2.38.12 [RQ.SRS-006.RBAC.Privileges.System.TTLMerges](#rqsrs-006rbacprivilegessystemttlmerges) - * 5.2.38.13 [RQ.SRS-006.RBAC.Privileges.System.Fetches](#rqsrs-006rbacprivilegessystemfetches) - * 5.2.38.14 [RQ.SRS-006.RBAC.Privileges.System.Moves](#rqsrs-006rbacprivilegessystemmoves) - * 5.2.38.15 [RQ.SRS-006.RBAC.Privileges.System.Sends](#rqsrs-006rbacprivilegessystemsends) - * 5.2.38.16 [RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed](#rqsrs-006rbacprivilegessystemsendsdistributed) - * 5.2.38.17 [RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated](#rqsrs-006rbacprivilegessystemsendsreplicated) - * 5.2.38.18 [RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues](#rqsrs-006rbacprivilegessystemreplicationqueues) - * 5.2.38.19 [RQ.SRS-006.RBAC.Privileges.System.SyncReplica](#rqsrs-006rbacprivilegessystemsyncreplica) - * 5.2.38.20 [RQ.SRS-006.RBAC.Privileges.System.RestartReplica](#rqsrs-006rbacprivilegessystemrestartreplica) - * 5.2.38.21 [RQ.SRS-006.RBAC.Privileges.System.Flush](#rqsrs-006rbacprivilegessystemflush) - * 5.2.38.22 [RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed](#rqsrs-006rbacprivilegessystemflushdistributed) - * 5.2.38.23 [RQ.SRS-006.RBAC.Privileges.System.Flush.Logs](#rqsrs-006rbacprivilegessystemflushlogs) - * 5.2.39 [Sources](#sources) - * 5.2.39.1 [RQ.SRS-006.RBAC.Privileges.Sources](#rqsrs-006rbacprivilegessources) - * 5.2.39.2 [RQ.SRS-006.RBAC.Privileges.Sources.File](#rqsrs-006rbacprivilegessourcesfile) - * 5.2.39.3 [RQ.SRS-006.RBAC.Privileges.Sources.URL](#rqsrs-006rbacprivilegessourcesurl) - * 5.2.39.4 [RQ.SRS-006.RBAC.Privileges.Sources.Remote](#rqsrs-006rbacprivilegessourcesremote) - * 5.2.39.5 [RQ.SRS-006.RBAC.Privileges.Sources.MySQL](#rqsrs-006rbacprivilegessourcesmysql) - * 5.2.39.6 [RQ.SRS-006.RBAC.Privileges.Sources.ODBC](#rqsrs-006rbacprivilegessourcesodbc) - * 5.2.39.7 [RQ.SRS-006.RBAC.Privileges.Sources.JDBC](#rqsrs-006rbacprivilegessourcesjdbc) - * 5.2.39.8 [RQ.SRS-006.RBAC.Privileges.Sources.HDFS](#rqsrs-006rbacprivilegessourceshdfs) - * 5.2.39.9 [RQ.SRS-006.RBAC.Privileges.Sources.S3](#rqsrs-006rbacprivilegessourcess3) - * 5.2.40 [RQ.SRS-006.RBAC.Privileges.GrantOption](#rqsrs-006rbacprivilegesgrantoption) - * 5.2.41 [RQ.SRS-006.RBAC.Privileges.All](#rqsrs-006rbacprivilegesall) - * 5.2.42 [RQ.SRS-006.RBAC.Privileges.AdminOption](#rqsrs-006rbacprivilegesadminoption) + * 5.2 [Login](#login) + * 5.2.1 [RQ.SRS-006.RBAC.Login](#rqsrs-006rbaclogin) + * 5.2.2 [RQ.SRS-006.RBAC.Login.DefaultUser](#rqsrs-006rbaclogindefaultuser) + * 5.3 [User](#user) + * 5.3.1 [RQ.SRS-006.RBAC.User](#rqsrs-006rbacuser) + * 5.3.2 [RQ.SRS-006.RBAC.User.Roles](#rqsrs-006rbacuserroles) + * 5.3.3 [RQ.SRS-006.RBAC.User.Privileges](#rqsrs-006rbacuserprivileges) + * 5.3.4 [RQ.SRS-006.RBAC.User.Variables](#rqsrs-006rbacuservariables) + * 5.3.5 [RQ.SRS-006.RBAC.User.Variables.Constraints](#rqsrs-006rbacuservariablesconstraints) + * 5.3.6 [RQ.SRS-006.RBAC.User.SettingsProfile](#rqsrs-006rbacusersettingsprofile) + * 5.3.7 [RQ.SRS-006.RBAC.User.Quotas](#rqsrs-006rbacuserquotas) + * 5.3.8 [RQ.SRS-006.RBAC.User.RowPolicies](#rqsrs-006rbacuserrowpolicies) + * 5.3.9 [RQ.SRS-006.RBAC.User.DefaultRole](#rqsrs-006rbacuserdefaultrole) + * 5.3.10 [RQ.SRS-006.RBAC.User.RoleSelection](#rqsrs-006rbacuserroleselection) + * 5.3.11 [RQ.SRS-006.RBAC.User.ShowCreate](#rqsrs-006rbacusershowcreate) + * 5.3.12 [RQ.SRS-006.RBAC.User.ShowPrivileges](#rqsrs-006rbacusershowprivileges) + * 5.3.13 [RQ.SRS-006.RBAC.User.Use.DefaultRole](#rqsrs-006rbacuserusedefaultrole) + * 5.3.14 [RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole](#rqsrs-006rbacuseruseallroleswhennodefaultrole) + * 5.3.15 [Create User](#create-user) + * 5.3.15.1 [RQ.SRS-006.RBAC.User.Create](#rqsrs-006rbacusercreate) + * 5.3.15.2 [RQ.SRS-006.RBAC.User.Create.IfNotExists](#rqsrs-006rbacusercreateifnotexists) + * 5.3.15.3 [RQ.SRS-006.RBAC.User.Create.Replace](#rqsrs-006rbacusercreatereplace) + * 5.3.15.4 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword](#rqsrs-006rbacusercreatepasswordnopassword) + * 5.3.15.5 [RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login](#rqsrs-006rbacusercreatepasswordnopasswordlogin) + * 5.3.15.6 [RQ.SRS-006.RBAC.User.Create.Password.PlainText](#rqsrs-006rbacusercreatepasswordplaintext) + * 5.3.15.7 [RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login](#rqsrs-006rbacusercreatepasswordplaintextlogin) + * 5.3.15.8 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password](#rqsrs-006rbacusercreatepasswordsha256password) + * 5.3.15.9 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login](#rqsrs-006rbacusercreatepasswordsha256passwordlogin) + * 5.3.15.10 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash](#rqsrs-006rbacusercreatepasswordsha256hash) + * 5.3.15.11 [RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login](#rqsrs-006rbacusercreatepasswordsha256hashlogin) + * 5.3.15.12 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password](#rqsrs-006rbacusercreatepassworddoublesha1password) + * 5.3.15.13 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login](#rqsrs-006rbacusercreatepassworddoublesha1passwordlogin) + * 5.3.15.14 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash](#rqsrs-006rbacusercreatepassworddoublesha1hash) + * 5.3.15.15 [RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login](#rqsrs-006rbacusercreatepassworddoublesha1hashlogin) + * 5.3.15.16 [RQ.SRS-006.RBAC.User.Create.Host.Name](#rqsrs-006rbacusercreatehostname) + * 5.3.15.17 [RQ.SRS-006.RBAC.User.Create.Host.Regexp](#rqsrs-006rbacusercreatehostregexp) + * 5.3.15.18 [RQ.SRS-006.RBAC.User.Create.Host.IP](#rqsrs-006rbacusercreatehostip) + * 5.3.15.19 [RQ.SRS-006.RBAC.User.Create.Host.Any](#rqsrs-006rbacusercreatehostany) + * 5.3.15.20 [RQ.SRS-006.RBAC.User.Create.Host.None](#rqsrs-006rbacusercreatehostnone) + * 5.3.15.21 [RQ.SRS-006.RBAC.User.Create.Host.Local](#rqsrs-006rbacusercreatehostlocal) + * 5.3.15.22 [RQ.SRS-006.RBAC.User.Create.Host.Like](#rqsrs-006rbacusercreatehostlike) + * 5.3.15.23 [RQ.SRS-006.RBAC.User.Create.Host.Default](#rqsrs-006rbacusercreatehostdefault) + * 5.3.15.24 [RQ.SRS-006.RBAC.User.Create.DefaultRole](#rqsrs-006rbacusercreatedefaultrole) + * 5.3.15.25 [RQ.SRS-006.RBAC.User.Create.DefaultRole.None](#rqsrs-006rbacusercreatedefaultrolenone) + * 5.3.15.26 [RQ.SRS-006.RBAC.User.Create.DefaultRole.All](#rqsrs-006rbacusercreatedefaultroleall) + * 5.3.15.27 [RQ.SRS-006.RBAC.User.Create.Settings](#rqsrs-006rbacusercreatesettings) + * 5.3.15.28 [RQ.SRS-006.RBAC.User.Create.OnCluster](#rqsrs-006rbacusercreateoncluster) + * 5.3.15.29 [RQ.SRS-006.RBAC.User.Create.Syntax](#rqsrs-006rbacusercreatesyntax) + * 5.3.16 [Alter User](#alter-user) + * 5.3.16.1 [RQ.SRS-006.RBAC.User.Alter](#rqsrs-006rbacuseralter) + * 5.3.16.2 [RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation](#rqsrs-006rbacuseralterorderofevaluation) + * 5.3.16.3 [RQ.SRS-006.RBAC.User.Alter.IfExists](#rqsrs-006rbacuseralterifexists) + * 5.3.16.4 [RQ.SRS-006.RBAC.User.Alter.Cluster](#rqsrs-006rbacuseraltercluster) + * 5.3.16.5 [RQ.SRS-006.RBAC.User.Alter.Rename](#rqsrs-006rbacuseralterrename) + * 5.3.16.6 [RQ.SRS-006.RBAC.User.Alter.Password.PlainText](#rqsrs-006rbacuseralterpasswordplaintext) + * 5.3.16.7 [RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password](#rqsrs-006rbacuseralterpasswordsha256password) + * 5.3.16.8 [RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password](#rqsrs-006rbacuseralterpassworddoublesha1password) + * 5.3.16.9 [RQ.SRS-006.RBAC.User.Alter.Host.AddDrop](#rqsrs-006rbacuseralterhostadddrop) + * 5.3.16.10 [RQ.SRS-006.RBAC.User.Alter.Host.Local](#rqsrs-006rbacuseralterhostlocal) + * 5.3.16.11 [RQ.SRS-006.RBAC.User.Alter.Host.Name](#rqsrs-006rbacuseralterhostname) + * 5.3.16.12 [RQ.SRS-006.RBAC.User.Alter.Host.Regexp](#rqsrs-006rbacuseralterhostregexp) + * 5.3.16.13 [RQ.SRS-006.RBAC.User.Alter.Host.IP](#rqsrs-006rbacuseralterhostip) + * 5.3.16.14 [RQ.SRS-006.RBAC.User.Alter.Host.Like](#rqsrs-006rbacuseralterhostlike) + * 5.3.16.15 [RQ.SRS-006.RBAC.User.Alter.Host.Any](#rqsrs-006rbacuseralterhostany) + * 5.3.16.16 [RQ.SRS-006.RBAC.User.Alter.Host.None](#rqsrs-006rbacuseralterhostnone) + * 5.3.16.17 [RQ.SRS-006.RBAC.User.Alter.DefaultRole](#rqsrs-006rbacuseralterdefaultrole) + * 5.3.16.18 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.All](#rqsrs-006rbacuseralterdefaultroleall) + * 5.3.16.19 [RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept](#rqsrs-006rbacuseralterdefaultroleallexcept) + * 5.3.16.20 [RQ.SRS-006.RBAC.User.Alter.Settings](#rqsrs-006rbacuseraltersettings) + * 5.3.16.21 [RQ.SRS-006.RBAC.User.Alter.Settings.Min](#rqsrs-006rbacuseraltersettingsmin) + * 5.3.16.22 [RQ.SRS-006.RBAC.User.Alter.Settings.Max](#rqsrs-006rbacuseraltersettingsmax) + * 5.3.16.23 [RQ.SRS-006.RBAC.User.Alter.Settings.Profile](#rqsrs-006rbacuseraltersettingsprofile) + * 5.3.16.24 [RQ.SRS-006.RBAC.User.Alter.Syntax](#rqsrs-006rbacuseraltersyntax) + * 5.3.17 [Show Create User](#show-create-user) + * 5.3.17.1 [RQ.SRS-006.RBAC.User.ShowCreateUser](#rqsrs-006rbacusershowcreateuser) + * 5.3.17.2 [RQ.SRS-006.RBAC.User.ShowCreateUser.For](#rqsrs-006rbacusershowcreateuserfor) + * 5.3.17.3 [RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax](#rqsrs-006rbacusershowcreateusersyntax) + * 5.3.18 [Drop User](#drop-user) + * 5.3.18.1 [RQ.SRS-006.RBAC.User.Drop](#rqsrs-006rbacuserdrop) + * 5.3.18.2 [RQ.SRS-006.RBAC.User.Drop.IfExists](#rqsrs-006rbacuserdropifexists) + * 5.3.18.3 [RQ.SRS-006.RBAC.User.Drop.OnCluster](#rqsrs-006rbacuserdroponcluster) + * 5.3.18.4 [RQ.SRS-006.RBAC.User.Drop.Syntax](#rqsrs-006rbacuserdropsyntax) + * 5.4 [Role](#role) + * 5.4.1 [RQ.SRS-006.RBAC.Role](#rqsrs-006rbacrole) + * 5.4.2 [RQ.SRS-006.RBAC.Role.Privileges](#rqsrs-006rbacroleprivileges) + * 5.4.3 [RQ.SRS-006.RBAC.Role.Variables](#rqsrs-006rbacrolevariables) + * 5.4.4 [RQ.SRS-006.RBAC.Role.SettingsProfile](#rqsrs-006rbacrolesettingsprofile) + * 5.4.5 [RQ.SRS-006.RBAC.Role.Quotas](#rqsrs-006rbacrolequotas) + * 5.4.6 [RQ.SRS-006.RBAC.Role.RowPolicies](#rqsrs-006rbacrolerowpolicies) + * 5.4.7 [Create Role](#create-role) + * 5.4.7.1 [RQ.SRS-006.RBAC.Role.Create](#rqsrs-006rbacrolecreate) + * 5.4.7.2 [RQ.SRS-006.RBAC.Role.Create.IfNotExists](#rqsrs-006rbacrolecreateifnotexists) + * 5.4.7.3 [RQ.SRS-006.RBAC.Role.Create.Replace](#rqsrs-006rbacrolecreatereplace) + * 5.4.7.4 [RQ.SRS-006.RBAC.Role.Create.Settings](#rqsrs-006rbacrolecreatesettings) + * 5.4.7.5 [RQ.SRS-006.RBAC.Role.Create.Syntax](#rqsrs-006rbacrolecreatesyntax) + * 5.4.8 [Alter Role](#alter-role) + * 5.4.8.1 [RQ.SRS-006.RBAC.Role.Alter](#rqsrs-006rbacrolealter) + * 5.4.8.2 [RQ.SRS-006.RBAC.Role.Alter.IfExists](#rqsrs-006rbacrolealterifexists) + * 5.4.8.3 [RQ.SRS-006.RBAC.Role.Alter.Cluster](#rqsrs-006rbacrolealtercluster) + * 5.4.8.4 [RQ.SRS-006.RBAC.Role.Alter.Rename](#rqsrs-006rbacrolealterrename) + * 5.4.8.5 [RQ.SRS-006.RBAC.Role.Alter.Settings](#rqsrs-006rbacrolealtersettings) + * 5.4.8.6 [RQ.SRS-006.RBAC.Role.Alter.Syntax](#rqsrs-006rbacrolealtersyntax) + * 5.4.9 [Drop Role](#drop-role) + * 5.4.9.1 [RQ.SRS-006.RBAC.Role.Drop](#rqsrs-006rbacroledrop) + * 5.4.9.2 [RQ.SRS-006.RBAC.Role.Drop.IfExists](#rqsrs-006rbacroledropifexists) + * 5.4.9.3 [RQ.SRS-006.RBAC.Role.Drop.Cluster](#rqsrs-006rbacroledropcluster) + * 5.4.9.4 [RQ.SRS-006.RBAC.Role.Drop.Syntax](#rqsrs-006rbacroledropsyntax) + * 5.4.10 [Show Create Role](#show-create-role) + * 5.4.10.1 [RQ.SRS-006.RBAC.Role.ShowCreate](#rqsrs-006rbacroleshowcreate) + * 5.4.10.2 [RQ.SRS-006.RBAC.Role.ShowCreate.Syntax](#rqsrs-006rbacroleshowcreatesyntax) + * 5.5 [Partial Revokes](#partial-revokes) + * 5.5.1 [RQ.SRS-006.RBAC.PartialRevokes](#rqsrs-006rbacpartialrevokes) + * 5.5.2 [RQ.SRS-006.RBAC.PartialRevoke.Syntax](#rqsrs-006rbacpartialrevokesyntax) + * 5.6 [Settings Profile](#settings-profile) + * 5.6.1 [RQ.SRS-006.RBAC.SettingsProfile](#rqsrs-006rbacsettingsprofile) + * 5.6.2 [RQ.SRS-006.RBAC.SettingsProfile.Constraints](#rqsrs-006rbacsettingsprofileconstraints) + * 5.6.3 [Create Settings Profile](#create-settings-profile) + * 5.6.3.1 [RQ.SRS-006.RBAC.SettingsProfile.Create](#rqsrs-006rbacsettingsprofilecreate) + * 5.6.3.2 [RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists](#rqsrs-006rbacsettingsprofilecreateifnotexists) + * 5.6.3.3 [RQ.SRS-006.RBAC.SettingsProfile.Create.Replace](#rqsrs-006rbacsettingsprofilecreatereplace) + * 5.6.3.4 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables](#rqsrs-006rbacsettingsprofilecreatevariables) + * 5.6.3.5 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value](#rqsrs-006rbacsettingsprofilecreatevariablesvalue) + * 5.6.3.6 [RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints](#rqsrs-006rbacsettingsprofilecreatevariablesconstraints) + * 5.6.3.7 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment](#rqsrs-006rbacsettingsprofilecreateassignment) + * 5.6.3.8 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None](#rqsrs-006rbacsettingsprofilecreateassignmentnone) + * 5.6.3.9 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All](#rqsrs-006rbacsettingsprofilecreateassignmentall) + * 5.6.3.10 [RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilecreateassignmentallexcept) + * 5.6.3.11 [RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit](#rqsrs-006rbacsettingsprofilecreateinherit) + * 5.6.3.12 [RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster](#rqsrs-006rbacsettingsprofilecreateoncluster) + * 5.6.3.13 [RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax](#rqsrs-006rbacsettingsprofilecreatesyntax) + * 5.6.4 [Alter Settings Profile](#alter-settings-profile) + * 5.6.4.1 [RQ.SRS-006.RBAC.SettingsProfile.Alter](#rqsrs-006rbacsettingsprofilealter) + * 5.6.4.2 [RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists](#rqsrs-006rbacsettingsprofilealterifexists) + * 5.6.4.3 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename](#rqsrs-006rbacsettingsprofilealterrename) + * 5.6.4.4 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables](#rqsrs-006rbacsettingsprofilealtervariables) + * 5.6.4.5 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value](#rqsrs-006rbacsettingsprofilealtervariablesvalue) + * 5.6.4.6 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints](#rqsrs-006rbacsettingsprofilealtervariablesconstraints) + * 5.6.4.7 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment](#rqsrs-006rbacsettingsprofilealterassignment) + * 5.6.4.8 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None](#rqsrs-006rbacsettingsprofilealterassignmentnone) + * 5.6.4.9 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All](#rqsrs-006rbacsettingsprofilealterassignmentall) + * 5.6.4.10 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept](#rqsrs-006rbacsettingsprofilealterassignmentallexcept) + * 5.6.4.11 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit](#rqsrs-006rbacsettingsprofilealterassignmentinherit) + * 5.6.4.12 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster](#rqsrs-006rbacsettingsprofilealterassignmentoncluster) + * 5.6.4.13 [RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax](#rqsrs-006rbacsettingsprofilealtersyntax) + * 5.6.5 [Drop Settings Profile](#drop-settings-profile) + * 5.6.5.1 [RQ.SRS-006.RBAC.SettingsProfile.Drop](#rqsrs-006rbacsettingsprofiledrop) + * 5.6.5.2 [RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists](#rqsrs-006rbacsettingsprofiledropifexists) + * 5.6.5.3 [RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster](#rqsrs-006rbacsettingsprofiledroponcluster) + * 5.6.5.4 [RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax](#rqsrs-006rbacsettingsprofiledropsyntax) + * 5.6.6 [Show Create Settings Profile](#show-create-settings-profile) + * 5.6.6.1 [RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile](#rqsrs-006rbacsettingsprofileshowcreatesettingsprofile) + * 5.7 [Quotas](#quotas) + * 5.7.1 [RQ.SRS-006.RBAC.Quotas](#rqsrs-006rbacquotas) + * 5.7.2 [RQ.SRS-006.RBAC.Quotas.Keyed](#rqsrs-006rbacquotaskeyed) + * 5.7.3 [RQ.SRS-006.RBAC.Quotas.Queries](#rqsrs-006rbacquotasqueries) + * 5.7.4 [RQ.SRS-006.RBAC.Quotas.Errors](#rqsrs-006rbacquotaserrors) + * 5.7.5 [RQ.SRS-006.RBAC.Quotas.ResultRows](#rqsrs-006rbacquotasresultrows) + * 5.7.6 [RQ.SRS-006.RBAC.Quotas.ReadRows](#rqsrs-006rbacquotasreadrows) + * 5.7.7 [RQ.SRS-006.RBAC.Quotas.ResultBytes](#rqsrs-006rbacquotasresultbytes) + * 5.7.8 [RQ.SRS-006.RBAC.Quotas.ReadBytes](#rqsrs-006rbacquotasreadbytes) + * 5.7.9 [RQ.SRS-006.RBAC.Quotas.ExecutionTime](#rqsrs-006rbacquotasexecutiontime) + * 5.7.10 [Create Quotas](#create-quotas) + * 5.7.10.1 [RQ.SRS-006.RBAC.Quota.Create](#rqsrs-006rbacquotacreate) + * 5.7.10.2 [RQ.SRS-006.RBAC.Quota.Create.IfNotExists](#rqsrs-006rbacquotacreateifnotexists) + * 5.7.10.3 [RQ.SRS-006.RBAC.Quota.Create.Replace](#rqsrs-006rbacquotacreatereplace) + * 5.7.10.4 [RQ.SRS-006.RBAC.Quota.Create.Cluster](#rqsrs-006rbacquotacreatecluster) + * 5.7.10.5 [RQ.SRS-006.RBAC.Quota.Create.Interval](#rqsrs-006rbacquotacreateinterval) + * 5.7.10.6 [RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized](#rqsrs-006rbacquotacreateintervalrandomized) + * 5.7.10.7 [RQ.SRS-006.RBAC.Quota.Create.Queries](#rqsrs-006rbacquotacreatequeries) + * 5.7.10.8 [RQ.SRS-006.RBAC.Quota.Create.Errors](#rqsrs-006rbacquotacreateerrors) + * 5.7.10.9 [RQ.SRS-006.RBAC.Quota.Create.ResultRows](#rqsrs-006rbacquotacreateresultrows) + * 5.7.10.10 [RQ.SRS-006.RBAC.Quota.Create.ReadRows](#rqsrs-006rbacquotacreatereadrows) + * 5.7.10.11 [RQ.SRS-006.RBAC.Quota.Create.ResultBytes](#rqsrs-006rbacquotacreateresultbytes) + * 5.7.10.12 [RQ.SRS-006.RBAC.Quota.Create.ReadBytes](#rqsrs-006rbacquotacreatereadbytes) + * 5.7.10.13 [RQ.SRS-006.RBAC.Quota.Create.ExecutionTime](#rqsrs-006rbacquotacreateexecutiontime) + * 5.7.10.14 [RQ.SRS-006.RBAC.Quota.Create.NoLimits](#rqsrs-006rbacquotacreatenolimits) + * 5.7.10.15 [RQ.SRS-006.RBAC.Quota.Create.TrackingOnly](#rqsrs-006rbacquotacreatetrackingonly) + * 5.7.10.16 [RQ.SRS-006.RBAC.Quota.Create.KeyedBy](#rqsrs-006rbacquotacreatekeyedby) + * 5.7.10.17 [RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions](#rqsrs-006rbacquotacreatekeyedbyoptions) + * 5.7.10.18 [RQ.SRS-006.RBAC.Quota.Create.Assignment](#rqsrs-006rbacquotacreateassignment) + * 5.7.10.19 [RQ.SRS-006.RBAC.Quota.Create.Assignment.None](#rqsrs-006rbacquotacreateassignmentnone) + * 5.7.10.20 [RQ.SRS-006.RBAC.Quota.Create.Assignment.All](#rqsrs-006rbacquotacreateassignmentall) + * 5.7.10.21 [RQ.SRS-006.RBAC.Quota.Create.Assignment.Except](#rqsrs-006rbacquotacreateassignmentexcept) + * 5.7.10.22 [RQ.SRS-006.RBAC.Quota.Create.Syntax](#rqsrs-006rbacquotacreatesyntax) + * 5.7.11 [Alter Quota](#alter-quota) + * 5.7.11.1 [RQ.SRS-006.RBAC.Quota.Alter](#rqsrs-006rbacquotaalter) + * 5.7.11.2 [RQ.SRS-006.RBAC.Quota.Alter.IfExists](#rqsrs-006rbacquotaalterifexists) + * 5.7.11.3 [RQ.SRS-006.RBAC.Quota.Alter.Rename](#rqsrs-006rbacquotaalterrename) + * 5.7.11.4 [RQ.SRS-006.RBAC.Quota.Alter.Cluster](#rqsrs-006rbacquotaaltercluster) + * 5.7.11.5 [RQ.SRS-006.RBAC.Quota.Alter.Interval](#rqsrs-006rbacquotaalterinterval) + * 5.7.11.6 [RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized](#rqsrs-006rbacquotaalterintervalrandomized) + * 5.7.11.7 [RQ.SRS-006.RBAC.Quota.Alter.Queries](#rqsrs-006rbacquotaalterqueries) + * 5.7.11.8 [RQ.SRS-006.RBAC.Quota.Alter.Errors](#rqsrs-006rbacquotaaltererrors) + * 5.7.11.9 [RQ.SRS-006.RBAC.Quota.Alter.ResultRows](#rqsrs-006rbacquotaalterresultrows) + * 5.7.11.10 [RQ.SRS-006.RBAC.Quota.Alter.ReadRows](#rqsrs-006rbacquotaalterreadrows) + * 5.7.11.11 [RQ.SRS-006.RBAC.Quota.ALter.ResultBytes](#rqsrs-006rbacquotaalterresultbytes) + * 5.7.11.12 [RQ.SRS-006.RBAC.Quota.Alter.ReadBytes](#rqsrs-006rbacquotaalterreadbytes) + * 5.7.11.13 [RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime](#rqsrs-006rbacquotaalterexecutiontime) + * 5.7.11.14 [RQ.SRS-006.RBAC.Quota.Alter.NoLimits](#rqsrs-006rbacquotaalternolimits) + * 5.7.11.15 [RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly](#rqsrs-006rbacquotaaltertrackingonly) + * 5.7.11.16 [RQ.SRS-006.RBAC.Quota.Alter.KeyedBy](#rqsrs-006rbacquotaalterkeyedby) + * 5.7.11.17 [RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions](#rqsrs-006rbacquotaalterkeyedbyoptions) + * 5.7.11.18 [RQ.SRS-006.RBAC.Quota.Alter.Assignment](#rqsrs-006rbacquotaalterassignment) + * 5.7.11.19 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.None](#rqsrs-006rbacquotaalterassignmentnone) + * 5.7.11.20 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.All](#rqsrs-006rbacquotaalterassignmentall) + * 5.7.11.21 [RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except](#rqsrs-006rbacquotaalterassignmentexcept) + * 5.7.11.22 [RQ.SRS-006.RBAC.Quota.Alter.Syntax](#rqsrs-006rbacquotaaltersyntax) + * 5.7.12 [Drop Quota](#drop-quota) + * 5.7.12.1 [RQ.SRS-006.RBAC.Quota.Drop](#rqsrs-006rbacquotadrop) + * 5.7.12.2 [RQ.SRS-006.RBAC.Quota.Drop.IfExists](#rqsrs-006rbacquotadropifexists) + * 5.7.12.3 [RQ.SRS-006.RBAC.Quota.Drop.Cluster](#rqsrs-006rbacquotadropcluster) + * 5.7.12.4 [RQ.SRS-006.RBAC.Quota.Drop.Syntax](#rqsrs-006rbacquotadropsyntax) + * 5.7.13 [Show Quotas](#show-quotas) + * 5.7.13.1 [RQ.SRS-006.RBAC.Quota.ShowQuotas](#rqsrs-006rbacquotashowquotas) + * 5.7.13.2 [RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile](#rqsrs-006rbacquotashowquotasintooutfile) + * 5.7.13.3 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Format](#rqsrs-006rbacquotashowquotasformat) + * 5.7.13.4 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings](#rqsrs-006rbacquotashowquotassettings) + * 5.7.13.5 [RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax](#rqsrs-006rbacquotashowquotassyntax) + * 5.7.14 [Show Create Quota](#show-create-quota) + * 5.7.14.1 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name](#rqsrs-006rbacquotashowcreatequotaname) + * 5.7.14.2 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current](#rqsrs-006rbacquotashowcreatequotacurrent) + * 5.7.14.3 [RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax](#rqsrs-006rbacquotashowcreatequotasyntax) + * 5.8 [Row Policy](#row-policy) + * 5.8.1 [RQ.SRS-006.RBAC.RowPolicy](#rqsrs-006rbacrowpolicy) + * 5.8.2 [RQ.SRS-006.RBAC.RowPolicy.Condition](#rqsrs-006rbacrowpolicycondition) + * 5.8.3 [RQ.SRS-006.RBAC.RowPolicy.Restriction](#rqsrs-006rbacrowpolicyrestriction) + * 5.8.4 [RQ.SRS-006.RBAC.RowPolicy.Nesting](#rqsrs-006rbacrowpolicynesting) + * 5.8.5 [Create Row Policy](#create-row-policy) + * 5.8.5.1 [RQ.SRS-006.RBAC.RowPolicy.Create](#rqsrs-006rbacrowpolicycreate) + * 5.8.5.2 [RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists](#rqsrs-006rbacrowpolicycreateifnotexists) + * 5.8.5.3 [RQ.SRS-006.RBAC.RowPolicy.Create.Replace](#rqsrs-006rbacrowpolicycreatereplace) + * 5.8.5.4 [RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster](#rqsrs-006rbacrowpolicycreateoncluster) + * 5.8.5.5 [RQ.SRS-006.RBAC.RowPolicy.Create.On](#rqsrs-006rbacrowpolicycreateon) + * 5.8.5.6 [RQ.SRS-006.RBAC.RowPolicy.Create.Access](#rqsrs-006rbacrowpolicycreateaccess) + * 5.8.5.7 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive](#rqsrs-006rbacrowpolicycreateaccesspermissive) + * 5.8.5.8 [RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive](#rqsrs-006rbacrowpolicycreateaccessrestrictive) + * 5.8.5.9 [RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect](#rqsrs-006rbacrowpolicycreateforselect) + * 5.8.5.10 [RQ.SRS-006.RBAC.RowPolicy.Create.Condition](#rqsrs-006rbacrowpolicycreatecondition) + * 5.8.5.11 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment](#rqsrs-006rbacrowpolicycreateassignment) + * 5.8.5.12 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None](#rqsrs-006rbacrowpolicycreateassignmentnone) + * 5.8.5.13 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All](#rqsrs-006rbacrowpolicycreateassignmentall) + * 5.8.5.14 [RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept](#rqsrs-006rbacrowpolicycreateassignmentallexcept) + * 5.8.5.15 [RQ.SRS-006.RBAC.RowPolicy.Create.Syntax](#rqsrs-006rbacrowpolicycreatesyntax) + * 5.8.6 [Alter Row Policy](#alter-row-policy) + * 5.8.6.1 [RQ.SRS-006.RBAC.RowPolicy.Alter](#rqsrs-006rbacrowpolicyalter) + * 5.8.6.2 [RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists](#rqsrs-006rbacrowpolicyalterifexists) + * 5.8.6.3 [RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect](#rqsrs-006rbacrowpolicyalterforselect) + * 5.8.6.4 [RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster](#rqsrs-006rbacrowpolicyalteroncluster) + * 5.8.6.5 [RQ.SRS-006.RBAC.RowPolicy.Alter.On](#rqsrs-006rbacrowpolicyalteron) + * 5.8.6.6 [RQ.SRS-006.RBAC.RowPolicy.Alter.Rename](#rqsrs-006rbacrowpolicyalterrename) + * 5.8.6.7 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access](#rqsrs-006rbacrowpolicyalteraccess) + * 5.8.6.8 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive](#rqsrs-006rbacrowpolicyalteraccesspermissive) + * 5.8.6.9 [RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive](#rqsrs-006rbacrowpolicyalteraccessrestrictive) + * 5.8.6.10 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition](#rqsrs-006rbacrowpolicyaltercondition) + * 5.8.6.11 [RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None](#rqsrs-006rbacrowpolicyalterconditionnone) + * 5.8.6.12 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment](#rqsrs-006rbacrowpolicyalterassignment) + * 5.8.6.13 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None](#rqsrs-006rbacrowpolicyalterassignmentnone) + * 5.8.6.14 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All](#rqsrs-006rbacrowpolicyalterassignmentall) + * 5.8.6.15 [RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept](#rqsrs-006rbacrowpolicyalterassignmentallexcept) + * 5.8.6.16 [RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax](#rqsrs-006rbacrowpolicyaltersyntax) + * 5.8.7 [Drop Row Policy](#drop-row-policy) + * 5.8.7.1 [RQ.SRS-006.RBAC.RowPolicy.Drop](#rqsrs-006rbacrowpolicydrop) + * 5.8.7.2 [RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists](#rqsrs-006rbacrowpolicydropifexists) + * 5.8.7.3 [RQ.SRS-006.RBAC.RowPolicy.Drop.On](#rqsrs-006rbacrowpolicydropon) + * 5.8.7.4 [RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster](#rqsrs-006rbacrowpolicydroponcluster) + * 5.8.7.5 [RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax](#rqsrs-006rbacrowpolicydropsyntax) + * 5.8.8 [Show Create Row Policy](#show-create-row-policy) + * 5.8.8.1 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy](#rqsrs-006rbacrowpolicyshowcreaterowpolicy) + * 5.8.8.2 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On](#rqsrs-006rbacrowpolicyshowcreaterowpolicyon) + * 5.8.8.3 [RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax](#rqsrs-006rbacrowpolicyshowcreaterowpolicysyntax) + * 5.8.8.4 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies](#rqsrs-006rbacrowpolicyshowrowpolicies) + * 5.8.8.5 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On](#rqsrs-006rbacrowpolicyshowrowpolicieson) + * 5.8.8.6 [RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax](#rqsrs-006rbacrowpolicyshowrowpoliciessyntax) + * 5.9 [Set Default Role](#set-default-role) + * 5.9.1 [RQ.SRS-006.RBAC.SetDefaultRole](#rqsrs-006rbacsetdefaultrole) + * 5.9.2 [RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser](#rqsrs-006rbacsetdefaultrolecurrentuser) + * 5.9.3 [RQ.SRS-006.RBAC.SetDefaultRole.All](#rqsrs-006rbacsetdefaultroleall) + * 5.9.4 [RQ.SRS-006.RBAC.SetDefaultRole.AllExcept](#rqsrs-006rbacsetdefaultroleallexcept) + * 5.9.5 [RQ.SRS-006.RBAC.SetDefaultRole.None](#rqsrs-006rbacsetdefaultrolenone) + * 5.9.6 [RQ.SRS-006.RBAC.SetDefaultRole.Syntax](#rqsrs-006rbacsetdefaultrolesyntax) + * 5.10 [Set Role](#set-role) + * 5.10.1 [RQ.SRS-006.RBAC.SetRole](#rqsrs-006rbacsetrole) + * 5.10.2 [RQ.SRS-006.RBAC.SetRole.Default](#rqsrs-006rbacsetroledefault) + * 5.10.3 [RQ.SRS-006.RBAC.SetRole.None](#rqsrs-006rbacsetrolenone) + * 5.10.4 [RQ.SRS-006.RBAC.SetRole.All](#rqsrs-006rbacsetroleall) + * 5.10.5 [RQ.SRS-006.RBAC.SetRole.AllExcept](#rqsrs-006rbacsetroleallexcept) + * 5.10.6 [RQ.SRS-006.RBAC.SetRole.Syntax](#rqsrs-006rbacsetrolesyntax) + * 5.11 [Grant](#grant) + * 5.11.1 [RQ.SRS-006.RBAC.Grant.Privilege.To](#rqsrs-006rbacgrantprivilegeto) + * 5.11.2 [RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser](#rqsrs-006rbacgrantprivilegetocurrentuser) + * 5.11.3 [RQ.SRS-006.RBAC.Grant.Privilege.Select](#rqsrs-006rbacgrantprivilegeselect) + * 5.11.4 [RQ.SRS-006.RBAC.Grant.Privilege.Insert](#rqsrs-006rbacgrantprivilegeinsert) + * 5.11.5 [RQ.SRS-006.RBAC.Grant.Privilege.Alter](#rqsrs-006rbacgrantprivilegealter) + * 5.11.6 [RQ.SRS-006.RBAC.Grant.Privilege.Create](#rqsrs-006rbacgrantprivilegecreate) + * 5.11.7 [RQ.SRS-006.RBAC.Grant.Privilege.Drop](#rqsrs-006rbacgrantprivilegedrop) + * 5.11.8 [RQ.SRS-006.RBAC.Grant.Privilege.Truncate](#rqsrs-006rbacgrantprivilegetruncate) + * 5.11.9 [RQ.SRS-006.RBAC.Grant.Privilege.Optimize](#rqsrs-006rbacgrantprivilegeoptimize) + * 5.11.10 [RQ.SRS-006.RBAC.Grant.Privilege.Show](#rqsrs-006rbacgrantprivilegeshow) + * 5.11.11 [RQ.SRS-006.RBAC.Grant.Privilege.KillQuery](#rqsrs-006rbacgrantprivilegekillquery) + * 5.11.12 [RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement](#rqsrs-006rbacgrantprivilegeaccessmanagement) + * 5.11.13 [RQ.SRS-006.RBAC.Grant.Privilege.System](#rqsrs-006rbacgrantprivilegesystem) + * 5.11.14 [RQ.SRS-006.RBAC.Grant.Privilege.Introspection](#rqsrs-006rbacgrantprivilegeintrospection) + * 5.11.15 [RQ.SRS-006.RBAC.Grant.Privilege.Sources](#rqsrs-006rbacgrantprivilegesources) + * 5.11.16 [RQ.SRS-006.RBAC.Grant.Privilege.DictGet](#rqsrs-006rbacgrantprivilegedictget) + * 5.11.17 [RQ.SRS-006.RBAC.Grant.Privilege.None](#rqsrs-006rbacgrantprivilegenone) + * 5.11.18 [RQ.SRS-006.RBAC.Grant.Privilege.All](#rqsrs-006rbacgrantprivilegeall) + * 5.11.19 [RQ.SRS-006.RBAC.Grant.Privilege.GrantOption](#rqsrs-006rbacgrantprivilegegrantoption) + * 5.11.20 [RQ.SRS-006.RBAC.Grant.Privilege.On](#rqsrs-006rbacgrantprivilegeon) + * 5.11.21 [RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns](#rqsrs-006rbacgrantprivilegeprivilegecolumns) + * 5.11.22 [RQ.SRS-006.RBAC.Grant.Privilege.OnCluster](#rqsrs-006rbacgrantprivilegeoncluster) + * 5.11.23 [RQ.SRS-006.RBAC.Grant.Privilege.Syntax](#rqsrs-006rbacgrantprivilegesyntax) + * 5.12 [Revoke](#revoke) + * 5.12.1 [RQ.SRS-006.RBAC.Revoke.Privilege.Cluster](#rqsrs-006rbacrevokeprivilegecluster) + * 5.12.2 [RQ.SRS-006.RBAC.Revoke.Privilege.Select](#rqsrs-006rbacrevokeprivilegeselect) + * 5.12.3 [RQ.SRS-006.RBAC.Revoke.Privilege.Insert](#rqsrs-006rbacrevokeprivilegeinsert) + * 5.12.4 [RQ.SRS-006.RBAC.Revoke.Privilege.Alter](#rqsrs-006rbacrevokeprivilegealter) + * 5.12.5 [RQ.SRS-006.RBAC.Revoke.Privilege.Create](#rqsrs-006rbacrevokeprivilegecreate) + * 5.12.6 [RQ.SRS-006.RBAC.Revoke.Privilege.Drop](#rqsrs-006rbacrevokeprivilegedrop) + * 5.12.7 [RQ.SRS-006.RBAC.Revoke.Privilege.Truncate](#rqsrs-006rbacrevokeprivilegetruncate) + * 5.12.8 [RQ.SRS-006.RBAC.Revoke.Privilege.Optimize](#rqsrs-006rbacrevokeprivilegeoptimize) + * 5.12.9 [RQ.SRS-006.RBAC.Revoke.Privilege.Show](#rqsrs-006rbacrevokeprivilegeshow) + * 5.12.10 [RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery](#rqsrs-006rbacrevokeprivilegekillquery) + * 5.12.11 [RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement](#rqsrs-006rbacrevokeprivilegeaccessmanagement) + * 5.12.12 [RQ.SRS-006.RBAC.Revoke.Privilege.System](#rqsrs-006rbacrevokeprivilegesystem) + * 5.12.13 [RQ.SRS-006.RBAC.Revoke.Privilege.Introspection](#rqsrs-006rbacrevokeprivilegeintrospection) + * 5.12.14 [RQ.SRS-006.RBAC.Revoke.Privilege.Sources](#rqsrs-006rbacrevokeprivilegesources) + * 5.12.15 [RQ.SRS-006.RBAC.Revoke.Privilege.DictGet](#rqsrs-006rbacrevokeprivilegedictget) + * 5.12.16 [RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns](#rqsrs-006rbacrevokeprivilegeprivilegecolumns) + * 5.12.17 [RQ.SRS-006.RBAC.Revoke.Privilege.Multiple](#rqsrs-006rbacrevokeprivilegemultiple) + * 5.12.18 [RQ.SRS-006.RBAC.Revoke.Privilege.All](#rqsrs-006rbacrevokeprivilegeall) + * 5.12.19 [RQ.SRS-006.RBAC.Revoke.Privilege.None](#rqsrs-006rbacrevokeprivilegenone) + * 5.12.20 [RQ.SRS-006.RBAC.Revoke.Privilege.On](#rqsrs-006rbacrevokeprivilegeon) + * 5.12.21 [RQ.SRS-006.RBAC.Revoke.Privilege.From](#rqsrs-006rbacrevokeprivilegefrom) + * 5.12.22 [RQ.SRS-006.RBAC.Revoke.Privilege.Syntax](#rqsrs-006rbacrevokeprivilegesyntax) + * 5.13 [Grant Role](#grant-role) + * 5.13.1 [RQ.SRS-006.RBAC.Grant.Role](#rqsrs-006rbacgrantrole) + * 5.13.2 [RQ.SRS-006.RBAC.Grant.Role.CurrentUser](#rqsrs-006rbacgrantrolecurrentuser) + * 5.13.3 [RQ.SRS-006.RBAC.Grant.Role.AdminOption](#rqsrs-006rbacgrantroleadminoption) + * 5.13.4 [RQ.SRS-006.RBAC.Grant.Role.OnCluster](#rqsrs-006rbacgrantroleoncluster) + * 5.13.5 [RQ.SRS-006.RBAC.Grant.Role.Syntax](#rqsrs-006rbacgrantrolesyntax) + * 5.14 [Revoke Role](#revoke-role) + * 5.14.1 [RQ.SRS-006.RBAC.Revoke.Role](#rqsrs-006rbacrevokerole) + * 5.14.2 [RQ.SRS-006.RBAC.Revoke.Role.Keywords](#rqsrs-006rbacrevokerolekeywords) + * 5.14.3 [RQ.SRS-006.RBAC.Revoke.Role.Cluster](#rqsrs-006rbacrevokerolecluster) + * 5.14.4 [RQ.SRS-006.RBAC.Revoke.AdminOption](#rqsrs-006rbacrevokeadminoption) + * 5.14.5 [RQ.SRS-006.RBAC.Revoke.Role.Syntax](#rqsrs-006rbacrevokerolesyntax) + * 5.15 [Show Grants](#show-grants) + * 5.15.1 [RQ.SRS-006.RBAC.Show.Grants](#rqsrs-006rbacshowgrants) + * 5.15.2 [RQ.SRS-006.RBAC.Show.Grants.For](#rqsrs-006rbacshowgrantsfor) + * 5.15.3 [RQ.SRS-006.RBAC.Show.Grants.Syntax](#rqsrs-006rbacshowgrantssyntax) + * 5.16 [Table Privileges](#table-privileges) + * 5.16.1 [RQ.SRS-006.RBAC.Table.PublicTables](#rqsrs-006rbactablepublictables) + * 5.16.2 [RQ.SRS-006.RBAC.Table.SensitiveTables](#rqsrs-006rbactablesensitivetables) + * 5.17 [Distributed Tables](#distributed-tables) + * 5.17.1 [RQ.SRS-006.RBAC.DistributedTable.Create](#rqsrs-006rbacdistributedtablecreate) + * 5.17.2 [RQ.SRS-006.RBAC.DistributedTable.Select](#rqsrs-006rbacdistributedtableselect) + * 5.17.3 [RQ.SRS-006.RBAC.DistributedTable.Insert](#rqsrs-006rbacdistributedtableinsert) + * 5.17.4 [RQ.SRS-006.RBAC.DistributedTable.SpecialTables](#rqsrs-006rbacdistributedtablespecialtables) + * 5.17.5 [RQ.SRS-006.RBAC.DistributedTable.LocalUser](#rqsrs-006rbacdistributedtablelocaluser) + * 5.17.6 [RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges](#rqsrs-006rbacdistributedtablesameuserdifferentnodesdifferentprivileges) + * 5.18 [Views](#views) + * 5.18.1 [View](#view) + * 5.18.1.1 [RQ.SRS-006.RBAC.View](#rqsrs-006rbacview) + * 5.18.1.2 [RQ.SRS-006.RBAC.View.Create](#rqsrs-006rbacviewcreate) + * 5.18.1.3 [RQ.SRS-006.RBAC.View.Select](#rqsrs-006rbacviewselect) + * 5.18.1.4 [RQ.SRS-006.RBAC.View.Drop](#rqsrs-006rbacviewdrop) + * 5.18.2 [Materialized View](#materialized-view) + * 5.18.2.1 [RQ.SRS-006.RBAC.MaterializedView](#rqsrs-006rbacmaterializedview) + * 5.18.2.2 [RQ.SRS-006.RBAC.MaterializedView.Create](#rqsrs-006rbacmaterializedviewcreate) + * 5.18.2.3 [RQ.SRS-006.RBAC.MaterializedView.Select](#rqsrs-006rbacmaterializedviewselect) + * 5.18.2.4 [RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable](#rqsrs-006rbacmaterializedviewselecttargettable) + * 5.18.2.5 [RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable](#rqsrs-006rbacmaterializedviewselectsourcetable) + * 5.18.2.6 [RQ.SRS-006.RBAC.MaterializedView.Drop](#rqsrs-006rbacmaterializedviewdrop) + * 5.18.2.7 [RQ.SRS-006.RBAC.MaterializedView.ModifyQuery](#rqsrs-006rbacmaterializedviewmodifyquery) + * 5.18.2.8 [RQ.SRS-006.RBAC.MaterializedView.Insert](#rqsrs-006rbacmaterializedviewinsert) + * 5.18.2.9 [RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable](#rqsrs-006rbacmaterializedviewinsertsourcetable) + * 5.18.2.10 [RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable](#rqsrs-006rbacmaterializedviewinserttargettable) + * 5.18.3 [Live View](#live-view) + * 5.18.3.1 [RQ.SRS-006.RBAC.LiveView](#rqsrs-006rbacliveview) + * 5.18.3.2 [RQ.SRS-006.RBAC.LiveView.Create](#rqsrs-006rbacliveviewcreate) + * 5.18.3.3 [RQ.SRS-006.RBAC.LiveView.Select](#rqsrs-006rbacliveviewselect) + * 5.18.3.4 [RQ.SRS-006.RBAC.LiveView.Drop](#rqsrs-006rbacliveviewdrop) + * 5.18.3.5 [RQ.SRS-006.RBAC.LiveView.Refresh](#rqsrs-006rbacliveviewrefresh) + * 5.19 [Select](#select) + * 5.19.1 [RQ.SRS-006.RBAC.Select](#rqsrs-006rbacselect) + * 5.19.2 [RQ.SRS-006.RBAC.Select.Column](#rqsrs-006rbacselectcolumn) + * 5.19.3 [RQ.SRS-006.RBAC.Select.Cluster](#rqsrs-006rbacselectcluster) + * 5.19.4 [RQ.SRS-006.RBAC.Select.TableEngines](#rqsrs-006rbacselecttableengines) + * 5.20 [Insert](#insert) + * 5.20.1 [RQ.SRS-006.RBAC.Insert](#rqsrs-006rbacinsert) + * 5.20.2 [RQ.SRS-006.RBAC.Insert.Column](#rqsrs-006rbacinsertcolumn) + * 5.20.3 [RQ.SRS-006.RBAC.Insert.Cluster](#rqsrs-006rbacinsertcluster) + * 5.20.4 [RQ.SRS-006.RBAC.Insert.TableEngines](#rqsrs-006rbacinserttableengines) + * 5.21 [Alter](#alter) + * 5.21.1 [Alter Column](#alter-column) + * 5.21.1.1 [RQ.SRS-006.RBAC.Privileges.AlterColumn](#rqsrs-006rbacprivilegesaltercolumn) + * 5.21.1.2 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant](#rqsrs-006rbacprivilegesaltercolumngrant) + * 5.21.1.3 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke](#rqsrs-006rbacprivilegesaltercolumnrevoke) + * 5.21.1.4 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Column](#rqsrs-006rbacprivilegesaltercolumncolumn) + * 5.21.1.5 [RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster](#rqsrs-006rbacprivilegesaltercolumncluster) + * 5.21.1.6 [RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines](#rqsrs-006rbacprivilegesaltercolumntableengines) + * 5.21.2 [Alter Index](#alter-index) + * 5.21.2.1 [RQ.SRS-006.RBAC.Privileges.AlterIndex](#rqsrs-006rbacprivilegesalterindex) + * 5.21.2.2 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant](#rqsrs-006rbacprivilegesalterindexgrant) + * 5.21.2.3 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke](#rqsrs-006rbacprivilegesalterindexrevoke) + * 5.21.2.4 [RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster](#rqsrs-006rbacprivilegesalterindexcluster) + * 5.21.2.5 [RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines](#rqsrs-006rbacprivilegesalterindextableengines) + * 5.21.3 [Alter Constraint](#alter-constraint) + * 5.21.3.1 [RQ.SRS-006.RBAC.Privileges.AlterConstraint](#rqsrs-006rbacprivilegesalterconstraint) + * 5.21.3.2 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant](#rqsrs-006rbacprivilegesalterconstraintgrant) + * 5.21.3.3 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke](#rqsrs-006rbacprivilegesalterconstraintrevoke) + * 5.21.3.4 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster](#rqsrs-006rbacprivilegesalterconstraintcluster) + * 5.21.3.5 [RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines](#rqsrs-006rbacprivilegesalterconstrainttableengines) + * 5.21.4 [Alter TTL](#alter-ttl) + * 5.21.4.1 [RQ.SRS-006.RBAC.Privileges.AlterTTL](#rqsrs-006rbacprivilegesalterttl) + * 5.21.4.2 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant](#rqsrs-006rbacprivilegesalterttlgrant) + * 5.21.4.3 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke](#rqsrs-006rbacprivilegesalterttlrevoke) + * 5.21.4.4 [RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster](#rqsrs-006rbacprivilegesalterttlcluster) + * 5.21.4.5 [RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines](#rqsrs-006rbacprivilegesalterttltableengines) + * 5.21.5 [Alter Settings](#alter-settings) + * 5.21.5.1 [RQ.SRS-006.RBAC.Privileges.AlterSettings](#rqsrs-006rbacprivilegesaltersettings) + * 5.21.5.2 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant](#rqsrs-006rbacprivilegesaltersettingsgrant) + * 5.21.5.3 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke](#rqsrs-006rbacprivilegesaltersettingsrevoke) + * 5.21.5.4 [RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster](#rqsrs-006rbacprivilegesaltersettingscluster) + * 5.21.5.5 [RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines](#rqsrs-006rbacprivilegesaltersettingstableengines) + * 5.21.6 [Alter Update](#alter-update) + * 5.21.6.1 [RQ.SRS-006.RBAC.Privileges.AlterUpdate](#rqsrs-006rbacprivilegesalterupdate) + * 5.21.6.2 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant](#rqsrs-006rbacprivilegesalterupdategrant) + * 5.21.6.3 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke](#rqsrs-006rbacprivilegesalterupdaterevoke) + * 5.21.6.4 [RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines](#rqsrs-006rbacprivilegesalterupdatetableengines) + * 5.21.7 [Alter Delete](#alter-delete) + * 5.21.7.1 [RQ.SRS-006.RBAC.Privileges.AlterDelete](#rqsrs-006rbacprivilegesalterdelete) + * 5.21.7.2 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant](#rqsrs-006rbacprivilegesalterdeletegrant) + * 5.21.7.3 [RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke](#rqsrs-006rbacprivilegesalterdeleterevoke) + * 5.21.7.4 [RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines](#rqsrs-006rbacprivilegesalterdeletetableengines) + * 5.21.8 [Alter Freeze Partition](#alter-freeze-partition) + * 5.21.8.1 [RQ.SRS-006.RBAC.Privileges.AlterFreeze](#rqsrs-006rbacprivilegesalterfreeze) + * 5.21.8.2 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant](#rqsrs-006rbacprivilegesalterfreezegrant) + * 5.21.8.3 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke](#rqsrs-006rbacprivilegesalterfreezerevoke) + * 5.21.8.4 [RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines](#rqsrs-006rbacprivilegesalterfreezetableengines) + * 5.21.9 [Alter Fetch Partition](#alter-fetch-partition) + * 5.21.9.1 [RQ.SRS-006.RBAC.Privileges.AlterFetch](#rqsrs-006rbacprivilegesalterfetch) + * 5.21.9.2 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant](#rqsrs-006rbacprivilegesalterfetchgrant) + * 5.21.9.3 [RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke](#rqsrs-006rbacprivilegesalterfetchrevoke) + * 5.21.9.4 [RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines](#rqsrs-006rbacprivilegesalterfetchtableengines) + * 5.21.10 [Alter Move Partition](#alter-move-partition) + * 5.21.10.1 [RQ.SRS-006.RBAC.Privileges.AlterMove](#rqsrs-006rbacprivilegesaltermove) + * 5.21.10.2 [RQ.SRS-006.RBAC.Privileges.AlterMove.Grant](#rqsrs-006rbacprivilegesaltermovegrant) + * 5.21.10.3 [RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke](#rqsrs-006rbacprivilegesaltermoverevoke) + * 5.21.10.4 [RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines](#rqsrs-006rbacprivilegesaltermovetableengines) + * 5.22 [Create](#create) + * 5.22.1 [RQ.SRS-006.RBAC.Privileges.CreateTable](#rqsrs-006rbacprivilegescreatetable) + * 5.22.2 [RQ.SRS-006.RBAC.Privileges.CreateDatabase](#rqsrs-006rbacprivilegescreatedatabase) + * 5.22.3 [RQ.SRS-006.RBAC.Privileges.CreateDictionary](#rqsrs-006rbacprivilegescreatedictionary) + * 5.22.4 [RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable](#rqsrs-006rbacprivilegescreatetemporarytable) + * 5.23 [Attach](#attach) + * 5.23.1 [RQ.SRS-006.RBAC.Privileges.AttachDatabase](#rqsrs-006rbacprivilegesattachdatabase) + * 5.23.2 [RQ.SRS-006.RBAC.Privileges.AttachDictionary](#rqsrs-006rbacprivilegesattachdictionary) + * 5.23.3 [RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable](#rqsrs-006rbacprivilegesattachtemporarytable) + * 5.23.4 [RQ.SRS-006.RBAC.Privileges.AttachTable](#rqsrs-006rbacprivilegesattachtable) + * 5.24 [Drop](#drop) + * 5.24.1 [RQ.SRS-006.RBAC.Privileges.DropTable](#rqsrs-006rbacprivilegesdroptable) + * 5.24.2 [RQ.SRS-006.RBAC.Privileges.DropDatabase](#rqsrs-006rbacprivilegesdropdatabase) + * 5.24.3 [RQ.SRS-006.RBAC.Privileges.DropDictionary](#rqsrs-006rbacprivilegesdropdictionary) + * 5.25 [Detach](#detach) + * 5.25.1 [RQ.SRS-006.RBAC.Privileges.DetachTable](#rqsrs-006rbacprivilegesdetachtable) + * 5.25.2 [RQ.SRS-006.RBAC.Privileges.DetachView](#rqsrs-006rbacprivilegesdetachview) + * 5.25.3 [RQ.SRS-006.RBAC.Privileges.DetachDatabase](#rqsrs-006rbacprivilegesdetachdatabase) + * 5.25.4 [RQ.SRS-006.RBAC.Privileges.DetachDictionary](#rqsrs-006rbacprivilegesdetachdictionary) + * 5.26 [Truncate](#truncate) + * 5.26.1 [RQ.SRS-006.RBAC.Privileges.Truncate](#rqsrs-006rbacprivilegestruncate) + * 5.27 [Optimize](#optimize) + * 5.27.1 [RQ.SRS-006.RBAC.Privileges.Optimize](#rqsrs-006rbacprivilegesoptimize) + * 5.28 [Kill Query](#kill-query) + * 5.28.1 [RQ.SRS-006.RBAC.Privileges.KillQuery](#rqsrs-006rbacprivilegeskillquery) + * 5.29 [Kill Mutation](#kill-mutation) + * 5.29.1 [RQ.SRS-006.RBAC.Privileges.KillMutation](#rqsrs-006rbacprivilegeskillmutation) + * 5.29.2 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate](#rqsrs-006rbacprivilegeskillmutationalterupdate) + * 5.29.3 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete](#rqsrs-006rbacprivilegeskillmutationalterdelete) + * 5.29.4 [RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn](#rqsrs-006rbacprivilegeskillmutationalterdropcolumn) + * 5.30 [Show](#show) + * 5.30.1 [RQ.SRS-006.RBAC.ShowTables.Privilege](#rqsrs-006rbacshowtablesprivilege) + * 5.30.2 [RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege](#rqsrs-006rbacshowtablesrequiredprivilege) + * 5.30.3 [RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege](#rqsrs-006rbacexiststablerequiredprivilege) + * 5.30.4 [RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege](#rqsrs-006rbacchecktablerequiredprivilege) + * 5.30.5 [RQ.SRS-006.RBAC.ShowDatabases.Privilege](#rqsrs-006rbacshowdatabasesprivilege) + * 5.30.6 [RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege](#rqsrs-006rbacshowdatabasesrequiredprivilege) + * 5.30.7 [RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege](#rqsrs-006rbacshowcreatedatabaserequiredprivilege) + * 5.30.8 [RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege](#rqsrs-006rbacusedatabaserequiredprivilege) + * 5.30.9 [RQ.SRS-006.RBAC.ShowColumns.Privilege](#rqsrs-006rbacshowcolumnsprivilege) + * 5.30.10 [RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege](#rqsrs-006rbacshowcreatetablerequiredprivilege) + * 5.30.11 [RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege](#rqsrs-006rbacdescribetablerequiredprivilege) + * 5.30.12 [RQ.SRS-006.RBAC.ShowDictionaries.Privilege](#rqsrs-006rbacshowdictionariesprivilege) + * 5.30.13 [RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege](#rqsrs-006rbacshowdictionariesrequiredprivilege) + * 5.30.14 [RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege](#rqsrs-006rbacshowcreatedictionaryrequiredprivilege) + * 5.30.15 [RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege](#rqsrs-006rbacexistsdictionaryrequiredprivilege) + * 5.31 [Access Management](#access-management) + * 5.31.1 [RQ.SRS-006.RBAC.Privileges.CreateUser](#rqsrs-006rbacprivilegescreateuser) + * 5.31.2 [RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole](#rqsrs-006rbacprivilegescreateuserdefaultrole) + * 5.31.3 [RQ.SRS-006.RBAC.Privileges.AlterUser](#rqsrs-006rbacprivilegesalteruser) + * 5.31.4 [RQ.SRS-006.RBAC.Privileges.DropUser](#rqsrs-006rbacprivilegesdropuser) + * 5.31.5 [RQ.SRS-006.RBAC.Privileges.CreateRole](#rqsrs-006rbacprivilegescreaterole) + * 5.31.6 [RQ.SRS-006.RBAC.Privileges.AlterRole](#rqsrs-006rbacprivilegesalterrole) + * 5.31.7 [RQ.SRS-006.RBAC.Privileges.DropRole](#rqsrs-006rbacprivilegesdroprole) + * 5.31.8 [RQ.SRS-006.RBAC.Privileges.CreateRowPolicy](#rqsrs-006rbacprivilegescreaterowpolicy) + * 5.31.9 [RQ.SRS-006.RBAC.Privileges.AlterRowPolicy](#rqsrs-006rbacprivilegesalterrowpolicy) + * 5.31.10 [RQ.SRS-006.RBAC.Privileges.DropRowPolicy](#rqsrs-006rbacprivilegesdroprowpolicy) + * 5.31.11 [RQ.SRS-006.RBAC.Privileges.CreateQuota](#rqsrs-006rbacprivilegescreatequota) + * 5.31.12 [RQ.SRS-006.RBAC.Privileges.AlterQuota](#rqsrs-006rbacprivilegesalterquota) + * 5.31.13 [RQ.SRS-006.RBAC.Privileges.DropQuota](#rqsrs-006rbacprivilegesdropquota) + * 5.31.14 [RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile](#rqsrs-006rbacprivilegescreatesettingsprofile) + * 5.31.15 [RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile](#rqsrs-006rbacprivilegesaltersettingsprofile) + * 5.31.16 [RQ.SRS-006.RBAC.Privileges.DropSettingsProfile](#rqsrs-006rbacprivilegesdropsettingsprofile) + * 5.31.17 [RQ.SRS-006.RBAC.Privileges.RoleAdmin](#rqsrs-006rbacprivilegesroleadmin) + * 5.31.18 [Show Access](#show-access) + * 5.31.18.1 [RQ.SRS-006.RBAC.ShowUsers.Privilege](#rqsrs-006rbacshowusersprivilege) + * 5.31.18.2 [RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege](#rqsrs-006rbacshowusersrequiredprivilege) + * 5.31.18.3 [RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege](#rqsrs-006rbacshowcreateuserrequiredprivilege) + * 5.31.18.4 [RQ.SRS-006.RBAC.ShowRoles.Privilege](#rqsrs-006rbacshowrolesprivilege) + * 5.31.18.5 [RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege](#rqsrs-006rbacshowrolesrequiredprivilege) + * 5.31.18.6 [RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege](#rqsrs-006rbacshowcreaterolerequiredprivilege) + * 5.31.18.7 [RQ.SRS-006.RBAC.ShowRowPolicies.Privilege](#rqsrs-006rbacshowrowpoliciesprivilege) + * 5.31.18.8 [RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege](#rqsrs-006rbacshowrowpoliciesrequiredprivilege) + * 5.31.18.9 [RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege](#rqsrs-006rbacshowcreaterowpolicyrequiredprivilege) + * 5.31.18.10 [RQ.SRS-006.RBAC.ShowQuotas.Privilege](#rqsrs-006rbacshowquotasprivilege) + * 5.31.18.11 [RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege](#rqsrs-006rbacshowquotasrequiredprivilege) + * 5.31.18.12 [RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege](#rqsrs-006rbacshowcreatequotarequiredprivilege) + * 5.31.18.13 [RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege](#rqsrs-006rbacshowsettingsprofilesprivilege) + * 5.31.18.14 [RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege](#rqsrs-006rbacshowsettingsprofilesrequiredprivilege) + * 5.31.18.15 [RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege](#rqsrs-006rbacshowcreatesettingsprofilerequiredprivilege) + * 5.32 [dictGet](#dictget) + * 5.32.1 [RQ.SRS-006.RBAC.dictGet.Privilege](#rqsrs-006rbacdictgetprivilege) + * 5.32.2 [RQ.SRS-006.RBAC.dictGet.RequiredPrivilege](#rqsrs-006rbacdictgetrequiredprivilege) + * 5.32.3 [RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege](#rqsrs-006rbacdictgettyperequiredprivilege) + * 5.32.4 [RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege](#rqsrs-006rbacdictgetordefaultrequiredprivilege) + * 5.32.5 [RQ.SRS-006.RBAC.dictHas.RequiredPrivilege](#rqsrs-006rbacdicthasrequiredprivilege) + * 5.32.6 [RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege](#rqsrs-006rbacdictgethierarchyrequiredprivilege) + * 5.32.7 [RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege](#rqsrs-006rbacdictisinrequiredprivilege) + * 5.33 [Introspection](#introspection) + * 5.33.1 [RQ.SRS-006.RBAC.Privileges.Introspection](#rqsrs-006rbacprivilegesintrospection) + * 5.33.2 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine](#rqsrs-006rbacprivilegesintrospectionaddresstoline) + * 5.33.3 [RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol](#rqsrs-006rbacprivilegesintrospectionaddresstosymbol) + * 5.33.4 [RQ.SRS-006.RBAC.Privileges.Introspection.demangle](#rqsrs-006rbacprivilegesintrospectiondemangle) + * 5.34 [System](#system) + * 5.34.1 [RQ.SRS-006.RBAC.Privileges.System.Shutdown](#rqsrs-006rbacprivilegessystemshutdown) + * 5.34.2 [RQ.SRS-006.RBAC.Privileges.System.DropCache](#rqsrs-006rbacprivilegessystemdropcache) + * 5.34.3 [RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS](#rqsrs-006rbacprivilegessystemdropcachedns) + * 5.34.4 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark](#rqsrs-006rbacprivilegessystemdropcachemark) + * 5.34.5 [RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed](#rqsrs-006rbacprivilegessystemdropcacheuncompressed) + * 5.34.6 [RQ.SRS-006.RBAC.Privileges.System.Reload](#rqsrs-006rbacprivilegessystemreload) + * 5.34.7 [RQ.SRS-006.RBAC.Privileges.System.Reload.Config](#rqsrs-006rbacprivilegessystemreloadconfig) + * 5.34.8 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary](#rqsrs-006rbacprivilegessystemreloaddictionary) + * 5.34.9 [RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries](#rqsrs-006rbacprivilegessystemreloaddictionaries) + * 5.34.10 [RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries](#rqsrs-006rbacprivilegessystemreloadembeddeddictionaries) + * 5.34.11 [RQ.SRS-006.RBAC.Privileges.System.Merges](#rqsrs-006rbacprivilegessystemmerges) + * 5.34.12 [RQ.SRS-006.RBAC.Privileges.System.TTLMerges](#rqsrs-006rbacprivilegessystemttlmerges) + * 5.34.13 [RQ.SRS-006.RBAC.Privileges.System.Fetches](#rqsrs-006rbacprivilegessystemfetches) + * 5.34.14 [RQ.SRS-006.RBAC.Privileges.System.Moves](#rqsrs-006rbacprivilegessystemmoves) + * 5.34.15 [RQ.SRS-006.RBAC.Privileges.System.Sends](#rqsrs-006rbacprivilegessystemsends) + * 5.34.16 [RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed](#rqsrs-006rbacprivilegessystemsendsdistributed) + * 5.34.17 [RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated](#rqsrs-006rbacprivilegessystemsendsreplicated) + * 5.34.18 [RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues](#rqsrs-006rbacprivilegessystemreplicationqueues) + * 5.34.19 [RQ.SRS-006.RBAC.Privileges.System.SyncReplica](#rqsrs-006rbacprivilegessystemsyncreplica) + * 5.34.20 [RQ.SRS-006.RBAC.Privileges.System.RestartReplica](#rqsrs-006rbacprivilegessystemrestartreplica) + * 5.34.21 [RQ.SRS-006.RBAC.Privileges.System.Flush](#rqsrs-006rbacprivilegessystemflush) + * 5.34.22 [RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed](#rqsrs-006rbacprivilegessystemflushdistributed) + * 5.34.23 [RQ.SRS-006.RBAC.Privileges.System.Flush.Logs](#rqsrs-006rbacprivilegessystemflushlogs) + * 5.35 [Sources](#sources) + * 5.35.1 [RQ.SRS-006.RBAC.Privileges.Sources](#rqsrs-006rbacprivilegessources) + * 5.35.2 [RQ.SRS-006.RBAC.Privileges.Sources.File](#rqsrs-006rbacprivilegessourcesfile) + * 5.35.3 [RQ.SRS-006.RBAC.Privileges.Sources.URL](#rqsrs-006rbacprivilegessourcesurl) + * 5.35.4 [RQ.SRS-006.RBAC.Privileges.Sources.Remote](#rqsrs-006rbacprivilegessourcesremote) + * 5.35.5 [RQ.SRS-006.RBAC.Privileges.Sources.MySQL](#rqsrs-006rbacprivilegessourcesmysql) + * 5.35.6 [RQ.SRS-006.RBAC.Privileges.Sources.ODBC](#rqsrs-006rbacprivilegessourcesodbc) + * 5.35.7 [RQ.SRS-006.RBAC.Privileges.Sources.JDBC](#rqsrs-006rbacprivilegessourcesjdbc) + * 5.35.8 [RQ.SRS-006.RBAC.Privileges.Sources.HDFS](#rqsrs-006rbacprivilegessourceshdfs) + * 5.35.9 [RQ.SRS-006.RBAC.Privileges.Sources.S3](#rqsrs-006rbacprivilegessourcess3) + * 5.36 [RQ.SRS-006.RBAC.Privileges.GrantOption](#rqsrs-006rbacprivilegesgrantoption) + * 5.37 [RQ.SRS-006.RBAC.Privileges.All](#rqsrs-006rbacprivilegesall) + * 5.38 [RQ.SRS-006.RBAC.Privileges.RoleAll](#rqsrs-006rbacprivilegesroleall) + * 5.39 [RQ.SRS-006.RBAC.Privileges.None](#rqsrs-006rbacprivilegesnone) + * 5.40 [RQ.SRS-006.RBAC.Privileges.AdminOption](#rqsrs-006rbacprivilegesadminoption) * 6 [References](#references) ## Revision History @@ -656,256 +10643,103 @@ version: 1.0 [ClickHouse] SHALL support role based access control. -#### Login +### Login -##### RQ.SRS-006.RBAC.Login +#### RQ.SRS-006.RBAC.Login version: 1.0 [ClickHouse] SHALL only allow access to the server for a given user only when correct username and password are used during the connection to the server. -##### RQ.SRS-006.RBAC.Login.DefaultUser +#### RQ.SRS-006.RBAC.Login.DefaultUser version: 1.0 [ClickHouse] SHALL use the **default user** when no username and password are specified during the connection to the server. -#### User +### User -##### RQ.SRS-006.RBAC.User +#### RQ.SRS-006.RBAC.User version: 1.0 [ClickHouse] SHALL support creation and manipulation of one or more **user** accounts to which roles, privileges, settings profile, quotas and row policies can be assigned. -##### RQ.SRS-006.RBAC.User.Roles +#### RQ.SRS-006.RBAC.User.Roles version: 1.0 [ClickHouse] SHALL support assigning one or more **roles** to a **user**. -##### RQ.SRS-006.RBAC.User.Privileges +#### RQ.SRS-006.RBAC.User.Privileges version: 1.0 [ClickHouse] SHALL support assigning one or more privileges to a **user**. -##### RQ.SRS-006.RBAC.User.Variables +#### RQ.SRS-006.RBAC.User.Variables version: 1.0 [ClickHouse] SHALL support assigning one or more variables to a **user**. -##### RQ.SRS-006.RBAC.User.Variables.Constraints +#### RQ.SRS-006.RBAC.User.Variables.Constraints version: 1.0 [ClickHouse] SHALL support assigning min, max and read-only constraints for the variables that can be set and read by the **user**. -##### RQ.SRS-006.RBAC.User.SettingsProfile +#### RQ.SRS-006.RBAC.User.SettingsProfile version: 1.0 [ClickHouse] SHALL support assigning one or more **settings profiles** to a **user**. -##### RQ.SRS-006.RBAC.User.Quotas +#### RQ.SRS-006.RBAC.User.Quotas version: 1.0 [ClickHouse] SHALL support assigning one or more **quotas** to a **user**. -##### RQ.SRS-006.RBAC.User.RowPolicies +#### RQ.SRS-006.RBAC.User.RowPolicies version: 1.0 [ClickHouse] SHALL support assigning one or more **row policies** to a **user**. -##### RQ.SRS-006.RBAC.User.AccountLock -version: 1.0 - -[ClickHouse] SHALL support locking and unlocking of **user** accounts. - -##### RQ.SRS-006.RBAC.User.AccountLock.DenyAccess -version: 1.0 - -[ClickHouse] SHALL deny access to the user whose account is locked. - -##### RQ.SRS-006.RBAC.User.DefaultRole +#### RQ.SRS-006.RBAC.User.DefaultRole version: 1.0 [ClickHouse] SHALL support assigning a default role to a **user**. -##### RQ.SRS-006.RBAC.User.RoleSelection +#### RQ.SRS-006.RBAC.User.RoleSelection version: 1.0 [ClickHouse] SHALL support selection of one or more **roles** from the available roles -that are assigned to a **user**. +that are assigned to a **user** using `SET ROLE` statement. -##### RQ.SRS-006.RBAC.User.ShowCreate +#### RQ.SRS-006.RBAC.User.ShowCreate version: 1.0 [ClickHouse] SHALL support showing the command of how **user** account was created. -##### RQ.SRS-006.RBAC.User.ShowPrivileges +#### RQ.SRS-006.RBAC.User.ShowPrivileges version: 1.0 [ClickHouse] SHALL support listing the privileges of the **user**. -#### Role - -##### RQ.SRS-006.RBAC.Role -version: 1.0 - -[ClikHouse] SHALL support creation and manipulation of **roles** -to which privileges, settings profile, quotas and row policies can be -assigned. - -##### RQ.SRS-006.RBAC.Role.Privileges -version: 1.0 - -[ClickHouse] SHALL support assigning one or more privileges to a **role**. - -##### RQ.SRS-006.RBAC.Role.Variables -version: 1.0 - -[ClickHouse] SHALL support assigning one or more variables to a **role**. - -##### RQ.SRS-006.RBAC.Role.SettingsProfile -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **settings profiles** -to a **role**. - -##### RQ.SRS-006.RBAC.Role.Quotas -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **quotas** to a **role**. - -##### RQ.SRS-006.RBAC.Role.RowPolicies -version: 1.0 - -[ClickHouse] SHALL support assigning one or more **row policies** to a **role**. - -#### Partial Revokes - -##### RQ.SRS-006.RBAC.PartialRevokes -version: 1.0 - -[ClickHouse] SHALL support partial revoking of privileges granted -to a **user** or a **role**. - -#### Settings Profile - -##### RQ.SRS-006.RBAC.SettingsProfile -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of **settings profiles** -that can include value definition for one or more variables and can -can be assigned to one or more **users** or **roles**. - -##### RQ.SRS-006.RBAC.SettingsProfile.Constraints -version: 1.0 - -[ClickHouse] SHALL support assigning min, max and read-only constraints -for the variables specified in the **settings profile**. - -##### RQ.SRS-006.RBAC.SettingsProfile.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **setting profile** was created. - -#### Quotas - -##### RQ.SRS-006.RBAC.Quotas -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of **quotas** -that can be used to limit resource usage by a **user** or a **role** -over a period of time. - -##### RQ.SRS-006.RBAC.Quotas.Keyed -version: 1.0 - -[ClickHouse] SHALL support creating **quotas** that are keyed -so that a quota is tracked separately for each key value. - -##### RQ.SRS-006.RBAC.Quotas.Queries -version: 1.0 - -[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests. - -##### RQ.SRS-006.RBAC.Quotas.Errors -version: 1.0 - -[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception. - -##### RQ.SRS-006.RBAC.Quotas.ResultRows -version: 1.0 - -[ClickHouse] SHALL support setting **result rows** quota to limit the -the total number of rows given as the result. - -##### RQ.SRS-006.RBAC.Quotas.ReadRows -version: 1.0 - -[ClickHouse] SHALL support setting **read rows** quota to limit the total -number of source rows read from tables for running the query on all remote servers. - -##### RQ.SRS-006.RBAC.Quotas.ResultBytes -version: 1.0 - -[ClickHouse] SHALL support setting **result bytes** quota to limit the total number -of bytes that can be returned as the result. - -##### RQ.SRS-006.RBAC.Quotas.ReadBytes -version: 1.0 - -[ClickHouse] SHALL support setting **read bytes** quota to limit the total number -of source bytes read from tables for running the query on all remote servers. - -##### RQ.SRS-006.RBAC.Quotas.ExecutionTime -version: 1.0 - -[ClickHouse] SHALL support setting **execution time** quota to limit the maximum -query execution time. - -##### RQ.SRS-006.RBAC.Quotas.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **quota** was created. - -#### Row Policy - -##### RQ.SRS-006.RBAC.RowPolicy -version: 1.0 - -[ClickHouse] SHALL support creation and manipulation of table **row policies** -that can be used to limit access to the table contents for a **user** or a **role** -using a specified **condition**. - -##### RQ.SRS-006.RBAC.RowPolicy.Condition -version: 1.0 - -[ClickHouse] SHALL support row policy **conditions** that can be any SQL -expression that returns a boolean. - -##### RQ.SRS-006.RBAC.RowPolicy.ShowCreate -version: 1.0 - -[ClickHouse] SHALL support showing the command of how **row policy** was created. - -### Specific - -##### RQ.SRS-006.RBAC.User.Use.DefaultRole +#### RQ.SRS-006.RBAC.User.Use.DefaultRole version: 1.0 [ClickHouse] SHALL by default use default role or roles assigned to the user if specified. -##### RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole +#### RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole version: 1.0 [ClickHouse] SHALL by default use all the roles assigned to the user if no default role or roles are specified for the user. +#### Create User + ##### RQ.SRS-006.RBAC.User.Create version: 1.0 @@ -1103,6 +10937,8 @@ CREATE USER [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Alter User + ##### RQ.SRS-006.RBAC.User.Alter version: 1.0 @@ -1119,7 +10955,8 @@ the left. version: 1.0 [ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER USER` statement -to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist. If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist. +to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist. +If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist. ##### RQ.SRS-006.RBAC.User.Alter.Cluster version: 1.0 @@ -1157,7 +10994,8 @@ to some password as identification when altering user account using ##### RQ.SRS-006.RBAC.User.Alter.Host.AddDrop version: 1.0 -[ClickHouse] SHALL support altering user by adding and dropping access to hosts with the `ADD HOST` or the `DROP HOST`in the `ALTER USER` statement. +[ClickHouse] SHALL support altering user by adding and dropping access to hosts +with the `ADD HOST` or the `DROP HOST` in the `ALTER USER` statement. ##### RQ.SRS-006.RBAC.User.Alter.Host.Local version: 1.0 @@ -1189,7 +11027,8 @@ which user can access the server using the `HOST IP` clause in the ##### RQ.SRS-006.RBAC.User.Alter.Host.Like version: 1.0 -[ClickHouse] SHALL support specifying sone or more similar hosts using `LIKE` command syntax using the `HOST LIKE` clause in the `ALTER USER` statement. +[ClickHouse] SHALL support specifying one or more similar hosts using `LIKE` command syntax +using the `HOST LIKE` clause in the `ALTER USER` statement. ##### RQ.SRS-006.RBAC.User.Alter.Host.Any version: 1.0 @@ -1232,7 +11071,6 @@ version: 1.0 [ClickHouse] SHALL support specifying a minimum value for the variable specifed using `SETTINGS` with `MIN` clause in the `ALTER USER` statement. - ##### RQ.SRS-006.RBAC.User.Alter.Settings.Max version: 1.0 @@ -1257,85 +11095,7 @@ ALTER USER [IF EXISTS] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` -##### RQ.SRS-006.RBAC.SetDefaultRole -version: 1.0 - -[ClickHouse] SHALL support setting or changing granted roles to default for one or more -users using `SET DEFAULT ROLE` statement which -SHALL permanently change the default roles for the user or users if successful. - -##### RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser -version: 1.0 - -[ClickHouse] SHALL support setting or changing granted roles to default for -the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.All -version: 1.0 - -[ClickHouse] SHALL support setting or changing all granted roles to default -for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.AllExcept -version: 1.0 - -[ClickHouse] SHALL support setting or changing all granted roles except those specified -to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.None -version: 1.0 - -[ClickHouse] SHALL support removing all granted roles from default -for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement. - -##### RQ.SRS-006.RBAC.SetDefaultRole.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement. - -```sql -SET DEFAULT ROLE - {NONE | role [,...] | ALL | ALL EXCEPT role [,...]} - TO {user|CURRENT_USER} [,...] - -``` - -##### RQ.SRS-006.RBAC.SetRole -version: 1.0 - -[ClickHouse] SHALL support activating role or roles for the current user -using `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.Default -version: 1.0 - -[ClickHouse] SHALL support activating default roles for the current user -using `DEFAULT` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.None -version: 1.0 - -[ClickHouse] SHALL support activating no roles for the current user -using `NONE` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.All -version: 1.0 - -[ClickHouse] SHALL support activating all roles for the current user -using `ALL` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.AllExcept -version: 1.0 - -[ClickHouse] SHALL support activating all roles except those specified -for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement. - -##### RQ.SRS-006.RBAC.SetRole.Syntax -version: 1.0 - -```sql -SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]} -``` +#### Show Create User ##### RQ.SRS-006.RBAC.User.ShowCreateUser version: 1.0 @@ -1358,6 +11118,8 @@ version: 1.0 SHOW CREATE USER [name | CURRENT_USER] ``` +#### Drop User + ##### RQ.SRS-006.RBAC.User.Drop version: 1.0 @@ -1386,6 +11148,43 @@ version: 1.0 DROP USER [IF EXISTS] name [,...] [ON CLUSTER cluster_name] ``` +### Role + +#### RQ.SRS-006.RBAC.Role +version: 1.0 + +[ClikHouse] SHALL support creation and manipulation of **roles** +to which privileges, settings profile, quotas and row policies can be +assigned. + +#### RQ.SRS-006.RBAC.Role.Privileges +version: 1.0 + +[ClickHouse] SHALL support assigning one or more privileges to a **role**. + +#### RQ.SRS-006.RBAC.Role.Variables +version: 1.0 + +[ClickHouse] SHALL support assigning one or more variables to a **role**. + +#### RQ.SRS-006.RBAC.Role.SettingsProfile +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **settings profiles** +to a **role**. + +#### RQ.SRS-006.RBAC.Role.Quotas +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **quotas** to a **role**. + +#### RQ.SRS-006.RBAC.Role.RowPolicies +version: 1.0 + +[ClickHouse] SHALL support assigning one or more **row policies** to a **role**. + +#### Create Role + ##### RQ.SRS-006.RBAC.Role.Create version: 1.0 @@ -1421,6 +11220,8 @@ CREATE ROLE [IF NOT EXISTS | OR REPLACE] name [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Alter Role + ##### RQ.SRS-006.RBAC.Role.Alter version: 1.0 @@ -1467,6 +11268,8 @@ ALTER ROLE [IF EXISTS] name [ON CLUSTER cluster_name] [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...] ``` +#### Drop Role + ##### RQ.SRS-006.RBAC.Role.Drop version: 1.0 @@ -1494,6 +11297,8 @@ version: 1.0 DROP ROLE [IF EXISTS] name [,...] [ON CLUSTER cluster_name] ``` +#### Show Create Role + ##### RQ.SRS-006.RBAC.Role.ShowCreate version: 1.0 @@ -1509,326 +11314,15 @@ version: 1.0 SHOW CREATE ROLE name ``` -##### RQ.SRS-006.RBAC.Grant.Privilege.To +### Partial Revokes + +#### RQ.SRS-006.RBAC.PartialRevokes version: 1.0 -[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause -in the `GRANT PRIVILEGE` statement. +[ClickHouse] SHALL support partial revoking of privileges granted +to a **user** or a **role**. -##### RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser -version: 1.0 - -[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause -in the `GRANT PRIVILEGE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Select -version: 1.0 - -[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles -for a database or a table using the `GRANT SELECT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Insert -version: 1.0 - -[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles -for a database or a table using the `GRANT INSERT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Alter -version: 1.0 - -[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles -for a database or a table using the `GRANT ALTER` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Create -version: 1.0 - -[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles -using the `GRANT CREATE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Drop -version: 1.0 - -[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles -using the `GRANT DROP` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Truncate -version: 1.0 - -[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles -for a database or a table using `GRANT TRUNCATE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Optimize -version: 1.0 - -[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles -for a database or a table using `GRANT OPTIMIZE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Show -version: 1.0 - -[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles -for a database or a table using `GRANT SHOW` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.KillQuery -version: 1.0 - -[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles -for a database or a table using `GRANT KILL QUERY` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement -version: 1.0 - -[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles -for a database or a table using `GRANT ACCESS MANAGEMENT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.System -version: 1.0 - -[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles -for a database or a table using `GRANT SYSTEM` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Introspection -version: 1.0 - -[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles -for a database or a table using `GRANT INTROSPECTION` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Sources -version: 1.0 - -[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles -for a database or a table using `GRANT SOURCES` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.DictGet -version: 1.0 - -[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles -for a database or a table using `GRANT dictGet` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.None -version: 1.0 - -[ClickHouse] SHALL support granting no privileges to one or more users or roles -for a database or a table using `GRANT NONE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.All -version: 1.0 - -[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles -for a database or a table using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements. - -##### RQ.SRS-006.RBAC.Grant.Privilege.GrantOption -version: 1.0 - -[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles -for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.On -version: 1.0 - -[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement -which SHALL allow to specify one or more tables to which the privilege SHALL -be granted using the following patterns - -* `*.*` any table in any database -* `database.*` any table in the specified database -* `database.table` specific table in the specified database -* `*` any table in the current database -* `table` specific table in the current database - -##### RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns -version: 1.0 - -[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles -for a database or a table using the `GRANT some_privilege(column)` statement for one column. -Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement. -The privileges will be granted for only the specified columns. - -##### RQ.SRS-006.RBAC.Grant.Privilege.OnCluster -version: 1.0 - -[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER` -clause in the `GRANT PRIVILEGE` statement. - -##### RQ.SRS-006.RBAC.Grant.Privilege.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `GRANT` statement that -grants explicit privileges to a user or a role. - -```sql -GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] - ON {db.table|db.*|*.*|table|*} - TO {user | role | CURRENT_USER} [,...] - [WITH GRANT OPTION] -``` - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Cluster -version: 1.0 - -[ClickHouse] SHALL support revoking privileges to one or more users or roles -for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Any -version: 1.0 - -[ClickHouse] SHALL support revoking ANY privilege to one or more users or roles -for a database or a table using the `REVOKE some_privilege` statement. -**some_privilege** refers to any Clickhouse defined privilege, whose hierarchy includes -SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, -SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Select -version: 1.0 - -[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles -for a database or a table using the `REVOKE SELECT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Insert -version: 1.0 - -[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles -for a database or a table using the `REVOKE INSERT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Alter -version: 1.0 - -[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles -for a database or a table using the `REVOKE ALTER` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Create -version: 1.0 - -[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles -using the `REVOKE CREATE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Drop -version: 1.0 - -[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles -using the `REVOKE DROP` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Truncate -version: 1.0 - -[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles -for a database or a table using the `REVOKE TRUNCATE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Optimize -version: 1.0 - -[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles -for a database or a table using the `REVOKE OPTIMIZE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Show -version: 1.0 - -[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles -for a database or a table using the `REVOKE SHOW` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery -version: 1.0 - -[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles -for a database or a table using the `REVOKE KILL QUERY` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement -version: 1.0 - -[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles -for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.System -version: 1.0 - -[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles -for a database or a table using the `REVOKE SYSTEM` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Introspection -version: 1.0 - -[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles -for a database or a table using the `REVOKE INTROSPECTION` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Sources -version: 1.0 - -[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles -for a database or a table using the `REVOKE SOURCES` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.DictGet -version: 1.0 - -[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles -for a database or a table using the `REVOKE dictGet` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.PrivelegeColumns -version: 1.0 - -[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles -for a database or a table using the `REVOKE some_privilege(column)` statement for one column. -Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement. -The privileges will be revoked for only the specified columns. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Multiple -version: 1.0 - -[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles -for a database or a table using the `REVOKE privilege1, privilege2...` statement. -**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes -SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, -SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.All -version: 1.0 - -[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles -for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.None -version: 1.0 - -[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles -for a database or a table using the `REVOKE NONE` statement. - -##### RQ.SRS-006.RBAC.Revoke.Privilege.On -version: 1.0 - -[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement -which SHALL allow to specify one or more tables to which the privilege SHALL -be revoked using the following patterns - -* `db.table` specific table in the specified database -* `db.*` any table in the specified database -* `*.*` any table in any database -* `table` specific table in the current database -* `*` any table in the current database - -##### RQ.SRS-006.RBAC.Revoke.Privilege.From -version: 1.0 - -[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement -which SHALL allow to specify one or more users to which the privilege SHALL -be revoked using the following patterns - -* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user -* `ALL` all users -* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern - -##### RQ.SRS-006.RBAC.Revoke.Privilege.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that -revokes explicit privileges of a user or a role. - -```sql -REVOKE [ON CLUSTER cluster_name] privilege - [(column_name [,...])] [,...] - ON {db.table|db.*|*.*|table|*} - FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...] -``` - -##### RQ.SRS-006.RBAC.PartialRevoke.Syntax +#### RQ.SRS-006.RBAC.PartialRevoke.Syntax version: 1.0 [ClickHouse] SHALL support partial revokes by using `partial_revokes` variable @@ -1846,102 +11340,22 @@ To enable partial revokes the `partial revokes` variable SHALL be set to `1` SET partial_revokes = 1 ``` -##### RQ.SRS-006.RBAC.Grant.Role +### Settings Profile + +#### RQ.SRS-006.RBAC.SettingsProfile version: 1.0 -[ClickHouse] SHALL support granting one or more roles to -one or more users or roles using the `GRANT` role statement. +[ClickHouse] SHALL support creation and manipulation of **settings profiles** +that can include value definition for one or more variables and can +can be assigned to one or more **users** or **roles**. -##### RQ.SRS-006.RBAC.Grant.Role.CurrentUser +#### RQ.SRS-006.RBAC.SettingsProfile.Constraints version: 1.0 -[ClickHouse] SHALL support granting one or more roles to current user using -`TO CURRENT_USER` clause in the `GRANT` role statement. +[ClickHouse] SHALL support assigning min, max and read-only constraints +for the variables specified in the **settings profile**. -##### RQ.SRS-006.RBAC.Grant.Role.AdminOption -version: 1.0 - -[ClickHouse] SHALL support granting `admin option` privilege -to one or more users or roles using the `WITH ADMIN OPTION` clause -in the `GRANT` role statement. - -##### RQ.SRS-006.RBAC.Grant.Role.OnCluster -version: 1.0 - -[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles -using `ON CLUSTER` clause in the `GRANT` statement. - -##### RQ.SRS-006.RBAC.Grant.Role.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for `GRANT` role statement - -``` sql -GRANT - ON CLUSTER cluster_name - role [, role ...] - TO {user | role | CURRENT_USER} [,...] - [WITH ADMIN OPTION] -``` - -##### RQ.SRS-006.RBAC.Revoke.Role -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -one or more users or roles using the `REVOKE` role statement. - -##### RQ.SRS-006.RBAC.Revoke.Role.Keywords -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`, -and `CURRENT_USER` keywords. - -##### RQ.SRS-006.RBAC.Revoke.Role.Cluster -version: 1.0 - -[ClickHouse] SHALL support revoking one or more roles from -one or more users or roles from one or more clusters -using the `REVOKE ON CLUSTER` role statement. - -##### RQ.SRS-006.RBAC.Revoke.AdminOption -version: 1.0 - -[ClickHouse] SHALL support revoking `admin option` privilege -in one or more users or roles using the `ADMIN OPTION FOR` clause -in the `REVOKE` role statement. - -##### RQ.SRS-006.RBAC.Revoke.Role.Syntax -version: 1.0 - -[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement - -```sql -REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR] - role [,...] - FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...] -``` - -##### RQ.SRS-006.RBAC.Show.Grants -version: 1.0 - -[ClickHouse] SHALL support listing all the privileges granted to current user and role -using the `SHOW GRANTS` statement. - -##### RQ.SRS-006.RBAC.Show.Grants.For -version: 1.0 - -[ClickHouse] SHALL support listing all the privileges granted to a user or a role -using the `FOR` clause in the `SHOW GRANTS` statement. - -##### RQ.SRS-006.RBAC.Show.Grants.Syntax -version: 1.0 - -[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement - -``` sql -SHOW GRANTS [FOR user_or_role] -``` +#### Create Settings Profile ##### RQ.SRS-006.RBAC.SettingsProfile.Create version: 1.0 @@ -2027,6 +11441,8 @@ CREATE SETTINGS PROFILE [IF NOT EXISTS | OR REPLACE] name [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}] ``` +#### Alter Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.Alter version: 1.0 @@ -2112,6 +11528,8 @@ ALTER SETTINGS PROFILE [IF EXISTS] name [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]]} ``` +#### Drop Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.Drop version: 1.0 @@ -2140,6 +11558,8 @@ version: 1.0 DROP SETTINGS PROFILE [IF EXISTS] name [,name,...] ``` +#### Show Create Settings Profile + ##### RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile version: 1.0 @@ -2150,6 +11570,63 @@ using the `SHOW CREATE SETTINGS PROFILE` statement with the following syntax SHOW CREATE SETTINGS PROFILE name ``` +### Quotas + +#### RQ.SRS-006.RBAC.Quotas +version: 1.0 + +[ClickHouse] SHALL support creation and manipulation of **quotas** +that can be used to limit resource usage by a **user** or a **role** +over a period of time. + +#### RQ.SRS-006.RBAC.Quotas.Keyed +version: 1.0 + +[ClickHouse] SHALL support creating **quotas** that are keyed +so that a quota is tracked separately for each key value. + +#### RQ.SRS-006.RBAC.Quotas.Queries +version: 1.0 + +[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests. + +#### RQ.SRS-006.RBAC.Quotas.Errors +version: 1.0 + +[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception. + +#### RQ.SRS-006.RBAC.Quotas.ResultRows +version: 1.0 + +[ClickHouse] SHALL support setting **result rows** quota to limit the +the total number of rows given as the result. + +#### RQ.SRS-006.RBAC.Quotas.ReadRows +version: 1.0 + +[ClickHouse] SHALL support setting **read rows** quota to limit the total +number of source rows read from tables for running the query on all remote servers. + +#### RQ.SRS-006.RBAC.Quotas.ResultBytes +version: 1.0 + +[ClickHouse] SHALL support setting **result bytes** quota to limit the total number +of bytes that can be returned as the result. + +#### RQ.SRS-006.RBAC.Quotas.ReadBytes +version: 1.0 + +[ClickHouse] SHALL support setting **read bytes** quota to limit the total number +of source bytes read from tables for running the query on all remote servers. + +#### RQ.SRS-006.RBAC.Quotas.ExecutionTime +version: 1.0 + +[ClickHouse] SHALL support setting **execution time** quota to limit the maximum +query execution time. + +#### Create Quotas + ##### RQ.SRS-006.RBAC.Quota.Create version: 1.0 @@ -2188,7 +11665,6 @@ of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be: `FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number to define the interval. - ##### RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized version: 1.0 @@ -2311,6 +11787,8 @@ CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name] [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Alter Quota + ##### RQ.SRS-006.RBAC.Quota.Alter version: 1.0 @@ -2469,6 +11947,8 @@ ALTER QUOTA [IF EXIST] name [TO {user_or_role [,...] | NONE | ALL} [EXCEPT user_or_role [,...]]] ``` +#### Drop Quota + ##### RQ.SRS-006.RBAC.Quota.Drop version: 1.0 @@ -2497,6 +11977,8 @@ version: 1.0 DROP QUOTA [IF EXISTS] name [,name...] ``` +#### Show Quotas + ##### RQ.SRS-006.RBAC.Quota.ShowQuotas version: 1.0 @@ -2521,7 +12003,6 @@ version: 1.0 [ClickHouse] SHALL support the `SETTINGS` clause in the `SHOW QUOTAS` statement to define settings in the showing of all quotas. - ##### RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax version: 1.0 @@ -2530,6 +12011,9 @@ with the following syntax ``` sql SHOW QUOTAS ``` + +#### Show Create Quota + ##### RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name version: 1.0 @@ -2557,6 +12041,34 @@ using the `SHOW CREATE QUOTA` statement. SHOW CREATE QUOTA [name | CURRENT] ``` +### Row Policy + +#### RQ.SRS-006.RBAC.RowPolicy +version: 1.0 + +[ClickHouse] SHALL support creation and manipulation of table **row policies** +that can be used to limit access to the table contents for a **user** or a **role** +using a specified **condition**. + +#### RQ.SRS-006.RBAC.RowPolicy.Condition +version: 1.0 + +[ClickHouse] SHALL support row policy **conditions** that can be any SQL +expression that returns a boolean. + +#### RQ.SRS-006.RBAC.RowPolicy.Restriction +version: 1.0 + +[ClickHouse] SHALL restrict all access to a table when a row policy with a condition is created on that table. +All users require a permissive row policy in order to view the table. + +#### RQ.SRS-006.RBAC.RowPolicy.Nesting +version: 1.0 + +[ClickHouse] SHALL restrict rows of tables or views created on top of a table with row policies according to those policies. + +#### Create Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Create version: 1.0 @@ -2611,14 +12123,14 @@ version: 1.0 [ClickHouse] SHALL support specifying which rows are affected using the `FOR SELECT` clause in the `CREATE ROW POLICY` statement. -REQUIRES CONFIRMATION +REQUIRES CONDITION. ##### RQ.SRS-006.RBAC.RowPolicy.Create.Condition version: 1.0 [ClickHouse] SHALL support specifying a condition that that can be any SQL expression which returns a boolean using the `USING` -clause in the `CREATE ROW POLOCY` statement. +clause in the `CREATE ROW POLICY` statement. ##### RQ.SRS-006.RBAC.RowPolicy.Create.Assignment version: 1.0 @@ -2657,6 +12169,8 @@ CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name [ON CLUSTER cluster [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Alter Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Alter version: 1.0 @@ -2763,6 +12277,8 @@ ALTER [ROW] POLICY [IF EXISTS] name [ON CLUSTER cluster_name] ON [database.]tabl [TO {role [,...] | ALL | ALL EXCEPT role [,...]}] ``` +#### Drop Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.Drop version: 1.0 @@ -2797,6 +12313,8 @@ version: 1.0 DROP [ROW] POLICY [IF EXISTS] name [,...] ON [database.]table [,...] [ON CLUSTER cluster_name] ``` +#### Show Create Row Policy + ##### RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy version: 1.0 @@ -2838,9 +12356,510 @@ version: 1.0 SHOW [ROW] POLICIES [ON [database.]table] ``` -#### Table Privileges +### Set Default Role -##### RQ.SRS-006.RBAC.Table.PublicTables +#### RQ.SRS-006.RBAC.SetDefaultRole +version: 1.0 + +[ClickHouse] SHALL support setting or changing granted roles to default for one or more +users using `SET DEFAULT ROLE` statement which +SHALL permanently change the default roles for the user or users if successful. + +#### RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser +version: 1.0 + +[ClickHouse] SHALL support setting or changing granted roles to default for +the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.All +version: 1.0 + +[ClickHouse] SHALL support setting or changing all granted roles to default +for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.AllExcept +version: 1.0 + +[ClickHouse] SHALL support setting or changing all granted roles except those specified +to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.None +version: 1.0 + +[ClickHouse] SHALL support removing all granted roles from default +for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement. + +#### RQ.SRS-006.RBAC.SetDefaultRole.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement. + +```sql +SET DEFAULT ROLE + {NONE | role [,...] | ALL | ALL EXCEPT role [,...]} + TO {user|CURRENT_USER} [,...] + +``` + +### Set Role + +#### RQ.SRS-006.RBAC.SetRole +version: 1.0 + +[ClickHouse] SHALL support activating role or roles for the current user +using `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.Default +version: 1.0 + +[ClickHouse] SHALL support activating default roles for the current user +using `DEFAULT` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.None +version: 1.0 + +[ClickHouse] SHALL support activating no roles for the current user +using `NONE` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.All +version: 1.0 + +[ClickHouse] SHALL support activating all roles for the current user +using `ALL` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.AllExcept +version: 1.0 + +[ClickHouse] SHALL support activating all roles except those specified +for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement. + +#### RQ.SRS-006.RBAC.SetRole.Syntax +version: 1.0 + +```sql +SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]} +``` + +### Grant + +#### RQ.SRS-006.RBAC.Grant.Privilege.To +version: 1.0 + +[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause +in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser +version: 1.0 + +[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause +in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Select +version: 1.0 + +[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles +for a database or a table using the `GRANT SELECT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Insert +version: 1.0 + +[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles +for a database or a table using the `GRANT INSERT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Alter +version: 1.0 + +[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles +for a database or a table using the `GRANT ALTER` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Create +version: 1.0 + +[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles +using the `GRANT CREATE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Drop +version: 1.0 + +[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles +using the `GRANT DROP` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Truncate +version: 1.0 + +[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles +for a database or a table using `GRANT TRUNCATE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Optimize +version: 1.0 + +[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles +for a database or a table using `GRANT OPTIMIZE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Show +version: 1.0 + +[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles +for a database or a table using `GRANT SHOW` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.KillQuery +version: 1.0 + +[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles +for a database or a table using `GRANT KILL QUERY` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement +version: 1.0 + +[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles +for a database or a table using `GRANT ACCESS MANAGEMENT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.System +version: 1.0 + +[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles +for a database or a table using `GRANT SYSTEM` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Introspection +version: 1.0 + +[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles +for a database or a table using `GRANT INTROSPECTION` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Sources +version: 1.0 + +[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles +for a database or a table using `GRANT SOURCES` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.DictGet +version: 1.0 + +[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles +for a database or a table using `GRANT dictGet` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.None +version: 1.0 + +[ClickHouse] SHALL support granting no privileges to one or more users or roles +for a database or a table using `GRANT NONE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.All +version: 1.0 + +[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles +using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements. + +#### RQ.SRS-006.RBAC.Grant.Privilege.GrantOption +version: 1.0 + +[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles +for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.On +version: 1.0 + +[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement +which SHALL allow to specify one or more tables to which the privilege SHALL +be granted using the following patterns + +* `*.*` any table in any database +* `database.*` any table in the specified database +* `database.table` specific table in the specified database +* `*` any table in the current database +* `table` specific table in the current database + +#### RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns +version: 1.0 + +[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles +for a database or a table using the `GRANT some_privilege(column)` statement for one column. +Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement. +The privileges will be granted for only the specified columns. + +#### RQ.SRS-006.RBAC.Grant.Privilege.OnCluster +version: 1.0 + +[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER` +clause in the `GRANT PRIVILEGE` statement. + +#### RQ.SRS-006.RBAC.Grant.Privilege.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `GRANT` statement that +grants explicit privileges to a user or a role. + +```sql +GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] + ON {db.table|db.*|*.*|table|*} + TO {user | role | CURRENT_USER} [,...] + [WITH GRANT OPTION] +``` + +### Revoke + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Cluster +version: 1.0 + +[ClickHouse] SHALL support revoking privileges to one or more users or roles +for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Select +version: 1.0 + +[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles +for a database or a table using the `REVOKE SELECT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Insert +version: 1.0 + +[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles +for a database or a table using the `REVOKE INSERT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Alter +version: 1.0 + +[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles +for a database or a table using the `REVOKE ALTER` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Create +version: 1.0 + +[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles +using the `REVOKE CREATE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Drop +version: 1.0 + +[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles +using the `REVOKE DROP` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Truncate +version: 1.0 + +[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles +for a database or a table using the `REVOKE TRUNCATE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Optimize +version: 1.0 + +[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles +for a database or a table using the `REVOKE OPTIMIZE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Show +version: 1.0 + +[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles +for a database or a table using the `REVOKE SHOW` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery +version: 1.0 + +[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles +for a database or a table using the `REVOKE KILL QUERY` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement +version: 1.0 + +[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles +for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.System +version: 1.0 + +[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles +for a database or a table using the `REVOKE SYSTEM` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Introspection +version: 1.0 + +[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles +for a database or a table using the `REVOKE INTROSPECTION` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Sources +version: 1.0 + +[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles +for a database or a table using the `REVOKE SOURCES` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.DictGet +version: 1.0 + +[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles +for a database or a table using the `REVOKE dictGet` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.PrivilegeColumns +version: 1.0 + +[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles +for a database or a table using the `REVOKE some_privilege(column)` statement for one column. +Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement. +The privileges will be revoked for only the specified columns. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Multiple +version: 1.0 + +[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles +for a database or a table using the `REVOKE privilege1, privilege2...` statement. +**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes +SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT, +SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.All +version: 1.0 + +[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles +for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.None +version: 1.0 + +[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles +for a database or a table using the `REVOKE NONE` statement. + +#### RQ.SRS-006.RBAC.Revoke.Privilege.On +version: 1.0 + +[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement +which SHALL allow to specify one or more tables to which the privilege SHALL +be revoked using the following patterns + +* `db.table` specific table in the specified database +* `db.*` any table in the specified database +* `*.*` any table in any database +* `table` specific table in the current database +* `*` any table in the current database + +#### RQ.SRS-006.RBAC.Revoke.Privilege.From +version: 1.0 + +[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement +which SHALL allow to specify one or more users to which the privilege SHALL +be revoked using the following patterns + +* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user +* `ALL` all users +* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern + +#### RQ.SRS-006.RBAC.Revoke.Privilege.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that +revokes explicit privileges of a user or a role. + +```sql +REVOKE [ON CLUSTER cluster_name] privilege + [(column_name [,...])] [,...] + ON {db.table|db.*|*.*|table|*} + FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...] +``` + +### Grant Role + +#### RQ.SRS-006.RBAC.Grant.Role +version: 1.0 + +[ClickHouse] SHALL support granting one or more roles to +one or more users or roles using the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.CurrentUser +version: 1.0 + +[ClickHouse] SHALL support granting one or more roles to current user using +`TO CURRENT_USER` clause in the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.AdminOption +version: 1.0 + +[ClickHouse] SHALL support granting `admin option` privilege +to one or more users or roles using the `WITH ADMIN OPTION` clause +in the `GRANT` role statement. + +#### RQ.SRS-006.RBAC.Grant.Role.OnCluster +version: 1.0 + +[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles +using `ON CLUSTER` clause in the `GRANT` statement. + +#### RQ.SRS-006.RBAC.Grant.Role.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for `GRANT` role statement + +``` sql +GRANT + ON CLUSTER cluster_name + role [, role ...] + TO {user | role | CURRENT_USER} [,...] + [WITH ADMIN OPTION] +``` + +### Revoke Role + +#### RQ.SRS-006.RBAC.Revoke.Role +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +one or more users or roles using the `REVOKE` role statement. + +#### RQ.SRS-006.RBAC.Revoke.Role.Keywords +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`, +and `CURRENT_USER` keywords. + +#### RQ.SRS-006.RBAC.Revoke.Role.Cluster +version: 1.0 + +[ClickHouse] SHALL support revoking one or more roles from +one or more users or roles from one or more clusters +using the `REVOKE ON CLUSTER` role statement. + +#### RQ.SRS-006.RBAC.Revoke.AdminOption +version: 1.0 + +[ClickHouse] SHALL support revoking `admin option` privilege +in one or more users or roles using the `ADMIN OPTION FOR` clause +in the `REVOKE` role statement. + +#### RQ.SRS-006.RBAC.Revoke.Role.Syntax +version: 1.0 + +[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement + +```sql +REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR] + role [,...] + FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...] +``` + +### Show Grants + +#### RQ.SRS-006.RBAC.Show.Grants +version: 1.0 + +[ClickHouse] SHALL support listing all the privileges granted to current user and role +using the `SHOW GRANTS` statement. + +#### RQ.SRS-006.RBAC.Show.Grants.For +version: 1.0 + +[ClickHouse] SHALL support listing all the privileges granted to a user or a role +using the `FOR` clause in the `SHOW GRANTS` statement. + +#### RQ.SRS-006.RBAC.Show.Grants.Syntax +version: 1.0 + +[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement + +``` sql +SHOW GRANTS [FOR user_or_role] +``` + +### Table Privileges + +#### RQ.SRS-006.RBAC.Table.PublicTables version: 1.0 [ClickHouse] SHALL support that a user without any privileges will be able to access the following tables @@ -2850,7 +12869,7 @@ version: 1.0 * system.contributors * system.functions -##### RQ.SRS-006.RBAC.Table.SensitiveTables +#### RQ.SRS-006.RBAC.Table.SensitiveTables version: 1.0 [ClickHouse] SHALL not support a user with no privileges accessing the following `system` tables: @@ -2867,15 +12886,15 @@ version: 1.0 * zookeeper * macros -#### Distributed Tables +### Distributed Tables -##### RQ.SRS-006.RBAC.DistributedTable.Create +#### RQ.SRS-006.RBAC.DistributedTable.Create version: 1.0 [ClickHouse] SHALL successfully `CREATE` a distributed table if and only if the user has **create table** privilege on the table and **remote** privilege on *.* -##### RQ.SRS-006.RBAC.DistributedTable.Select +#### RQ.SRS-006.RBAC.DistributedTable.Select version: 1.0 [ClickHouse] SHALL successfully `SELECT` from a distributed table if and only if @@ -2883,7 +12902,7 @@ the user has **select** privilege on the table and on the remote table specified Does not require **select** privilege for the remote table if the remote table does not exist on the same server as the user. -##### RQ.SRS-006.RBAC.DistributedTable.Insert +#### RQ.SRS-006.RBAC.DistributedTable.Insert version: 1.0 [ClickHouse] SHALL successfully `INSERT` into a distributed table if and only if @@ -2892,7 +12911,7 @@ the user has **insert** privilege on the table and on the remote table specified Does not require **insert** privilege for the remote table if the remote table does not exist on the same server as the user, insert executes into the remote table on a different server. -##### RQ.SRS-006.RBAC.DistributedTable.SpecialTables +#### RQ.SRS-006.RBAC.DistributedTable.SpecialTables version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table that uses one of the special tables if and only if @@ -2902,29 +12921,29 @@ Special tables include: * distributed table * source table of a materialized view -##### RQ.SRS-006.RBAC.DistributedTable.LocalUser +#### RQ.SRS-006.RBAC.DistributedTable.LocalUser version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table from a user present locally, but not remotely. -##### RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges +#### RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges version: 1.0 [ClickHouse] SHALL successfully execute a query using a distributed table by a user that exists on multiple nodes if and only if the user has the required privileges on the node the query is being executed from. -#### Views +### Views -##### View +#### View -###### RQ.SRS-006.RBAC.View +##### RQ.SRS-006.RBAC.View version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select** and **drop** privileges for a view for users or roles. -###### RQ.SRS-006.RBAC.View.Create +##### RQ.SRS-006.RBAC.View.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE VIEW` command if and only if @@ -2942,7 +12961,7 @@ CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 ``` -###### RQ.SRS-006.RBAC.View.Select +##### RQ.SRS-006.RBAC.View.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a view if and only if @@ -2962,21 +12981,21 @@ CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.View.Drop +##### RQ.SRS-006.RBAC.View.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -##### Materialized View +#### Materialized View -###### RQ.SRS-006.RBAC.MaterializedView +##### RQ.SRS-006.RBAC.MaterializedView version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop** privileges for a materialized view for users or roles. -###### RQ.SRS-006.RBAC.MaterializedView.Create +##### RQ.SRS-006.RBAC.MaterializedView.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE MATERIALIZED VIEW` command if and only if @@ -3008,7 +13027,7 @@ For example, CREATE MATERIALIZED VIEW view TO target_table AS SELECT * FROM source_table ``` -###### RQ.SRS-006.RBAC.MaterializedView.Select +##### RQ.SRS-006.RBAC.MaterializedView.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a materialized view if and only if @@ -3028,25 +13047,25 @@ CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable +##### RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from the target table, implicit or explicit, of a materialized view if and only if the user has `SELECT` privilege for the table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable +##### RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from the source table of a materialized view if and only if the user has `SELECT` privilege for the table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Drop +##### RQ.SRS-006.RBAC.MaterializedView.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.ModifyQuery +##### RQ.SRS-006.RBAC.MaterializedView.ModifyQuery version: 1.0 [ClickHouse] SHALL only successfully execute a `MODIFY QUERY` command if and only if @@ -3059,33 +13078,33 @@ For example, ALTER TABLE view MODIFY QUERY SELECT * FROM source_table ``` -###### RQ.SRS-006.RBAC.MaterializedView.Insert +##### RQ.SRS-006.RBAC.MaterializedView.Insert version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a materialized view if and only if the user has `INSERT` privilege on the view, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable +##### RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a source table of a materialized view if and only if the user has `INSERT` privilege on the source table, either explicitly or through a role. -###### RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable +##### RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable version: 1.0 [ClickHouse] SHALL only succesfully `INSERT` into a target table of a materialized view if and only if the user has `INSERT` privelege on the target table, either explicitly or through a role. -##### Live View +#### Live View -###### RQ.SRS-006.RBAC.LiveView +##### RQ.SRS-006.RBAC.LiveView version: 1.0 [ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop** privileges for a live view for users or roles. -###### RQ.SRS-006.RBAC.LiveView.Create +##### RQ.SRS-006.RBAC.LiveView.Create version: 1.0 [ClickHouse] SHALL only successfully execute a `CREATE LIVE VIEW` command if and only if @@ -3103,7 +13122,7 @@ CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNIO CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2 ``` -###### RQ.SRS-006.RBAC.LiveView.Select +##### RQ.SRS-006.RBAC.LiveView.Select version: 1.0 [ClickHouse] SHALL only successfully `SELECT` from a live view if and only if @@ -3123,28 +13142,28 @@ CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM SELECT * FROM view ``` -###### RQ.SRS-006.RBAC.LiveView.Drop +##### RQ.SRS-006.RBAC.LiveView.Drop version: 1.0 [ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if the user has **drop view** privilege on that view either explicitly or through a role. -###### RQ.SRS-006.RBAC.LiveView.Refresh +##### RQ.SRS-006.RBAC.LiveView.Refresh version: 1.0 [ClickHouse] SHALL only successfully execute an `ALTER LIVE VIEW REFRESH` command if and only if the user has **refresh** privilege on that view either explicitly or through a role. -#### Select +### Select -##### RQ.SRS-006.RBAC.Select +#### RQ.SRS-006.RBAC.Select version: 1.0 [ClickHouse] SHALL execute `SELECT` if and only if the user has the **select** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Select.Column +#### RQ.SRS-006.RBAC.Select.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **select** privilege @@ -3153,7 +13172,7 @@ Any `SELECT` statements SHALL not to be executed, unless the user has the **select** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Select.Cluster +#### RQ.SRS-006.RBAC.Select.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **select** privilege @@ -3161,7 +13180,7 @@ on a specified cluster to one or more **users** or **roles**. Any `SELECT` statements SHALL succeed only on nodes where the table exists and privilege was granted. -##### RQ.SRS-006.RBAC.Select.TableEngines +#### RQ.SRS-006.RBAC.Select.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **select** privilege @@ -3182,16 +13201,16 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -#### Insert +### Insert -##### RQ.SRS-006.RBAC.Insert +#### RQ.SRS-006.RBAC.Insert version: 1.0 [ClickHouse] SHALL execute `INSERT INTO` if and only if the user has the **insert** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Insert.Column +#### RQ.SRS-006.RBAC.Insert.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **insert** privilege @@ -3200,7 +13219,7 @@ Any `INSERT INTO` statements SHALL not to be executed, unless the user has the **insert** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -##### RQ.SRS-006.RBAC.Insert.Cluster +#### RQ.SRS-006.RBAC.Insert.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **insert** privilege @@ -3208,7 +13227,7 @@ on a specified cluster to one or more **users** or **roles**. Any `INSERT INTO` statements SHALL succeed only on nodes where the table exists and privilege was granted. -##### RQ.SRS-006.RBAC.Insert.TableEngines +#### RQ.SRS-006.RBAC.Insert.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **insert** privilege @@ -3229,11 +13248,11 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -#### Alter +### Alter -##### Alter Column +#### Alter Column -###### RQ.SRS-006.RBAC.Privileges.AlterColumn +##### RQ.SRS-006.RBAC.Privileges.AlterColumn version: 1.0 [ClickHouse] SHALL support controlling access to the **alter column** privilege @@ -3243,19 +13262,19 @@ return an error, unless the user has the **alter column** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant version: 1.0 [ClickHouse] SHALL support granting **alter column** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter column** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Column +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Column version: 1.0 [ClickHouse] SHALL support granting or revoking **alter column** privilege @@ -3264,7 +13283,7 @@ Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL retu unless the user has the **alter column** privilege for the destination column either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter column** privilege @@ -3272,7 +13291,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter column** privilege @@ -3293,9 +13312,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Index +#### Alter Index -###### RQ.SRS-006.RBAC.Privileges.AlterIndex +##### RQ.SRS-006.RBAC.Privileges.AlterIndex version: 1.0 [ClickHouse] SHALL support controlling access to the **alter index** privilege @@ -3305,19 +13324,19 @@ return an error, unless the user has the **alter index** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant version: 1.0 [ClickHouse] SHALL support granting **alter index** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter index** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter index** privilege @@ -3325,7 +13344,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter index** privilege @@ -3346,9 +13365,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Constraint +#### Alter Constraint -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint version: 1.0 [ClickHouse] SHALL support controlling access to the **alter constraint** privilege @@ -3358,19 +13377,19 @@ return an error, unless the user has the **alter constraint** privilege for the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant version: 1.0 [ClickHouse] SHALL support granting **alter constraint** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter constraint** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter constraint** privilege @@ -3378,7 +13397,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ADD|DROP CONSTRAINT` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter constraint** privilege @@ -3399,9 +13418,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter TTL +#### Alter TTL -###### RQ.SRS-006.RBAC.Privileges.AlterTTL +##### RQ.SRS-006.RBAC.Privileges.AlterTTL version: 1.0 [ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege @@ -3411,19 +13430,19 @@ return an error, unless the user has the **alter ttl** or **alter materialize tt the destination table either because of the explicit grant or through one of the roles assigned to the user. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant version: 1.0 [ClickHouse] SHALL support granting **alter ttl** or **alter materialize ttl** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter ttl** or **alter materialize ttl** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter ttl** or **alter materialize ttl** privilege @@ -3431,7 +13450,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege @@ -3439,9 +13458,9 @@ on tables created using the following engines * MergeTree -##### Alter Settings +#### Alter Settings -###### RQ.SRS-006.RBAC.Privileges.AlterSettings +##### RQ.SRS-006.RBAC.Privileges.AlterSettings version: 1.0 [ClickHouse] SHALL support controlling access to the **alter settings** privilege @@ -3452,19 +13471,19 @@ the destination table either because of the explicit grant or through one of the roles assigned to the user. The **alter settings** privilege allows modifying table engine settings. It doesn’t affect settings or server configuration parameters. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant version: 1.0 [ClickHouse] SHALL support granting **alter settings** privilege for a database or a specific table to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter settings** privilege for a database or a specific table to one or more **users** or **roles** -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster version: 1.0 [ClickHouse] SHALL support granting or revoking **alter settings** privilege @@ -3472,7 +13491,7 @@ on a specified cluster to one or more **users** or **roles**. Any `ALTER TABLE ... MODIFY SETTING setting` statements SHALL succeed only on nodes where the table exists and privilege was granted. -###### RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter settings** privilege @@ -3493,27 +13512,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Update +#### Alter Update -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate version: 1.0 [ClickHouse] SHALL successfully execute `ALTER UPDATE` statement if and only if the user has **alter update** privilege for that column, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant version: 1.0 [ClickHouse] SHALL support granting **alter update** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter update** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter update** privilege @@ -3534,27 +13553,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Delete +#### Alter Delete -###### RQ.SRS-006.RBAC.Privileges.AlterDelete +##### RQ.SRS-006.RBAC.Privileges.AlterDelete version: 1.0 [ClickHouse] SHALL successfully execute `ALTER DELETE` statement if and only if the user has **alter delete** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant version: 1.0 [ClickHouse] SHALL support granting **alter delete** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter delete** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter delete** privilege @@ -3575,27 +13594,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Freeze Partition +#### Alter Freeze Partition -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze version: 1.0 [ClickHouse] SHALL successfully execute `ALTER FREEZE` statement if and only if the user has **alter freeze** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant version: 1.0 [ClickHouse] SHALL support granting **alter freeze** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter freeze** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter freeze** privilege @@ -3616,27 +13635,27 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Fetch Partition +#### Alter Fetch Partition -###### RQ.SRS-006.RBAC.Privileges.AlterFetch +##### RQ.SRS-006.RBAC.Privileges.AlterFetch version: 1.0 [ClickHouse] SHALL successfully execute `ALTER FETCH` statement if and only if the user has **alter fetch** privilege for that table, either directly or through a role. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant version: 1.0 [ClickHouse] SHALL support granting **alter fetch** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter fetch** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter fetch** privilege @@ -3650,9 +13669,9 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree -##### Alter Move Partition +#### Alter Move Partition -###### RQ.SRS-006.RBAC.Privileges.AlterMove +##### RQ.SRS-006.RBAC.Privileges.AlterMove version: 1.0 [ClickHouse] SHALL successfully execute `ALTER MOVE` statement if and only if the user has **alter move**, **select**, and **alter delete** privilege on the source table @@ -3662,19 +13681,19 @@ For example, ALTER TABLE source_table MOVE PARTITION 1 TO target_table ``` -###### RQ.SRS-006.RBAC.Privileges.AlterMove.Grant +##### RQ.SRS-006.RBAC.Privileges.AlterMove.Grant version: 1.0 [ClickHouse] SHALL support granting **alter move** privilege on a column level to one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke +##### RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke version: 1.0 [ClickHouse] SHALL support revoking **alter move** privilege on a column level from one or more **users** or **roles**. -###### RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines +##### RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines version: 1.0 [ClickHouse] SHALL support controlling access to the **alter move** privilege @@ -3695,6 +13714,8 @@ on tables created using the following engines * ReplicatedVersionedCollapsingMergeTree * ReplicatedGraphiteMergeTree +### Create + #### RQ.SRS-006.RBAC.Privileges.CreateTable version: 1.0 @@ -3731,6 +13752,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `CREATE TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table, either directly or through a role. +### Attach + #### RQ.SRS-006.RBAC.Privileges.AttachDatabase version: 1.0 @@ -3755,6 +13778,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `ATTACH TABLE` statement if and only if the user has **create table** privilege on the table, either directly or through a role. +### Drop + #### RQ.SRS-006.RBAC.Privileges.DropTable version: 1.0 @@ -3773,6 +13798,8 @@ version: 1.0 [ClickHouse] SHALL successfully execute `DROP DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary, either directly or through a role. +### Detach + #### RQ.SRS-006.RBAC.Privileges.DetachTable version: 1.0 @@ -3797,354 +13824,360 @@ version: 1.0 [ClickHouse] SHALL successfully execute `DETACH DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary, either directly or through a role. +### Truncate + #### RQ.SRS-006.RBAC.Privileges.Truncate version: 1.0 [ClickHouse] SHALL successfully execute `TRUNCATE TABLE` statement if and only if the user has **truncate table** privilege on the table, either directly or through a role. +### Optimize + #### RQ.SRS-006.RBAC.Privileges.Optimize version: 1.0 [ClickHouse] SHALL successfully execute `OPTIMIZE TABLE` statement if and only if the user has **optimize table** privilege on the table, either directly or through a role. +### Kill Query + #### RQ.SRS-006.RBAC.Privileges.KillQuery version: 1.0 [ClickHouse] SHALL successfully execute `KILL QUERY` statement if and only if the user has **kill query** privilege, either directly or through a role. -#### Kill Mutation +### Kill Mutation -##### RQ.SRS-006.RBAC.Privileges.KillMutation +#### RQ.SRS-006.RBAC.Privileges.KillMutation version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` statement if and only if the user has the privilege that created the mutation, either directly or through a role. For example, to `KILL MUTATION` after `ALTER UPDATE` query, the user needs `ALTER UPDATE` privilege. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER UPDATE` mutation if and only if the user has `ALTER UPDATE` privilege on the table where the mutation was created, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DELETE` mutation if and only if the user has `ALTER DELETE` privilege on the table where the mutation was created, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn +#### RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn version: 1.0 [ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DROP COLUMN` mutation if and only if the user has `ALTER DROP COLUMN` privilege on the table where the mutation was created, either directly or through a role. -#### Show +### Show -##### RQ.SRS-006.RBAC.ShowTables.Privilege +#### RQ.SRS-006.RBAC.ShowTables.Privilege version: 1.0 [ClickHouse] SHALL grant **show tables** privilege on a table to a user if that user has recieved any grant, including `SHOW TABLES`, on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW TABLES` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `EXISTS table` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `CHECK table` statement if and only if the user has **show tables** privilege, or any privilege on the table either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDatabases.Privilege +#### RQ.SRS-006.RBAC.ShowDatabases.Privilege version: 1.0 [ClickHouse] SHALL grant **show databases** privilege on a database to a user if that user has recieved any grant, including `SHOW DATABASES`, on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW DATABASES` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE DATABASE` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege +#### RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `USE database` statement if and only if the user has **show databases** privilege, or any privilege on the database either directly or through a role. -##### RQ.SRS-006.RBAC.ShowColumns.Privilege +#### RQ.SRS-006.RBAC.ShowColumns.Privilege version: 1.0 [ClickHouse] SHALL support granting or revoking the `SHOW COLUMNS` privilege. -##### RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE TABLE` statement if and only if the user has **show columns** privilege on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege +#### RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `DESCRIBE table` statement if and only if the user has **show columns** privilege on that table, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDictionaries.Privilege +#### RQ.SRS-006.RBAC.ShowDictionaries.Privilege version: 1.0 [ClickHouse] SHALL grant **show dictionaries** privilege on a dictionary to a user if that user has recieved any grant, including `SHOW DICTIONARIES`, on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW DICTIONARIES` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -##### RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege +#### RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE DICTIONARY` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -##### RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege +#### RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `EXISTS dictionary` statement if and only if the user has **show dictionaries** privilege, or any privilege on the dictionary either directly or through a role. -#### Access Management +### Access Management -##### RQ.SRS-006.RBAC.Privileges.CreateUser +#### RQ.SRS-006.RBAC.Privileges.CreateUser version: 1.0 [ClickHouse] SHALL successfully execute `CREATE USER` statement if and only if the user has **create user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole +#### RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole version: 1.0 [ClickHouse] SHALL successfully execute `CREATE USER` statement with `DEFAULT ROLE ` clause if and only if the user has **create user** privilege and the role with **admin option**, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterUser +#### RQ.SRS-006.RBAC.Privileges.AlterUser version: 1.0 [ClickHouse] SHALL successfully execute `ALTER USER` statement if and only if the user has **alter user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropUser +#### RQ.SRS-006.RBAC.Privileges.DropUser version: 1.0 [ClickHouse] SHALL successfully execute `DROP USER` statement if and only if the user has **drop user** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateRole +#### RQ.SRS-006.RBAC.Privileges.CreateRole version: 1.0 [ClickHouse] SHALL successfully execute `CREATE ROLE` statement if and only if the user has **create role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterRole +#### RQ.SRS-006.RBAC.Privileges.AlterRole version: 1.0 [ClickHouse] SHALL successfully execute `ALTER ROLE` statement if and only if the user has **alter role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropRole +#### RQ.SRS-006.RBAC.Privileges.DropRole version: 1.0 [ClickHouse] SHALL successfully execute `DROP ROLE` statement if and only if the user has **drop role** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateRowPolicy +#### RQ.SRS-006.RBAC.Privileges.CreateRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `CREATE ROW POLICY` statement if and only if the user has **create row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterRowPolicy +#### RQ.SRS-006.RBAC.Privileges.AlterRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `ALTER ROW POLICY` statement if and only if the user has **alter row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropRowPolicy +#### RQ.SRS-006.RBAC.Privileges.DropRowPolicy version: 1.0 [ClickHouse] SHALL successfully execute `DROP ROW POLICY` statement if and only if the user has **drop row policy** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateQuota +#### RQ.SRS-006.RBAC.Privileges.CreateQuota version: 1.0 [ClickHouse] SHALL successfully execute `CREATE QUOTA` statement if and only if the user has **create quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterQuota +#### RQ.SRS-006.RBAC.Privileges.AlterQuota version: 1.0 [ClickHouse] SHALL successfully execute `ALTER QUOTA` statement if and only if the user has **alter quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropQuota +#### RQ.SRS-006.RBAC.Privileges.DropQuota version: 1.0 [ClickHouse] SHALL successfully execute `DROP QUOTA` statement if and only if the user has **drop quota** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `CREATE SETTINGS PROFILE` statement if and only if the user has **create settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `ALTER SETTINGS PROFILE` statement if and only if the user has **alter settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.DropSettingsProfile +#### RQ.SRS-006.RBAC.Privileges.DropSettingsProfile version: 1.0 [ClickHouse] SHALL successfully execute `DROP SETTINGS PROFILE` statement if and only if the user has **drop settings profile** privilege, or either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.RoleAdmin +#### RQ.SRS-006.RBAC.Privileges.RoleAdmin version: 1.0 [ClickHouse] SHALL successfully execute any role grant or revoke by a user with `ROLE ADMIN` privilege. -##### Show Access +#### Show Access -###### RQ.SRS-006.RBAC.ShowUsers.Privilege +##### RQ.SRS-006.RBAC.ShowUsers.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW USERS` privilege when the user is granted `SHOW USERS`, `SHOW CREATE USER`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW USERS` statement if and only if the user has **show users** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE USER` statement if and only if the user has **show users** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowRoles.Privilege +##### RQ.SRS-006.RBAC.ShowRoles.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW ROLES` privilege when the user is granted `SHOW ROLES`, `SHOW CREATE ROLE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW ROLES` statement if and only if the user has **show roles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE ROLE` statement if and only if the user has **show roles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowRowPolicies.Privilege +##### RQ.SRS-006.RBAC.ShowRowPolicies.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW ROW POLICIES` privilege when the user is granted `SHOW ROW POLICIES`, `SHOW POLICIES`, `SHOW CREATE ROW POLICY`, `SHOW CREATE POLICY`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW ROW POLICIES` or `SHOW POLICIES` statement if and only if the user has **show row policies** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE ROW POLICY` or `SHOW CREATE POLICY` statement if and only if the user has **show row policies** privilege,either directly or through a role. -###### RQ.SRS-006.RBAC.ShowQuotas.Privilege +##### RQ.SRS-006.RBAC.ShowQuotas.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW QUOTAS` privilege when the user is granted `SHOW QUOTAS`, `SHOW CREATE QUOTA`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW QUOTAS` statement if and only if the user has **show quotas** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE QUOTA` statement if and only if the user has **show quotas** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege +##### RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `SHOW SETTINGS PROFILES` privilege when the user is granted `SHOW SETTINGS PROFILES`, `SHOW PROFILES`, `SHOW CREATE SETTINGS PROFILE`, `SHOW SETTINGS PROFILE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`. -###### RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW SETTINGS PROFILES` or `SHOW PROFILES` statement if and only if the user has **show settings profiles** privilege, either directly or through a role. -###### RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege +##### RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `SHOW CREATE SETTINGS PROFILE` or `SHOW CREATE PROFILE` statement if and only if the user has **show settings profiles** privilege, either directly or through a role. -#### dictGet +### dictGet -##### RQ.SRS-006.RBAC.dictGet.Privilege +#### RQ.SRS-006.RBAC.dictGet.Privilege version: 1.0 [ClickHouse] SHALL successfully grant `dictGet` privilege when the user is granted `dictGet`, `dictHas`, `dictGetHierarchy`, or `dictIsIn`. -##### RQ.SRS-006.RBAC.dictGet.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGet` statement if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGet[TYPE]` statement @@ -4166,270 +14199,283 @@ Available types: * UUID * String -##### RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGetOrDefault` statement if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role. -##### RQ.SRS-006.RBAC.dictHas.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictHas.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictHas` statement if and only if the user has **dictGet** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictGetHierarchy` statement if and only if the user has **dictGet** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege +#### RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege version: 1.0 [ClickHouse] SHALL successfully execute `dictIsIn` statement if and only if the user has **dictGet** privilege, either directly or through a role. -#### Introspection +### Introspection -##### RQ.SRS-006.RBAC.Privileges.Introspection +#### RQ.SRS-006.RBAC.Privileges.Introspection version: 1.0 [ClickHouse] SHALL successfully grant `INTROSPECTION` privilege when the user is granted `INTROSPECTION` or `INTROSPECTION FUNCTIONS`. -##### RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine +#### RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine version: 1.0 [ClickHouse] SHALL successfully execute `addressToLine` statement if and only if the user has **introspection** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol +#### RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol version: 1.0 [ClickHouse] SHALL successfully execute `addressToSymbol` statement if and only if the user has **introspection** privilege, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Introspection.demangle +#### RQ.SRS-006.RBAC.Privileges.Introspection.demangle version: 1.0 [ClickHouse] SHALL successfully execute `demangle` statement if and only if the user has **introspection** privilege, either directly or through a role. -#### System +### System -##### RQ.SRS-006.RBAC.Privileges.System.Shutdown +#### RQ.SRS-006.RBAC.Privileges.System.Shutdown version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SHUTDOWN` privilege when the user is granted `SYSTEM`, `SYSTEM SHUTDOWN`, `SHUTDOWN`,or `SYSTEM KILL`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache +#### RQ.SRS-006.RBAC.Privileges.System.DropCache version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, or `DROP CACHE`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP DNS CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP DNS CACHE`, `SYSTEM DROP DNS`, `DROP DNS CACHE`, or `DROP DNS`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP MARK CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP MARK CACHE`, `SYSTEM DROP MARK`, `DROP MARK CACHE`, or `DROP MARKS`. -##### RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed +#### RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DROP UNCOMPRESSED CACHE` privilege when the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP UNCOMPRESSED CACHE`, `SYSTEM DROP UNCOMPRESSED`, `DROP UNCOMPRESSED CACHE`, or `DROP UNCOMPRESSED`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload +#### RQ.SRS-006.RBAC.Privileges.System.Reload version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD` privilege when the user is granted `SYSTEM` or `SYSTEM RELOAD`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Config +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Config version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD CONFIG` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD CONFIG`, or `RELOAD CONFIG`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARY` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries +#### RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARIES` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`. -##### RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries +#### RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RELOAD EMBEDDED DICTIONARIES` privilege when the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARY ON *.*`, or `SYSTEM RELOAD EMBEDDED DICTIONARIES`. -##### RQ.SRS-006.RBAC.Privileges.System.Merges +#### RQ.SRS-006.RBAC.Privileges.System.Merges version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM MERGES` privilege when the user is granted `SYSTEM`, `SYSTEM MERGES`, `SYSTEM STOP MERGES`, `SYSTEM START MERGES`, `STOP MERGES`, or `START MERGES`. -##### RQ.SRS-006.RBAC.Privileges.System.TTLMerges +#### RQ.SRS-006.RBAC.Privileges.System.TTLMerges version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM TTL MERGES` privilege when the user is granted `SYSTEM`, `SYSTEM TTL MERGES`, `SYSTEM STOP TTL MERGES`, `SYSTEM START TTL MERGES`, `STOP TTL MERGES`, or `START TTL MERGES`. -##### RQ.SRS-006.RBAC.Privileges.System.Fetches +#### RQ.SRS-006.RBAC.Privileges.System.Fetches version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FETCHES` privilege when the user is granted `SYSTEM`, `SYSTEM FETCHES`, `SYSTEM STOP FETCHES`, `SYSTEM START FETCHES`, `STOP FETCHES`, or `START FETCHES`. -##### RQ.SRS-006.RBAC.Privileges.System.Moves +#### RQ.SRS-006.RBAC.Privileges.System.Moves version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM MOVES` privilege when the user is granted `SYSTEM`, `SYSTEM MOVES`, `SYSTEM STOP MOVES`, `SYSTEM START MOVES`, `STOP MOVES`, or `START MOVES`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends +#### RQ.SRS-006.RBAC.Privileges.System.Sends version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM SENDS`, `SYSTEM STOP SENDS`, `SYSTEM START SENDS`, `STOP SENDS`, or `START SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed +#### RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM DISTRIBUTED SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM DISTRIBUTED SENDS`, `SYSTEM STOP DISTRIBUTED SENDS`, `SYSTEM START DISTRIBUTED SENDS`, `STOP DISTRIBUTED SENDS`, or `START DISTRIBUTED SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated +#### RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM REPLICATED SENDS` privilege when the user is granted `SYSTEM`, `SYSTEM REPLICATED SENDS`, `SYSTEM STOP REPLICATED SENDS`, `SYSTEM START REPLICATED SENDS`, `STOP REPLICATED SENDS`, or `START REPLICATED SENDS`. -##### RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues +#### RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM REPLICATION QUEUES` privilege when the user is granted `SYSTEM`, `SYSTEM REPLICATION QUEUES`, `SYSTEM STOP REPLICATION QUEUES`, `SYSTEM START REPLICATION QUEUES`, `STOP REPLICATION QUEUES`, or `START REPLICATION QUEUES`. -##### RQ.SRS-006.RBAC.Privileges.System.SyncReplica +#### RQ.SRS-006.RBAC.Privileges.System.SyncReplica version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM SYNC REPLICA` privilege when the user is granted `SYSTEM`, `SYSTEM SYNC REPLICA`, or `SYNC REPLICA`. -##### RQ.SRS-006.RBAC.Privileges.System.RestartReplica +#### RQ.SRS-006.RBAC.Privileges.System.RestartReplica version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM RESTART REPLICA` privilege when the user is granted `SYSTEM`, `SYSTEM RESTART REPLICA`, or `RESTART REPLICA`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush +#### RQ.SRS-006.RBAC.Privileges.System.Flush version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH` privilege when the user is granted `SYSTEM` or `SYSTEM FLUSH`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed +#### RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH DISTRIBUTED` privilege when the user is granted `SYSTEM`, `SYSTEM FLUSH DISTRIBUTED`, or `FLUSH DISTRIBUTED`. -##### RQ.SRS-006.RBAC.Privileges.System.Flush.Logs +#### RQ.SRS-006.RBAC.Privileges.System.Flush.Logs version: 1.0 [ClickHouse] SHALL successfully grant `SYSTEM FLUSH LOGS` privilege when the user is granted `SYSTEM`, `SYSTEM FLUSH LOGS`, or `FLUSH LOGS`. -#### Sources +### Sources -##### RQ.SRS-006.RBAC.Privileges.Sources +#### RQ.SRS-006.RBAC.Privileges.Sources version: 1.0 [ClickHouse] SHALL support granting or revoking `SOURCES` privilege from the user, either directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.File +#### RQ.SRS-006.RBAC.Privileges.Sources.File version: 1.0 [ClickHouse] SHALL support the use of `FILE` source by a user if and only if the user has `FILE` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.URL +#### RQ.SRS-006.RBAC.Privileges.Sources.URL version: 1.0 [ClickHouse] SHALL support the use of `URL` source by a user if and only if the user has `URL` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.Remote +#### RQ.SRS-006.RBAC.Privileges.Sources.Remote version: 1.0 [ClickHouse] SHALL support the use of `REMOTE` source by a user if and only if the user has `REMOTE` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.MySQL +#### RQ.SRS-006.RBAC.Privileges.Sources.MySQL version: 1.0 [ClickHouse] SHALL support the use of `MySQL` source by a user if and only if the user has `MySQL` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.ODBC +#### RQ.SRS-006.RBAC.Privileges.Sources.ODBC version: 1.0 [ClickHouse] SHALL support the use of `ODBC` source by a user if and only if the user has `ODBC` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.JDBC +#### RQ.SRS-006.RBAC.Privileges.Sources.JDBC version: 1.0 [ClickHouse] SHALL support the use of `JDBC` source by a user if and only if the user has `JDBC` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.HDFS +#### RQ.SRS-006.RBAC.Privileges.Sources.HDFS version: 1.0 [ClickHouse] SHALL support the use of `HDFS` source by a user if and only if the user has `HDFS` or `SOURCES` privileges granted to them directly or through a role. -##### RQ.SRS-006.RBAC.Privileges.Sources.S3 +#### RQ.SRS-006.RBAC.Privileges.Sources.S3 version: 1.0 [ClickHouse] SHALL support the use of `S3` source by a user if and only if the user has `S3` or `SOURCES` privileges granted to them directly or through a role. -#### RQ.SRS-006.RBAC.Privileges.GrantOption +### RQ.SRS-006.RBAC.Privileges.GrantOption version: 1.0 [ClickHouse] SHALL successfully execute `GRANT` or `REVOKE` privilege statements by a user if and only if the user has that privilege with `GRANT OPTION`, either directly or through a role. -#### RQ.SRS-006.RBAC.Privileges.All +### RQ.SRS-006.RBAC.Privileges.All version: 1.0 -[ClickHouse] SHALL support granting or revoking `ALL` privilege. +[ClickHouse] SHALL support granting or revoking `ALL` privilege +using `GRANT ALL ON *.* TO user`. -#### RQ.SRS-006.RBAC.Privileges.AdminOption +### RQ.SRS-006.RBAC.Privileges.RoleAll +version: 1.0 + +[ClickHouse] SHALL support granting a role named `ALL` using `GRANT ALL TO user`. +This shall only grant the user the privileges that have been granted to the role. + +### RQ.SRS-006.RBAC.Privileges.None +version: 1.0 + +[ClickHouse] SHALL support granting or revoking `NONE` privilege +using `GRANT NONE TO user` or `GRANT USAGE ON *.* TO user`. + +### RQ.SRS-006.RBAC.Privileges.AdminOption version: 1.0 [ClickHouse] SHALL support a user granting or revoking a role if and only if @@ -4451,7845 +14497,3 @@ the user has that role with `ADMIN OPTION` privilege. [MySQL]: https://dev.mysql.com/doc/refman/8.0/en/account-management-statements.html [PostgreSQL]: https://www.postgresql.org/docs/12/user-manag.html ''') - -RQ_SRS_006_RBAC = Requirement( - name='RQ.SRS-006.RBAC', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support role based access control.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Login = Requirement( - name='RQ.SRS-006.RBAC.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only allow access to the server for a given\n' - 'user only when correct username and password are used during\n' - 'the connection to the server.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Login_DefaultUser = Requirement( - name='RQ.SRS-006.RBAC.Login.DefaultUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL use the **default user** when no username and password\n' - 'are specified during the connection to the server.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User = Requirement( - name='RQ.SRS-006.RBAC.User', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creation and manipulation of\n' - 'one or more **user** accounts to which roles, privileges,\n' - 'settings profile, quotas and row policies can be assigned.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Roles = Requirement( - name='RQ.SRS-006.RBAC.User.Roles', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **roles**\n' - 'to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Privileges = Requirement( - name='RQ.SRS-006.RBAC.User.Privileges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more privileges to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Variables = Requirement( - name='RQ.SRS-006.RBAC.User.Variables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more variables to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Variables_Constraints = Requirement( - name='RQ.SRS-006.RBAC.User.Variables.Constraints', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning min, max and read-only constraints\n' - 'for the variables that can be set and read by the **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_SettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.User.SettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **settings profiles**\n' - 'to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Quotas = Requirement( - name='RQ.SRS-006.RBAC.User.Quotas', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **quotas** to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_RowPolicies = Requirement( - name='RQ.SRS-006.RBAC.User.RowPolicies', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **row policies** to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_AccountLock = Requirement( - name='RQ.SRS-006.RBAC.User.AccountLock', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support locking and unlocking of **user** accounts.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_AccountLock_DenyAccess = Requirement( - name='RQ.SRS-006.RBAC.User.AccountLock.DenyAccess', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL deny access to the user whose account is locked.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_DefaultRole = Requirement( - name='RQ.SRS-006.RBAC.User.DefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning a default role to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_RoleSelection = Requirement( - name='RQ.SRS-006.RBAC.User.RoleSelection', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support selection of one or more **roles** from the available roles\n' - 'that are assigned to a **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_ShowCreate = Requirement( - name='RQ.SRS-006.RBAC.User.ShowCreate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the command of how **user** account was created.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_ShowPrivileges = Requirement( - name='RQ.SRS-006.RBAC.User.ShowPrivileges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support listing the privileges of the **user**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role = Requirement( - name='RQ.SRS-006.RBAC.Role', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClikHouse] SHALL support creation and manipulation of **roles**\n' - 'to which privileges, settings profile, quotas and row policies can be\n' - 'assigned.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Privileges = Requirement( - name='RQ.SRS-006.RBAC.Role.Privileges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more privileges to a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Variables = Requirement( - name='RQ.SRS-006.RBAC.Role.Variables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more variables to a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_SettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.Role.SettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **settings profiles**\n' - 'to a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Quotas = Requirement( - name='RQ.SRS-006.RBAC.Role.Quotas', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **quotas** to a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_RowPolicies = Requirement( - name='RQ.SRS-006.RBAC.Role.RowPolicies', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning one or more **row policies** to a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_PartialRevokes = Requirement( - name='RQ.SRS-006.RBAC.PartialRevokes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support partial revoking of privileges granted\n' - 'to a **user** or a **role**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creation and manipulation of **settings profiles**\n' - 'that can include value definition for one or more variables and can\n' - 'can be assigned to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Constraints = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Constraints', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning min, max and read-only constraints\n' - 'for the variables specified in the **settings profile**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_ShowCreate = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.ShowCreate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the command of how **setting profile** was created.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas = Requirement( - name='RQ.SRS-006.RBAC.Quotas', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creation and manipulation of **quotas**\n' - 'that can be used to limit resource usage by a **user** or a **role**\n' - 'over a period of time.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_Keyed = Requirement( - name='RQ.SRS-006.RBAC.Quotas.Keyed', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating **quotas** that are keyed\n' - 'so that a quota is tracked separately for each key value.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_Queries = Requirement( - name='RQ.SRS-006.RBAC.Quotas.Queries', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **queries** quota to limit the total number of requests.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_Errors = Requirement( - name='RQ.SRS-006.RBAC.Quotas.Errors', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **errors** quota to limit the number of queries that threw an exception.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ResultRows = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ResultRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **result rows** quota to limit the\n' - 'the total number of rows given as the result.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ReadRows = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ReadRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **read rows** quota to limit the total\n' - 'number of source rows read from tables for running the query on all remote servers.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ResultBytes = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ResultBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **result bytes** quota to limit the total number\n' - 'of bytes that can be returned as the result.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ReadBytes = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ReadBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **read bytes** quota to limit the total number\n' - 'of source bytes read from tables for running the query on all remote servers.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ExecutionTime = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ExecutionTime', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting **execution time** quota to limit the maximum\n' - 'query execution time.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quotas_ShowCreate = Requirement( - name='RQ.SRS-006.RBAC.Quotas.ShowCreate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the command of how **quota** was created.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creation and manipulation of table **row policies**\n' - 'that can be used to limit access to the table contents for a **user** or a **role**\n' - 'using a specified **condition**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Condition = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Condition', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support row policy **conditions** that can be any SQL\n' - 'expression that returns a boolean.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowCreate = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowCreate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the command of how **row policy** was created.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Use_DefaultRole = Requirement( - name='RQ.SRS-006.RBAC.User.Use.DefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL by default use default role or roles assigned\n' - 'to the user if specified.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Use_AllRolesWhenNoDefaultRole = Requirement( - name='RQ.SRS-006.RBAC.User.Use.AllRolesWhenNoDefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL by default use all the roles assigned to the user\n' - 'if no default role or roles are specified for the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create = Requirement( - name='RQ.SRS-006.RBAC.User.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating **user** accounts using `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_IfNotExists = Requirement( - name='RQ.SRS-006.RBAC.User.Create.IfNotExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE USER` statement\n' - 'to skip raising an exception if a user with the same **name** already exists.\n' - 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a user with the same **name** already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Replace = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Replace', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE USER` statement\n' - 'to replace existing user account if already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_NoPassword = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying no password when creating\n' - 'user account using `IDENTIFIED WITH NO_PASSWORD` clause .\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_NoPassword_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.NoPassword.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL use no password for the user when connecting to the server\n' - 'when an account was created with `IDENTIFIED WITH NO_PASSWORD` clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_PlainText = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.PlainText', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying plaintext password when creating\n' - 'user account using `IDENTIFIED WITH PLAINTEXT_PASSWORD BY` clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_PlainText_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.PlainText.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL use the plaintext password passed by the user when connecting to the server\n' - 'when an account was created with `IDENTIFIED WITH PLAINTEXT_PASSWORD` clause\n' - 'and compare the password with the one used in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_Sha256Password = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying SHA256\n' - 'to some password when creating user account using `IDENTIFIED WITH SHA256_PASSWORD BY` or `IDENTIFIED BY`\n' - 'clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_Sha256Password_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Password.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL calculate `SHA256` of the password passed by the user when connecting to the server\n' - "when an account was created with `IDENTIFIED WITH SHA256_PASSWORD` or with 'IDENTIFIED BY' clause\n" - 'and compare the calculated hash to the one used in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying SHA256\n' - 'to some already calculated hash when creating user account using `IDENTIFIED WITH SHA256_HASH`\n' - 'clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.Sha256Hash.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL calculate `SHA256` of the already calculated hash passed by\n' - 'the user when connecting to the server\n' - 'when an account was created with `IDENTIFIED WITH SHA256_HASH` clause\n' - 'and compare the calculated hash to the one used in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying SHA1 two times\n' - 'to a password when creating user account using `IDENTIFIED WITH DOUBLE_SHA1_PASSWORD`\n' - 'clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Password.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL calculate `SHA1` two times over the password passed by\n' - 'the user when connecting to the server\n' - 'when an account was created with `IDENTIFIED WITH DOUBLE_SHA1_PASSWORD` clause\n' - 'and compare the calculated value to the one used in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying SHA1 two times\n' - 'to a hash when creating user account using `IDENTIFIED WITH DOUBLE_SHA1_HASH`\n' - 'clause.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash_Login = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Password.DoubleSha1Hash.Login', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL calculate `SHA1` two times over the hash passed by\n' - 'the user when connecting to the server\n' - 'when an account was created with `IDENTIFIED WITH DOUBLE_SHA1_HASH` clause\n' - 'and compare the calculated value to the one used in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Name = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Name', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more hostnames from\n' - 'which user can access the server using the `HOST NAME` clause\n' - 'in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Regexp = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Regexp', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more regular expressions\n' - 'to match hostnames from which user can access the server\n' - 'using the `HOST REGEXP` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_IP = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.IP', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more IP address or subnet from\n' - 'which user can access the server using the `HOST IP` clause in the\n' - '`CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Any = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Any', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying `HOST ANY` clause in the `CREATE USER` statement\n' - 'to indicate that user can access the server from any host.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_None = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support fobidding access from any host using `HOST NONE` clause in the\n' - '`CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Local = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Local', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting user access to local only using `HOST LOCAL` clause in the\n' - '`CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Like = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Like', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying host using `LIKE` command syntax using the\n' - '`HOST LIKE` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Host_Default = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Host.Default', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support user access to server from any host\n' - 'if no `HOST` clause is specified in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_DefaultRole = Requirement( - name='RQ.SRS-006.RBAC.User.Create.DefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more default roles\n' - 'using `DEFAULT ROLE` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_DefaultRole_None = Requirement( - name='RQ.SRS-006.RBAC.User.Create.DefaultRole.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying no default roles\n' - 'using `DEFAULT ROLE NONE` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_DefaultRole_All = Requirement( - name='RQ.SRS-006.RBAC.User.Create.DefaultRole.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying all roles to be used as default\n' - 'using `DEFAULT ROLE ALL` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Settings = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Settings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying settings and profile\n' - 'using `SETTINGS` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.User.Create.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying cluster on which the user\n' - 'will be created using `ON CLUSTER` clause in the `CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Create_Syntax = Requirement( - name='RQ.SRS-006.RBAC.User.Create.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for `CREATE USER` statement.\n' - '\n' - '```sql\n' - 'CREATE USER [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]\n' - " [IDENTIFIED [WITH {NO_PASSWORD|PLAINTEXT_PASSWORD|SHA256_PASSWORD|SHA256_HASH|DOUBLE_SHA1_PASSWORD|DOUBLE_SHA1_HASH}] BY {'password'|'hash'}]\n" - " [HOST {LOCAL | NAME 'name' | NAME REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]\n" - ' [DEFAULT ROLE role [,...]]\n' - " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter = Requirement( - name='RQ.SRS-006.RBAC.User.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering **user** accounts using `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_OrderOfEvaluation = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.OrderOfEvaluation', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support evaluating `ALTER USER` statement from left to right\n' - 'where things defined on the right override anything that was previously defined on\n' - 'the left.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_IfExists = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER USER` statement\n' - 'to skip raising an exception (producing a warning instead) if a user with the specified **name** does not exist. If the `IF EXISTS` clause is not specified then an exception SHALL be raised if a user with the **name** does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Cluster = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the cluster the user is on\n' - 'when altering user account using `ON CLUSTER` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Rename = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Rename', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying a new name for the user when\n' - 'altering user account using `RENAME` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Password_PlainText = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Password.PlainText', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying plaintext password when altering\n' - 'user account using `IDENTIFIED WITH PLAINTEXT_PASSWORD BY` or\n' - 'using shorthand `IDENTIFIED BY` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Password_Sha256Password = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Password.Sha256Password', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying SHA256\n' - 'to some password as identification when altering user account using\n' - '`IDENTIFIED WITH SHA256_PASSWORD` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Password_DoubleSha1Password = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Password.DoubleSha1Password', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the result of applying Double SHA1\n' - 'to some password as identification when altering user account using\n' - '`IDENTIFIED WITH DOUBLE_SHA1_PASSWORD` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_AddDrop = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.AddDrop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering user by adding and dropping access to hosts with the `ADD HOST` or the `DROP HOST`in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_Local = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.Local', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting user access to local only using `HOST LOCAL` clause in the\n' - '`ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_Name = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.Name', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more hostnames from\n' - 'which user can access the server using the `HOST NAME` clause\n' - 'in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_Regexp = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.Regexp', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more regular expressions\n' - 'to match hostnames from which user can access the server\n' - 'using the `HOST REGEXP` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_IP = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.IP', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more IP address or subnet from\n' - 'which user can access the server using the `HOST IP` clause in the\n' - '`ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_Like = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.Like', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying sone or more similar hosts using `LIKE` command syntax using the `HOST LIKE` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_Any = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.Any', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying `HOST ANY` clause in the `ALTER USER` statement\n' - 'to indicate that user can access the server from any host.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Host_None = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Host.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support fobidding access from any host using `HOST NONE` clause in the\n' - '`ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_DefaultRole = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.DefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more default roles\n' - 'using `DEFAULT ROLE` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_DefaultRole_All = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying all roles to be used as default\n' - 'using `DEFAULT ROLE ALL` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_DefaultRole_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.DefaultRole.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more roles which will not be used as default\n' - 'using `DEFAULT ROLE ALL EXCEPT` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Settings = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Settings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying one or more variables\n' - 'using `SETTINGS` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Settings_Min = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Settings.Min', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying a minimum value for the variable specifed using `SETTINGS` with `MIN` clause in the `ALTER USER` statement.\n' - '\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Settings_Max = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Settings.Max', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying a maximum value for the variable specifed using `SETTINGS` with `MAX` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Settings_Profile = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Settings.Profile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying the name of a profile for the variable specifed using `SETTINGS` with `PROFILE` clause in the `ALTER USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Alter_Syntax = Requirement( - name='RQ.SRS-006.RBAC.User.Alter.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `ALTER USER` statement.\n' - '\n' - '```sql\n' - 'ALTER USER [IF EXISTS] name [ON CLUSTER cluster_name]\n' - ' [RENAME TO new_name]\n' - " [IDENTIFIED [WITH {PLAINTEXT_PASSWORD|SHA256_PASSWORD|DOUBLE_SHA1_PASSWORD}] BY {'password'|'hash'}]\n" - " [[ADD|DROP] HOST {LOCAL | NAME 'name' | REGEXP 'name_regexp' | IP 'address' | LIKE 'pattern'} [,...] | ANY | NONE]\n" - ' [DEFAULT ROLE role [,...] | ALL | ALL EXCEPT role [,...] ]\n' - " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting or changing granted roles to default for one or more\n' - 'users using `SET DEFAULT ROLE` statement which\n' - 'SHALL permanently change the default roles for the user or users if successful.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole_CurrentUser = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole.CurrentUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting or changing granted roles to default for\n' - 'the current user using `CURRENT_USER` clause in the `SET DEFAULT ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole_All = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting or changing all granted roles to default\n' - 'for one or more users using `ALL` clause in the `SET DEFAULT ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting or changing all granted roles except those specified\n' - 'to default for one or more users using `ALL EXCEPT` clause in the `SET DEFAULT ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole_None = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing all granted roles from default\n' - 'for one or more users using `NONE` clause in the `SET DEFAULT ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetDefaultRole_Syntax = Requirement( - name='RQ.SRS-006.RBAC.SetDefaultRole.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `SET DEFAULT ROLE` statement.\n' - '\n' - '```sql\n' - 'SET DEFAULT ROLE\n' - ' {NONE | role [,...] | ALL | ALL EXCEPT role [,...]}\n' - ' TO {user|CURRENT_USER} [,...]\n' - '\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole = Requirement( - name='RQ.SRS-006.RBAC.SetRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support activating role or roles for the current user\n' - 'using `SET ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole_Default = Requirement( - name='RQ.SRS-006.RBAC.SetRole.Default', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support activating default roles for the current user\n' - 'using `DEFAULT` clause in the `SET ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole_None = Requirement( - name='RQ.SRS-006.RBAC.SetRole.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support activating no roles for the current user\n' - 'using `NONE` clause in the `SET ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole_All = Requirement( - name='RQ.SRS-006.RBAC.SetRole.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support activating all roles for the current user\n' - 'using `ALL` clause in the `SET ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.SetRole.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support activating all roles except those specified\n' - 'for the current user using `ALL EXCEPT` clause in the `SET ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SetRole_Syntax = Requirement( - name='RQ.SRS-006.RBAC.SetRole.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '```sql\n' - 'SET ROLE {DEFAULT | NONE | role [,...] | ALL | ALL EXCEPT role [,...]}\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_ShowCreateUser = Requirement( - name='RQ.SRS-006.RBAC.User.ShowCreateUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE USER` statement used to create the current user object\n' - 'using the `SHOW CREATE USER` statement with `CURRENT_USER` or no argument.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_ShowCreateUser_For = Requirement( - name='RQ.SRS-006.RBAC.User.ShowCreateUser.For', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE USER` statement used to create the specified user object\n' - 'using the `FOR` clause in the `SHOW CREATE USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_ShowCreateUser_Syntax = Requirement( - name='RQ.SRS-006.RBAC.User.ShowCreateUser.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the following syntax for `SHOW CREATE USER` statement.\n' - '\n' - '```sql\n' - 'SHOW CREATE USER [name | CURRENT_USER]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Drop = Requirement( - name='RQ.SRS-006.RBAC.User.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing a user account using `DROP USER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Drop_IfExists = Requirement( - name='RQ.SRS-006.RBAC.User.Drop.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP USER` statement\n' - 'to skip raising an exception if the user account does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a user does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Drop_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.User.Drop.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP USER` statement\n' - 'to specify the name of the cluster the user should be dropped from.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_User_Drop_Syntax = Requirement( - name='RQ.SRS-006.RBAC.User.Drop.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for `DROP USER` statement\n' - '\n' - '```sql\n' - 'DROP USER [IF EXISTS] name [,...] [ON CLUSTER cluster_name]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Create = Requirement( - name='RQ.SRS-006.RBAC.Role.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating a **role** using `CREATE ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Create_IfNotExists = Requirement( - name='RQ.SRS-006.RBAC.Role.Create.IfNotExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE ROLE` statement\n' - 'to raising an exception if a role with the same **name** already exists.\n' - 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a role with the same **name** already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Create_Replace = Requirement( - name='RQ.SRS-006.RBAC.Role.Create.Replace', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE ROLE` statement\n' - 'to replace existing role if it already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Create_Settings = Requirement( - name='RQ.SRS-006.RBAC.Role.Create.Settings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying settings and profile using `SETTINGS`\n' - 'clause in the `CREATE ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Create_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Role.Create.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `CREATE ROLE` statement\n' - '\n' - '``` sql\n' - 'CREATE ROLE [IF NOT EXISTS | OR REPLACE] name\n' - " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter_IfExists = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE IF EXISTS` statement, where no exception\n' - 'will be thrown if the role does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE role ON CLUSTER` statement to specify the\n' - 'cluster location of the specified role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter_Rename = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter.Rename', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering one **role** using `ALTER ROLE role RENAME TO` statement which renames the\n' - 'role to a specified new name. If the new name already exists, that an exception SHALL be raised unless the\n' - '`IF EXISTS` clause is specified, by which no exception will be raised and nothing will change.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter_Settings = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter.Settings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the settings of one **role** using `ALTER ROLE role SETTINGS ...` statement.\n' - 'Altering variable values, creating max and min values, specifying readonly or writable, and specifying the\n' - 'profiles for which this alter change shall be applied to, are all supported, using the following syntax.\n' - '\n' - '```sql\n' - "[SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" - '```\n' - '\n' - 'One or more variables and profiles may be specified as shown above.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Alter_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Role.Alter.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '```sql\n' - 'ALTER ROLE [IF EXISTS] name [ON CLUSTER cluster_name]\n' - ' [RENAME TO new_name]\n' - " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | PROFILE 'profile_name'] [,...]\n" - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Drop = Requirement( - name='RQ.SRS-006.RBAC.Role.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing one or more roles using `DROP ROLE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Drop_IfExists = Requirement( - name='RQ.SRS-006.RBAC.Role.Drop.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP ROLE` statement\n' - 'to skip raising an exception if the role does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a role does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Drop_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Role.Drop.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP ROLE` statement to specify the cluster from which to drop the specified role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_Drop_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Role.Drop.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `DROP ROLE` statement\n' - '\n' - '``` sql\n' - 'DROP ROLE [IF EXISTS] name [,...] [ON CLUSTER cluster_name]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_ShowCreate = Requirement( - name='RQ.SRS-006.RBAC.Role.ShowCreate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support viewing the settings for a role upon creation with the `SHOW CREATE ROLE`\n' - 'statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Role_ShowCreate_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Role.ShowCreate.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `SHOW CREATE ROLE` command.\n' - '\n' - '```sql\n' - 'SHOW CREATE ROLE name\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_To = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.To', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting privileges to one or more users or roles using `TO` clause\n' - 'in the `GRANT PRIVILEGE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_ToCurrentUser = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.ToCurrentUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting privileges to current user using `TO CURRENT_USER` clause\n' - 'in the `GRANT PRIVILEGE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Select = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **select** privilege to one or more users or roles\n' - 'for a database or a table using the `GRANT SELECT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Insert = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Insert', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **insert** privilege to one or more users or roles\n' - 'for a database or a table using the `GRANT INSERT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Alter = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **alter** privilege to one or more users or roles\n' - 'for a database or a table using the `GRANT ALTER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Create = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **create** privilege to one or more users or roles\n' - 'using the `GRANT CREATE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Drop = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **drop** privilege to one or more users or roles\n' - 'using the `GRANT DROP` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Truncate = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Truncate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **truncate** privilege to one or more users or roles\n' - 'for a database or a table using `GRANT TRUNCATE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Optimize = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Optimize', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **optimize** privilege to one or more users or roles\n' - 'for a database or a table using `GRANT OPTIMIZE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Show = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Show', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **show** privilege to one or more users or roles\n' - 'for a database or a table using `GRANT SHOW` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_KillQuery = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.KillQuery', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **kill query** privilege to one or more users or roles\n' - 'for a database or a table using `GRANT KILL QUERY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_AccessManagement = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.AccessManagement', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **access management** privileges to one or more users or roles\n' - 'for a database or a table using `GRANT ACCESS MANAGEMENT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_System = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.System', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **system** privileges to one or more users or roles\n' - 'for a database or a table using `GRANT SYSTEM` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Introspection = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Introspection', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **introspection** privileges to one or more users or roles\n' - 'for a database or a table using `GRANT INTROSPECTION` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Sources = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Sources', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **sources** privileges to one or more users or roles\n' - 'for a database or a table using `GRANT SOURCES` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_DictGet = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.DictGet', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **dictGet** privilege to one or more users or roles\n' - 'for a database or a table using `GRANT dictGet` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_None = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting no privileges to one or more users or roles\n' - 'for a database or a table using `GRANT NONE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_All = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **all** privileges to one or more users or roles\n' - 'for a database or a table using the `GRANT ALL` or `GRANT ALL PRIVILEGES` statements.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_GrantOption = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.GrantOption', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the **grant option** privilege to one or more users or roles\n' - 'for a database or a table using the `WITH GRANT OPTION` clause in the `GRANT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_On = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `ON` clause in the `GRANT` privilege statement\n' - 'which SHALL allow to specify one or more tables to which the privilege SHALL\n' - 'be granted using the following patterns\n' - '\n' - '* `*.*` any table in any database\n' - '* `database.*` any table in the specified database\n' - '* `database.table` specific table in the specified database\n' - '* `*` any table in the current database\n' - '* `table` specific table in the current database\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_PrivilegeColumns = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.PrivilegeColumns', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting the privilege **some_privilege** to one or more users or roles\n' - 'for a database or a table using the `GRANT some_privilege(column)` statement for one column.\n' - 'Multiple columns will be supported with `GRANT some_privilege(column1, column2...)` statement.\n' - 'The privileges will be granted for only the specified columns.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying cluster on which to grant privileges using the `ON CLUSTER`\n' - 'clause in the `GRANT PRIVILEGE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Privilege_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Grant.Privilege.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `GRANT` statement that\n' - 'grants explicit privileges to a user or a role.\n' - '\n' - '```sql\n' - 'GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...]\n' - ' ON {db.table|db.*|*.*|table|*}\n' - ' TO {user | role | CURRENT_USER} [,...]\n' - ' [WITH GRANT OPTION]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking privileges to one or more users or roles\n' - 'for a database or a table on some specific cluster using the `REVOKE ON CLUSTER cluster_name` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Any = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Any', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking ANY privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE some_privilege` statement.\n' - '**some_privilege** refers to any Clickhouse defined privilege, whose hierarchy includes\n' - 'SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT,\n' - 'SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Select = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **select** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE SELECT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Insert = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Insert', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **insert** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE INSERT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Alter = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **alter** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE ALTER` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Create = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **create** privilege to one or more users or roles\n' - 'using the `REVOKE CREATE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Drop = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **drop** privilege to one or more users or roles\n' - 'using the `REVOKE DROP` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Truncate = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Truncate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **truncate** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE TRUNCATE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Optimize = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Optimize', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **optimize** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE OPTIMIZE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Show = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Show', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **show** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE SHOW` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_KillQuery = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.KillQuery', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **kill query** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE KILL QUERY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_AccessManagement = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.AccessManagement', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **access management** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE ACCESS MANAGEMENT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_System = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.System', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **system** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE SYSTEM` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Introspection = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Introspection', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **introspection** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE INTROSPECTION` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Sources = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Sources', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **sources** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE SOURCES` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_DictGet = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.DictGet', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the **dictGet** privilege to one or more users or roles\n' - 'for a database or a table using the `REVOKE dictGet` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_PrivelegeColumns = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.PrivelegeColumns', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking the privilege **some_privilege** to one or more users or roles\n' - 'for a database or a table using the `REVOKE some_privilege(column)` statement for one column.\n' - 'Multiple columns will be supported with `REVOKE some_privilege(column1, column2...)` statement.\n' - 'The privileges will be revoked for only the specified columns.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Multiple = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Multiple', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking MULTIPLE **privileges** to one or more users or roles\n' - 'for a database or a table using the `REVOKE privilege1, privilege2...` statement.\n' - '**privileges** refers to any set of Clickhouse defined privilege, whose hierarchy includes\n' - 'SELECT, INSERT, ALTER, CREATE, DROP, TRUNCATE, OPTIMIZE, SHOW, KILL QUERY, ACCESS MANAGEMENT,\n' - 'SYSTEM, INTROSPECTION, SOURCES, dictGet and all of their sub-privileges.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_All = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **all** privileges to one or more users or roles\n' - 'for a database or a table using the `REVOKE ALL` or `REVOKE ALL PRIVILEGES` statements.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_None = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **no** privileges to one or more users or roles\n' - 'for a database or a table using the `REVOKE NONE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_On = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `ON` clause in the `REVOKE` privilege statement\n' - 'which SHALL allow to specify one or more tables to which the privilege SHALL\n' - 'be revoked using the following patterns\n' - '\n' - '* `db.table` specific table in the specified database\n' - '* `db.*` any table in the specified database\n' - '* `*.*` any table in any database\n' - '* `table` specific table in the current database\n' - '* `*` any table in the current database\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_From = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.From', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `FROM` clause in the `REVOKE` privilege statement\n' - 'which SHALL allow to specify one or more users to which the privilege SHALL\n' - 'be revoked using the following patterns\n' - '\n' - '* `{user | CURRENT_USER} [,...]` some combination of users by name, which may include the current user\n' - '* `ALL` all users\n' - '* `ALL EXCEPT {user | CURRENT_USER} [,...]` the logical reverse of the first pattern\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Privilege_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Privilege.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `REVOKE` statement that\n' - 'revokes explicit privileges of a user or a role.\n' - '\n' - '```sql\n' - 'REVOKE [ON CLUSTER cluster_name] privilege\n' - ' [(column_name [,...])] [,...]\n' - ' ON {db.table|db.*|*.*|table|*}\n' - ' FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_PartialRevoke_Syntax = Requirement( - name='RQ.SRS-006.RBAC.PartialRevoke.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support partial revokes by using `partial_revokes` variable\n' - 'that can be set or unset using the following syntax.\n' - '\n' - 'To disable partial revokes the `partial_revokes` variable SHALL be set to `0`\n' - '\n' - '```sql\n' - 'SET partial_revokes = 0\n' - '```\n' - '\n' - 'To enable partial revokes the `partial revokes` variable SHALL be set to `1`\n' - '\n' - '```sql\n' - 'SET partial_revokes = 1\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Role = Requirement( - name='RQ.SRS-006.RBAC.Grant.Role', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting one or more roles to\n' - 'one or more users or roles using the `GRANT` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Role_CurrentUser = Requirement( - name='RQ.SRS-006.RBAC.Grant.Role.CurrentUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting one or more roles to current user using\n' - '`TO CURRENT_USER` clause in the `GRANT` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Role_AdminOption = Requirement( - name='RQ.SRS-006.RBAC.Grant.Role.AdminOption', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting `admin option` privilege\n' - 'to one or more users or roles using the `WITH ADMIN OPTION` clause\n' - 'in the `GRANT` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Role_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.Grant.Role.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying cluster on which the user is to be granted one or more roles\n' - 'using `ON CLUSTER` clause in the `GRANT` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Grant_Role_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Grant.Role.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for `GRANT` role statement\n' - '\n' - '``` sql\n' - 'GRANT\n' - ' ON CLUSTER cluster_name\n' - ' role [, role ...]\n' - ' TO {user | role | CURRENT_USER} [,...]\n' - ' [WITH ADMIN OPTION]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Role = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Role', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking one or more roles from\n' - 'one or more users or roles using the `REVOKE` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Role_Keywords = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Role.Keywords', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking one or more roles from\n' - 'special groupings of one or more users or roles with the `ALL`, `ALL EXCEPT`,\n' - 'and `CURRENT_USER` keywords.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Role_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Role.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking one or more roles from\n' - 'one or more users or roles from one or more clusters\n' - 'using the `REVOKE ON CLUSTER` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_AdminOption = Requirement( - name='RQ.SRS-006.RBAC.Revoke.AdminOption', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking `admin option` privilege\n' - 'in one or more users or roles using the `ADMIN OPTION FOR` clause\n' - 'in the `REVOKE` role statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Revoke_Role_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Revoke.Role.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `REVOKE` role statement\n' - '\n' - '```sql\n' - 'REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR]\n' - ' role [,...]\n' - ' FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Show_Grants = Requirement( - name='RQ.SRS-006.RBAC.Show.Grants', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support listing all the privileges granted to current user and role\n' - 'using the `SHOW GRANTS` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Show_Grants_For = Requirement( - name='RQ.SRS-006.RBAC.Show.Grants.For', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support listing all the privileges granted to a user or a role\n' - 'using the `FOR` clause in the `SHOW GRANTS` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Show_Grants_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Show.Grants.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[Clickhouse] SHALL use the following syntax for the `SHOW GRANTS` statement\n' - '\n' - '``` sql\n' - 'SHOW GRANTS [FOR user_or_role]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating settings profile using the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_IfNotExists = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.IfNotExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE SETTINGS PROFILE` statement\n' - 'to skip raising an exception if a settings profile with the same **name** already exists.\n' - 'If `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' - 'a settings profile with the same **name** already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Replace = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Replace', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE SETTINGS PROFILE` statement\n' - 'to replace existing settings profile if it already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Variables = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning values and constraints to one or more\n' - 'variables in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Value = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Value', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning variable value in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Variables.Constraints', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support setting `MIN`, `MAX`, `READONLY`, and `WRITABLE`\n' - 'constraints for the variables in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning settings profile to one or more users\n' - 'or roles in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning settings profile to no users or roles using\n' - '`TO NONE` clause in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning settings profile to all current users and roles\n' - 'using `TO ALL` clause in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Assignment.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment to one or more users or roles using\n' - 'the `ALL EXCEPT` clause in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Inherit', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support inheriting profile settings from indicated profile using\n' - 'the `INHERIT` clause in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying what cluster to create settings profile on\n' - 'using `ON CLUSTER` clause in the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Create_Syntax = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Create.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `CREATE SETTINGS PROFILE` statement.\n' - '\n' - '``` sql\n' - 'CREATE SETTINGS PROFILE [IF NOT EXISTS | OR REPLACE] name\n' - ' [ON CLUSTER cluster_name]\n' - " [SET varname [= value] [MIN min] [MAX max] [READONLY|WRITABLE] | [INHERIT 'profile_name'] [,...]]\n" - ' [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]}]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering settings profile using the `ALTER STETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER SETTINGS PROFILE` statement\n' - 'to not raise exception if a settings profile does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a settings profile does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Rename', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support renaming settings profile using the `RANAME TO` clause\n' - 'in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering values and constraints of one or more\n' - 'variables in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Value', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering value of the variable in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Variables.Constraints', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering `MIN`, `MAX`, `READONLY`, and `WRITABLE`\n' - 'constraints for the variables in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning settings profile to one or more users\n' - 'or roles using the `TO` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning settings profile to no users or roles using the\n' - '`TO NONE` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning settings profile to all current users and roles\n' - 'using the `TO ALL` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment to one or more users or roles using\n' - 'the `TO ALL EXCEPT` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_Inherit = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.Inherit', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the settings profile by inheriting settings from\n' - 'specified profile using `INHERIT` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Assignment.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the settings profile on a specified cluster using\n' - '`ON CLUSTER` clause in the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Alter_Syntax = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Alter.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `ALTER SETTINGS PROFILE` statement.\n' - '\n' - '``` sql\n' - 'ALTER SETTINGS PROFILE [IF EXISTS] name\n' - ' [ON CLUSTER cluster_name]\n' - ' [RENAME TO new_name]\n' - " [SETTINGS variable [= value] [MIN [=] min_value] [MAX [=] max_value] [READONLY|WRITABLE] | INHERIT 'profile_name'] [,...]\n" - ' [TO {user_or_role [,...] | NONE | ALL | ALL EXCEPT user_or_role [,...]]}\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Drop = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing one or more settings profiles using the `DROP SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Drop_IfExists = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Drop.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP SETTINGS PROFILE` statement\n' - 'to skip raising an exception if the settings profile does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if a settings profile does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Drop_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Drop.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support dropping one or more settings profiles on specified cluster using\n' - '`ON CLUSTER` clause in the `DROP SETTINGS PROFILE` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_Drop_Syntax = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.Drop.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `DROP SETTINGS PROFILE` statement\n' - '\n' - '``` sql\n' - 'DROP SETTINGS PROFILE [IF EXISTS] name [,name,...]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_SettingsProfile_ShowCreateSettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.SettingsProfile.ShowCreateSettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE SETTINGS PROFILE` statement used to create the settings profile\n' - 'using the `SHOW CREATE SETTINGS PROFILE` statement with the following syntax\n' - '\n' - '``` sql\n' - 'SHOW CREATE SETTINGS PROFILE name\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating quotas using the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_IfNotExists = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.IfNotExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE QUOTA` statement\n' - 'to skip raising an exception if a quota with the same **name** already exists.\n' - 'If `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' - 'a quota with the same **name** already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Replace = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Replace', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE QUOTA` statement\n' - 'to replace existing quota if it already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating quotas on a specific cluster with the\n' - '`ON CLUSTER` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Interval = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Interval', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support defining the quota interval that specifies\n' - 'a period of time over for which the quota SHALL apply using the\n' - '`FOR INTERVAL` clause in the `CREATE QUOTA` statement.\n' - '\n' - 'This statement SHALL also support a number and a time period which will be one\n' - 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' - '\n' - '`FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number\n' - 'to define the interval.\n' - '\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Interval_Randomized = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Interval.Randomized', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support defining the quota randomized interval that specifies\n' - 'a period of time over for which the quota SHALL apply using the\n' - '`FOR RANDOMIZED INTERVAL` clause in the `CREATE QUOTA` statement.\n' - '\n' - 'This statement SHALL also support a number and a time period which will be one\n' - 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' - '\n' - '`FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some\n' - 'real number to define the interval.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Queries = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Queries', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting number of requests over a period of time\n' - 'using the `QUERIES` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Errors = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Errors', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting number of queries that threw an exception\n' - 'using the `ERRORS` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_ResultRows = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.ResultRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the total number of rows given as the result\n' - 'using the `RESULT ROWS` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_ReadRows = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.ReadRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the total number of source rows read from tables\n' - 'for running the query on all remote servers\n' - 'using the `READ ROWS` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_ResultBytes = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.ResultBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the total number of bytes that can be returned as the result\n' - 'using the `RESULT BYTES` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_ReadBytes = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.ReadBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the total number of source bytes read from tables\n' - 'for running the query on all remote servers\n' - 'using the `READ BYTES` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_ExecutionTime = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.ExecutionTime', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the maximum query execution time\n' - 'using the `EXECUTION TIME` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_NoLimits = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.NoLimits', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the maximum query execution time\n' - 'using the `NO LIMITS` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_TrackingOnly = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.TrackingOnly', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the maximum query execution time\n' - 'using the `TRACKING ONLY` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_KeyedBy = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.KeyedBy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support to track quota for some key\n' - 'following the `KEYED BY` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_KeyedByOptions = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.KeyedByOptions', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support to track quota separately for some parameter\n' - "using the `KEYED BY 'parameter'` clause in the `CREATE QUOTA` statement.\n" - '\n' - "'parameter' can be one of:\n" - "`{'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}`\n" - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Assignment = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning quota to one or more users\n' - 'or roles using the `TO` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning quota to no users or roles using\n' - '`TO NONE` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning quota to all current users and roles\n' - 'using `TO ALL` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Assignment_Except = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Assignment.Except', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment of quota to one or more users or roles using\n' - 'the `EXCEPT` clause in the `CREATE QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Create_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Quota.Create.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `CREATE QUOTA` statement\n' - '\n' - '```sql\n' - 'CREATE QUOTA [IF NOT EXISTS | OR REPLACE] name [ON CLUSTER cluster_name]\n' - " [KEYED BY {'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}]\n" - ' [FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}\n' - ' {MAX { {QUERIES | ERRORS | RESULT ROWS | RESULT BYTES | READ ROWS | READ BYTES | EXECUTION TIME} = number } [,...] |\n' - ' NO LIMITS | TRACKING ONLY} [,...]]\n' - ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering quotas using the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_IfExists = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF EXISTS` clause in the `ALTER QUOTA` statement\n' - 'to skip raising an exception if a quota does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be raised if\n' - 'a quota does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Rename = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Rename', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `RENAME TO` clause in the `ALTER QUOTA` statement\n' - 'to rename the quota to the specified name.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering quotas on a specific cluster with the\n' - '`ON CLUSTER` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Interval = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Interval', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support redefining the quota interval that specifies\n' - 'a period of time over for which the quota SHALL apply using the\n' - '`FOR INTERVAL` clause in the `ALTER QUOTA` statement.\n' - '\n' - 'This statement SHALL also support a number and a time period which will be one\n' - 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' - '\n' - '`FOR INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some real number\n' - 'to define the interval.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Interval_Randomized = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Interval.Randomized', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support redefining the quota randomized interval that specifies\n' - 'a period of time over for which the quota SHALL apply using the\n' - '`FOR RANDOMIZED INTERVAL` clause in the `ALTER QUOTA` statement.\n' - '\n' - 'This statement SHALL also support a number and a time period which will be one\n' - 'of `{SECOND | MINUTE | HOUR | DAY | MONTH}`. Thus, the complete syntax SHALL be:\n' - '\n' - '`FOR [RANDOMIZED] INTERVAL number {SECOND | MINUTE | HOUR | DAY}` where number is some\n' - 'real number to define the interval.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Queries = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Queries', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of number of requests over a period of time\n' - 'using the `QUERIES` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Errors = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Errors', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of number of queries that threw an exception\n' - 'using the `ERRORS` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_ResultRows = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.ResultRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of the total number of rows given as the result\n' - 'using the `RESULT ROWS` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_ReadRows = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.ReadRows', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of the total number of source rows read from tables\n' - 'for running the query on all remote servers\n' - 'using the `READ ROWS` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ALter_ResultBytes = Requirement( - name='RQ.SRS-006.RBAC.Quota.ALter.ResultBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of the total number of bytes that can be returned as the result\n' - 'using the `RESULT BYTES` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_ReadBytes = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.ReadBytes', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of the total number of source bytes read from tables\n' - 'for running the query on all remote servers\n' - 'using the `READ BYTES` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_ExecutionTime = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.ExecutionTime', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering the limit of the maximum query execution time\n' - 'using the `EXECUTION TIME` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_NoLimits = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.NoLimits', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the maximum query execution time\n' - 'using the `NO LIMITS` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_TrackingOnly = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.TrackingOnly', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support limiting the maximum query execution time\n' - 'using the `TRACKING ONLY` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_KeyedBy = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.KeyedBy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering quota to track quota separately for some key\n' - 'following the `KEYED BY` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_KeyedByOptions = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.KeyedByOptions', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering quota to track quota separately for some parameter\n' - "using the `KEYED BY 'parameter'` clause in the `ALTER QUOTA` statement.\n" - '\n' - "'parameter' can be one of:\n" - "`{'none' | 'user name' | 'ip address' | 'client key' | 'client key or user name' | 'client key or ip address'}`\n" - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Assignment = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning quota to one or more users\n' - 'or roles using the `TO` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning quota to no users or roles using\n' - '`TO NONE` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning quota to all current users and roles\n' - 'using `TO ALL` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Assignment_Except = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Assignment.Except', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment of quota to one or more users or roles using\n' - 'the `EXCEPT` clause in the `ALTER QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Alter_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Quota.Alter.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `ALTER QUOTA` statement\n' - '\n' - '``` sql\n' - 'ALTER QUOTA [IF EXIST] name\n' - ' {{{QUERIES | ERRORS | RESULT ROWS | READ ROWS | RESULT BYTES | READ BYTES | EXECUTION TIME} number} [, ...] FOR INTERVAL number time_unit} [, ...]\n' - ' [KEYED BY USERNAME | KEYED BY IP | NOT KEYED] [ALLOW CUSTOM KEY | DISALLOW CUSTOM KEY]\n' - ' [TO {user_or_role [,...] | NONE | ALL} [EXCEPT user_or_role [,...]]]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Drop = Requirement( - name='RQ.SRS-006.RBAC.Quota.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing one or more quotas using the `DROP QUOTA` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Drop_IfExists = Requirement( - name='RQ.SRS-006.RBAC.Quota.Drop.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `IF EXISTS` clause in the `DROP QUOTA` statement\n' - 'to skip raising an exception when the quota does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if the quota does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Drop_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Quota.Drop.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using `ON CLUSTER` clause in the `DROP QUOTA` statement\n' - 'to indicate the cluster the quota to be dropped is located on.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_Drop_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Quota.Drop.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `DROP QUOTA` statement\n' - '\n' - '``` sql\n' - 'DROP QUOTA [IF EXISTS] name [,name...]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowQuotas = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowQuotas', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing all of the current quotas\n' - 'using the `SHOW QUOTAS` statement with the following syntax\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowQuotas_IntoOutfile = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowQuotas.IntoOutfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `INTO OUTFILE` clause in the `SHOW QUOTAS` statement to define an outfile by some given string literal.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowQuotas_Format = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Format', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `FORMAT` clause in the `SHOW QUOTAS` statement to define a format for the output quota list.\n' - '\n' - 'The types of valid formats are many, listed in output column:\n' - 'https://clickhouse.tech/docs/en/interfaces/formats/\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowQuotas_Settings = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Settings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `SETTINGS` clause in the `SHOW QUOTAS` statement to define settings in the showing of all quotas.\n' - '\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowQuotas_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowQuotas.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using the `SHOW QUOTAS` statement\n' - 'with the following syntax\n' - '``` sql\n' - 'SHOW QUOTAS\n' - '```\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Name = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Name', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE QUOTA` statement used to create the quota with some given name\n' - 'using the `SHOW CREATE QUOTA` statement with the following syntax\n' - '\n' - '``` sql\n' - 'SHOW CREATE QUOTA name\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Current = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Current', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE QUOTA` statement used to create the CURRENT quota\n' - 'using the `SHOW CREATE QUOTA CURRENT` statement or the shorthand form\n' - '`SHOW CREATE QUOTA`\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Syntax = Requirement( - name='RQ.SRS-006.RBAC.Quota.ShowCreateQuota.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax when\n' - 'using the `SHOW CREATE QUOTA` statement.\n' - '\n' - '```sql\n' - 'SHOW CREATE QUOTA [name | CURRENT]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support creating row policy using the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.IfNotExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `IF NOT EXISTS` clause in the `CREATE ROW POLICY` statement\n' - 'to skip raising an exception if a row policy with the same **name** already exists.\n' - 'If the `IF NOT EXISTS` clause is not specified then an exception SHALL be raised if\n' - 'a row policy with the same **name** already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Replace = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Replace', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support `OR REPLACE` clause in the `CREATE ROW POLICY` statement\n' - 'to replace existing row policy if it already exists.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying cluster on which to create the role policy\n' - 'using the `ON CLUSTER` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_On = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying table on which to create the role policy\n' - 'using the `ON` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Access = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Access', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support allowing or restricting access to rows using the\n' - '`AS` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Access_Permissive = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Permissive', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support allowing access to rows using the\n' - '`AS PERMISSIVE` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Access_Restrictive = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Access.Restrictive', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support restricting access to rows using the\n' - '`AS RESTRICTIVE` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_ForSelect = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.ForSelect', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying which rows are affected\n' - 'using the `FOR SELECT` clause in the `CREATE ROW POLICY` statement.\n' - 'REQUIRES CONFIRMATION\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Condition = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Condition', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying a condition that\n' - 'that can be any SQL expression which returns a boolean using the `USING`\n' - 'clause in the `CREATE ROW POLOCY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Assignment = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning row policy to one or more users\n' - 'or roles using the `TO` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning row policy to no users or roles using\n' - 'the `TO NONE` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support assigning row policy to all current users and roles\n' - 'using `TO ALL` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Assignment.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment of row policy to one or more users or roles using\n' - 'the `ALL EXCEPT` clause in the `CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Create_Syntax = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Create.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `CRETE ROW POLICY` statement\n' - '\n' - '``` sql\n' - 'CREATE [ROW] POLICY [IF NOT EXISTS | OR REPLACE] policy_name [ON CLUSTER cluster_name] ON [db.]table\n' - ' [AS {PERMISSIVE | RESTRICTIVE}]\n' - ' [FOR SELECT]\n' - ' [USING condition]\n' - ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering row policy using the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the `IF EXISTS` clause in the `ALTER ROW POLICY` statement\n' - 'to skip raising an exception if a row policy does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be raised if\n' - 'a row policy does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_ForSelect = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.ForSelect', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support modifying rows on which to apply the row policy\n' - 'using the `FOR SELECT` clause in the `ALTER ROW POLICY` statement.\n' - 'REQUIRES FUNCTION CONFIRMATION.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying cluster on which to alter the row policy\n' - 'using the `ON CLUSTER` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_On = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support specifying table on which to alter the row policy\n' - 'using the `ON` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Rename = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Rename', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support renaming the row policy using the `RENAME` clause\n' - 'in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Access = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support altering access to rows using the\n' - '`AS` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Permissive = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Permissive', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support permitting access to rows using the\n' - '`AS PERMISSIVE` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Restrictive = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Access.Restrictive', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support restricting access to rows using the\n' - '`AS RESTRICTIVE` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Condition = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support re-specifying the row policy condition\n' - 'using the `USING` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Condition_None = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Condition.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing the row policy condition\n' - 'using the `USING NONE` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning row policy to one or more users\n' - 'or roles using the `TO` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_None = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.None', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning row policy to no users or roles using\n' - 'the `TO NONE` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_All = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support reassigning row policy to all current users and roles\n' - 'using the `TO ALL` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Assignment.AllExcept', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support excluding assignment of row policy to one or more users or roles using\n' - 'the `ALL EXCEPT` clause in the `ALTER ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Alter_Syntax = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Alter.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `ALTER ROW POLICY` statement\n' - '\n' - '``` sql\n' - 'ALTER [ROW] POLICY [IF EXISTS] name [ON CLUSTER cluster_name] ON [database.]table\n' - ' [RENAME TO new_name]\n' - ' [AS {PERMISSIVE | RESTRICTIVE}]\n' - ' [FOR SELECT]\n' - ' [USING {condition | NONE}][,...]\n' - ' [TO {role [,...] | ALL | ALL EXCEPT role [,...]}]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Drop = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing one or more row policies using the `DROP ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Drop_IfExists = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Drop.IfExists', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support using the `IF EXISTS` clause in the `DROP ROW POLICY` statement\n' - 'to skip raising an exception when the row policy does not exist.\n' - 'If the `IF EXISTS` clause is not specified then an exception SHALL be\n' - 'raised if the row policy does not exist.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Drop_On = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Drop.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing row policy from one or more specified tables\n' - 'using the `ON` clause in the `DROP ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Drop.OnCluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support removing row policy from specified cluster\n' - 'using the `ON CLUSTER` clause in the `DROP ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_Drop_Syntax = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.Drop.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for the `DROP ROW POLICY` statement.\n' - '\n' - '``` sql\n' - 'DROP [ROW] POLICY [IF EXISTS] name [,...] ON [database.]table [,...] [ON CLUSTER cluster_name]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing the `CREATE ROW POLICY` statement used to create the row policy\n' - 'using the `SHOW CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_On = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing statement used to create row policy on specific table\n' - 'using the `ON` in the `SHOW CREATE ROW POLICY` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_Syntax = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowCreateRowPolicy.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for `SHOW CREATE ROW POLICY`.\n' - '\n' - '``` sql\n' - 'SHOW CREATE [ROW] POLICY name ON [database.]table\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing row policies using the `SHOW ROW POLICIES` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_On = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.On', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support showing row policies on a specific table\n' - 'using the `ON` clause in the `SHOW ROW POLICIES` statement.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_Syntax = Requirement( - name='RQ.SRS-006.RBAC.RowPolicy.ShowRowPolicies.Syntax', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the following syntax for `SHOW ROW POLICIES`.\n' - '\n' - '```sql\n' - 'SHOW [ROW] POLICIES [ON [database.]table]\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Table_PublicTables = Requirement( - name='RQ.SRS-006.RBAC.Table.PublicTables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support that a user without any privileges will be able to access the following tables\n' - '\n' - '* system.one\n' - '* system.numbers\n' - '* system.contributors\n' - '* system.functions\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Table_SensitiveTables = Requirement( - name='RQ.SRS-006.RBAC.Table.SensitiveTables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL not support a user with no privileges accessing the following `system` tables:\n' - '\n' - '* processes\n' - '* query_log\n' - '* query_thread_log\n' - '* clusters\n' - '* events\n' - '* graphite_retentions\n' - '* stack_trace\n' - '* trace_log\n' - '* user_directories\n' - '* zookeeper\n' - '* macros\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_Create = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully `CREATE` a distributed table if and only if\n' - 'the user has **create table** privilege on the table and **remote** privilege on *.*\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_Select = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully `SELECT` from a distributed table if and only if\n' - 'the user has **select** privilege on the table and on the remote table specified in the `CREATE` query of the distributed table.\n' - '\n' - 'Does not require **select** privilege for the remote table if the remote table does not exist on the same server as the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_Insert = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.Insert', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully `INSERT` into a distributed table if and only if\n' - 'the user has **insert** privilege on the table and on the remote table specified in the `CREATE` query of the distributed table.\n' - '\n' - 'Does not require **insert** privilege for the remote table if the remote table does not exist on the same server as the user,\n' - 'insert executes into the remote table on a different server.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_SpecialTables = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.SpecialTables', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute a query using a distributed table that uses one of the special tables if and only if\n' - 'the user has the necessary privileges to interact with that special table, either granted directly or through a role.\n' - 'Special tables include:\n' - '* materialized view\n' - '* distributed table\n' - '* source table of a materialized view\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_LocalUser = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.LocalUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute a query using a distributed table from\n' - 'a user present locally, but not remotely.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DistributedTable_SameUserDifferentNodesDifferentPrivileges = Requirement( - name='RQ.SRS-006.RBAC.DistributedTable.SameUserDifferentNodesDifferentPrivileges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute a query using a distributed table by a user that exists on multiple nodes\n' - 'if and only if the user has the required privileges on the node the query is being executed from.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_View = Requirement( - name='RQ.SRS-006.RBAC.View', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to **create**, **select** and **drop**\n' - 'privileges for a view for users or roles.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_View_Create = Requirement( - name='RQ.SRS-006.RBAC.View.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `CREATE VIEW` command if and only if\n' - 'the user has **create view** privilege either explicitly or through roles.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE VIEW view AS SELECT * FROM source_table\n' - 'CREATE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_View_Select = Requirement( - name='RQ.SRS-006.RBAC.View.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully `SELECT` from a view if and only if\n' - 'the user has **select** privilege for that view either explicitly or through a role.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE VIEW view AS SELECT * FROM source_table\n' - 'CREATE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '\n' - 'SELECT * FROM view\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_View_Drop = Requirement( - name='RQ.SRS-006.RBAC.View.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' - 'the user has **drop view** privilege on that view either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop**\n' - 'privileges for a materialized view for users or roles.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Create = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `CREATE MATERIALIZED VIEW` command if and only if\n' - 'the user has **create view** privilege either explicitly or through roles.\n' - '\n' - 'If `POPULATE` is specified, the user must have `INSERT` privilege on the view,\n' - 'either explicitly or through roles.\n' - 'For example,\n' - '```sql\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory POPULATE AS SELECT * FROM source_table\n' - '```\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM source_table\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '```\n' - '\n' - 'If the materialized view has a target table explicitly declared in the `TO` clause, the user must have\n' - '**insert** and **select** privilege on the target table.\n' - 'For example,\n' - '```sql\n' - 'CREATE MATERIALIZED VIEW view TO target_table AS SELECT * FROM source_table\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Select = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully `SELECT` from a materialized view if and only if\n' - 'the user has **select** privilege for that view either explicitly or through a role.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM source_table\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE MATERIALIZED VIEW view ENGINE = Memory AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE MATERIALIZED VIEW view0 ENGINE = Memory AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '\n' - 'SELECT * FROM view\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Select_TargetTable = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Select.TargetTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully `SELECT` from the target table, implicit or explicit, of a materialized view if and only if\n' - 'the user has `SELECT` privilege for the table, either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Select_SourceTable = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Select.SourceTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully `SELECT` from the source table of a materialized view if and only if\n' - 'the user has `SELECT` privilege for the table, either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Drop = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' - 'the user has **drop view** privilege on that view either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_ModifyQuery = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.ModifyQuery', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `MODIFY QUERY` command if and only if\n' - 'the user has **modify query** privilege on that view either explicitly or through a role.\n' - '\n' - 'If the new query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'ALTER TABLE view MODIFY QUERY SELECT * FROM source_table\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Insert = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Insert', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only succesfully `INSERT` into a materialized view if and only if\n' - 'the user has `INSERT` privilege on the view, either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Insert_SourceTable = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Insert.SourceTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only succesfully `INSERT` into a source table of a materialized view if and only if\n' - 'the user has `INSERT` privilege on the source table, either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_MaterializedView_Insert_TargetTable = Requirement( - name='RQ.SRS-006.RBAC.MaterializedView.Insert.TargetTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only succesfully `INSERT` into a target table of a materialized view if and only if\n' - 'the user has `INSERT` privelege on the target table, either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_LiveView = Requirement( - name='RQ.SRS-006.RBAC.LiveView', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to **create**, **select**, **alter** and **drop**\n' - 'privileges for a live view for users or roles.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_LiveView_Create = Requirement( - name='RQ.SRS-006.RBAC.LiveView.Create', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `CREATE LIVE VIEW` command if and only if\n' - 'the user has **create view** privilege either explicitly or through roles.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE LIVE VIEW view AS SELECT * FROM source_table\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_LiveView_Select = Requirement( - name='RQ.SRS-006.RBAC.LiveView.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully `SELECT` from a live view if and only if\n' - 'the user has **select** privilege for that view either explicitly or through a role.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - 'on all the source tables either explicitly or through a role.\n' - 'For example,\n' - '```sql\n' - 'CREATE LIVE VIEW view AS SELECT * FROM source_table\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE LIVE VIEW view AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE LIVE VIEW view AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE LIVE VIEW view0 AS SELECT column FROM view1 UNION ALL SELECT column FROM view2\n' - '\n' - 'SELECT * FROM view\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_LiveView_Drop = Requirement( - name='RQ.SRS-006.RBAC.LiveView.Drop', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `DROP VIEW` command if and only if\n' - 'the user has **drop view** privilege on that view either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_LiveView_Refresh = Requirement( - name='RQ.SRS-006.RBAC.LiveView.Refresh', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute an `ALTER LIVE VIEW REFRESH` command if and only if\n' - 'the user has **refresh** privilege on that view either explicitly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Select = Requirement( - name='RQ.SRS-006.RBAC.Select', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL execute `SELECT` if and only if the user\n' - 'has the **select** privilege for the destination table\n' - 'either because of the explicit grant or through one of the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Select_Column = Requirement( - name='RQ.SRS-006.RBAC.Select.Column', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **select** privilege\n' - 'for one or more specified columns in a table to one or more **users** or **roles**.\n' - 'Any `SELECT` statements SHALL not to be executed, unless the user\n' - 'has the **select** privilege for the destination column\n' - 'either because of the explicit grant or through one of the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Select_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Select.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **select** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `SELECT` statements SHALL succeed only on nodes where\n' - 'the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Select_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Select.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **select** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Insert = Requirement( - name='RQ.SRS-006.RBAC.Insert', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL execute `INSERT INTO` if and only if the user\n' - 'has the **insert** privilege for the destination table\n' - 'either because of the explicit grant or through one of the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Insert_Column = Requirement( - name='RQ.SRS-006.RBAC.Insert.Column', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **insert** privilege\n' - 'for one or more specified columns in a table to one or more **users** or **roles**.\n' - 'Any `INSERT INTO` statements SHALL not to be executed, unless the user\n' - 'has the **insert** privilege for the destination column\n' - 'either because of the explicit grant or through one of the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Insert_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Insert.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **insert** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `INSERT INTO` statements SHALL succeed only on nodes where\n' - 'the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Insert_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Insert.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **insert** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter column** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL\n' - 'return an error, unless the user has the **alter column** privilege for\n' - 'the destination table either because of the explicit grant or through one of\n' - 'the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter column** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter column** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn_Column = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Column', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter column** privilege\n' - 'for one or more specified columns in a table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN` statements SHALL return an error,\n' - 'unless the user has the **alter column** privilege for the destination column\n' - 'either because of the explicit grant or through one of the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter column** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ADD|DROP|CLEAR|COMMENT|MODIFY COLUMN`\n' - 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterColumn_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterColumn.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter column** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterIndex = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterIndex', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter index** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX` statements SHALL\n' - 'return an error, unless the user has the **alter index** privilege for\n' - 'the destination table either because of the explicit grant or through one of\n' - 'the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterIndex_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter index** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterIndex_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter index** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterIndex_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterIndex.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter index** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ORDER BY | ADD|DROP|MATERIALIZE|CLEAR INDEX`\n' - 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterIndex_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterIndex.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter index** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterConstraint = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterConstraint', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter constraint** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ADD|CREATE CONSTRAINT` statements SHALL\n' - 'return an error, unless the user has the **alter constraint** privilege for\n' - 'the destination table either because of the explicit grant or through one of\n' - 'the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterConstraint_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter constraint** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterConstraint_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter constraint** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterConstraint_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter constraint** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ADD|DROP CONSTRAINT`\n' - 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterConstraint_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterConstraint.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter constraint** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterTTL = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterTTL', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL` statements SHALL\n' - 'return an error, unless the user has the **alter ttl** or **alter materialize ttl** privilege for\n' - 'the destination table either because of the explicit grant or through one of\n' - 'the roles assigned to the user.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterTTL_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter ttl** or **alter materialize ttl** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterTTL_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter ttl** or **alter materialize ttl** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterTTL_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterTTL.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter ttl** or **alter materialize ttl** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... ALTER TTL | ALTER MATERIALIZE TTL`\n' - 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterTTL_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterTTL.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter ttl** or **alter materialize ttl** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettings = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettings', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter settings** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... MODIFY SETTING setting` statements SHALL\n' - 'return an error, unless the user has the **alter settings** privilege for\n' - 'the destination table either because of the explicit grant or through one of\n' - 'the roles assigned to the user. The **alter settings** privilege allows\n' - 'modifying table engine settings. It doesn’t affect settings or server configuration parameters.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettings_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter settings** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettings_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter settings** privilege\n' - 'for a database or a specific table to one or more **users** or **roles**\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettings_Cluster = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettings.Cluster', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking **alter settings** privilege\n' - 'on a specified cluster to one or more **users** or **roles**.\n' - 'Any `ALTER TABLE ... MODIFY SETTING setting`\n' - 'statements SHALL succeed only on nodes where the table exists and privilege was granted.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettings_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettings.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter settings** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterUpdate = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterUpdate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER UPDATE` statement if and only if the user has **alter update** privilege for that column,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterUpdate_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter update** privilege on a column level\n' - 'to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterUpdate_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter update** privilege on a column level\n' - 'from one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterUpdate_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterUpdate.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter update** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterDelete = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterDelete', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER DELETE` statement if and only if the user has **alter delete** privilege for that table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterDelete_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter delete** privilege on a column level\n' - 'to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterDelete_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterDelete.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter delete** privilege on a column level\n' - 'from one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterDelete_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterDelete.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter delete** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFreeze = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFreeze', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER FREEZE` statement if and only if the user has **alter freeze** privilege for that table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFreeze_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter freeze** privilege on a column level\n' - 'to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFreeze_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter freeze** privilege on a column level\n' - 'from one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFreeze_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFreeze.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter freeze** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFetch = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFetch', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER FETCH` statement if and only if the user has **alter fetch** privilege for that table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFetch_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter fetch** privilege on a column level\n' - 'to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFetch_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFetch.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter fetch** privilege on a column level\n' - 'from one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterFetch_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterFetch.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter fetch** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterMove = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterMove', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER MOVE` statement if and only if the user has **alter move**, **select**, and **alter delete** privilege on the source table\n' - 'and **insert** privilege on the target table, either directly or through a role.\n' - 'For example,\n' - '```sql\n' - 'ALTER TABLE source_table MOVE PARTITION 1 TO target_table\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterMove_Grant = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterMove.Grant', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting **alter move** privilege on a column level\n' - 'to one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterMove_Revoke = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterMove.Revoke', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support revoking **alter move** privilege on a column level\n' - 'from one or more **users** or **roles**.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterMove_TableEngines = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterMove.TableEngines', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support controlling access to the **alter move** privilege\n' - 'on tables created using the following engines\n' - '\n' - '* MergeTree\n' - '* ReplacingMergeTree\n' - '* SummingMergeTree\n' - '* AggregatingMergeTree\n' - '* CollapsingMergeTree\n' - '* VersionedCollapsingMergeTree\n' - '* GraphiteMergeTree\n' - '* ReplicatedMergeTree\n' - '* ReplicatedSummingMergeTree\n' - '* ReplicatedReplacingMergeTree\n' - '* ReplicatedAggregatingMergeTree\n' - '* ReplicatedCollapsingMergeTree\n' - '* ReplicatedVersionedCollapsingMergeTree\n' - '* ReplicatedGraphiteMergeTree\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL only successfully execute a `CREATE TABLE` command if and only if\n' - 'the user has **create table** privilege either explicitly or through roles.\n' - '\n' - 'If the stored query includes one or more source tables, the user must have **select** privilege\n' - "on all the source tables and **insert** for the table they're trying to create either explicitly or through a role.\n" - 'For example,\n' - '```sql\n' - 'CREATE TABLE table AS SELECT * FROM source_table\n' - 'CREATE TABLE table AS SELECT * FROM table0 WHERE column IN (SELECT column FROM table1 WHERE column IN (SELECT column FROM table2 WHERE expression))\n' - 'CREATE TABLE table AS SELECT * FROM table0 JOIN table1 USING column\n' - 'CREATE TABLE table AS SELECT * FROM table0 UNION ALL SELECT * FROM table1 UNION ALL SELECT * FROM table2\n' - 'CREATE TABLE table AS SELECT column FROM table0 JOIN table1 USING column UNION ALL SELECT column FROM table2 WHERE column IN (SELECT column FROM table3 WHERE column IN (SELECT column FROM table4 WHERE expression))\n' - 'CREATE TABLE table0 AS SELECT column FROM table1 UNION ALL SELECT column FROM table2\n' - '```\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateDatabase = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateDatabase', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE DATABASE` statement if and only if the user has **create database** privilege on the database,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateDictionary = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateDictionary', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE DICTIONARY` statement if and only if the user has **create dictionary** privilege on the dictionary,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateTemporaryTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateTemporaryTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AttachDatabase = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AttachDatabase', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ATTACH DATABASE` statement if and only if the user has **create database** privilege on the database,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AttachDictionary = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AttachDictionary', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ATTACH DICTIONARY` statement if and only if the user has **create dictionary** privilege on the dictionary,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AttachTemporaryTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AttachTemporaryTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ATTACH TEMPORARY TABLE` statement if and only if the user has **create temporary table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AttachTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AttachTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ATTACH TABLE` statement if and only if the user has **create table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP TABLE` statement if and only if the user has **drop table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropDatabase = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropDatabase', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP DATABASE` statement if and only if the user has **drop database** privilege on the database,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropDictionary = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropDictionary', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DetachTable = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DetachTable', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DETACH TABLE` statement if and only if the user has **drop table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DetachView = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DetachView', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DETACH VIEW` statement if and only if the user has **drop view** privilege on the view,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DetachDatabase = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DetachDatabase', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DETACH DATABASE` statement if and only if the user has **drop database** privilege on the database,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DetachDictionary = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DetachDictionary', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DETACH DICTIONARY` statement if and only if the user has **drop dictionary** privilege on the dictionary,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Truncate = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Truncate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `TRUNCATE TABLE` statement if and only if the user has **truncate table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Optimize = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Optimize', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `OPTIMIZE TABLE` statement if and only if the user has **optimize table** privilege on the table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_KillQuery = Requirement( - name='RQ.SRS-006.RBAC.Privileges.KillQuery', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `KILL QUERY` statement if and only if the user has **kill query** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_KillMutation = Requirement( - name='RQ.SRS-006.RBAC.Privileges.KillMutation', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `KILL MUTATION` statement if and only if\n' - 'the user has the privilege that created the mutation, either directly or through a role.\n' - 'For example, to `KILL MUTATION` after `ALTER UPDATE` query, the user needs `ALTER UPDATE` privilege.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_KillMutation_AlterUpdate = Requirement( - name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterUpdate', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER UPDATE` mutation if and only if\n' - 'the user has `ALTER UPDATE` privilege on the table where the mutation was created, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDelete = Requirement( - name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDelete', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DELETE` mutation if and only if\n' - 'the user has `ALTER DELETE` privilege on the table where the mutation was created, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDropColumn = Requirement( - name='RQ.SRS-006.RBAC.Privileges.KillMutation.AlterDropColumn', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `KILL MUTATION` query on an `ALTER DROP COLUMN` mutation if and only if\n' - 'the user has `ALTER DROP COLUMN` privilege on the table where the mutation was created, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowTables_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowTables.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL grant **show tables** privilege on a table to a user if that user has recieved any grant,\n' - 'including `SHOW TABLES`, on that table, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowTables_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowTables.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW TABLES` statement if and only if the user has **show tables** privilege,\n' - 'or any privilege on the table either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ExistsTable_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ExistsTable.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `EXISTS table` statement if and only if the user has **show tables** privilege,\n' - 'or any privilege on the table either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_CheckTable_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.CheckTable.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CHECK table` statement if and only if the user has **show tables** privilege,\n' - 'or any privilege on the table either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowDatabases_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowDatabases.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL grant **show databases** privilege on a database to a user if that user has recieved any grant,\n' - 'including `SHOW DATABASES`, on that table, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowDatabases_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowDatabases.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW DATABASES` statement if and only if the user has **show databases** privilege,\n' - 'or any privilege on the database either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateDatabase_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateDatabase.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE DATABASE` statement if and only if the user has **show databases** privilege,\n' - 'or any privilege on the database either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_UseDatabase_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.UseDatabase.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `USE database` statement if and only if the user has **show databases** privilege,\n' - 'or any privilege on the database either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowColumns_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowColumns.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking the `SHOW COLUMNS` privilege.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateTable_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateTable.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE TABLE` statement if and only if the user has **show columns** privilege on that table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_DescribeTable_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.DescribeTable.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DESCRIBE table` statement if and only if the user has **show columns** privilege on that table,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowDictionaries_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowDictionaries.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL grant **show dictionaries** privilege on a dictionary to a user if that user has recieved any grant,\n' - 'including `SHOW DICTIONARIES`, on that dictionary, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowDictionaries_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowDictionaries.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW DICTIONARIES` statement if and only if the user has **show dictionaries** privilege,\n' - 'or any privilege on the dictionary either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateDictionary_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateDictionary.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE DICTIONARY` statement if and only if the user has **show dictionaries** privilege,\n' - 'or any privilege on the dictionary either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ExistsDictionary_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ExistsDictionary.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `EXISTS dictionary` statement if and only if the user has **show dictionaries** privilege,\n' - 'or any privilege on the dictionary either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateUser = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE USER` statement if and only if the user has **create user** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateUser_DefaultRole = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateUser.DefaultRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE USER` statement with `DEFAULT ROLE ` clause if and only if\n' - 'the user has **create user** privilege and the role with **admin option**, or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterUser = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER USER` statement if and only if the user has **alter user** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropUser = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropUser', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP USER` statement if and only if the user has **drop user** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateRole = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE ROLE` statement if and only if the user has **create role** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterRole = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER ROLE` statement if and only if the user has **alter role** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropRole = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropRole', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP ROLE` statement if and only if the user has **drop role** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateRowPolicy = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateRowPolicy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE ROW POLICY` statement if and only if the user has **create row policy** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterRowPolicy = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterRowPolicy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER ROW POLICY` statement if and only if the user has **alter row policy** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropRowPolicy = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropRowPolicy', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP ROW POLICY` statement if and only if the user has **drop row policy** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateQuota = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateQuota', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE QUOTA` statement if and only if the user has **create quota** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterQuota = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterQuota', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER QUOTA` statement if and only if the user has **alter quota** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropQuota = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropQuota', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP QUOTA` statement if and only if the user has **drop quota** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_CreateSettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.Privileges.CreateSettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `CREATE SETTINGS PROFILE` statement if and only if the user has **create settings profile** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AlterSettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AlterSettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `ALTER SETTINGS PROFILE` statement if and only if the user has **alter settings profile** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_DropSettingsProfile = Requirement( - name='RQ.SRS-006.RBAC.Privileges.DropSettingsProfile', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `DROP SETTINGS PROFILE` statement if and only if the user has **drop settings profile** privilege,\n' - 'or either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_RoleAdmin = Requirement( - name='RQ.SRS-006.RBAC.Privileges.RoleAdmin', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute any role grant or revoke by a user with `ROLE ADMIN` privilege.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowUsers_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowUsers.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SHOW USERS` privilege when\n' - 'the user is granted `SHOW USERS`, `SHOW CREATE USER`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowUsers_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowUsers.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW USERS` statement if and only if the user has **show users** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateUser_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateUser.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE USER` statement if and only if the user has **show users** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowRoles_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowRoles.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SHOW ROLES` privilege when\n' - 'the user is granted `SHOW ROLES`, `SHOW CREATE ROLE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowRoles_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowRoles.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW ROLES` statement if and only if the user has **show roles** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateRole_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateRole.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE ROLE` statement if and only if the user has **show roles** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowRowPolicies_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowRowPolicies.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SHOW ROW POLICIES` privilege when\n' - 'the user is granted `SHOW ROW POLICIES`, `SHOW POLICIES`, `SHOW CREATE ROW POLICY`,\n' - '`SHOW CREATE POLICY`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowRowPolicies_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowRowPolicies.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW ROW POLICIES` or `SHOW POLICIES` statement if and only if\n' - 'the user has **show row policies** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateRowPolicy_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateRowPolicy.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE ROW POLICY` or `SHOW CREATE POLICY` statement\n' - 'if and only if the user has **show row policies** privilege,either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowQuotas_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowQuotas.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SHOW QUOTAS` privilege when\n' - 'the user is granted `SHOW QUOTAS`, `SHOW CREATE QUOTA`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowQuotas_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowQuotas.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW QUOTAS` statement if and only if the user has **show quotas** privilege,\n' - 'either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateQuota_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateQuota.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE QUOTA` statement if and only if\n' - 'the user has **show quotas** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowSettingsProfiles_Privilege = Requirement( - name='RQ.SRS-006.RBAC.ShowSettingsProfiles.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SHOW SETTINGS PROFILES` privilege when\n' - 'the user is granted `SHOW SETTINGS PROFILES`, `SHOW PROFILES`, `SHOW CREATE SETTINGS PROFILE`,\n' - '`SHOW SETTINGS PROFILE`, `SHOW ACCESS`, or `ACCESS MANAGEMENT`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowSettingsProfiles_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowSettingsProfiles.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW SETTINGS PROFILES` or `SHOW PROFILES` statement\n' - 'if and only if the user has **show settings profiles** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_ShowCreateSettingsProfile_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.ShowCreateSettingsProfile.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `SHOW CREATE SETTINGS PROFILE` or `SHOW CREATE PROFILE` statement\n' - 'if and only if the user has **show settings profiles** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictGet_Privilege = Requirement( - name='RQ.SRS-006.RBAC.dictGet.Privilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `dictGet` privilege when\n' - 'the user is granted `dictGet`, `dictHas`, `dictGetHierarchy`, or `dictIsIn`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictGet_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictGet.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictGet` statement\n' - 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictGet_Type_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictGet.Type.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictGet[TYPE]` statement\n' - 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' - 'Available types:\n' - '\n' - '* Int8\n' - '* Int16\n' - '* Int32\n' - '* Int64\n' - '* UInt8\n' - '* UInt16\n' - '* UInt32\n' - '* UInt64\n' - '* Float32\n' - '* Float64\n' - '* Date\n' - '* DateTime\n' - '* UUID\n' - '* String\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictGet_OrDefault_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictGet.OrDefault.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictGetOrDefault` statement\n' - 'if and only if the user has **dictGet** privilege on that dictionary, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictHas_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictHas.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictHas` statement\n' - 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictGetHierarchy_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictGetHierarchy.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictGetHierarchy` statement\n' - 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_dictIsIn_RequiredPrivilege = Requirement( - name='RQ.SRS-006.RBAC.dictIsIn.RequiredPrivilege', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `dictIsIn` statement\n' - 'if and only if the user has **dictGet** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Introspection = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Introspection', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `INTROSPECTION` privilege when\n' - 'the user is granted `INTROSPECTION` or `INTROSPECTION FUNCTIONS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Introspection_addressToLine = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToLine', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `addressToLine` statement if and only if\n' - 'the user has **introspection** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Introspection_addressToSymbol = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Introspection.addressToSymbol', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `addressToSymbol` statement if and only if\n' - 'the user has **introspection** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Introspection_demangle = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Introspection.demangle', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `demangle` statement if and only if\n' - 'the user has **introspection** privilege, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Shutdown = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Shutdown', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM SHUTDOWN` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM SHUTDOWN`, `SHUTDOWN`,or `SYSTEM KILL`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_DropCache = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.DropCache', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM DROP CACHE` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, or `DROP CACHE`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_DropCache_DNS = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.DropCache.DNS', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM DROP DNS CACHE` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP DNS CACHE`,\n' - '`SYSTEM DROP DNS`, `DROP DNS CACHE`, or `DROP DNS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_DropCache_Mark = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Mark', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM DROP MARK CACHE` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP MARK CACHE`,\n' - '`SYSTEM DROP MARK`, `DROP MARK CACHE`, or `DROP MARKS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_DropCache_Uncompressed = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.DropCache.Uncompressed', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM DROP UNCOMPRESSED CACHE` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM DROP CACHE`, `DROP CACHE`, `SYSTEM DROP UNCOMPRESSED CACHE`,\n' - '`SYSTEM DROP UNCOMPRESSED`, `DROP UNCOMPRESSED CACHE`, or `DROP UNCOMPRESSED`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Reload = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Reload', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD` privilege when\n' - 'the user is granted `SYSTEM` or `SYSTEM RELOAD`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Reload_Config = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Reload.Config', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD CONFIG` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD CONFIG`, or `RELOAD CONFIG`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionary = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionary', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARY` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionaries = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Reload.Dictionaries', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD DICTIONARIES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARIES`, `RELOAD DICTIONARIES`, or `RELOAD DICTIONARY`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Reload_EmbeddedDictionaries = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Reload.EmbeddedDictionaries', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RELOAD EMBEDDED DICTIONARIES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM RELOAD`, `SYSTEM RELOAD DICTIONARY ON *.*`, or `SYSTEM RELOAD EMBEDDED DICTIONARIES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Merges = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Merges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM MERGES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM MERGES`, `SYSTEM STOP MERGES`, `SYSTEM START MERGES`, `STOP MERGES`, or `START MERGES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_TTLMerges = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.TTLMerges', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM TTL MERGES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM TTL MERGES`, `SYSTEM STOP TTL MERGES`, `SYSTEM START TTL MERGES`, `STOP TTL MERGES`, or `START TTL MERGES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Fetches = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Fetches', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM FETCHES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM FETCHES`, `SYSTEM STOP FETCHES`, `SYSTEM START FETCHES`, `STOP FETCHES`, or `START FETCHES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Moves = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Moves', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM MOVES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM MOVES`, `SYSTEM STOP MOVES`, `SYSTEM START MOVES`, `STOP MOVES`, or `START MOVES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Sends = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Sends', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM SENDS` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM SENDS`, `SYSTEM STOP SENDS`, `SYSTEM START SENDS`, `STOP SENDS`, or `START SENDS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Sends_Distributed = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Sends.Distributed', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM DISTRIBUTED SENDS` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM DISTRIBUTED SENDS`, `SYSTEM STOP DISTRIBUTED SENDS`,\n' - '`SYSTEM START DISTRIBUTED SENDS`, `STOP DISTRIBUTED SENDS`, or `START DISTRIBUTED SENDS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Sends_Replicated = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Sends.Replicated', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM REPLICATED SENDS` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM REPLICATED SENDS`, `SYSTEM STOP REPLICATED SENDS`,\n' - '`SYSTEM START REPLICATED SENDS`, `STOP REPLICATED SENDS`, or `START REPLICATED SENDS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_ReplicationQueues = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.ReplicationQueues', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM REPLICATION QUEUES` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM REPLICATION QUEUES`, `SYSTEM STOP REPLICATION QUEUES`,\n' - '`SYSTEM START REPLICATION QUEUES`, `STOP REPLICATION QUEUES`, or `START REPLICATION QUEUES`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_SyncReplica = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.SyncReplica', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM SYNC REPLICA` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM SYNC REPLICA`, or `SYNC REPLICA`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_RestartReplica = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.RestartReplica', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM RESTART REPLICA` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM RESTART REPLICA`, or `RESTART REPLICA`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Flush = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Flush', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH` privilege when\n' - 'the user is granted `SYSTEM` or `SYSTEM FLUSH`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Flush_Distributed = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Flush.Distributed', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH DISTRIBUTED` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM FLUSH DISTRIBUTED`, or `FLUSH DISTRIBUTED`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_System_Flush_Logs = Requirement( - name='RQ.SRS-006.RBAC.Privileges.System.Flush.Logs', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully grant `SYSTEM FLUSH LOGS` privilege when\n' - 'the user is granted `SYSTEM`, `SYSTEM FLUSH LOGS`, or `FLUSH LOGS`.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking `SOURCES` privilege from\n' - 'the user, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_File = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.File', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `FILE` source by a user if and only if\n' - 'the user has `FILE` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_URL = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.URL', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `URL` source by a user if and only if\n' - 'the user has `URL` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_Remote = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.Remote', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `REMOTE` source by a user if and only if\n' - 'the user has `REMOTE` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_MySQL = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.MySQL', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `MySQL` source by a user if and only if\n' - 'the user has `MySQL` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_ODBC = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.ODBC', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `ODBC` source by a user if and only if\n' - 'the user has `ODBC` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_JDBC = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.JDBC', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `JDBC` source by a user if and only if\n' - 'the user has `JDBC` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_HDFS = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.HDFS', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `HDFS` source by a user if and only if\n' - 'the user has `HDFS` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_Sources_S3 = Requirement( - name='RQ.SRS-006.RBAC.Privileges.Sources.S3', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support the use of `S3` source by a user if and only if\n' - 'the user has `S3` or `SOURCES` privileges granted to them directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_GrantOption = Requirement( - name='RQ.SRS-006.RBAC.Privileges.GrantOption', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL successfully execute `GRANT` or `REVOKE` privilege statements by a user if and only if\n' - 'the user has that privilege with `GRANT OPTION`, either directly or through a role.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_All = Requirement( - name='RQ.SRS-006.RBAC.Privileges.All', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support granting or revoking `ALL` privilege.\n' - '\n' - ), - link=None) - -RQ_SRS_006_RBAC_Privileges_AdminOption = Requirement( - name='RQ.SRS-006.RBAC.Privileges.AdminOption', - version='1.0', - priority=None, - group=None, - type=None, - uid=None, - description=( - '[ClickHouse] SHALL support a user granting or revoking a role if and only if\n' - 'the user has that role with `ADMIN OPTION` privilege.\n' - '\n' - ), - link=None) diff --git a/tests/testflows/rbac/tests/privileges/admin_option.py b/tests/testflows/rbac/tests/privileges/admin_option.py index 88dadc8522c..f6115839bf5 100644 --- a/tests/testflows/rbac/tests/privileges/admin_option.py +++ b/tests/testflows/rbac/tests/privileges/admin_option.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(test=grant_role, flags=TE)(grant_target_name=user_name, user_name=user_name) + Suite(test=grant_role)(grant_target_name=user_name, user_name=user_name) @TestSuite def privileges_granted_via_role(self, node=None): @@ -35,7 +35,7 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=grant_role, flags=TE)(grant_target_name=role_name, user_name=user_name) + Suite(test=grant_role)(grant_target_name=role_name, user_name=user_name) @TestSuite def grant_role(self, grant_target_name, user_name, node=None): @@ -52,7 +52,13 @@ def grant_role(self, grant_target_name, user_name, node=None): with user(node, target_user_name), role(node, grant_role_name): - with When("I check the user can't grant a role"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't grant a role"): node.query(f"GRANT {grant_role_name} TO {target_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -109,6 +115,7 @@ def grant_role(self, grant_target_name, user_name, node=None): @Name("admin option") @Requirements( RQ_SRS_006_RBAC_Privileges_AdminOption("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ADMIN OPTION. diff --git a/tests/testflows/rbac/tests/privileges/all_role.py b/tests/testflows/rbac/tests/privileges/all_role.py new file mode 100644 index 00000000000..629848a2746 --- /dev/null +++ b/tests/testflows/rbac/tests/privileges/all_role.py @@ -0,0 +1,37 @@ +from testflows.core import * +from testflows.asserts import error + +from rbac.requirements import * +from rbac.helper.common import * +import rbac.helper.errors as errors + +@TestScenario +def privilege_check(self, node=None): + '''Check that a role named ALL only grants privileges that it already has. + ''' + + user_name = f"user_{getuid()}" + + if node is None: + node = self.context.node + + with user(node, f"{user_name}"), role(node, "ALL"): + + with When("I grant the ALL role to the user"): + node.query(f"GRANT ALL TO {user_name}") + + with Then("I check the user doesn't have any privileges"): + output = node.query("SHOW TABLES", settings=[("user",user_name)]).output + assert output == '', error() + +@TestFeature +@Name("all role") +@Requirements( + RQ_SRS_006_RBAC_Privileges_RoleAll("1.0"), +) +def feature(self, node="clickhouse1"): + """Check the RBAC functionality of the role 'ALL'. + """ + self.context.node = self.context.cluster.node(node) + + Scenario(run=privilege_check, setup=instrument_clickhouse_server_log) diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_column.py b/tests/testflows/rbac/tests/privileges/alter/alter_column.py index 430872029b5..fe767ec15fa 100755 --- a/tests/testflows/rbac/tests/privileges/alter/alter_column.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_column.py @@ -354,6 +354,10 @@ def check_add_column_when_privilege_is_not_granted(table, user, node, column=Non node.query(f"ALTER TABLE {table} ADD COLUMN {column} String", settings = [("user", user)], exitcode=exitcode, message=message) + with Then("I try to ADD COLUMN"): + node.query(f"ALTER TABLE {table} ADD COLUMN {column} String", + settings = [("user", user)], exitcode=exitcode, message=message) + def check_clear_column_when_privilege_is_not_granted(table, user, node, column=None): """Ensures CLEAR COLUMN errors as expected without the required privilege for the specified user. @@ -366,6 +370,13 @@ def check_clear_column_when_privilege_is_not_granted(table, user, node, column=N node.query(f"ALTER TABLE {table} CLEAR COLUMN {column}", settings = [("user", user)], exitcode=exitcode, message=message) + with And(f"I grant NONE to the user"): + node.query(f"GRANT NONE TO {user}") + + with Then("I try to CLEAR COLUMN"): + node.query(f"ALTER TABLE {table} CLEAR COLUMN {column}", + settings = [("user", user)], exitcode=exitcode, message=message) + def check_modify_column_when_privilege_is_not_granted(table, user, node, column=None): """Ensures MODIFY COLUMN errors as expected without the required privilege for the specified user. @@ -378,6 +389,13 @@ def check_modify_column_when_privilege_is_not_granted(table, user, node, column= node.query(f"ALTER TABLE {table} MODIFY COLUMN {column} String", settings = [("user", user)], exitcode=exitcode, message=message) + with And(f"I grant NONE to the user"): + node.query(f"GRANT NONE TO {user}") + + with Then("I try to MODIFY COLUMN"): + node.query(f"ALTER TABLE {table} MODIFY COLUMN {column} String", + settings = [("user", user)], exitcode=exitcode, message=message) + def check_rename_column_when_privilege_is_not_granted(table, user, node, column=None): """Ensures RENAME COLUMN errors as expected without the required privilege for the specified user. @@ -392,6 +410,13 @@ def check_rename_column_when_privilege_is_not_granted(table, user, node, column= node.query(f"ALTER TABLE {table} RENAME COLUMN {column} TO {new_column}", settings = [("user", user)], exitcode=exitcode, message=message) + with And(f"I grant NONE to the user"): + node.query(f"GRANT NONE TO {user}") + + with Then("I try to RENAME COLUMN"): + node.query(f"ALTER TABLE {table} RENAME COLUMN {column} TO {new_column}", + settings = [("user", user)], exitcode=exitcode, message=message) + def check_comment_column_when_privilege_is_not_granted(table, user, node, column=None): """Ensures COMMENT COLUMN errors as expected without the required privilege for the specified user. @@ -404,6 +429,13 @@ def check_comment_column_when_privilege_is_not_granted(table, user, node, column node.query(f"ALTER TABLE {table} COMMENT COLUMN {column} 'This is a comment.'", settings = [("user", user)], exitcode=exitcode, message=message) + with And(f"I grant NONE to the user"): + node.query(f"GRANT NONE TO {user}") + + with When("I try to COMMENT COLUMN"): + node.query(f"ALTER TABLE {table} COMMENT COLUMN {column} 'This is a comment.'", + settings = [("user", user)], exitcode=exitcode, message=message) + def check_drop_column_when_privilege_is_not_granted(table, user, node, column=None): """Ensures DROP COLUMN errors as expected without the required privilege for the specified user. @@ -416,6 +448,13 @@ def check_drop_column_when_privilege_is_not_granted(table, user, node, column=No node.query(f"ALTER TABLE {table} DROP COLUMN {column}", settings = [("user", user)], exitcode=exitcode, message=message) + with And(f"I grant NONE to the user"): + node.query(f"GRANT NONE TO {user}") + + with Then("I try to DROP COLUMN"): + node.query(f"ALTER TABLE {table} DROP COLUMN {column}", + settings = [("user", user)], exitcode=exitcode, message=message) + @TestScenario def user_with_some_privileges(self, permutation, table_type, node=None): """Check that user with some privileges of ALTER COLUMN is able @@ -676,7 +715,8 @@ def scenario_parallelization(self, table_type, permutation): @Requirements( RQ_SRS_006_RBAC_Privileges_AlterColumn("1.0"), RQ_SRS_006_RBAC_Privileges_AlterColumn_TableEngines("1.0"), - RQ_SRS_006_RBAC_Privileges_All("1.0") + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_constraint.py b/tests/testflows/rbac/tests/privileges/alter/alter_constraint.py index 59ff1828222..58f4349459c 100755 --- a/tests/testflows/rbac/tests/privileges/alter/alter_constraint.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_constraint.py @@ -275,7 +275,8 @@ def user_with_privileges_on_cluster(self, table_type, node=None): @Requirements( RQ_SRS_006_RBAC_Privileges_AlterConstraint("1.0"), RQ_SRS_006_RBAC_Privileges_AlterConstraint_TableEngines("1.0"), - RQ_SRS_006_RBAC_Privileges_All("1.0") + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_delete.py b/tests/testflows/rbac/tests/privileges/alter/alter_delete.py index 9f46e6cdb3d..93d520f91bd 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_delete.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_delete.py @@ -1,5 +1,3 @@ -from multiprocessing.dummy import Pool - from testflows.core import * from testflows.asserts import error @@ -11,7 +9,8 @@ aliases = {"ALTER DELETE", "DELETE", "ALL"} @TestSuite def privilege_granted_directly_or_via_role(self, table_type, privilege, node=None): - """Check that user is only able to execute ALTER DELETE when they have required privilege, either directly or via role. + """Check that user is only able to execute ALTER DELETE when they have required privilege, + either directly or via role. """ role_name = f"role_{getuid()}" user_name = f"user_{getuid()}" @@ -21,13 +20,16 @@ def privilege_granted_directly_or_via_role(self, table_type, privilege, node=Non with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): with user(node, user_name): + with When(f"I run checks that {user_name} is only able to execute ALTER DELETE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, table_type=table_type, privilege=privilege, node=node) with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): with user(node, user_name), role(node, role_name): + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") + with And(f"I run checks that {user_name} with {role_name} is only able to execute ALTER DELETE with required privileges"): privilege_check(grant_target_name=role_name, user_name=user_name, table_type=table_type, privilege=privilege, node=node) @@ -38,26 +40,41 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with Scenario("user without privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): - with When("I attempt to delete columns without privilege"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to delete columns without privilege"): node.query(f"ALTER TABLE {table_name} DELETE WHERE 1", settings = [("user", user_name)], exitcode=exitcode, message=message) with Scenario("user with privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): + with When("I grant the delete privilege"): node.query(f"GRANT {privilege} ON {table_name} TO {grant_target_name}") + with Then("I attempt to delete columns"): node.query(f"ALTER TABLE {table_name} DELETE WHERE 1", settings = [("user", user_name)]) with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): + with When("I grant the delete privilege"): node.query(f"GRANT {privilege} ON {table_name} TO {grant_target_name}") + with And("I revoke the delete privilege"): node.query(f"REVOKE {privilege} ON {table_name} FROM {grant_target_name}") + with Then("I attempt to delete columns"): node.query(f"ALTER TABLE {table_name} DELETE WHERE 1", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -65,7 +82,8 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterDelete("1.0"), - RQ_SRS_006_RBAC_Privileges_All("1.0") + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_fetch.py b/tests/testflows/rbac/tests/privileges/alter/alter_fetch.py index 56f2d48e7d2..b4ff0b65fd4 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_fetch.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_fetch.py @@ -1,5 +1,3 @@ -from multiprocessing.dummy import Pool - from testflows.core import * from testflows.asserts import error @@ -41,9 +39,16 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with Scenario("user without privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): - with When("I attempt to fetch a partition without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to fetch a partition without privilege"): node.query(f"ALTER TABLE {table_name} FETCH PARTITION 1 FROM '/clickhouse/'", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -75,7 +80,8 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterFetch("1.0"), - RQ_SRS_006_RBAC_Privileges_All("1.0") + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type",[ ("ReplicatedMergeTree-sharded_cluster",), diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_freeze.py b/tests/testflows/rbac/tests/privileges/alter/alter_freeze.py index 32bd4602044..775e2be270d 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_freeze.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_freeze.py @@ -1,5 +1,3 @@ -from multiprocessing.dummy import Pool - from testflows.core import * from testflows.asserts import error @@ -38,14 +36,22 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with Scenario("user without privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): - with When("I attempt to freeze partitions without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to freeze partitions without privilege"): node.query(f"ALTER TABLE {table_name} FREEZE", settings = [("user", user_name)], exitcode=exitcode, message=message) with Scenario("user with privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): with When("I grant the freeze privilege"): @@ -56,6 +62,7 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): with When("I grant the freeze privilege"): @@ -70,7 +77,8 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterFreeze("1.0"), - RQ_SRS_006_RBAC_Privileges_All("1.0") + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_index.py b/tests/testflows/rbac/tests/privileges/alter/alter_index.py index cd2729f5641..eeb126e95a5 100755 --- a/tests/testflows/rbac/tests/privileges/alter/alter_index.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_index.py @@ -26,7 +26,7 @@ aliases = { "MATERIALIZE INDEX" : ["ALTER MATERIALIZE INDEX", "MATERIALIZE INDEX"], "CLEAR INDEX": ["ALTER CLEAR INDEX", "CLEAR INDEX"], "DROP INDEX": ["ALTER DROP INDEX", "DROP INDEX"], - "ALTER INDEX": ["ALTER INDEX", "INDEX"] # super-privilege + "ALTER INDEX": ["ALTER INDEX", "INDEX", "ALL"] # super-privilege } # Extra permutation is for 'ALTER INDEX' super-privilege @@ -302,7 +302,6 @@ def check_drop_index_when_privilege_is_not_granted(table, user, node): settings = [("user", user)], exitcode=exitcode, message=message) @TestScenario -@Flags(TE) def user_with_some_privileges(self, table_type, node=None): """Check that user with any permutation of ALTER INDEX subprivileges is able to alter the table for privileges granted, and not for privileges not granted. @@ -325,7 +324,6 @@ def user_with_some_privileges(self, table_type, node=None): alter_index_privilege_handler(permutation, table_name, user_name, node) @TestScenario -@Flags(TE) @Requirements( RQ_SRS_006_RBAC_Privileges_AlterIndex_Revoke("1.0"), ) @@ -355,7 +353,6 @@ def user_with_revoked_privileges(self, table_type, node=None): alter_index_privilege_handler(0, table_name, user_name, node) @TestScenario -@Flags(TE) @Requirements( RQ_SRS_006_RBAC_Privileges_AlterIndex_Grant("1.0"), ) @@ -385,7 +382,6 @@ def role_with_some_privileges(self, table_type, node=None): alter_index_privilege_handler(permutation, table_name, user_name, node) @TestScenario -@Flags(TE) def user_with_revoked_role(self, table_type, node=None): """Check that user with a role that has ALTER INDEX privilege on a table is unable to ALTER INDEX from that table after the role with privilege has been revoked from the user. @@ -416,7 +412,6 @@ def user_with_revoked_role(self, table_type, node=None): alter_index_privilege_handler(0, table_name, user_name, node) @TestScenario -@Flags(TE) @Requirements( RQ_SRS_006_RBAC_Privileges_AlterIndex_Cluster("1.0"), ) @@ -451,12 +446,13 @@ def user_with_privileges_on_cluster(self, table_type, node=None): @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterIndex("1.0"), - RQ_SRS_006_RBAC_Privileges_AlterIndex_TableEngines("1.0") + RQ_SRS_006_RBAC_Privileges_AlterIndex_TableEngines("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() ]) -@Flags(TE) @Name("alter index") def feature(self, node="clickhouse1", stress=None, parallel=None): self.context.node = self.context.cluster.node(node) diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_move.py b/tests/testflows/rbac/tests/privileges/alter/alter_move.py index b53375434fe..d370edc35de 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_move.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_move.py @@ -7,7 +7,7 @@ from rbac.requirements import * from rbac.helper.common import * import rbac.helper.errors as errors -aliases = {"ALTER MOVE PARTITION", "ALTER MOVE PART", "MOVE PARTITION", "MOVE PART"} +aliases = {"ALTER MOVE PARTITION", "ALTER MOVE PART", "MOVE PARTITION", "MOVE PART", "ALL"} @TestSuite def privilege_granted_directly_or_via_role(self, table_type, privilege, node=None): @@ -45,7 +45,13 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with table(node, f"{source_table_name},{target_table_name}", table_type): - with When("I attempt to move partition without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to move partition without privilege"): node.query(f"ALTER TABLE {source_table_name} MOVE PARTITION 1 TO TABLE {target_table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -151,6 +157,8 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterMove("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_quota.py b/tests/testflows/rbac/tests/privileges/alter/alter_quota.py index 4d0d55c86de..faad7c001f4 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_quota.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_quota.py @@ -31,7 +31,7 @@ def alter_quota_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=alter_quota, flags=TE, + Suite(run=alter_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in alter_quota.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -52,13 +52,14 @@ def alter_quota_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=alter_quota, flags=TE, + Suite(run=alter_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in alter_quota.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("ALTER QUOTA",), ]) @@ -75,7 +76,13 @@ def alter_quota(self, privilege, grant_target_name, user_name, node=None): with quota(node, alter_quota_name): - with When("I check the user can't alter a quota"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't alter a quota"): node.query(f"ALTER QUOTA {alter_quota_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -127,6 +134,8 @@ def alter_quota(self, privilege, grant_target_name, user_name, node=None): @Name("alter quota") @Requirements( RQ_SRS_006_RBAC_Privileges_AlterQuota("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ALTER QUOTA. diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_role.py b/tests/testflows/rbac/tests/privileges/alter/alter_role.py index cf98d66a689..49e8baa191b 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_role.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_role.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=alter_role, flags=TE, + Suite(run=alter_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in alter_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=alter_role, flags=TE, + Suite(run=alter_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in alter_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("ALTER ROLE",), ]) @@ -58,14 +59,22 @@ def alter_role(self, privilege, grant_target_name, user_name, node=None): with Scenario("ALTER ROLE without privilege"): alter_role_name = f"alter_role_{getuid()}" + with role(node, alter_role_name): - with When("I check the user can't alter a role"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't alter a role"): node.query(f"ALTER ROLE {alter_role_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("ALTER ROLE with privilege"): alter_role_name = f"alter_role_{getuid()}" + with role(node, alter_role_name): with When(f"I grant {privilege}"): @@ -93,6 +102,7 @@ def alter_role(self, privilege, grant_target_name, user_name, node=None): with Scenario("ALTER ROLE with revoked privilege"): alter_role_name = f"alter_role_{getuid()}" + with role(node, alter_role_name): with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -108,6 +118,8 @@ def alter_role(self, privilege, grant_target_name, user_name, node=None): @Name("alter role") @Requirements( RQ_SRS_006_RBAC_Privileges_AlterRole("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ALTER ROLE. diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_row_policy.py b/tests/testflows/rbac/tests/privileges/alter/alter_row_policy.py index 6d13d30b823..a0d1e4271bc 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_row_policy.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_row_policy.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=alter_row_policy, flags=TE, + Suite(run=alter_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in alter_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=alter_row_policy, flags=TE, + Suite(run=alter_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in alter_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("ALTER ROW POLICY",), ("ALTER POLICY",), @@ -65,7 +66,13 @@ def alter_row_policy(self, privilege, grant_target_name, user_name, node=None): with Given("I have a row policy"): node.query(f"CREATE ROW POLICY {alter_row_policy_name} ON {table_name}") - with When("I check the user can't alter a row policy"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't alter a row policy"): node.query(f"ALTER ROW POLICY {alter_row_policy_name} ON {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -130,15 +137,986 @@ def alter_row_policy(self, privilege, grant_target_name, user_name, node=None): with Finally("I drop the row policy"): node.query(f"DROP ROW POLICY IF EXISTS {alter_row_policy_name} ON {table_name}") +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Restriction("1.0") +) +def no_grants(self, node=None): + """Check that user is unable to select from a table without a row policy + after a row policy has been altered to have a condition. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + with When("I alter the row policy to have a condition"): + node.query(f"ALTER POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Permissive("1.0"), +) +def permissive(self, node=None): + """Check that user is able to see from a table when they have a PERMISSIVE policy. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with When("I alter a row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Restrictive("1.0") +) +def restrictive(self, node=None): + """Check that user is able to see values they have a RESTRICTIVE policy for. + """ + + table_name = f"table_{getuid()}" + perm_pol_name = f"perm_pol_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("I have a second row policy"): + row_policy(name=perm_pol_name, table=table_name) + + with And("I alter a row policy to be permissive"): + node.query(f"ALTER ROW POLICY {perm_pol_name} ON {table_name} FOR SELECT USING y=1 OR y=2 TO default") + + with And("I alter a row policy to be restrictive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} AS RESTRICTIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_ForSelect("1.0"), +) +def for_select(self, node=None): + """Check that user is able to see values allowed by the row policy condition in the FOR SELECT clause. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Given("I alter therow policy to use FOR SELECT"): + node.query(f"Alter ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1 TO default") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Condition("1.0") +) +def condition(self, node=None): + """Check that user is able to see values allowed by the row policy condition. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I alter a row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Condition_None("1.0") +) +def remove_condition(self, node=None): + """Check that user is able to see the table after row policy condition has been removed. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy has a condition"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I alter a row policy to not have a condition"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING NONE") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists("1.0") +) +def if_exists(self, node=None): + """Check that a row policy altered using IF EXISTS restricts rows as expected. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I have alter a row policy to be permissive using IF EXISTS clause"): + node.query(f"ALTER ROW POLICY IF EXISTS {pol_name} ON {table_name} FOR SELECT USING 1 TO default") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Rename("1.0") +) +def rename(self, node=None): + """Check that a row policy altered using RENAME restricts rows as expected. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + pol_new_name = f"pol_new_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with And("The row policy is permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with When("I have alter a row policy by renaming it"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} RENAME TO {pol_new_name}") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_new_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster("1.0") +) +def on_cluster(self, node=None): + """Check that a row policy altered using ON CLUSTER applies to the nodes of the cluster correctly. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy on a cluster on that table"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("The table has some values on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("The table has some values on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with When("I alter the row policy to have a condition"): + node.query(f"ALTER ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name} FOR SELECT USING 1") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + with And("I select from another node on the cluster"): + output = node2.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE {table_name} ON CLUSTER sharded_cluster") + +@TestScenario +def diff_policies_on_diff_nodes(self, node=None): + """Check that a row policy altered on a node, does not effect row policy on a different node. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy on the cluster"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("The table has some values on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("The table has some values on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with When("I alter the row policy on the first node"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + with And("I select from another node on the cluster"): + output = node2.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE {table_name} ON CLUSTER sharded_cluster") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment("1.0"), +) +def assignment(self, node=None): + """Check that user is able to see rows from a table when they have PERMISSIVE policy assigned to them. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy is permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I alter a row policy to be assigned to default"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} TO default") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_None("1.0"), +) +def assignment_none(self, node=None): + """Check that no one is affected when a row policy is altered to be assigned to NONE. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy is permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I alter a row policy to be assigned to NONE"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} TO NONE") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_All("1.0"), +) +def assignment_all(self, node=None): + """Check that everyone is effected with a row policy is altered to be assigned to ALL. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy is permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I alter a row policy to be assigned to ALL"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} TO ALL") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept("1.0"), +) +def assignment_all_except(self, node=None): + """Check that everyone is except the specified user is effect by a row policy is altered to be assigned to ALL EXCEPT. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy is permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with When("I alter a row policy to be assigned to ALL EXCEPT default"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} TO ALL EXCEPT default") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def nested_view(self, node=None): + """Check that if a user has a row policy on a table and a view is altered to use a condition on that table, + the user is only able to access the rows specified by the assigned policies. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("There is a view on the table"): + node.query(f"CREATE VIEW {view_name} AS SELECT * FROM {table_name}") + + with When("I alter the row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def nested_live_view_before_policy(self, node=None): + """Check that if a live view exists on a table and then a row policy is created, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I add allow_experimental_live_view to the default query settings"): + default_query_settings = getsattr(current().context, "default_query_settings", []) + default_query_settings.append(("allow_experimental_live_view", 1)) + + with And("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("There exists a live view on the table"): + node.query(f"CREATE LIVE VIEW {view_name} AS SELECT * FROM {table_name}") + + with When("I alter the row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the live view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + + with And("I remove allow_experimental_live_view from the default query settings", flags=TE): + if default_query_settings: + try: + default_query_settings.pop(default_query_settings.index(("allow_experimental_live_view", 1))) + except ValueError: + pass + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def nested_live_view_after_policy(self, node=None): + """Check that if a user has a row policy on a table and a materialized view is created on that table, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I add allow_experimental_live_view to the default query settings"): + default_query_settings = getsattr(current().context, "default_query_settings", []) + default_query_settings.append(("allow_experimental_live_view", 1)) + + with And("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I alter the row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with And("I create a live view on the table"): + node.query(f"CREATE LIVE VIEW {view_name} AS SELECT * FROM {table_name}") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the live view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + + with And("I remove allow_experimental_live_view from the default query settings", flags=TE): + if default_query_settings: + try: + default_query_settings.pop(default_query_settings.index(("allow_experimental_live_view", 1))) + except ValueError: + pass + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def nested_mat_view_before_policy(self, node=None): + """Check that if a materialized view exists on a table and then a row policy is created, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("There exists a mat view on the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory AS SELECT * FROM {table_name}") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I alter the row policy"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def nested_mat_view_after_policy(self, node=None): + """Check that if a user has a row policy on a table and a materialized view is created on that table, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("I alter the row policy"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with When("I create a mat view on the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory AS SELECT * FROM {table_name}") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def populate_mat_view(self, node=None): + """Check that if a user has a row policy on a table and a materialized view is created using POPULATE from that table, + the user can only select the rows from the materialized view specified in the row policy. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("I alter a row policy on the table"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I create a mat view populated by the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory POPULATE AS SELECT * FROM {table_name}") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table(self, node=None): + """Check that if a user has a row policy on a table and a distributed table is created on that table, + the user is only able to access the rows specified by the assigned policies. + """ + + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I have a distributed table"): + node.query(f"CREATE TABLE {dist_table_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with And("The table has some values on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with When("I alter the row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} ON CLUSTER sharded_cluster FOR SELECT USING 1") + + with Then("I select from the distributed table"): + output = node.query(f"SELECT * FROM {dist_table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table_diff_policies_on_diff_nodes(self, node=None): + """Check that user is only able to select from the distributed table what is allowed by the row policies on each node. + """ + + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I have a distributed table"): + node.query(f"CREATE TABLE {dist_table_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with And("The table has some values on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("The table has some values on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (2)") + + with When("I alter the row policy to be permissive on the first node"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with Then("I select from the distributed table"): + output = node.query(f"SELECT * FROM {dist_table_name}").output + assert '1' not in output and '2' in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table_on_dist_table(self, node=None): + """Check that if a user has a row policy on a table and a distributed table is created on that table, + and another distributed table is created on top of that, + the user is only able to access rows on any of the tables specified by the assigned policies. + """ + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + dist_table_2_name = f"dist_table_2_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I have a distributed table on a cluster"): + node.query(f"CREATE TABLE {dist_table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with And("I have a distributed table on the other distributed table"): + node.query(f"CREATE TABLE {dist_table_2_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {dist_table_name}, rand())") + + with And("The table has some values on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with When("I alter the row policy to be permissive on the first node"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with Then("I select from the second distributed table"): + output = node.query(f"SELECT * FROM {dist_table_2_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name} ON CLUSTER sharded_cluster") + + with And("I drop the outer distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_2_name}") + +@TestScenario +def policy_before_table(self, node=None): + """Check that if the policy is created and altered before the table, + then it is still applied correctly. + """ + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("I alter the row policy"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with table(node, table_name): + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def dict(self, node=None): + """Check that if a user has a row policy on a table and a dictionary is created on that table, + the user is only able to access the rows specified by the assigned policies. + """ + + table_name = f"table_{getuid()}" + dict_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + try: + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("I have a table"): + node.query(f"CREATE TABLE {table_name} (key UInt64, val UInt64 DEFAULT 5) ENGINE = Memory") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (key) VALUES (1),(2)") + + with And("I create a dict on the table"): + node.query(f"CREATE DICTIONARY {dict_name} (key UInt64 DEFAULT 0, val UInt64 DEFAULT 5) PRIMARY KEY key SOURCE(CLICKHOUSE(HOST 'localhost' PORT tcpPort() USER 'default' TABLE {table_name} PASSWORD '' DB 'default')) LIFETIME(MIN 0 MAX 0) LAYOUT(FLAT())") + + with When("I alter the row policy to be permissive"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING key=1 TO default") + + with Then("I try to select from the dict"): + output = node.query(f"SELECT * FROM {dict_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the materialized view", flags=TE): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + @TestFeature @Name("alter row policy") @Requirements( RQ_SRS_006_RBAC_Privileges_AlterRowPolicy("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ALTER ROW POLICY. """ self.context.node = self.context.cluster.node(node) + self.context.node2 = self.context.cluster.node("clickhouse2") Suite(run=privileges_granted_directly, setup=instrument_clickhouse_server_log) Suite(run=privileges_granted_via_role, setup=instrument_clickhouse_server_log) + + Scenario(run=no_grants, setup=instrument_clickhouse_server_log) + Scenario(run=permissive, setup=instrument_clickhouse_server_log) + Scenario(run=restrictive, setup=instrument_clickhouse_server_log) + Scenario(run=for_select, setup=instrument_clickhouse_server_log) + Scenario(run=condition, setup=instrument_clickhouse_server_log) + Scenario(run=remove_condition, setup=instrument_clickhouse_server_log) + Scenario(run=if_exists, setup=instrument_clickhouse_server_log) + Scenario(run=rename, setup=instrument_clickhouse_server_log) + Scenario(run=on_cluster, setup=instrument_clickhouse_server_log) + Scenario(run=assignment, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_none, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_all, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_all_except, setup=instrument_clickhouse_server_log) + Scenario(run=nested_view, setup=instrument_clickhouse_server_log) + Scenario(run=nested_live_view_before_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_live_view_after_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_mat_view_before_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_mat_view_after_policy, setup=instrument_clickhouse_server_log) + Scenario(run=populate_mat_view, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table_on_dist_table, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table_diff_policies_on_diff_nodes, setup=instrument_clickhouse_server_log) + Scenario(run=diff_policies_on_diff_nodes, setup=instrument_clickhouse_server_log) + Scenario(run=policy_before_table, setup=instrument_clickhouse_server_log) + Scenario(run=dict, setup=instrument_clickhouse_server_log) diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_settings.py b/tests/testflows/rbac/tests/privileges/alter/alter_settings.py index 6ac482fa33d..c2c2110ddf0 100755 --- a/tests/testflows/rbac/tests/privileges/alter/alter_settings.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_settings.py @@ -1,7 +1,5 @@ import json -from multiprocessing.dummy import Pool - from testflows.core import * from testflows.asserts import error @@ -10,7 +8,7 @@ from rbac.helper.common import * import rbac.helper.errors as errors from rbac.helper.tables import table_types -aliases = {"ALTER SETTINGS", "ALTER SETTING", "ALTER MODIFY SETTING", "MODIFY SETTING"} +aliases = {"ALTER SETTINGS", "ALTER SETTING", "ALTER MODIFY SETTING", "MODIFY SETTING", "ALL"} def check_alter_settings_when_privilege_is_granted(table, user, node): """Ensures ADD SETTINGS runs as expected when the privilege is granted to the specified user @@ -21,7 +19,7 @@ def check_alter_settings_when_privilege_is_granted(table, user, node): with And(f"I modify settings"): node.query(f"ALTER TABLE {table} MODIFY SETTING merge_with_ttl_timeout=5", - settings = [("user", user)]) + settings=[("user", user)]) with Then("I verify that the setting is in the table"): output = json.loads(node.query(f"SHOW CREATE TABLE {table} FORMAT JSONEachRow").output) @@ -30,10 +28,16 @@ def check_alter_settings_when_privilege_is_granted(table, user, node): def check_alter_settings_when_privilege_is_not_granted(table, user, node): """Ensures CLEAR SETTINGS runs as expected when the privilege is granted to the specified user """ - with When("I try to use ALTER SETTING, has not been granted"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user}") + + with Then("I try to use ALTER SETTING, has not been granted"): exitcode, message = errors.not_enough_privileges(user) node.query(f"ALTER TABLE {table} MODIFY SETTING merge_with_ttl_timeout=5", - settings = [("user", user)], exitcode=exitcode, message=message) + settings=[("user", user)], exitcode=exitcode, message=message) @TestScenario def user_with_privileges(self, privilege, table_type, node=None): @@ -53,6 +57,7 @@ def user_with_privileges(self, privilege, table_type, node=None): with Then(f"I try to ALTER SETTINGS"): check_alter_settings_when_privilege_is_granted(table_name, user_name, node) + @TestScenario @Requirements( RQ_SRS_006_RBAC_Privileges_AlterSettings_Revoke("1.0"), @@ -180,7 +185,9 @@ def scenario_parallelization(self, table_type, privilege): @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterSettings("1.0"), - RQ_SRS_006_RBAC_Privileges_AlterSettings_TableEngines("1.0") + RQ_SRS_006_RBAC_Privileges_AlterSettings_TableEngines("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() @@ -208,7 +215,9 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): tasks = [] try: for alias in aliases: - run_scenario(pool, tasks, Suite(test=scenario_parallelization, name=alias, setup=instrument_clickhouse_server_log), {"table_type": table_type, "privilege": alias}) + run_scenario(pool, tasks, Suite(test=scenario_parallelization, name=alias, + setup=instrument_clickhouse_server_log), + {"table_type": table_type, "privilege": alias}) finally: join(tasks) finally: diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_settings_profile.py b/tests/testflows/rbac/tests/privileges/alter/alter_settings_profile.py index 9212b745544..cd4648305f7 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_settings_profile.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_settings_profile.py @@ -31,7 +31,7 @@ def alter_settings_profile_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=alter_settings_profile, flags=TE, + Suite(run=alter_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in alter_settings_profile.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -52,13 +52,14 @@ def alter_settings_profile_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=alter_settings_profile, flags=TE, + Suite(run=alter_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in alter_settings_profile.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("ALTER SETTINGS PROFILE",), ("ALTER PROFILE",), @@ -76,7 +77,13 @@ def alter_settings_profile(self, privilege, grant_target_name, user_name, node=N with settings_profile(node, alter_settings_profile_name): - with When("I check the user can't alter a settings_profile"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't alter a settings_profile"): node.query(f"ALTER SETTINGS PROFILE {alter_settings_profile_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -128,6 +135,8 @@ def alter_settings_profile(self, privilege, grant_target_name, user_name, node=N @Name("alter settings profile") @Requirements( RQ_SRS_006_RBAC_Privileges_AlterSettingsProfile("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ALTER SETTINGS PROFILE. diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_ttl.py b/tests/testflows/rbac/tests/privileges/alter/alter_ttl.py index 00240f19bb4..8fa7136076e 100755 --- a/tests/testflows/rbac/tests/privileges/alter/alter_ttl.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_ttl.py @@ -16,7 +16,7 @@ subprivileges = { aliases = { "TTL" : ["ALTER TTL", "ALTER MODIFY TTL", "MODIFY TTL"], - "MATERIALIZE TTL": ["ALTER MATERIALIZE TTL", "MATERIALIZE TTL"], + "MATERIALIZE TTL": ["ALTER MATERIALIZE TTL", "MATERIALIZE TTL", "ALL"], } permutation_count = (1 << len(subprivileges)) @@ -250,7 +250,9 @@ def user_with_privileges_on_cluster(self, table_type, node=None): @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterTTL("1.0"), - RQ_SRS_006_RBAC_Privileges_AlterTTL_TableEngines("1.0") + RQ_SRS_006_RBAC_Privileges_AlterTTL_TableEngines("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_update.py b/tests/testflows/rbac/tests/privileges/alter/alter_update.py index 3b3e3990497..d205740b901 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_update.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_update.py @@ -7,7 +7,7 @@ from rbac.requirements import * from rbac.helper.common import * import rbac.helper.errors as errors -aliases = {"ALTER UPDATE", "UPDATE"} +aliases = {"ALTER UPDATE", "UPDATE", "ALL"} @TestSuite def privilege_granted_directly_or_via_role(self, table_type, privilege, node=None): @@ -38,26 +38,41 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No with Scenario("user without privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): - with When("I attempt to update a column without privilege"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to update a column without privilege"): node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1", settings = [("user", user_name)], exitcode=exitcode, message=message) with Scenario("user with privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): + with When("I grant the update privilege"): node.query(f"GRANT {privilege} ON {table_name} TO {grant_target_name}") + with Then("I attempt to update a column"): node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1", settings = [("user", user_name)]) with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): table_name = f"merge_tree_{getuid()}" + with table(node, table_name, table_type): + with When("I grant the update privilege"): node.query(f"GRANT {privilege} ON {table_name} TO {grant_target_name}") + with And("I revoke the update privilege"): node.query(f"REVOKE {privilege} ON {table_name} FROM {grant_target_name}") + with Then("I attempt to update a column"): node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -65,7 +80,9 @@ def privilege_check(grant_target_name, user_name, table_type, privilege, node=No @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AlterUpdate("1.0"), - RQ_SRS_006_RBAC_Privileges_AlterUpdate_TableEngines("1.0") + RQ_SRS_006_RBAC_Privileges_AlterUpdate_TableEngines("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() diff --git a/tests/testflows/rbac/tests/privileges/alter/alter_user.py b/tests/testflows/rbac/tests/privileges/alter/alter_user.py index 2531f4a3451..bcf3014c9be 100644 --- a/tests/testflows/rbac/tests/privileges/alter/alter_user.py +++ b/tests/testflows/rbac/tests/privileges/alter/alter_user.py @@ -17,7 +17,7 @@ def alter_user_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=alter_user, flags=TE, + Suite(run=alter_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in alter_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def alter_user_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=alter_user, flags=TE, + Suite(run=alter_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in alter_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("ALTER USER",), ]) @@ -61,7 +62,13 @@ def alter_user(self, privilege, grant_target_name, user_name, node=None): alter_user_name = f"alter_user_{getuid()}" with user(node, alter_user_name): - with When("I check the user can't alter a user"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't alter a user"): node.query(f"ALTER USER {alter_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -108,6 +115,8 @@ def alter_user(self, privilege, grant_target_name, user_name, node=None): @Name("alter user") @Requirements( RQ_SRS_006_RBAC_Privileges_AlterUser("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ALTER USER. diff --git a/tests/testflows/rbac/tests/privileges/attach/attach_database.py b/tests/testflows/rbac/tests/privileges/attach/attach_database.py index 0f1a9a07975..3fecbe2571f 100644 --- a/tests/testflows/rbac/tests/privileges/attach/attach_database.py +++ b/tests/testflows/rbac/tests/privileges/attach/attach_database.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE DATABASE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,11 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): db_name = f"db_{getuid()}" try: - with When("I attempt to attach a database without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a database without privilege"): node.query(f"ATTACH DATABASE {db_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,14 +50,14 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): db_name = f"db_{getuid()}" try: with When("I grant create database privilege"): node.query(f"GRANT CREATE DATABASE ON {db_name}.* TO {grant_target_name}") - with Then("I attempt to attach aa database"): + with Then("I attempt to attach a database"): node.query(f"ATTACH DATABASE {db_name}", settings = [("user", user_name)], exitcode=80, message="DB::Exception: Received from localhost:9000. DB::Exception: Database engine must be specified for ATTACH DATABASE query") @@ -59,7 +65,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): db_name = f"db_{getuid()}" try: @@ -77,9 +83,44 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") + with Scenario("user with revoked ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with When("I grant the create database privilege"): + node.query(f"GRANT CREATE DATABASE ON {db_name}.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to attach a database"): + node.query(f"ATTACH DATABASE {db_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + + with Scenario("user with ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a database"): + node.query(f"ATTACH DATABASE {db_name}", settings = [("user", user_name)], + exitcode=80, message="DB::Exception: Received from localhost:9000. DB::Exception: Database engine must be specified for ATTACH DATABASE query") + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AttachDatabase("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("attach database") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -92,5 +133,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/attach/attach_dictionary.py b/tests/testflows/rbac/tests/privileges/attach/attach_dictionary.py index 62ff70ac75a..390a7f03aba 100644 --- a/tests/testflows/rbac/tests/privileges/attach/attach_dictionary.py +++ b/tests/testflows/rbac/tests/privileges/attach/attach_dictionary.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE DICTIONARY with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,11 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): dict_name = f"dict_{getuid()}" try: - with When("I attempt to attach a dictionary without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a dictionary without privilege"): node.query(f"ATTACH DICTIONARY {dict_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,7 +50,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): dict_name = f"dict_{getuid()}" try: @@ -59,7 +65,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): dict_name = f"dict_{getuid()}" try: @@ -77,9 +83,44 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + with Scenario("user with revoked ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with When("I grant the create database privilege"): + node.query(f"GRANT CREATE DATABASE ON {db_name}.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to attach a database"): + node.query(f"ATTACH DATABASE {db_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + + with Scenario("user with ALL privilege"): + dict_name = f"dict_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a dictionary"): + node.query(f"ATTACH DICTIONARY {dict_name}", settings = [("user", user_name)], + exitcode=231, message=f"DB::Exception: Dictionary `{dict_name}` doesn't exist.") + + finally: + with Finally("I drop the dictionary"): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AttachDictionary("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("attach dictionary") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -92,5 +133,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/attach/attach_table.py b/tests/testflows/rbac/tests/privileges/attach/attach_table.py index 55c9efd369c..411140506ea 100644 --- a/tests/testflows/rbac/tests/privileges/attach/attach_table.py +++ b/tests/testflows/rbac/tests/privileges/attach/attach_table.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE TABLE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,12 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): table_name = f"table_{getuid()}" try: + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") - with When("I attempt to attach a table without privilege"): + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a table without privilege"): node.query(f"ATTACH TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -45,7 +50,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): table_name = f"table_{getuid()}" try: @@ -60,7 +65,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): table_name = f"table_{getuid()}" try: @@ -78,9 +83,44 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") + with Scenario("user with revoked ALL privilege"): + table_name = f"table_{getuid()}" + + try: + with When("I grant the create table privilege"): + node.query(f"GRANT CREATE TABLE ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to attach a table"): + node.query(f"ATTACH TABLE {table_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + with Scenario("user with ALL privilege"): + table_name = f"table_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a table"): + node.query(f"ATTACH TABLE {table_name}", settings = [("user", user_name)], + exitcode=134, message=f"DB::Exception: Table `{table_name}` doesn't exist.") + + finally: + with Finally("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AttachTable("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("attach table") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -93,5 +133,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/attach/attach_temp_table.py b/tests/testflows/rbac/tests/privileges/attach/attach_temp_table.py index fad47e71967..2662a24d5a2 100644 --- a/tests/testflows/rbac/tests/privileges/attach/attach_temp_table.py +++ b/tests/testflows/rbac/tests/privileges/attach/attach_temp_table.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE TEMPORARY TABLE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,10 +32,16 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): temp_table_name = f"temp_table_{getuid()}" try: + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + with When("I attempt to attach a temporary table without privilege"): node.query(f"ATTACH TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,12 +50,13 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): temp_table_name = f"temp_table_{getuid()}" try: with When("I grant create temporary table privilege"): node.query(f"GRANT CREATE TEMPORARY TABLE ON *.* TO {grant_target_name}") + with Then("I attempt to attach a temporary table"): node.query(f"ATTACH TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)]) @@ -57,7 +64,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): temp_table_name = f"temp_table_{getuid()}" try: @@ -75,9 +82,43 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + with Scenario("user with revoked ALL privilege"): + temp_table_name = f"temp_table_{getuid()}" + + try: + with When("I grant the create temporary table privilege"): + node.query(f"GRANT CREATE TEMPORARY TABLE ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to attach a temporary table"): + node.query(f"ATTACH TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the temporary table"): + node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + + with Scenario("user with ALL privilege"): + temp_table_name = f"temp_table_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to attach a temporary table"): + node.query(f"ATTACH TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)]) + + finally: + with Finally("I drop the temporary table"): + node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_AttachTemporaryTable("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("attach temporary table") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -90,5 +131,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/create/create_database.py b/tests/testflows/rbac/tests/privileges/create/create_database.py index deefe4b4ce8..8367d49e050 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_database.py +++ b/tests/testflows/rbac/tests/privileges/create/create_database.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE DATABASE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,11 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): db_name = f"db_{getuid()}" try: - with When("I attempt to create a database without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to create a database without privilege"): node.query(f"CREATE DATABASE {db_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,7 +50,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): db_name = f"db_{getuid()}" try: @@ -58,7 +64,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): db_name = f"db_{getuid()}" try: @@ -76,9 +82,43 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") + with Scenario("user with revoked ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with When("I grant the create database privilege"): + node.query(f"GRANT CREATE DATABASE ON {db_name}.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to create a database"): + node.query(f"CREATE DATABASE {db_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + + with Scenario("user with ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to create a database"): + node.query(f"CREATE DATABASE {db_name}", settings = [("user", user_name)]) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_CreateDatabase("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("create database") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -91,5 +131,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/create/create_dictionary.py b/tests/testflows/rbac/tests/privileges/create/create_dictionary.py index 0dbc3e1f6bb..73734f5d556 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_dictionary.py +++ b/tests/testflows/rbac/tests/privileges/create/create_dictionary.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE DICTIONARY with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,11 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): dict_name = f"dict_{getuid()}" try: - with When("I attempt to create a dictionary without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to create a dictionary without privilege"): node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,7 +50,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): dict_name = f"dict_{getuid()}" try: @@ -58,7 +64,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): dict_name = f"dict_{getuid()}" try: @@ -76,9 +82,44 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + + with Scenario("user with revoked ALL privilege"): + dict_name = f"dict_{getuid()}" + + try: + with When("I grant the create dictionary privilege"): + node.query(f"GRANT CREATE DICTIONARY ON {dict_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to create a dictionary"): + node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the dictionary"): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + + with Scenario("user with ALL privilege"): + dict_name = f"dict_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to create a dictionary"): + node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)", settings = [("user", user_name)]) + + finally: + with Finally("I drop the dictionary"): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_CreateDictionary("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("create dictionary") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -91,5 +132,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/create/create_quota.py b/tests/testflows/rbac/tests/privileges/create/create_quota.py index e7f4f4d5f7c..d6e50ea904e 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_quota.py +++ b/tests/testflows/rbac/tests/privileges/create/create_quota.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=create_quota, flags=TE, + Suite(run=create_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in create_quota.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=create_quota, flags=TE, + Suite(run=create_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in create_quota.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("CREATE QUOTA",), ]) @@ -60,7 +61,13 @@ def create_quota(self, privilege, grant_target_name, user_name, node=None): create_quota_name = f"create_quota_{getuid()}" try: - with When("I check the user can't create a quota"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't create a quota"): node.query(f"CREATE QUOTA {create_quota_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -118,6 +125,8 @@ def create_quota(self, privilege, grant_target_name, user_name, node=None): @Name("create quota") @Requirements( RQ_SRS_006_RBAC_Privileges_CreateQuota("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of CREATE QUOTA. diff --git a/tests/testflows/rbac/tests/privileges/create/create_role.py b/tests/testflows/rbac/tests/privileges/create/create_role.py index 9d8af913893..c442036b625 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_role.py +++ b/tests/testflows/rbac/tests/privileges/create/create_role.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=create_role, flags=TE, + Suite(run=create_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in create_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=create_role, flags=TE, + Suite(run=create_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in create_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("CREATE ROLE",), ]) @@ -60,7 +61,13 @@ def create_role(self, privilege, grant_target_name, user_name, node=None): create_role_name = f"create_role_{getuid()}" try: - with When("I check the user can't create a role"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't create a role"): node.query(f"CREATE ROLE {create_role_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -118,6 +125,8 @@ def create_role(self, privilege, grant_target_name, user_name, node=None): @Name("create role") @Requirements( RQ_SRS_006_RBAC_Privileges_CreateRole("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of CREATE ROLE. diff --git a/tests/testflows/rbac/tests/privileges/create/create_row_policy.py b/tests/testflows/rbac/tests/privileges/create/create_row_policy.py index 040cc631cc3..8e670333492 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_row_policy.py +++ b/tests/testflows/rbac/tests/privileges/create/create_row_policy.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=create_row_policy, flags=TE, + Suite(run=create_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in create_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=create_row_policy, flags=TE, + Suite(run=create_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in create_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("CREATE ROW POLICY",), ("CREATE POLICY",), @@ -62,7 +63,13 @@ def create_row_policy(self, privilege, grant_target_name, user_name, node=None): table_name = f"table_name_{getuid()}" try: - with When("I check the user can't create a row policy"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't create a row policy"): node.query(f"CREATE ROW POLICY {create_row_policy_name} ON {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -119,15 +126,962 @@ def create_row_policy(self, privilege, grant_target_name, user_name, node=None): with Finally("I drop the row policy"): node.query(f"DROP ROW POLICY IF EXISTS {create_row_policy_name} ON {table_name}") +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Restriction("1.0") +) +def no_grants(self, node=None): + """Check that user is unable to select from a table without a row policy + after a row policy with a condition has been created on that table. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name}") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + with When("I create a row policy with a condition"): + node.query(f"CREATE ROW POLICY OR REPLACE {pol_name} ON {table_name} FOR SELECT USING 1") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Access_Permissive("1.0"), +) +def permissive(self, node=None): + """Check that user is able to see from a table when they have a PERMISSIVE policy. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Access_Restrictive("1.0") +) +def restrictive(self, node=None): + """Check that user is able to see values they have a RESTRICTIVE policy for. + """ + + table_name = f"table_{getuid()}" + perm_pol_name = f"perm_pol_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a permissive row policy"): + node.query(f"CREATE ROW POLICY {perm_pol_name} ON {table_name} FOR SELECT USING y=1 OR y=2 TO default") + + with And("I have a restrictive row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS RESTRICTIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the restrictive row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the permissive row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {perm_pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_ForSelect("1.0"), +) +def for_select(self, node=None): + """Check that user is able to see values allowed by the row policy condition in the FOR SELECT clause. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a restrictive row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Condition("1.0") +) +def condition(self, node=None): + """Check that user is able to see values allowed by the row policy condition. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a restrictive row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists("1.0") +) +def if_not_exists(self, node=None): + """Check that a row policy created using IF NOT EXISTS does not replace a row policy with the same name. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + with When("I create another row policy with the same name using IF NOT EXISTS"): + node.query(f"CREATE ROW POLICY IF NOT EXISTS {pol_name} ON {table_name}") + + with Then("I select from the table again"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Replace("1.0") +) +def or_replace(self, node=None): + """Check that a row policy created using OR REPLACE does replace the row policy with the same name. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + with When("I create another row policy with the same name using OR REPLACE"): + node.query(f"CREATE ROW POLICY OR REPLACE {pol_name} ON {table_name} AS RESTRICTIVE FOR SELECT USING 1 TO default") + + with Then("I can no longer select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert output == '', error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster("1.0") +) +def on_cluster(self, node=None): + """Check that a row policy created using ON CLUSTER applies to the nodes of the cluster correctly. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name} FOR SELECT USING 1") + + with When("I insert some values into the table on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("I insert some values into the table on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + with And("I select from another node on the cluster"): + output = node2.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE {table_name} ON CLUSTER sharded_cluster") + +@TestScenario +def diff_policies_on_diff_nodes(self, node=None): + """Check that a row policy created on a node, does not effect a different node. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy on one node"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with When("I insert some values into the table on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("I insert some values into the table on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + with And("I select from another node on the cluster"): + output = node2.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE {table_name} ON CLUSTER sharded_cluster") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment("1.0"), +) +def assignment(self, node=None): + """Check that user is able to see rows from a table when they have PERMISSIVE policy assigned to them. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_None("1.0"), +) +def assignment_none(self, node=None): + """Check that no one is affected when a row policy is assigned to NONE. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO NONE") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_All("1.0"), +) +def assignment_all(self, node=None): + """Check that everyone is effected with a row policy is assigned to ALL. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO ALL") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept("1.0"), +) +def assignment_all_except(self, node=None): + """Check that everyone is except the specified user is effect by a row policy assigned to ALL EXCEPT. + """ + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO ALL EXCEPT default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def nested_view(self, node=None): + """Check that if a user has a row policy on a table and a view is created on that table, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("I create a view on the table"): + node.query(f"CREATE VIEW {view_name} AS SELECT * FROM {table_name}") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def nested_live_view_after_policy(self, node=None): + """Check that if a user has a row policy on a table and a live view is created on that table, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I add allow_experimental_live_view to the default query settings"): + default_query_settings = getsattr(current().context, "default_query_settings", []) + default_query_settings.append(("allow_experimental_live_view", 1)) + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("I create a live view on the table"): + node.query(f"CREATE LIVE VIEW {view_name} AS SELECT * FROM {table_name}") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the live view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + + with And("I remove allow_experimental_live_view from the default query settings", flags=TE): + if default_query_settings: + try: + default_query_settings.pop(default_query_settings.index(("allow_experimental_live_view", 1))) + except ValueError: + pass + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def nested_live_view_before_policy(self, node=None): + """Check that if a live view exists on a table and then a row policy is created, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I add allow_experimental_live_view to the default query settings"): + default_query_settings = getsattr(current().context, "default_query_settings", []) + default_query_settings.append(("allow_experimental_live_view", 1)) + + with And("There is a live view on the table"): + node.query(f"CREATE LIVE VIEW {view_name} AS SELECT * FROM {table_name}") + + with And("There is a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("I insert values into the table"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the live view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + + with And("I remove allow_experimental_live_view from the default query settings", flags=TE): + if default_query_settings: + try: + default_query_settings.pop(default_query_settings.index(("allow_experimental_live_view", 1))) + except ValueError: + pass + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def nested_mat_view_after_policy(self, node=None): + """Check that if a user has a row policy on a table and a materialized view is created on that table, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with When("I create a view on the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory AS SELECT * FROM {table_name}") + + with And("I insert some values on the table"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def nested_mat_view_before_policy(self, node=None): + """Check that if a materialized view exists on a table and then a row policy is created, + the user is only able to select rows specified by the assigned policies from the view. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a view on the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory AS SELECT * FROM {table_name}") + + with And("I have some values on the table"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I create a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +def populate_mat_view(self, node=None): + """Check that if a user has a row policy on a table and a materialized view is created using POPULATE from that table, + the user can only select the rows from the materialized view specified in the row policy. + """ + + table_name = f"table_{getuid()}" + view_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name): + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with When("I create a mat view with POPULATE from the table"): + node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory POPULATE AS SELECT * FROM {table_name}") + + with Then("I try to select from the view"): + output = node.query(f"SELECT * FROM {view_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the materialized view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table(self, node=None): + """Check that if a user has a row policy on a table and a distributed table is created on that table, + the user is only able to select rows specified by the assigned policies from the distributed table. + """ + + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name} FOR SELECT USING 1") + + with And("I have a distributed table"): + node.query(f"CREATE TABLE {dist_table_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with When("I insert some values into the table on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {dist_table_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table_diff_policies_on_diff_nodes(self, node=None): + """Check that the user can only access the rows of the distributed table that are allowed + by row policies on the the source tables. The row policies are different on different nodes. + """ + + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("I have a distributed table"): + node.query(f"CREATE TABLE {dist_table_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with When("I insert some values into the table on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("I insert some values into the table on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (2)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {dist_table_name}").output + assert '2' in output and '1' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0") +) +def dist_table_on_dist_table(self, node=None): + """Check that if a user has a row policy on a table and a distributed table is created on that table, + and another distributed table is created on top of that, + the user is only able to access rows on any of the tables specified by the assigned policies. + """ + table_name = f"table_{getuid()}" + dist_table_name = f"dist_table_{getuid()}" + dist_table_2_name = f"dist_table_2_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + node2 = self.context.node2 + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name} FOR SELECT USING 1") + + with And("I have a distributed table on a cluster"): + node.query(f"CREATE TABLE {dist_table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Distributed(sharded_cluster, default, {table_name}, rand())") + + with And("I have a distributed table on the other distributed table"): + node.query(f"CREATE TABLE {dist_table_2_name} (x UInt64) ENGINE = Distributed(sharded_cluster, default, {dist_table_name}, rand())") + + with When("I insert some values into the table on the first node"): + node.query(f"INSERT INTO {dist_table_2_name} (x) VALUES (1)") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {dist_table_2_name}").output + assert '' == output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + + with And("I drop the distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_name} ON CLUSTER sharded_cluster") + + with And("I drop the outer distributed table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {dist_table_2_name}") + +@TestScenario +def no_table(self, node=None): + """Check that row policy is not created when the table is not specified. + """ + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + with When("I try to create a row policy without a table"): + node.query(f"CREATE ROW POLICY {pol_name}", + exitcode=62, message='Exception: Syntax error') + + with And("I try to create a row policy on a database"): + node.query(f"CREATE ROW POLICY {pol_name} ON default.*", + exitcode=62, message='Exception: Syntax error') + +@TestScenario +def policy_before_table(self, node=None): + """Check that if the policy is created before the table, + then it is still applied correctly. + """ + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING y=1 TO default") + + with table(node, table_name): + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1), (2)") + + with Then("I try to select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy"): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Nesting("1.0"), +) +def dict(self, node=None): + """Check that if a user has a row policy on a table and a dictionary is created on that table, + the user is only able to select rows specified by the assigned policies from the dict. + """ + + table_name = f"table_{getuid()}" + dict_name = f"view_{getuid()}" + pol_name = f"pol_{getuid()}" + + if node is None: + node = self.context.node + + try: + with Given("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON {table_name} AS PERMISSIVE FOR SELECT USING key=1 TO default") + + with And("I have a table"): + node.query(f"CREATE TABLE {table_name} (key UInt64, val UInt64 DEFAULT 5) ENGINE = Memory") + + with When("The table has some values"): + node.query(f"INSERT INTO {table_name} (key) VALUES (1),(2)") + + with And("I create a dict on the table"): + node.query(f"CREATE DICTIONARY {dict_name} (key UInt64 DEFAULT 0, val UInt64 DEFAULT 5) PRIMARY KEY key SOURCE(CLICKHOUSE(HOST 'localhost' PORT tcpPort() USER 'default' TABLE {table_name} PASSWORD '' DB 'default')) LIFETIME(MIN 0 MAX 0) LAYOUT(FLAT())") + + with Then("I try to select from the dict"): + output = node.query(f"SELECT * FROM {dict_name}").output + assert '1' in output and '2' not in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON {table_name}") + + with And("I drop the materialized view", flags=TE): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestFeature @Name("create row policy") @Requirements( RQ_SRS_006_RBAC_Privileges_CreateRowPolicy("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of CREATE ROW POLICY. """ self.context.node = self.context.cluster.node(node) + self.context.node2 = self.context.cluster.node("clickhouse2") Suite(run=privileges_granted_directly, setup=instrument_clickhouse_server_log) Suite(run=privileges_granted_via_role, setup=instrument_clickhouse_server_log) + + Scenario(run=no_grants, setup=instrument_clickhouse_server_log) + Scenario(run=permissive, setup=instrument_clickhouse_server_log) + Scenario(run=restrictive, setup=instrument_clickhouse_server_log) + Scenario(run=for_select, setup=instrument_clickhouse_server_log) + Scenario(run=condition, setup=instrument_clickhouse_server_log) + Scenario(run=if_not_exists, setup=instrument_clickhouse_server_log) + Scenario(run=or_replace, setup=instrument_clickhouse_server_log) + Scenario(run=on_cluster, setup=instrument_clickhouse_server_log) + Scenario(run=assignment, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_none, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_all, setup=instrument_clickhouse_server_log) + Scenario(run=assignment_all_except, setup=instrument_clickhouse_server_log) + Scenario(run=nested_view, setup=instrument_clickhouse_server_log) + Scenario(run=nested_live_view_before_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_live_view_after_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_mat_view_before_policy, setup=instrument_clickhouse_server_log) + Scenario(run=nested_mat_view_after_policy, setup=instrument_clickhouse_server_log) + Scenario(run=populate_mat_view, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table_on_dist_table, setup=instrument_clickhouse_server_log) + Scenario(run=dist_table_diff_policies_on_diff_nodes, setup=instrument_clickhouse_server_log) + Scenario(run=diff_policies_on_diff_nodes, setup=instrument_clickhouse_server_log) + Scenario(run=no_table, setup=instrument_clickhouse_server_log) + Scenario(run=policy_before_table, setup=instrument_clickhouse_server_log) + Scenario(run=dict, setup=instrument_clickhouse_server_log) diff --git a/tests/testflows/rbac/tests/privileges/create/create_settings_profile.py b/tests/testflows/rbac/tests/privileges/create/create_settings_profile.py index 8b206564647..938de560391 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_settings_profile.py +++ b/tests/testflows/rbac/tests/privileges/create/create_settings_profile.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=create_settings_profile, flags=TE, + Suite(run=create_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in create_settings_profile.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=create_settings_profile, flags=TE, + Suite(run=create_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in create_settings_profile.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("CREATE SETTINGS PROFILE",), ("CREATE PROFILE",), @@ -61,7 +62,13 @@ def create_settings_profile(self, privilege, grant_target_name, user_name, node= create_settings_profile_name = f"create_settings_profile_{getuid()}" try: - with When("I check the user can't create a settings_profile"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't create a settings_profile"): node.query(f"CREATE SETTINGS PROFILE {create_settings_profile_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -119,6 +126,8 @@ def create_settings_profile(self, privilege, grant_target_name, user_name, node= @Name("create settings profile") @Requirements( RQ_SRS_006_RBAC_Privileges_CreateSettingsProfile("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of CREATE SETTINGS PROFILE. diff --git a/tests/testflows/rbac/tests/privileges/create/create_table.py b/tests/testflows/rbac/tests/privileges/create/create_table.py index 919e683f0f1..88d055f2915 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_table.py +++ b/tests/testflows/rbac/tests/privileges/create/create_table.py @@ -6,6 +6,9 @@ from rbac.helper.common import * import rbac.helper.errors as errors @TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_None("1.0") +) def create_without_create_table_privilege(self, node=None): """Check that user is unable to create a table without CREATE TABLE privilege. """ @@ -21,7 +24,13 @@ def create_without_create_table_privilege(self, node=None): with Given("I don't have a table"): node.query(f"DROP TABLE IF EXISTS {table_name}") - with When("I try to create a table without CREATE TABLE privilege as the user"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I try to create a table without CREATE TABLE privilege as the user"): node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE = Memory", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) @@ -74,6 +83,54 @@ def create_with_create_table_privilege(self, grant_target_name, user_name, node= with Then("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_All("1.0") +) +def create_with_all_privilege_granted_directly_or_via_role(self, node=None): + """Check that user is able to create a table with ALL privilege, either granted directly or through a role. + """ + user_name = f"user_{getuid()}" + role_name = f"role_{getuid()}" + + if node is None: + node = self.context.node + + with user(node, f"{user_name}"): + + Scenario(test=create_with_all_privilege, + name="create with ALL privilege granted directly")(grant_target_name=user_name, user_name=user_name) + + with user(node, f"{user_name}"), role(node, f"{role_name}"): + + with When("I grant the role to the user"): + node.query(f"GRANT {role_name} TO {user_name}") + + Scenario(test=create_with_all_privilege, + name="create with ALL privilege granted through a role")(grant_target_name=role_name, user_name=user_name) + +@TestOutline +def create_with_all_privilege(self, grant_target_name, user_name, node=None): + """Check that user is able to create a table with the granted privileges. + """ + table_name = f"table_{getuid()}" + + if node is None: + node = self.context.node + try: + with Given("I don't have a table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I try to create a table without privilege as the user"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE = Memory", settings = [("user", f"{user_name}")]) + + finally: + with Then("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestScenario def create_with_revoked_create_table_privilege_revoked_directly_or_from_role(self, node=None): """Check that user is unable to create table after the CREATE TABLE privilege is revoked, either directly or from a role. @@ -125,6 +182,57 @@ def create_with_revoked_create_table_privilege(self, grant_target_name, user_nam with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") +@TestScenario +def create_with_all_privileges_revoked_directly_or_from_role(self, node=None): + """Check that user is unable to create table after ALL privileges are revoked, either directly or from a role. + """ + user_name = f"user_{getuid()}" + role_name = f"role_{getuid()}" + + if node is None: + node = self.context.node + + with user(node, f"{user_name}"): + + Scenario(test=create_with_revoked_all_privilege, + name="create with all privilege revoked directly")(grant_target_name=user_name, user_name=user_name) + + with user(node, f"{user_name}"), role(node, f"{role_name}"): + + with When("I grant the role to the user"): + node.query(f"GRANT {role_name} TO {user_name}") + + Scenario(test=create_with_revoked_all_privilege, + name="create with all privilege revoked from a role")(grant_target_name=role_name, user_name=user_name) + +@TestOutline +def create_with_revoked_all_privilege(self, grant_target_name, user_name, node=None): + """Revoke ALL privilege and check the user is unable to create a table. + """ + table_name = f"table_{getuid()}" + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") + + if node is None: + node = self.context.node + + try: + with Given("I don't have a table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + with When("I grant CREATE TABLE privilege"): + node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I try to create a table on the table as the user"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE = Memory", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestScenario def create_without_source_table_privilege(self, node=None): """Check that user is unable to create a table without select diff --git a/tests/testflows/rbac/tests/privileges/create/create_temp_table.py b/tests/testflows/rbac/tests/privileges/create/create_temp_table.py index 5dbbcc04732..ac38e0269cf 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_temp_table.py +++ b/tests/testflows/rbac/tests/privileges/create/create_temp_table.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute CREATE TEMPORARY TABLE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,11 +32,17 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): temp_table_name = f"temp_table_{getuid()}" try: - with When("I attempt to create a temporary table without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to create a temporary table without privilege"): node.query(f"CREATE TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -44,7 +50,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): temp_table_name = f"temp_table_{getuid()}" try: @@ -58,7 +64,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): temp_table_name = f"temp_table_{getuid()}" try: @@ -76,9 +82,43 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the temporary table"): node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + with Scenario("user with revoked ALL privilege"): + temp_table_name = f"temp_table_{getuid()}" + + try: + with When("I grant the create temporary table privilege"): + node.query(f"GRANT CREATE TEMPORARY TABLE ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to create a temporary table"): + node.query(f"CREATE TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the temporary table"): + node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + + with Scenario("user with ALL privilege"): + temp_table_name = f"temp_table_{getuid()}" + + try: + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to create aa temporary table"): + node.query(f"CREATE TEMPORARY TABLE {temp_table_name} (x Int8)", settings = [("user", user_name)]) + + finally: + with Finally("I drop the temporary table"): + node.query(f"DROP TEMPORARY TABLE IF EXISTS {temp_table_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_CreateTemporaryTable("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("create temporary table") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -91,5 +131,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/create/create_user.py b/tests/testflows/rbac/tests/privileges/create/create_user.py index 02fe238b618..b055deecea2 100644 --- a/tests/testflows/rbac/tests/privileges/create/create_user.py +++ b/tests/testflows/rbac/tests/privileges/create/create_user.py @@ -17,7 +17,7 @@ def create_user_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=create_user, flags=TE, + Suite(run=create_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in create_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def create_user_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=create_user, flags=TE, + Suite(run=create_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in create_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("CREATE USER",), ]) @@ -60,7 +61,13 @@ def create_user(self, privilege, grant_target_name, user_name, node=None): create_user_name = f"create_user_{getuid()}" try: - with When("I check the user can't create a user"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't create a user"): node.query(f"CREATE USER {create_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -127,7 +134,7 @@ def default_role_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(test=default_role, flags=TE)(grant_target_name=user_name, user_name=user_name) + Suite(test=default_role)(grant_target_name=user_name, user_name=user_name) @TestSuite def default_role_granted_via_role(self, node=None): @@ -145,7 +152,7 @@ def default_role_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=default_role, flags=TE)(grant_target_name=role_name, user_name=user_name) + Suite(test=default_role)(grant_target_name=role_name, user_name=user_name) @TestSuite @Requirements( @@ -215,7 +222,7 @@ def default_role(self, grant_target_name, user_name, node=None): settings = [("user", f"{user_name}")]) finally: - with Finally("I drop the user", flags=TE): + with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {create_user_name} ON CLUSTER sharded_cluster") with And("I drop the role from the cluster"): @@ -264,6 +271,8 @@ def default_role(self, grant_target_name, user_name, node=None): @Name("create user") @Requirements( RQ_SRS_006_RBAC_Privileges_CreateUser("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of CREATE USER. diff --git a/tests/testflows/rbac/tests/privileges/detach/detach_database.py b/tests/testflows/rbac/tests/privileges/detach/detach_database.py index 8f4576c3399..12eeb39aa1b 100644 --- a/tests/testflows/rbac/tests/privileges/detach/detach_database.py +++ b/tests/testflows/rbac/tests/privileges/detach/detach_database.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DETACH DATABASE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -39,7 +39,13 @@ def privilege_check(grant_target_name, user_name, node=None): with Given("I have a database"): node.query(f"CREATE DATABASE {db_name}") - with When("I attempt to detach the database"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to detach the database"): node.query(f"DETACH DATABASE {db_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) finally: @@ -48,7 +54,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the database", flags=TE): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): db_name = f"db_{getuid()}" try: @@ -67,7 +73,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the database", flags=TE): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): db_name = f"db_{getuid()}" try: @@ -90,9 +96,53 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the database", flags=TE): node.query(f"DROP DATABASE IF EXISTS {db_name}") + with Scenario("user with revoked ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with Given("I have a database"): + node.query(f"CREATE DATABASE {db_name}") + + with When("I grant the drop database privilege"): + node.query(f"GRANT DROP DATABASE ON {db_name}.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to detach a database"): + node.query(f"DETACH DATABASE {db_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I reattach the database", flags=TE): + node.query(f"ATTACH DATABASE IF NOT EXISTS {db_name}") + with And("I drop the database", flags=TE): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + + with Scenario("user with ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with Given("I have a database"): + node.query(f"CREATE DATABASE {db_name}") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to detach a database"): + node.query(f"DETACH DATABASE {db_name}", settings = [("user", user_name)]) + + finally: + with Finally("I reattach the database", flags=TE): + node.query(f"ATTACH DATABASE IF NOT EXISTS {db_name}") + with And("I drop the database", flags=TE): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DetachDatabase("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("detach database") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -105,5 +155,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/detach/detach_dictionary.py b/tests/testflows/rbac/tests/privileges/detach/detach_dictionary.py index 5ae992e3623..17b37ce6dc0 100644 --- a/tests/testflows/rbac/tests/privileges/detach/detach_dictionary.py +++ b/tests/testflows/rbac/tests/privileges/detach/detach_dictionary.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DETACH DICTIONARY with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,14 +32,20 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): dict_name = f"dict_{getuid()}" try: with Given("I have a dictionary"): node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") - with When("I attempt to detach a dictionary without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to detach a dictionary without privilege"): node.query(f"DETACH DICTIONARY {dict_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) finally: @@ -48,7 +54,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the dictionary", flags=TE): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): dict_name = f"dict_{getuid()}" try: @@ -67,7 +73,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the dictionary", flags=TE): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): dict_name = f"dict_{getuid()}" try: @@ -89,9 +95,52 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the dictionary", flags=TE): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + with Scenario("user with revoked ALL privilege"): + dict_name = f"dict_{getuid()}" + + try: + with Given("I have a dictionary"): + node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") + + with When("I grant the drop dictionary privilege"): + node.query(f"GRANT DROP DICTIONARY ON {dict_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to detach a dictionary"): + node.query(f"DETACH DICTIONARY {dict_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) + + finally: + with Finally("I reattach the dictionary", flags=TE): + node.query(f"ATTACH DICTIONARY IF NOT EXISTS {dict_name}") + with And("I drop the dictionary", flags=TE): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + + with Scenario("user with ALL privilege"): + dict_name = f"dict_{getuid()}" + + try: + with Given("I have a dictionary"): + node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to detach a dictionary"): + node.query(f"DETACH DICTIONARY {dict_name}", settings = [("user", user_name)]) + + finally: + with Finally("I reattach the dictionary", flags=TE): + node.query(f"ATTACH DICTIONARY IF NOT EXISTS {dict_name}") + with And("I drop the dictionary", flags=TE): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DetachDictionary("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("detach dictionary") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -104,5 +153,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/detach/detach_table.py b/tests/testflows/rbac/tests/privileges/detach/detach_table.py index 38a4a5dfde1..b5a01b361fc 100644 --- a/tests/testflows/rbac/tests/privileges/detach/detach_table.py +++ b/tests/testflows/rbac/tests/privileges/detach/detach_table.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DETACH TABLE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,13 +32,19 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): table_name = f"table_{getuid()}" try: with Given("I have a table"): node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + with When("I attempt to detach a table without privilege"): node.query(f"DETACH TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -49,7 +55,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the table", flags=TE): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): table_name = f"table_{getuid()}" try: @@ -68,7 +74,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the table", flags=TE): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): table_name = f"table_{getuid()}" try: @@ -91,9 +97,53 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the table", flags=TE): node.query(f"DROP TABLE IF EXISTS {table_name}") + with Scenario("user with revoked ALL privilege"): + table_name = f"table_{getuid()}" + + try: + with Given("I have a table"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") + + with When("I grant the drop table privilege"): + node.query(f"GRANT DROP TABLE ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to detach a table"): + node.query(f"DETACH TABLE {table_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I reattach the table", flags=TE): + node.query(f"ATTACH TABLE IF NOT EXISTS {table_name}") + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + with Scenario("user with ALL privilege"): + table_name = f"table_{getuid()}" + + try: + with Given("I have a table"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to detach a table"): + node.query(f"DETACH TABLE {table_name}", settings = [("user", user_name)]) + + finally: + with Finally("I reattach the table", flags=TE): + node.query(f"ATTACH TABLE IF NOT EXISTS {table_name}") + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DetachTable("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("detach table") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -106,5 +156,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/detach/detach_view.py b/tests/testflows/rbac/tests/privileges/detach/detach_view.py index e6e8adad065..c3c9f70a35a 100644 --- a/tests/testflows/rbac/tests/privileges/detach/detach_view.py +++ b/tests/testflows/rbac/tests/privileges/detach/detach_view.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DETACH VIEW with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,13 +32,19 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): view_name = f"view_{getuid()}" try: with Given("I have a view"): node.query(f"CREATE VIEW {view_name} AS SELECT 1") + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + with When("I attempt to drop a view without privilege"): node.query(f"DETACH VIEW {view_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -49,7 +55,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the view", flags=TE): node.query(f"DROP VIEW IF EXISTS {view_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): view_name = f"view_{getuid()}" try: @@ -68,7 +74,7 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the table", flags=TE): node.query(f"DROP VIEW IF EXISTS {view_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): view_name = f"view_{getuid()}" try: @@ -91,9 +97,53 @@ def privilege_check(grant_target_name, user_name, node=None): with And("I drop the view", flags=TE): node.query(f"DROP VIEW IF EXISTS {view_name}") + with Scenario("user with revoked ALL privilege"): + view_name = f"view_{getuid()}" + + try: + with Given("I have a view"): + node.query(f"CREATE VIEW {view_name} AS SELECT 1") + + with When("I grant the drop view privilege"): + node.query(f"GRANT DROP VIEW ON {view_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to drop a view"): + node.query(f"DETACH VIEW {view_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I reattach the view as a table", flags=TE): + node.query(f"ATTACH VIEW IF NOT EXISTS {view_name} AS SELECT 1") + with And("I drop the view", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + + with Scenario("user with ALL privilege"): + view_name = f"view_{getuid()}" + + try: + with Given("I have a view"): + node.query(f"CREATE VIEW {view_name} AS SELECT 1") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to drop a view"): + node.query(f"DETACH VIEW {view_name}", settings = [("user", user_name)]) + + finally: + with Finally("I reattach the view as a table", flags=TE): + node.query(f"ATTACH VIEW IF NOT EXISTS {view_name} AS SELECT 1") + with And("I drop the table", flags=TE): + node.query(f"DROP VIEW IF EXISTS {view_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DetachView("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("detach view") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -106,5 +156,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/dictGet.py b/tests/testflows/rbac/tests/privileges/dictGet.py index 532fa798eb2..21de4a36b77 100644 --- a/tests/testflows/rbac/tests/privileges/dictGet.py +++ b/tests/testflows/rbac/tests/privileges/dictGet.py @@ -39,8 +39,8 @@ def dictGet_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dictGet_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGet_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictGet_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -60,60 +60,67 @@ def dictGet_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictGet_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGet_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictGet_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictGet_RequiredPrivilege("1.0") ) -def dictGet_check(self, privilege, grant_target_name, user_name, node=None): +def dictGet_check(self, privilege, on, grant_target_name, user_name, node=None): """Check that user is able to execute `dictGet` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name): - with When("I attempt to dictGet without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictGet without privilege"): node.query(f"SELECT dictGet ({dict_name},'y',toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name): with When(f"I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictGet with privilege"): node.query(f"SELECT dictGet ({dict_name},'y',toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictGet without privilege"): node.query(f"SELECT dictGet ({dict_name},'y',toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -130,8 +137,8 @@ def dictGetOrDefault_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dictGetOrDefault_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGetOrDefault_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictGetOrDefault_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -151,60 +158,67 @@ def dictGetOrDefault_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictGetOrDefault_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGetOrDefault_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictGetOrDefault_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictGet_OrDefault_RequiredPrivilege("1.0") ) -def dictGetOrDefault_check(self, privilege, grant_target_name, user_name, node=None): +def dictGetOrDefault_check(self, privilege, on, grant_target_name, user_name, node=None): """Check that user is able to execute `dictGetOrDefault` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name): - with When("I attempt to dictGetOrDefault without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictGetOrDefault without privilege"): node.query(f"SELECT dictGetOrDefault ({dict_name},'y',toUInt64(1),toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name): with When(f"I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictGetOrDefault with privilege"): node.query(f"SELECT dictGetOrDefault ({dict_name},'y',toUInt64(1),toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictGetOrDefault without privilege"): node.query(f"SELECT dictGetOrDefault ({dict_name},'y',toUInt64(1),toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -221,8 +235,8 @@ def dictHas_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dictHas_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictHas_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictHas_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -242,60 +256,67 @@ def dictHas_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictHas_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictHas_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictHas_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictHas_RequiredPrivilege("1.0") ) -def dictHas_check(self, privilege, grant_target_name, user_name, node=None): +def dictHas_check(self, privilege, on, grant_target_name, user_name, node=None): """Check that user is able to execute `dictHas` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name): - with When("I attempt to dictHas without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictHas without privilege"): node.query(f"SELECT dictHas({dict_name},toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictHas with privilege"): node.query(f"SELECT dictHas({dict_name},toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictHas without privilege"): node.query(f"SELECT dictHas({dict_name},toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -311,8 +332,8 @@ def dictGetHierarchy_granted_directly(self, node=None): node = self.context.node with user(node, f"{user_name}"): - Suite(run=dictGetHierarchy_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGetHierarchy_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictGetHierarchy_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -332,60 +353,67 @@ def dictGetHierarchy_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictGetHierarchy_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictGetHierarchy_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictGetHierarchy_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictGetHierarchy_RequiredPrivilege("1.0") ) -def dictGetHierarchy_check(self, privilege, grant_target_name, user_name, node=None): +def dictGetHierarchy_check(self, privilege, on, grant_target_name, user_name, node=None): """Check that user is able to execute `dictGetHierarchy` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name): - with When("I attempt to dictGetHierarchy without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictGetHierarchy without privilege"): node.query(f"SELECT dictGetHierarchy({dict_name},toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictGetHierarchy with privilege"): node.query(f"SELECT dictGetHierarchy({dict_name},toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictGetHierarchy without privilege"): node.query(f"SELECT dictGetHierarchy({dict_name},toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -401,8 +429,8 @@ def dictIsIn_granted_directly(self, node=None): node = self.context.node with user(node, f"{user_name}"): - Suite(run=dictIsIn_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictIsIn_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictIsIn_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -422,60 +450,67 @@ def dictIsIn_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictIsIn_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name", [ + Suite(run=dictIsIn_check, + examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictIsIn_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictIsIn_RequiredPrivilege("1.0") ) -def dictIsIn_check(self, privilege, grant_target_name, user_name, node=None): +def dictIsIn_check(self, privilege, on, grant_target_name, user_name, node=None): """Check that user is able to execute `dictIsIn` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name): - with When("I attempt to dictIsIn without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictIsIn without privilege"): node.query(f"SELECT dictIsIn({dict_name},toUInt64(1),toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictIsIn with privilege"): node.query(f"SELECT dictIsIn({dict_name},toUInt64(1),toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictIsIn without privilege"): node.query(f"SELECT dictIsIn({dict_name},toUInt64(1),toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -507,8 +542,8 @@ def dictGetType_granted_directly(self, type, node=None): node = self.context.node with user(node, f"{user_name}"): - Suite(run=dictGetType_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name type", [ + Suite(run=dictGetType_check, + examples=Examples("privilege on grant_target_name user_name type", [ tuple(list(row)+[user_name,user_name,type]) for row in dictGetType_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -544,67 +579,76 @@ def dictGetType_granted_via_role(self, type, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictGetType_check, setup=instrument_clickhouse_server_log, - examples=Examples("privilege grant_target_name user_name type", [ + Suite(run=dictGetType_check, + examples=Examples("privilege on grant_target_name user_name type", [ tuple(list(row)+[role_name,user_name,type]) for row in dictGetType_check.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) -@Examples("privilege",[ - ("dictGet",), - ("dictHas",), - ("dictGetHierarchy",), - ("dictIsIn",), +@Examples("privilege on",[ + ("ALL", "*.*"), + ("dictGet", "dict"), + ("dictHas", "dict"), + ("dictGetHierarchy", "dict"), + ("dictIsIn", "dict"), ]) @Requirements( RQ_SRS_006_RBAC_dictGet_Type_RequiredPrivilege("1.0") ) -def dictGetType_check(self, privilege, grant_target_name, user_name, type, node=None): +def dictGetType_check(self, privilege, on, grant_target_name, user_name, type, node=None): """Check that user is able to execute `dictGet` if and only if they have the necessary privileges. """ if node is None: node = self.context.node + dict_name = f"dict_{getuid()}" + table_name = f"table_{getuid()}" + + on = on.replace("dict", f"{dict_name}") + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user without privilege"): with dict_setup(node, table_name, dict_name, type): - with When("I attempt to dictGet without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to dictGet without privilege"): node.query(f"SELECT dictGet{type}({dict_name},'z',toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" - table_name = f"table_{getuid()}" + with Scenario("user with privilege"): with dict_setup(node, table_name, dict_name, type): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with Then("I attempt to dictGet with privilege"): node.query(f"SELECT dictGet{type}({dict_name},'z',toUInt64(1))", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): - dict_name = f"dict_{getuid()}" + with Scenario("user with revoked privilege"): with dict_setup(node, table_name, dict_name, type): with When("I grant privilege"): - node.query(f"GRANT {privilege} ON {dict_name} TO {grant_target_name}") + node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") with And("I revoke privilege"): - node.query(f"REVOKE {privilege} ON {dict_name} FROM {grant_target_name}") + node.query(f"REVOKE {privilege} ON {on} FROM {grant_target_name}") with When("I attempt to dictGet without privilege"): node.query(f"SELECT dictGet{type}({dict_name},'z',toUInt64(1))", settings = [("user", user_name)], exitcode=exitcode, message=message) @TestFeature @Requirements( - RQ_SRS_006_RBAC_dictGet_Privilege("1.0") + RQ_SRS_006_RBAC_dictGet_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("dictGet") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -622,23 +666,23 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): tasks = [] try: - run_scenario(pool, tasks, Suite(test=dictGet_granted_directly)) - run_scenario(pool, tasks, Suite(test=dictGet_granted_via_role)) - run_scenario(pool, tasks, Suite(test=dictGetOrDefault_granted_directly)) - run_scenario(pool, tasks, Suite(test=dictGetOrDefault_granted_via_role)) - run_scenario(pool, tasks, Suite(test=dictHas_granted_directly)) - run_scenario(pool, tasks, Suite(test=dictHas_granted_via_role)) - run_scenario(pool, tasks, Suite(test=dictGetHierarchy_granted_directly)) - run_scenario(pool, tasks, Suite(test=dictGetHierarchy_granted_via_role)) - run_scenario(pool, tasks, Suite(test=dictIsIn_granted_directly)) - run_scenario(pool, tasks, Suite(test=dictIsIn_granted_via_role)) + run_scenario(pool, tasks, Suite(test=dictGet_granted_directly, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictGet_granted_via_role, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictGetOrDefault_granted_directly, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictGetOrDefault_granted_via_role, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictHas_granted_directly, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictHas_granted_via_role, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictGetHierarchy_granted_directly, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictGetHierarchy_granted_via_role, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictIsIn_granted_directly, setup=instrument_clickhouse_server_log)) + run_scenario(pool, tasks, Suite(test=dictIsIn_granted_via_role, setup=instrument_clickhouse_server_log)) for example in dictGetType_granted_directly.examples: type, = example with Example(example): - run_scenario(pool, tasks, Suite(test=dictGetType_granted_directly),{"type" : type}) - run_scenario(pool, tasks, Suite(test=dictGetType_granted_via_role),{"type" : type}) + run_scenario(pool, tasks, Suite(test=dictGetType_granted_directly, setup=instrument_clickhouse_server_log),{"type" : type}) + run_scenario(pool, tasks, Suite(test=dictGetType_granted_via_role, setup=instrument_clickhouse_server_log),{"type" : type}) finally: join(tasks) diff --git a/tests/testflows/rbac/tests/privileges/distributed_table.py b/tests/testflows/rbac/tests/privileges/distributed_table.py index 5b62448a446..ba001ea7f2c 100755 --- a/tests/testflows/rbac/tests/privileges/distributed_table.py +++ b/tests/testflows/rbac/tests/privileges/distributed_table.py @@ -69,6 +69,7 @@ def create(self): create_scenarios=[ create_without_privilege, create_with_privilege_granted_directly_or_via_role, + create_with_all_privilege_granted_directly_or_via_role, ] for scenario in create_scenarios: @@ -79,18 +80,30 @@ def create_without_privilege(self, node=None): """Check that user is unable to create a distributed table without privileges. """ user_name = f"user_{getuid()}" + table0_name = f"table0_{getuid()}" table1_name = f"table1_{getuid()}" + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") + cluster = self.context.cluster_name + if node is None: node = self.context.node with Given("I have a user"): user(name=user_name) + with And("I have a table on a cluster"): table(name=table0_name, cluster=cluster) - with When("I attempt to create the distributed table without privilege"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I attempt to create the distributed table without privilege"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed(sharded_cluster, default, {table0_name}, rand())", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) @@ -101,20 +114,25 @@ def create_with_privilege_granted_directly_or_via_role(self, node=None): """ user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" + if node is None: node = self.context.node with Given("I have a user"): user(name=user_name) + Scenario(test=create_with_privilege, name="create with privilege granted directly")(grant_target_name=user_name, user_name=user_name) with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") + Scenario(test=create_with_privilege, name="create with privilege granted through a role")(grant_target_name=role_name, user_name=user_name) @@ -138,20 +156,24 @@ def create_with_privilege(self, user_name, grant_target_name, node=None): with When("I grant create table privilege"): node.query(f"GRANT CREATE ON {table1_name} TO {grant_target_name}") + with Then("I attempt to create the distributed table as the user"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the create table privilege"): node.query(f"REVOKE CREATE TABLE ON {table1_name} FROM {grant_target_name}") + with And("I grant remote privilege"): node.query(f"GRANT REMOTE ON *.* to {grant_target_name}") + with Then("I attempt to create the distributed table as the user"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant create table privilege"): node.query(f"GRANT CREATE ON {table1_name} TO {grant_target_name}") + with Then("I attempt to create the distributed table as the user"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())", settings = [("user", f"{user_name}")]) @@ -159,6 +181,62 @@ def create_with_privilege(self, user_name, grant_target_name, node=None): with Finally("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") +@TestScenario +def create_with_all_privilege_granted_directly_or_via_role(self, node=None): + """Check that user is able to create a distributed table if and only if + they have ALL privilege granted either directly or through a role. + """ + user_name = f"user_{getuid()}" + role_name = f"role_{getuid()}" + + if node is None: + node = self.context.node + + with Given("I have a user"): + user(name=user_name) + + Scenario(test=create_with_privilege, + name="create with privilege granted directly")(grant_target_name=user_name, user_name=user_name) + + with Given("I have a user"): + user(name=user_name) + + with And("I have a role"): + role(name=role_name) + + with When("I grant the role to the user"): + node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") + + Scenario(test=create_with_privilege, + name="create with privilege granted through a role")(grant_target_name=role_name, user_name=user_name) + +@TestOutline +def create_with_privilege(self, user_name, grant_target_name, node=None): + """Grant ALL privilege and check the user is able is create the table. + """ + table0_name = f"table0_{getuid()}" + table1_name = f"table1_{getuid()}" + + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") + cluster = self.context.cluster_name + + if node is None: + node = self.context.node + + try: + with Given("I have a table on a cluster"): + table(name=table0_name, cluster=cluster) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I create the distributed table as the user"): + node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())", settings = [("user", f"{user_name}")]) + + finally: + with Finally("I drop the distributed table"): + node.query(f"DROP TABLE IF EXISTS {table1_name}") + @TestSuite @Requirements( RQ_SRS_006_RBAC_DistributedTable_Select("1.0"), @@ -169,6 +247,7 @@ def select(self): select_scenarios = [ select_without_privilege, select_with_privilege_granted_directly_or_via_role, + select_with_all_privilege_granted_directly_or_via_role ] for scenario in select_scenarios: @@ -191,11 +270,19 @@ def select_without_privilege(self, node=None): try: with Given("I have a user"): user(name=user_name) + with And("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) @@ -222,8 +309,10 @@ def select_with_privilege_granted_directly_or_via_role(self, node=None): with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -247,25 +336,89 @@ def select_with_privilege(self, user_name, grant_target_name, node=None): try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke select privilege on the distributed table"): node.query(f"REVOKE SELECT ON {table1_name} FROM {grant_target_name}") + with And("I grant select privilege on the table used by the distributed table"): node.query(f"GRANT SELECT ON {table0_name} to {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant the user select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) + + finally: + with Finally("I drop the distributed table"): + node.query(f"DROP TABLE IF EXISTS {table1_name}") + +@TestScenario +def select_with_all_privilege_granted_directly_or_via_role(self, node=None): + """Check that user is able to select from a distributed table if and only if + they have ALL privilege. + """ + user_name = f"user_{getuid()}" + role_name = f"role_{getuid()}" + + if node is None: + node = self.context.node + + with Given("I have a user"): + user(name=user_name) + + Scenario(test=select_with_privilege, + name="select with privilege granted directly")(grant_target_name=user_name, user_name=user_name) + + with Given("I have a user"): + user(name=user_name) + + with And("I have a role"): + role(name=role_name) + + with When("I grant the role to the user"): + node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") + + Scenario(test=select_with_privilege, + name="select with privilege granted through a role")(grant_target_name=role_name, user_name=user_name) + +@TestOutline +def select_with_privilege(self, user_name, grant_target_name, node=None): + """Grant ALL and check the user is able to select from the distributed table. + """ + table0_name = f"table0_{getuid()}" + table1_name = f"table1_{getuid()}" + + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") + cluster = self.context.cluster_name + + if node is None: + node = self.context.node + + try: + with Given("I have a table on a cluster"): + table(name=table0_name, cluster=cluster) + + with And("I have a distributed table"): + node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) @@ -293,10 +446,12 @@ def insert_without_privilege(self, node=None): """Check that user is unable to insert into a distributed table without privileges. """ user_name = f"user_{getuid()}" + table0_name = f"table0_{getuid()}" table1_name = f"table1_{getuid()}" exitcode, message = errors.not_enough_privileges(name=f"{user_name}") + cluster = self.context.cluster_name if node is None: @@ -305,11 +460,19 @@ def insert_without_privilege(self, node=None): try: with Given("I have a user"): user(name=user_name) + with And("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) @@ -336,8 +499,10 @@ def insert_with_privilege_granted_directly_or_via_role(self, node=None): with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -361,25 +526,43 @@ def insert_with_privilege(self, user_name, grant_target_name, node=None): try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table1_name} TO {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the insert privilege on the distributed table"): node.query(f"REVOKE INSERT ON {table1_name} FROM {grant_target_name}") + with And("I grant insert privilege on the table used by the distributed table"): node.query(f"GRANT INSERT ON {table0_name} to {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table1_name} TO {grant_target_name}") + + with Then("I attempt to insert into the distributed table as the user"): + node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to insert into the distributed table as the user"): + node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")]) @@ -426,8 +609,10 @@ def select_with_table_on_materialized_view_privilege_granted_directly_or_via_rol with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -452,33 +637,63 @@ def select_with_table_on_materialized_view(self, user_name, grant_target_name, n try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a materialized view on a cluster"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ON CLUSTER {cluster} ENGINE = Memory() AS SELECT * FROM {table0_name}") + with And("I have a distributed table on the materialized view"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {view_name}, rand())") + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the select privilege on the distributed table"): node.query(f"REVOKE SELECT ON {table1_name} FROM {grant_target_name}") + with And("I grant select privilege on the materialized view"): node.query(f"GRANT SELECT ON {view_name} to {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) finally: with Finally("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") + with And("I drop the view"): node.query(f"DROP VIEW IF EXISTS {view_name}") @@ -501,8 +716,10 @@ def select_with_table_on_source_table_of_materialized_view_privilege_granted_dir with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -527,33 +744,53 @@ def select_with_table_on_source_table_of_materialized_view(self, user_name, gran try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a materialized view on a cluster"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ON CLUSTER {cluster} ENGINE = Memory() AS SELECT * FROM {table0_name}") + with And("I have a distributed table using the source table of the materialized view"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke select privilege on the distributed table"): node.query(f"REVOKE SELECT ON {table1_name} FROM {grant_target_name}") + with And("I grant select privilege on the source table"): node.query(f"GRANT SELECT ON {table0_name} to {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) finally: with Finally("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") + with And("I drop the view"): node.query(f"DROP VIEW IF EXISTS {view_name}") @@ -576,8 +813,10 @@ def select_with_table_on_distributed_table_privilege_granted_directly_or_via_rol with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -602,26 +841,47 @@ def select_with_table_on_distributed_table(self, user_name, grant_target_name, n try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table on a cluster"): node.query(f"CREATE TABLE {table1_name} ON CLUSTER {cluster} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") + with And("I have a distributed table on that distributed table"): node.query(f"CREATE TABLE {table2_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table1_name}, rand())") for permutation in permutations(table_count=3): + with grant_select_on_table(node, permutation, grant_target_name, table0_name, table1_name, table2_name) as tables_granted: + with When(f"permutation={permutation}, tables granted = {tables_granted}"): + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table2_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant select on all tables"): + with grant_select_on_table(node, max(permutations(table_count=3))+1, grant_target_name, table0_name, table1_name, table2_name): + with Then("I attempt to select from the distributed table as the user"): node.query(f"SELECT * FROM {table2_name}", settings = [("user", f"{user_name}")]) + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table2_name}", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + + with Then("I attempt to select from the distributed table as the user"): + node.query(f"SELECT * FROM {table2_name}", settings = [("user", f"{user_name}")]) + finally: with Finally("I drop the first distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") + with And("I drop the other distributed table"): node.query(f"DROP TABLE IF EXISTS {table2_name}") @@ -644,8 +904,10 @@ def insert_with_table_on_materialized_view_privilege_granted_directly_or_via_rol with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -671,35 +933,56 @@ def insert_with_table_on_materialized_view(self, user_name, grant_target_name, n try: with Given(f"I have a table on cluster {cluster}"): table(name=table0_name, cluster=cluster) + with And("I have another table on the same cluster"): table(name=table1_name, cluster=cluster) + with And("I have a materialized view on a cluster"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ON CLUSTER {cluster} TO {table0_name} AS SELECT * FROM {table1_name}") + with And("I have a distributed table on the materialized view"): node.query(f"CREATE TABLE {table2_name} (a UInt64) ENGINE = Distributed({cluster}, default, {view_name}, rand())") with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table2_name} TO {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the insert privilege on the distributed table"): node.query(f"REVOKE INSERT ON {table2_name} FROM {grant_target_name}") + with And("I grant insert privilege on the view"): node.query(f"GRANT INSERT ON {view_name} to {grant_target_name}") + with Then("I attempt insert into the distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table2_name} TO {grant_target_name}") + + with Then("I attempt to insert into the distributed table as the user"): + node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt insert into the distributed table as the user"): + node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")]) finally: with Finally("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table2_name}") + with And("I drop the view"): node.query(f"DROP VIEW IF EXISTS {view_name}") @@ -722,8 +1005,10 @@ def insert_with_table_on_source_table_of_materialized_view_privilege_granted_dir with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -748,33 +1033,53 @@ def insert_with_table_on_source_table_of_materialized_view(self, user_name, gran try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a materialized view on a cluster"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ON CLUSTER {cluster} ENGINE = Memory() AS SELECT * FROM {table0_name}") + with And("I have a distributed table on the materialized view"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table1_name} TO {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke insert privilege on the distributed table"): node.query(f"REVOKE INSERT ON {table1_name} FROM {grant_target_name}") + with And("I grant insert privilege on the source table"): node.query(f"GRANT INSERT ON {table0_name} to {grant_target_name}") + with Then("I attempt insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant insert privilege on the distributed table"): node.query(f"GRANT INSERT ON {table1_name} TO {grant_target_name}") + + with Then("I attempt to insert into the distributed table as the user"): + node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt insert into the distributed table as the user"): + node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt to insert into the distributed table as the user"): node.query(f"INSERT INTO {table1_name} VALUES (8888)", settings = [("user", f"{user_name}")]) finally: with Finally("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") + with And("I drop the view"): node.query(f"DROP VIEW IF EXISTS {view_name}") @@ -797,8 +1102,10 @@ def insert_with_table_on_distributed_table_privilege_granted_directly_or_via_rol with Given("I have a user"): user(name=user_name) + with And("I have a role"): role(name=role_name) + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name} ON CLUSTER one_shard_cluster") @@ -823,47 +1130,70 @@ def insert_with_table_on_distributed_table(self, user_name, grant_target_name, n try: with Given("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table on a cluster"): node.query(f"CREATE TABLE {table1_name} ON CLUSTER {cluster} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") + with And("I have a distributed table on that distributed table"): node.query(f"CREATE TABLE {table2_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table1_name}, rand())") with When("I grant insert privilege on the outer distributed table"): node.query(f"GRANT INSERT ON {table2_name} TO {grant_target_name}") + with Then("I attempt to insert into the outer distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the insert privilege on the outer distributed table"): node.query(f"REVOKE INSERT ON {table2_name} FROM {grant_target_name}") + with And("I grant insert privilege on the inner distributed table"): node.query(f"GRANT INSERT ON {table1_name} to {grant_target_name}") + with Then("I attempt insert into the outer distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I revoke the insert privilege on the inner distributed table"): node.query(f"REVOKE INSERT ON {table1_name} FROM {grant_target_name}") + with And("I grant insert privilege on the innermost table"): node.query(f"GRANT INSERT ON {table0_name} to {grant_target_name}") + with Then("I attempt insert into the outer distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant insert privilege on the inner distributed table"): node.query(f"GRANT INSERT ON {table1_name} to {grant_target_name}") + with Then("I attempt insert into the outer distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant insert privilege on the outer distributed table"): node.query(f"GRANT INSERT ON {table2_name} to {grant_target_name}") + + with Then("I attempt insert into the outer distributed table as the user"): + node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")]) + + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt insert into the outer distributed table as the user"): + node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")], + exitcode=exitcode, message=message) + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {grant_target_name}") + with Then("I attempt insert into the outer distributed table as the user"): node.query(f"INSERT INTO {table2_name} VALUES (8888)", settings = [("user", f"{user_name}")]) finally: with Finally("I drop the outer distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") + with And("I drop the inner distributed table"): node.query(f"DROP TABLE IF EXISTS {table2_name}") @@ -882,6 +1212,7 @@ def local_user(self, cluster, node=None): is able to execute queries they have privileges to. """ user_name = f"user_{getuid()}" + table0_name = f"table0_{getuid()}" table1_name = f"table1_{getuid()}" @@ -891,22 +1222,35 @@ def local_user(self, cluster, node=None): try: with Given("I have a user on one node"): node.query(f"CREATE USER {user_name}") + with And("I have a table on a cluster"): table(name=table0_name, cluster=cluster) + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} (a UInt64) ENGINE = Distributed({cluster}, default, {table0_name}, rand())") with When("I grant select privilege on the distributed table"): node.query(f"GRANT SELECT ON {table1_name} TO {user_name}") + with And("I grant select privilege on the other table"): node.query(f"GRANT SELECT ON {table0_name} TO {user_name}") with Then("I select from the distributed table as the user"): node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) + with When("I revoke ALL privileges"): + node.query(f"REVOKE ALL ON *.* FROM {user_name}") + + with And("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* To {user_name}") + + with Then("I select from the distributed table as the user"): + node.query(f"SELECT * FROM {table1_name}", settings = [("user", f"{user_name}")]) + finally: with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {user_name}") + with And("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") @@ -919,8 +1263,10 @@ def multiple_node_user(self, node=None): if and only if they have the required privileges on the node they are executing the query from. """ user_name = f"user_{getuid()}" + table0_name = f"table0_{getuid()}" table1_name = f"table1_{getuid()}" + exitcode, message = errors.not_enough_privileges(name=f"{user_name}") if node is None: @@ -931,13 +1277,16 @@ def multiple_node_user(self, node=None): try: with Given("I have a user on a cluster with two nodes"): node.query(f"CREATE USER {user_name} ON CLUSTER sharded_cluster12") + with And("I have a table on a cluster"): table(name=table0_name, cluster="sharded_cluster12") + with And("I have a distributed table"): node.query(f"CREATE TABLE {table1_name} ON CLUSTER sharded_cluster12 (a UInt64) ENGINE = Distributed(sharded_cluster12, default, {table0_name}, rand())") with When("I grant select privilege on the distributed table on one node"): node.query(f"GRANT SELECT ON {table1_name} TO {user_name}") + with And("I grant select privilege on the other table on one node"): node.query(f"GRANT SELECT ON {table0_name} TO {user_name}") @@ -951,6 +1300,7 @@ def multiple_node_user(self, node=None): finally: with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {user_name}") + with And("I drop the distributed table"): node.query(f"DROP TABLE IF EXISTS {table1_name}") @@ -973,13 +1323,19 @@ def cluster_tests(self, cluster, node=None): pool = Pool(3) try: - for suite in loads(current_module(), Suite): - run_scenario(pool, tasks, Suite(test=suite)) + try: + for suite in loads(current_module(), Suite): + run_scenario(pool, tasks, Suite(test=suite)) + finally: + join(tasks) finally: - join(tasks) - + pool.close() @TestFeature +@Requirements( + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") +) @Name("distributed table") def feature(self, node="clickhouse1"): """Check the RBAC functionality of queries executed using distributed tables. @@ -992,9 +1348,13 @@ def feature(self, node="clickhouse1"): pool = Pool(3) try: - run_scenario(pool, tasks, Feature(test=cluster_tests)) - run_scenario(pool, tasks, Scenario(test=local_user)) - run_scenario(pool, tasks, Scenario(test=multiple_node_user)) + try: + run_scenario(pool, tasks, Feature(test=cluster_tests)) + run_scenario(pool, tasks, Scenario(test=local_user)) + run_scenario(pool, tasks, Scenario(test=multiple_node_user)) + finally: + join(tasks) finally: - join(tasks) + pool.close() + diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_database.py b/tests/testflows/rbac/tests/privileges/drop/drop_database.py index fd31b8d5411..274003e763f 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_database.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_database.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DROP DATABASE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,21 +32,27 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): db_name = f"db_{getuid()}" try: with Given("I have a database"): node.query(f"CREATE DATABASE {db_name}") - with When("I attempt to drop the database"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to drop the database"): node.query(f"DROP DATABASE {db_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) finally: with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): db_name = f"db_{getuid()}" try: @@ -63,7 +69,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): db_name = f"db_{getuid()}" try: @@ -84,9 +90,49 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the database"): node.query(f"DROP DATABASE IF EXISTS {db_name}") + with Scenario("user with revoked ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with Given("I have a database"): + node.query(f"CREATE DATABASE {db_name}") + + with When("I grant the drop database privilege"): + node.query(f"GRANT DROP DATABASE ON {db_name}.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to drop a database"): + node.query(f"DROP DATABASE {db_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + + with Scenario("user with ALL privilege"): + db_name = f"db_{getuid()}" + + try: + with Given("I have a database"): + node.query(f"CREATE DATABASE {db_name}") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to drop a database"): + node.query(f"DROP DATABASE {db_name}", settings = [("user", user_name)]) + + finally: + with Finally("I drop the database"): + node.query(f"DROP DATABASE IF EXISTS {db_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DropDatabase("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("drop database") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -99,5 +145,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_dictionary.py b/tests/testflows/rbac/tests/privileges/drop/drop_dictionary.py index 14e6da0ebe9..c3f07885bd5 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_dictionary.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_dictionary.py @@ -12,12 +12,12 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DROP DICTIONARY with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") @@ -29,21 +29,27 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): dict_name = f"dict_{getuid()}" try: with Given("I have a dictionary"): node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") - with When("I attempt to drop a dictionary without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to drop a dictionary without privilege"): node.query(f"DROP DICTIONARY {dict_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) finally: with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): dict_name = f"dict_{getuid()}" try: @@ -60,7 +66,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): dict_name = f"dict_{getuid()}" try: @@ -80,9 +86,27 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the dictionary"): node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") + with Scenario("user with ALL privilege"): + dict_name = f"db_{getuid()}" + + try: + with Given("I have a dictionary"): + node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I drop the dictionary"): + node.query(f"DROP DICTIONARY {dict_name}", settings = [("user", user_name)]) + + finally: + with Finally("I drop the dictionary"): + node.query(f"DROP DICTIONARY IF EXISTS {dict_name}") @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DropDictionary("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("drop dictionary") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -95,5 +119,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_quota.py b/tests/testflows/rbac/tests/privileges/drop/drop_quota.py index de25f0e15b1..b8727556a26 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_quota.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_quota.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=drop_quota, flags=TE, + Suite(run=drop_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in drop_quota.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=drop_quota, flags=TE, + Suite(run=drop_quota, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in drop_quota.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("DROP QUOTA",), ]) @@ -63,7 +64,13 @@ def drop_quota(self, privilege, grant_target_name, user_name, node=None): with Given("I have a quota"): node.query(f"CREATE QUOTA {drop_row_policy_name}") - with When("I check the user can't drop a quota"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't drop a quota"): node.query(f"DROP QUOTA {drop_row_policy_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -129,6 +136,8 @@ def drop_quota(self, privilege, grant_target_name, user_name, node=None): @Name("drop quota") @Requirements( RQ_SRS_006_RBAC_Privileges_DropQuota("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of DROP QUOTA. diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_role.py b/tests/testflows/rbac/tests/privileges/drop/drop_role.py index 4b6b7c04741..ca9eb1b0947 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_role.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_role.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=drop_role, flags=TE, + Suite(run=drop_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in drop_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=drop_role, flags=TE, + Suite(run=drop_role, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in drop_role.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("DROP ROLE",), ]) @@ -58,14 +59,22 @@ def drop_role(self, privilege, grant_target_name, user_name, node=None): with Scenario("DROP ROLE without privilege"): drop_role_name = f"drop_role_{getuid()}" + with role(node, drop_role_name): - with When("I check the user can't drop a role"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't drop a role"): node.query(f"DROP ROLE {drop_role_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("DROP ROLE with privilege"): drop_role_name = f"drop_role_{getuid()}" + with role(node, drop_role_name): with When(f"I grant {privilege}"): @@ -93,6 +102,7 @@ def drop_role(self, privilege, grant_target_name, user_name, node=None): with Scenario("DROP ROLE with revoked privilege"): drop_role_name = f"drop_role_{getuid()}" + with role(node, drop_role_name): with When(f"I grant {privilege}"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -108,6 +118,8 @@ def drop_role(self, privilege, grant_target_name, user_name, node=None): @Name("drop role") @Requirements( RQ_SRS_006_RBAC_Privileges_DropRole("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of DROP ROLE. diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_row_policy.py b/tests/testflows/rbac/tests/privileges/drop/drop_row_policy.py index 6e8a2aaa3d5..ad7fed94df0 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_row_policy.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_row_policy.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=drop_row_policy, flags=TE, + Suite(run=drop_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in drop_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=drop_row_policy, flags=TE, + Suite(run=drop_row_policy, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in drop_row_policy.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("DROP ROW POLICY",), ("DROP POLICY",), @@ -65,7 +66,13 @@ def drop_row_policy(self, privilege, grant_target_name, user_name, node=None): with Given("I have a row policy"): node.query(f"CREATE ROW POLICY {drop_row_policy_name} ON {table_name}") - with When("I check the user can't drop a row policy"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't drop a row policy"): node.query(f"DROP ROW POLICY {drop_row_policy_name} ON {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -130,15 +137,140 @@ def drop_row_policy(self, privilege, grant_target_name, user_name, node=None): with Finally("I drop the row policy"): node.query(f"DROP ROW POLICY IF EXISTS {drop_row_policy_name} ON {table_name}") +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Restriction("1.0") +) +def drop_all_pol_with_conditions(self, node=None): + """Check that when all policies with conditions are dropped, the table becomes unrestricted. + """ + + if node is None: + node = self.context.node + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy has a condition"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING 1") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("I can't see any of the rows on the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '' == output, error() + + with When("I drop the row policy"): + node.query(f"DROP ROW POLICY {pol_name} ON {table_name}") + + with Then("I select all the rows from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0"), +) +def drop_on(self, node=None): + """Check that when a row policy is dropped, users are able to access rows restricted by that policy. + """ + + if node is None: + node = self.context.node + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + with table(node, table_name): + + with Given("I have a row policy"): + row_policy(name=pol_name, table=table_name) + + with And("The row policy has a condition"): + node.query(f"ALTER ROW POLICY {pol_name} ON {table_name} FOR SELECT USING y=1 TO default") + + with And("The table has some values"): + node.query(f"INSERT INTO {table_name} (y) VALUES (1),(2)") + + with And("I can't see one of the rows on the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' not in output, error() + + with When("I drop the row policy"): + node.query(f"DROP ROW POLICY {pol_name} ON {table_name}") + + with Then("I select all the rows from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output and '2' in output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster("1.0"), +) +def drop_on_cluster(self, node=None): + """Check that when a row policy is dropped on a cluster, it works on all nodes. + """ + + if node is None: + node = self.context.node + node2 = self.context.node2 + + table_name = f"table_{getuid()}" + pol_name = f"pol_{getuid()}" + + try: + with Given("I have a table on a cluster"): + node.query(f"CREATE TABLE {table_name} ON CLUSTER sharded_cluster (x UInt64) ENGINE = Memory") + + with And("I have a row policy"): + node.query(f"CREATE ROW POLICY {pol_name} ON CLUSTER sharded_cluster ON {table_name} FOR SELECT USING 1") + + with And("There are some values on the table on the first node"): + node.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with And("There are some values on the table on the second node"): + node2.query(f"INSERT INTO {table_name} (x) VALUES (1)") + + with When("I drop the row policy on cluster"): + node.query(f"DROP ROW POLICY {pol_name} ON {table_name} ON CLUSTER sharded_cluster") + + with Then("I select from the table"): + output = node.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + with And("I select from another node on the cluster"): + output = node2.query(f"SELECT * FROM {table_name}").output + assert '1' in output, error() + + finally: + with Finally("I drop the row policy", flags=TE): + node.query(f"DROP ROW POLICY IF EXISTS {pol_name} ON CLUSTER sharded_cluster ON {table_name}") + + with And("I drop the table", flags=TE): + node.query(f"DROP TABLE {table_name} ON CLUSTER sharded_cluster") + @TestFeature @Name("drop row policy") @Requirements( RQ_SRS_006_RBAC_Privileges_DropRowPolicy("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of DROP ROW POLICY. """ self.context.node = self.context.cluster.node(node) + self.context.node2 = self.context.cluster.node("clickhouse2") Suite(run=privileges_granted_directly, setup=instrument_clickhouse_server_log) Suite(run=privileges_granted_via_role, setup=instrument_clickhouse_server_log) + + Scenario(run=drop_all_pol_with_conditions, setup=instrument_clickhouse_server_log) + Scenario(run=drop_on, setup=instrument_clickhouse_server_log) + Scenario(run=drop_on_cluster, setup=instrument_clickhouse_server_log) diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_settings_profile.py b/tests/testflows/rbac/tests/privileges/drop/drop_settings_profile.py index 51139653283..3aa9ef2c369 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_settings_profile.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_settings_profile.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=drop_settings_profile, flags=TE, + Suite(run=drop_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in drop_settings_profile.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=drop_settings_profile, flags=TE, + Suite(run=drop_settings_profile, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in drop_settings_profile.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("DROP SETTINGS PROFILE",), ("DROP PROFILE",), @@ -64,7 +65,13 @@ def drop_settings_profile(self, privilege, grant_target_name, user_name, node=No with Given("I have a settings_profile"): node.query(f"CREATE SETTINGS PROFILE {drop_row_policy_name}") - with When("I check the user can't drop a settings_profile"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't drop a settings_profile"): node.query(f"DROP SETTINGS PROFILE {drop_row_policy_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -130,6 +137,8 @@ def drop_settings_profile(self, privilege, grant_target_name, user_name, node=No @Name("drop settings profile") @Requirements( RQ_SRS_006_RBAC_Privileges_DropSettingsProfile("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of DROP SETTINGS PROFILE. diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_table.py b/tests/testflows/rbac/tests/privileges/drop/drop_table.py index e5deac646eb..1fd394daf96 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_table.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_table.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute DROP TABLE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,14 +32,20 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): table_name = f"table_{getuid()}" try: with Given("I have a table"): node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") - with When("I attempt to drop a table without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to drop a table without privilege"): node.query(f"DROP TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) @@ -47,7 +53,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): table_name = f"table_{getuid()}" try: @@ -64,7 +70,7 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): table_name = f"table_{getuid()}" try: with Given("I have a table"): @@ -84,9 +90,48 @@ def privilege_check(grant_target_name, user_name, node=None): with Finally("I drop the table"): node.query(f"DROP TABLE IF EXISTS {table_name}") + with Scenario("user with revoked ALL privilege"): + table_name = f"table_{getuid()}" + try: + with Given("I have a table"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") + + with When("I grant the drop table privilege"): + node.query(f"GRANT DROP TABLE ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to drop a table"): + node.query(f"DROP TABLE {table_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + finally: + with Finally("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + + with Scenario("user with ALL privilege"): + table_name = f"table_{getuid()}" + + try: + with Given("I have a table"): + node.query(f"CREATE TABLE {table_name} (x Int8) ENGINE=Memory") + + with When("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I drop the table"): + node.query(f"DROP TABLE {table_name}", settings = [("user", user_name)]) + + finally: + with Finally("I drop the table"): + node.query(f"DROP TABLE IF EXISTS {table_name}") + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_DropTable("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("drop table") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -99,5 +144,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/drop/drop_user.py b/tests/testflows/rbac/tests/privileges/drop/drop_user.py index 9aec34cca81..c3f1df8ae15 100644 --- a/tests/testflows/rbac/tests/privileges/drop/drop_user.py +++ b/tests/testflows/rbac/tests/privileges/drop/drop_user.py @@ -17,7 +17,7 @@ def drop_user_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=drop_user, flags=TE, + Suite(run=drop_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in drop_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def drop_user_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=drop_user, flags=TE, + Suite(run=drop_user, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in drop_user.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("DROP USER",), ]) @@ -59,14 +60,22 @@ def drop_user(self, privilege, grant_target_name, user_name, node=None): with Scenario("DROP USER without privilege"): drop_user_name = f"drop_user_{getuid()}" + with user(node, drop_user_name): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + with When("I check the user can't drop a user"): node.query(f"DROP USER {drop_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("DROP USER with privilege"): drop_user_name = f"drop_user_{getuid()}" + with user(node, drop_user_name): with When(f"I grant {privilege}"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -76,6 +85,7 @@ def drop_user(self, privilege, grant_target_name, user_name, node=None): with Scenario("DROP USER on cluster"): drop_user_name = f"drop_user_{getuid()}" + try: with Given("I have a user on a cluster"): node.query(f"CREATE USER {drop_user_name} ON CLUSTER sharded_cluster") @@ -93,6 +103,7 @@ def drop_user(self, privilege, grant_target_name, user_name, node=None): with Scenario("DROP USER with revoked privilege"): drop_user_name = f"drop_user_{getuid()}" + with user(node, drop_user_name): with When(f"I grant {privilege}"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -108,6 +119,8 @@ def drop_user(self, privilege, grant_target_name, user_name, node=None): @Name("drop user") @Requirements( RQ_SRS_006_RBAC_Privileges_DropUser("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of DROP USER. diff --git a/tests/testflows/rbac/tests/privileges/feature.py b/tests/testflows/rbac/tests/privileges/feature.py index e7a0cf2d368..7302a971ec1 100755 --- a/tests/testflows/rbac/tests/privileges/feature.py +++ b/tests/testflows/rbac/tests/privileges/feature.py @@ -11,91 +11,92 @@ def feature(self): try: try: - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.insert", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.select", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.public_tables", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.distributed_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.grant_option", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.truncate", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.optimize", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.kill_query", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.kill_mutation", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.role_admin", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.dictGet", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.introspection", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.sources", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.admin_option", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.insert", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.select", "feature"), ), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.public_tables", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.distributed_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.grant_option", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.truncate", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.optimize", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.kill_query", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.kill_mutation", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.role_admin", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.dictGet", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.introspection", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.sources", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.admin_option", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.all_role", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_tables", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_dictionaries", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_databases", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_columns", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_users", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_roles", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_quotas", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_settings_profiles", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_row_policies", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_tables", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_dictionaries", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_databases", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_columns", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_users", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_roles", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_quotas", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_settings_profiles", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.show.show_row_policies", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_column", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_index", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_constraint", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_ttl", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_settings", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_update", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_delete", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_freeze", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_fetch", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_move", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_user", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_role", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_row_policy", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_quota", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_settings_profile", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_column", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_index", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_constraint", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_ttl", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_settings", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_update", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_delete", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_freeze", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_fetch", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_move", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_user", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_role", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_row_policy", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_quota", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.alter.alter_settings_profile", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_database", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_dictionary", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_temp_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_user", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_role", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_row_policy", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_quota", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_settings_profile", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_database", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_dictionary", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_temp_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_user", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_role", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_row_policy", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_quota", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.create.create_settings_profile", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_database", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_dictionary", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_temp_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_table", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_database", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_dictionary", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_temp_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.attach.attach_table", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_database", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_dictionary", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_user", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_role", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_row_policy", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_quota", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_settings_profile", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_database", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_dictionary", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_user", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_role", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_row_policy", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_quota", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.drop.drop_settings_profile", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_database", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_dictionary", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_table", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_view", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_database", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_dictionary", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_table", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.detach.detach_view", "feature")), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.drop_cache", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.reload", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.flush", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.merges", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.moves", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.replication_queues", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.ttl_merges", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.restart_replica", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.sends", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.sync_replica", "feature"), flags=TE), {}) - run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.fetches", "feature"), flags=TE), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.drop_cache", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.reload", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.flush", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.merges", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.moves", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.replication_queues", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.ttl_merges", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.restart_replica", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.sends", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.sync_replica", "feature")), {}) + run_scenario(pool, tasks, Feature(test=load("rbac.tests.privileges.system.fetches", "feature")), {}) finally: join(tasks) finally: pool.close() - Feature(test=load("rbac.tests.privileges.system.shutdown", "feature"), flags=TE) + Feature(test=load("rbac.tests.privileges.system.shutdown", "feature")) diff --git a/tests/testflows/rbac/tests/privileges/insert.py b/tests/testflows/rbac/tests/privileges/insert.py index 78478967d37..305ce62f5e4 100755 --- a/tests/testflows/rbac/tests/privileges/insert.py +++ b/tests/testflows/rbac/tests/privileges/insert.py @@ -16,6 +16,9 @@ def input_output_equality_check(node, input_columns, input_data, table_name): return input_dict == output_dict @TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_None("1.0") +) def without_privilege(self, table_type, node=None): """Check that user without insert privilege on a table is not able to insert on that table. """ @@ -28,7 +31,13 @@ def without_privilege(self, table_type, node=None): with table(node, table_name, table_type): with user(node, user_name): - with When("I run INSERT without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I run INSERT without privilege"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings = [("user", user_name)], @@ -60,6 +69,34 @@ def user_with_privilege(self, table_type, node=None): output = node.query(f"SELECT d FROM {table_name} FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error() +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Grant_Privilege_Insert("1.0"), +) +def all_privilege(self, table_type, node=None): + """Check that user can insert into a table on which they have insert privilege. + """ + user_name = f"user_{getuid()}" + table_name = f"table_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name, table_type): + + with user(node, user_name): + + with When("I grant insert privilege"): + node.query(f"GRANT ALL ON *.* TO {user_name}") + + with And("I use INSERT"): + node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)]) + + with Then("I check the insert functioned"): + output = node.query(f"SELECT d FROM {table_name} FORMAT JSONEachRow").output + assert output == '{"d":"2020-01-01"}', error() + @TestScenario @Requirements( RQ_SRS_006_RBAC_Revoke_Privilege_Insert("1.0"), @@ -82,7 +119,31 @@ def user_with_revoked_privilege(self, table_type, node=None): with And("I revoke insert privilege"): node.query(f"REVOKE INSERT ON {table_name} FROM {user_name}") - with And("I use INSERT"): + with Then("I use INSERT"): + exitcode, message = errors.not_enough_privileges(name=user_name) + node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", + settings=[("user",user_name)], exitcode=exitcode, message=message) + +@TestScenario +def user_with_all_revoked_privilege(self, table_type, node=None): + """Check that user is unable to insert into a table after ALL privilege has been revoked from user. + """ + user_name = f"user_{getuid()}" + table_name = f"table_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name, table_type): + with user(node, user_name): + + with When("I grant insert privilege"): + node.query(f"GRANT INSERT ON {table_name} TO {user_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {user_name}") + + with Then("I use INSERT"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -111,26 +172,36 @@ def user_column_privileges(self, grant_columns, insert_columns_pass, data_fail, """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name): + with When("I grant insert privilege"): node.query(f"GRANT INSERT({grant_columns}) ON {table_name} TO {user_name}") + if insert_columns_fail is not None: with And("I insert into a column without insert privilege"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} ({insert_columns_fail}) VALUES ({data_fail})", settings=[("user",user_name)], exitcode=exitcode, message=message) + with And("I insert into granted column"): node.query(f"INSERT INTO {table_name} ({insert_columns_pass}) VALUES ({data_pass})", settings=[("user",user_name)]) + with Then("I check the insert functioned"): input_equals_output = input_output_equality_check(node, insert_columns_pass, data_pass, table_name) assert input_equals_output, error() + if revoke_columns is not None: + with When("I revoke insert privilege from columns"): node.query(f"REVOKE INSERT({revoke_columns}) ON {table_name} FROM {user_name}") + with And("I insert into revoked columns"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} ({insert_columns_pass}) VALUES ({data_pass})", @@ -147,16 +218,23 @@ def role_with_privilege(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name), role(node, role_name): + with When("I grant insert privilege to a role"): node.query(f"GRANT INSERT ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I insert into the table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)]) + with Then("I check the data matches the input"): output = node.query(f"SELECT d FROM {table_name} FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error() @@ -173,16 +251,23 @@ def role_with_revoked_privilege(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name), role(node, role_name): + with When("I grant privilege to a role"): node.query(f"GRANT INSERT ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I revoke privilege from the role"): node.query(f"REVOKE INSERT ON {table_name} FROM {role_name}") + with And("I insert into the table"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", @@ -196,16 +281,23 @@ def user_with_revoked_role(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name), role(node, role_name): + with When("I grant privilege to a role"): node.query(f"GRANT INSERT ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I revoke the role from the user"): node.query(f"REVOKE {role_name} FROM {user_name}") + with And("I insert into the table"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", @@ -235,32 +327,43 @@ def role_column_privileges(self, grant_columns, insert_columns_pass, data_fail, user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): with user(node, user_name), role(node, role_name): - with When("I grant insert privilege"): - node.query(f"GRANT INSERT({grant_columns}) ON {table_name} TO {role_name}") - with And("I grant the role to a user"): - node.query(f"GRANT {role_name} TO {user_name}") - if insert_columns_fail is not None: - with And("I insert into columns without insert privilege"): - exitcode, message = errors.not_enough_privileges(name=user_name) - node.query(f"INSERT INTO {table_name} ({insert_columns_fail}) VALUES ({data_fail})", - settings=[("user",user_name)], exitcode=exitcode, message=message) - with And("I insert into granted column"): + + with When("I grant insert privilege"): + node.query(f"GRANT INSERT({grant_columns}) ON {table_name} TO {role_name}") + + with And("I grant the role to a user"): + node.query(f"GRANT {role_name} TO {user_name}") + + if insert_columns_fail is not None: + with And("I insert into columns without insert privilege"): + exitcode, message = errors.not_enough_privileges(name=user_name) + + node.query(f"INSERT INTO {table_name} ({insert_columns_fail}) VALUES ({data_fail})", + settings=[("user",user_name)], exitcode=exitcode, message=message) + + with And("I insert into granted column"): + node.query(f"INSERT INTO {table_name} ({insert_columns_pass}) VALUES ({data_pass})", + settings=[("user",user_name)]) + + with Then("I check the insert functioned"): + input_equals_output = input_output_equality_check(node, insert_columns_pass, data_pass, table_name) + assert input_equals_output, error() + + if revoke_columns is not None: + with When("I revoke insert privilege from columns"): + node.query(f"REVOKE INSERT({revoke_columns}) ON {table_name} FROM {role_name}") + + with And("I insert into revoked columns"): + exitcode, message = errors.not_enough_privileges(name=user_name) + node.query(f"INSERT INTO {table_name} ({insert_columns_pass}) VALUES ({data_pass})", - settings=[("user",user_name)]) - with Then("I check the insert functioned"): - input_equals_output = input_output_equality_check(node, insert_columns_pass, data_pass, table_name) - assert input_equals_output, error() - if revoke_columns is not None: - with When("I revoke insert privilege from columns"): - node.query(f"REVOKE INSERT({revoke_columns}) ON {table_name} FROM {role_name}") - with And("I insert into revoked columns"): - exitcode, message = errors.not_enough_privileges(name=user_name) - node.query(f"INSERT INTO {table_name} ({insert_columns_pass}) VALUES ({data_pass})", - settings=[("user",user_name)], exitcode=exitcode, message=message) + settings=[("user",user_name)], exitcode=exitcode, message=message) @TestScenario @Requirements( @@ -272,29 +375,40 @@ def user_with_privilege_on_cluster(self, table_type, node=None): """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + try: with Given("I have a user on a cluster"): node.query(f"CREATE USER OR REPLACE {user_name} ON CLUSTER sharded_cluster") + with When("I grant insert privilege on a cluster without the node with the table"): node.query(f"GRANT ON CLUSTER sharded_cluster23 INSERT ON {table_name} TO {user_name}") + with And("I insert into the table expecting a fail"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)], exitcode=exitcode, message=message) + with And("I grant insert privilege on cluster including all nodes"): node.query(f"GRANT ON CLUSTER sharded_cluster INSERT ON {table_name} TO {user_name}") + with And("I revoke insert privilege on cluster without the node with the table"): node.query(f"REVOKE ON CLUSTER sharded_cluster23 INSERT ON {table_name} FROM {user_name}") + with And("I insert into the table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)]) + with And("I check that I can read inserted data"): output = node.query(f"SELECT d FROM {table_name} FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error() + with And("I revoke insert privilege on cluster with all nodes"): node.query(f"REVOKE ON CLUSTER sharded_cluster INSERT ON {table_name} FROM {user_name}") + with Then("I insert into table expecting fail"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)], @@ -314,33 +428,46 @@ def role_with_privilege_on_cluster(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + try: with Given("I have a user on a cluster"): node.query(f"CREATE USER OR REPLACE {user_name} ON CLUSTER sharded_cluster") + with And("I have a role on a cluster"): node.query(f"CREATE ROLE OR REPLACE {role_name} ON CLUSTER sharded_cluster") + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I grant insert privilege on a cluster without the node with the table"): node.query(f"GRANT ON CLUSTER sharded_cluster23 INSERT ON {table_name} TO {role_name}") + with And("I insert into the table expecting a fail"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)], exitcode=exitcode, message=message) + with And("I grant insert privilege on cluster including all nodes"): node.query(f"GRANT ON CLUSTER sharded_cluster INSERT ON {table_name} TO {role_name}") + with And("I revoke insert privilege on cluster without the table node"): node.query(f"REVOKE ON CLUSTER sharded_cluster23 INSERT ON {table_name} FROM {role_name}") + with And("I insert into the table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)]) + with And("I check that I can read inserted data"): output = node.query(f"SELECT d FROM {table_name} FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error() + with And("I revoke insert privilege on cluster with all nodes"): node.query(f"REVOKE ON CLUSTER sharded_cluster INSERT ON {table_name} FROM {role_name}") + with Then("I insert into table expecting fail"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')", settings=[("user",user_name)], @@ -357,7 +484,6 @@ def role_with_privilege_on_cluster(self, table_type, node=None): @Examples("table_type", [ (key,) for key in table_types.keys() ]) -@Flags(TE) @Name("insert") def feature(self, table_type, parallel=None, stress=None, node="clickhouse1"): """Check the RBAC functionality of INSERT. @@ -377,7 +503,10 @@ def feature(self, table_type, parallel=None, stress=None, node="clickhouse1"): pool = Pool(10) try: - for scenario in loads(current_module(), Scenario): - run_scenario(pool, tasks, Scenario(test=scenario, setup=instrument_clickhouse_server_log), {"table_type" : table_type}) + try: + for scenario in loads(current_module(), Scenario): + run_scenario(pool, tasks, Scenario(test=scenario, setup=instrument_clickhouse_server_log), {"table_type" : table_type}) + finally: + join(tasks) finally: - join(tasks) + pool.close() diff --git a/tests/testflows/rbac/tests/privileges/introspection.py b/tests/testflows/rbac/tests/privileges/introspection.py index f8d774902ab..a8d62cf8618 100644 --- a/tests/testflows/rbac/tests/privileges/introspection.py +++ b/tests/testflows/rbac/tests/privileges/introspection.py @@ -35,7 +35,7 @@ def addressToLine_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=addressToLine, flags=TE, + Suite(run=addressToLine, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in addressToLine.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -56,13 +56,14 @@ def addressToLine_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=addressToLine, flags=TE, + Suite(run=addressToLine, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in addressToLine.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("INTROSPECTION",), ("INTROSPECTION FUNCTIONS",), ("addressToLine",), @@ -80,7 +81,13 @@ def addressToLine(self, privilege, grant_target_name, user_name, node=None): with Scenario("addressToLine without privilege"): - with When("I check the user can't use addressToLine"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use addressToLine"): node.query(f"WITH addressToLine(toUInt64(dummy)) AS addr SELECT 1 WHERE addr = ''", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -116,7 +123,7 @@ def addressToSymbol_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=addressToSymbol, flags=TE, + Suite(run=addressToSymbol, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in addressToSymbol.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -137,13 +144,14 @@ def addressToSymbol_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=addressToSymbol, flags=TE, + Suite(run=addressToSymbol, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in addressToSymbol.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("INTROSPECTION",), ("INTROSPECTION FUNCTIONS",), ("addressToSymbol",), @@ -161,7 +169,13 @@ def addressToSymbol(self, privilege, grant_target_name, user_name, node=None): with Scenario("addressToSymbol without privilege"): - with When("I check the user can't use addressToSymbol"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use addressToSymbol"): node.query(f"WITH addressToSymbol(toUInt64(dummy)) AS addr SELECT 1 WHERE addr = ''", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -197,7 +211,7 @@ def demangle_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=demangle, flags=TE, + Suite(run=demangle, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in demangle.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -218,13 +232,14 @@ def demangle_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=demangle, flags=TE, + Suite(run=demangle, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in demangle.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("INTROSPECTION",), ("INTROSPECTION FUNCTIONS",), ("demangle",), @@ -242,7 +257,13 @@ def demangle(self, privilege, grant_target_name, user_name, node=None): with Scenario("demangle without privilege"): - with When("I check the user can't use demangle"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use demangle"): node.query(f"WITH demangle(toString(dummy)) AS addr SELECT 1 WHERE addr = ''", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -270,6 +291,8 @@ def demangle(self, privilege, grant_target_name, user_name, node=None): @Name("introspection") @Requirements( RQ_SRS_006_RBAC_Privileges_Introspection("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of INTROSPECTION. diff --git a/tests/testflows/rbac/tests/privileges/kill_mutation.py b/tests/testflows/rbac/tests/privileges/kill_mutation.py index 41d4a837480..9a27836cad4 100644 --- a/tests/testflows/rbac/tests/privileges/kill_mutation.py +++ b/tests/testflows/rbac/tests/privileges/kill_mutation.py @@ -14,8 +14,16 @@ def no_privilege(self, node=None): table_name = f"merge_tree_{getuid()}" with table(node, table_name): + with user(node, user_name): - with When("I attempt to kill mutation on table"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I attempt to kill mutation on table"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) with Scenario("kill mutation on cluster"): @@ -23,8 +31,16 @@ def no_privilege(self, node=None): table_name = f"merge_tree_{getuid()}" with table(node, table_name): + with user(node, user_name): - with When("I attempt to kill mutation on cluster"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I attempt to kill mutation on cluster"): node.query(f"KILL MUTATION ON CLUSTER sharded_cluster WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) @TestSuite @@ -40,9 +56,9 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(test=update, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=user_name) - Suite(test=delete, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=user_name) - Suite(test=drop_column, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=user_name) + Suite(test=update)(user_name=user_name, grant_target_name=user_name) + Suite(test=delete)(user_name=user_name, grant_target_name=user_name) + Suite(test=drop_column)(user_name=user_name, grant_target_name=user_name) @TestSuite def privileges_granted_via_role(self, node=None): @@ -61,9 +77,9 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=update, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=role_name) - Suite(test=delete, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=role_name) - Suite(test=drop_column, setup=instrument_clickhouse_server_log)(user_name=user_name, grant_target_name=role_name) + Suite(test=update)(user_name=user_name, grant_target_name=role_name) + Suite(test=delete)(user_name=user_name, grant_target_name=role_name) + Suite(test=drop_column)(user_name=user_name, grant_target_name=role_name) @TestSuite @Requirements( @@ -78,6 +94,9 @@ def update(self, user_name, grant_target_name, node=None): if node is None: node = self.context.node + with Given("The user has no privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + with Scenario("KILL ALTER UPDATE without privilege"): table_name = f"merge_tree_{getuid()}" @@ -86,7 +105,13 @@ def update(self, user_name, grant_target_name, node=None): with Given("I have an ALTER UPDATE mutation"): node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1") - with When("I try to KILL MUTATION"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") @@ -101,7 +126,7 @@ def update(self, user_name, grant_target_name, node=None): with When("I grant the ALTER UPDATE privilege"): node.query(f"GRANT ALTER UPDATE ON {table_name} TO {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) with Scenario("KILL ALTER UPDATE with revoked privilege"): @@ -118,10 +143,42 @@ def update(self, user_name, grant_target_name, node=None): with And("I revoke the ALTER UPDATE privilege"): node.query(f"REVOKE ALTER UPDATE ON {table_name} FROM {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + with Scenario("KILL ALTER UPDATE with revoked ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER UPDATE mutation"): + node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1") + + with When("I grant the ALTER UPDATE privilege"): + node.query(f"GRANT ALTER UPDATE ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], + exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + + with Scenario("KILL ALTER UPDATE with ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER UPDATE mutation"): + node.query(f"ALTER TABLE {table_name} UPDATE a = x WHERE 1") + + with When("I grant the ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) + @TestSuite @Requirements( RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDelete("1.0") @@ -135,6 +192,9 @@ def delete(self, user_name, grant_target_name, node=None): if node is None: node = self.context.node + with Given("The user has no privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + with Scenario("KILL ALTER DELETE without privilege"): table_name = f"merge_tree_{getuid()}" @@ -143,7 +203,13 @@ def delete(self, user_name, grant_target_name, node=None): with Given("I have an ALTER DELETE mutation"): node.query(f"ALTER TABLE {table_name} DELETE WHERE 1") - with When("I try to KILL MUTATION"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") @@ -158,7 +224,7 @@ def delete(self, user_name, grant_target_name, node=None): with When("I grant the ALTER DELETE privilege"): node.query(f"GRANT ALTER DELETE ON {table_name} TO {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) with Scenario("KILL ALTER DELETE with revoked privilege"): @@ -175,10 +241,42 @@ def delete(self, user_name, grant_target_name, node=None): with And("I revoke the ALTER DELETE privilege"): node.query(f"REVOKE ALTER DELETE ON {table_name} FROM {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + with Scenario("KILL ALTER DELETE with revoked ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER DELETE mutation"): + node.query(f"ALTER TABLE {table_name} DELETE WHERE 1") + + with When("I grant the ALTER DELETE privilege"): + node.query(f"GRANT ALTER DELETE ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], + exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + + with Scenario("KILL ALTER DELETE with ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER DELETE mutation"): + node.query(f"ALTER TABLE {table_name} DELETE WHERE 1") + + with When("I grant the ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) + @TestSuite @Requirements( RQ_SRS_006_RBAC_Privileges_KillMutation_AlterDropColumn("1.0") @@ -192,6 +290,9 @@ def drop_column(self, user_name, grant_target_name, node=None): if node is None: node = self.context.node + with Given("The user has no privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + with Scenario("KILL ALTER DROP COLUMN without privilege"): table_name = f"merge_tree_{getuid()}" @@ -200,7 +301,13 @@ def drop_column(self, user_name, grant_target_name, node=None): with Given("I have an ALTER DROP COLUMN mutation"): node.query(f"ALTER TABLE {table_name} DROP COLUMN x") - with When("I try to KILL MUTATION"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") @@ -215,7 +322,7 @@ def drop_column(self, user_name, grant_target_name, node=None): with When("I grant the ALTER DROP COLUMN privilege"): node.query(f"GRANT ALTER DROP COLUMN ON {table_name} TO {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) with Scenario("KILL ALTER DROP COLUMN with revoked privilege"): @@ -232,13 +339,47 @@ def drop_column(self, user_name, grant_target_name, node=None): with And("I revoke the ALTER DROP COLUMN privilege"): node.query(f"REVOKE ALTER DROP COLUMN ON {table_name} FROM {grant_target_name}") - with When("I try to KILL MUTATION"): + with Then("I try to KILL MUTATION"): node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + with Scenario("KILL ALTER DROP COLUMN with revoked privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER DROP COLUMN mutation"): + node.query(f"ALTER TABLE {table_name} DROP COLUMN x") + + with When("I grant the ALTER DROP COLUMN privilege"): + node.query(f"GRANT ALTER DROP COLUMN ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)], + exitcode=exitcode, message="Exception: Not allowed to kill mutation.") + + with Scenario("KILL ALTER DROP COLUMN with ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name): + + with Given("I have an ALTER DROP COLUMN mutation"): + node.query(f"ALTER TABLE {table_name} DROP COLUMN x") + + with When("I grant the ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I try to KILL MUTATION"): + node.query(f"KILL MUTATION WHERE database = 'default' AND table = '{table_name}'", settings = [("user", user_name)]) + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_KillMutation("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("kill mutation") def feature(self, node="clickhouse1", stress=None, parallel=None): diff --git a/tests/testflows/rbac/tests/privileges/kill_query.py b/tests/testflows/rbac/tests/privileges/kill_query.py index 161ee7b35e0..d1f96e23fd8 100644 --- a/tests/testflows/rbac/tests/privileges/kill_query.py +++ b/tests/testflows/rbac/tests/privileges/kill_query.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute KILL QUERY with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,20 +32,27 @@ def privilege_check(grant_target_name, user_name, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): - with When("I attempt to kill a query without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to kill a query without privilege"): node.query(f"KILL QUERY WHERE user ='default'", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): + with When("I grant kill query privilege"): node.query(f"GRANT KILL QUERY TO {grant_target_name}") with Then("I attempt to kill a query"): node.query(f"KILL QUERY WHERE 1", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): with When("I grant the kill query privilege"): node.query(f"GRANT KILL QUERY TO {grant_target_name}") @@ -57,7 +64,19 @@ def privilege_check(grant_target_name, user_name, node=None): node.query(f"KILL QUERY WHERE 1", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("execute on cluster", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked ALL privilege"): + + with When("I grant the kill query privilege"): + node.query(f"GRANT KILL QUERY TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to kill a query"): + node.query(f"KILL QUERY WHERE 1", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + with Scenario("execute on cluster"): with When("I grant the truncate privilege"): node.query(f"GRANT KILL QUERY TO {grant_target_name}") @@ -65,9 +84,22 @@ def privilege_check(grant_target_name, user_name, node=None): with Then("I attempt to kill a query"): node.query(f"KILL QUERY ON CLUSTER WHERE 1'", settings = [("user", user_name)]) + with Scenario("user with ALL privilege"): + + with When("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with And("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* ON {grant_target_name}") + + with Then("I attempt to kill a query"): + node.query(f"KILL QUERY WHERE 1", settings = [("user", user_name)]) + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_KillQuery("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Name("kill query") def feature(self, node="clickhouse1", stress=None, parallel=None): @@ -80,5 +112,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): if stress is not None: self.context.stress = stress - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role() diff --git a/tests/testflows/rbac/tests/privileges/optimize.py b/tests/testflows/rbac/tests/privileges/optimize.py index b0e8b69e372..7d3f41a43b4 100644 --- a/tests/testflows/rbac/tests/privileges/optimize.py +++ b/tests/testflows/rbac/tests/privileges/optimize.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, table_type, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute OPTIMIZE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, table_type=table_type, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,16 +32,22 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): - with When("I attempt to optimize a table without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to optimize a table without privilege"): node.query(f"OPTIMIZE TABLE {table_name} FINAL", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): @@ -52,7 +58,7 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): with Then("I attempt to optimize a table"): node.query(f"OPTIMIZE TABLE {table_name}", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): @@ -67,7 +73,22 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): node.query(f"OPTIMIZE TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("execute on cluster", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name, table_type): + + with When("I grant the optimize privilege"): + node.query(f"GRANT OPTIMIZE ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to optimize a table"): + node.query(f"OPTIMIZE TABLE {table_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + with Scenario("execute on cluster"): table_name = f"merge_tree_{getuid()}" try: @@ -84,9 +105,24 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): with Finally("I drop the table from the cluster"): node.query(f"DROP TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster") + with Scenario("user with ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name, table_type): + + with When("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with And("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to optimize a table"): + node.query(f"OPTIMIZE TABLE {table_name}", settings = [("user", user_name)]) @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_Optimize("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() @@ -109,5 +145,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): continue with Example(str(example)): - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role(table_type=table_type) diff --git a/tests/testflows/rbac/tests/privileges/public_tables.py b/tests/testflows/rbac/tests/privileges/public_tables.py index 98077438946..ed17c1a77ea 100755 --- a/tests/testflows/rbac/tests/privileges/public_tables.py +++ b/tests/testflows/rbac/tests/privileges/public_tables.py @@ -95,5 +95,5 @@ def sensitive_tables(self, node=None): def feature(self, node="clickhouse1"): self.context.node = self.context.cluster.node(node) - Scenario(run=public_tables, setup=instrument_clickhouse_server_log, flags=TE) - Scenario(run=sensitive_tables, setup=instrument_clickhouse_server_log, flags=TE) \ No newline at end of file + Scenario(run=public_tables, setup=instrument_clickhouse_server_log) + Scenario(run=sensitive_tables, setup=instrument_clickhouse_server_log) diff --git a/tests/testflows/rbac/tests/privileges/role_admin.py b/tests/testflows/rbac/tests/privileges/role_admin.py index 955b0fcd258..8deea7874cd 100644 --- a/tests/testflows/rbac/tests/privileges/role_admin.py +++ b/tests/testflows/rbac/tests/privileges/role_admin.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(test=role_admin, flags=TE)(grant_target_name=user_name, user_name=user_name) + Suite(test=role_admin)(grant_target_name=user_name, user_name=user_name) @TestSuite def privileges_granted_via_role(self, node=None): @@ -35,7 +35,7 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=role_admin, flags=TE)(grant_target_name=role_name, user_name=user_name) + Suite(test=role_admin)(grant_target_name=role_name, user_name=user_name) @TestSuite def role_admin(self, grant_target_name, user_name, node=None): @@ -52,7 +52,13 @@ def role_admin(self, grant_target_name, user_name, node=None): with user(node, target_user_name), role(node, role_admin_name): - with When("I check the user can't grant a role"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't grant a role"): node.query(f"GRANT {role_admin_name} TO {target_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -105,10 +111,40 @@ def role_admin(self, grant_target_name, user_name, node=None): node.query(f"GRANT {role_admin_name} TO {target_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) + with Scenario("Grant role with revoked ALL privilege"): + role_admin_name = f"role_admin_{getuid()}" + target_user_name = f"target_user_{getuid()}" + + with user(node, target_user_name), role(node, role_admin_name): + + with When(f"I grant ROLE ADMIN"): + node.query(f"GRANT ROLE ADMIN ON *.* TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I check the user cannot grant a role"): + node.query(f"GRANT {role_admin_name} TO {target_user_name}", settings=[("user",user_name)], + exitcode=exitcode, message=message) + + with Scenario("Grant role with ALL privilege"): + role_admin_name = f"role_admin_{getuid()}" + target_user_name = f"target_user_{getuid()}" + + with user(node, target_user_name), role(node, role_admin_name): + + with When(f"I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I check the user can grant a role"): + node.query(f"GRANT {role_admin_name} TO {target_user_name}", settings = [("user", f"{user_name}")]) + @TestFeature @Name("role admin") @Requirements( RQ_SRS_006_RBAC_Privileges_RoleAdmin("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of ROLE ADMIN. diff --git a/tests/testflows/rbac/tests/privileges/select.py b/tests/testflows/rbac/tests/privileges/select.py index e58dd8184d2..036ea944ae1 100755 --- a/tests/testflows/rbac/tests/privileges/select.py +++ b/tests/testflows/rbac/tests/privileges/select.py @@ -9,17 +9,31 @@ from rbac.helper.common import * import rbac.helper.errors as errors @TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_None("1.0") +) def without_privilege(self, table_type, node=None): """Check that user without select privilege on a table is not able to select on that table. """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name): - with When("I run SELECT without privilege"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {user_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {user_name}") + + with Then("I run SELECT without privilege"): exitcode, message = errors.not_enough_privileges(name=user_name) + node.query(f"SELECT * FROM {table_name}", settings = [("user",user_name)], exitcode=exitcode, message=message) @@ -32,16 +46,52 @@ def user_with_privilege(self, table_type, node=None): """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with Given("I have some data inserted into table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')") + with user(node, user_name): + with When("I grant privilege"): node.query(f"GRANT SELECT ON {table_name} TO {user_name}") + with Then("I verify SELECT command"): user_select = node.query(f"SELECT d FROM {table_name}", settings = [("user",user_name)]) + + default = node.query(f"SELECT d FROM {table_name}") + assert user_select.output == default.output, error() + +@TestScenario +@Requirements( + RQ_SRS_006_RBAC_Privileges_All("1.0") +) +def user_with_all_privilege(self, table_type, node=None): + """Check that user can select from a table if have ALL privilege. + """ + user_name = f"user_{getuid()}" + table_name = f"table_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name, table_type): + + with Given("I have some data inserted into table"): + node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')") + + with user(node, user_name): + + with When("I grant privilege"): + node.query(f"GRANT ALL ON *.* TO {user_name}") + + with Then("I verify SELECT command"): + user_select = node.query(f"SELECT d FROM {table_name}", settings = [("user",user_name)]) + default = node.query(f"SELECT d FROM {table_name}") assert user_select.output == default.output, error() @@ -55,15 +105,47 @@ def user_with_revoked_privilege(self, table_type, node=None): """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name): + with When("I grant privilege"): node.query(f"GRANT SELECT ON {table_name} TO {user_name}") + with And("I revoke privilege"): node.query(f"REVOKE SELECT ON {table_name} FROM {user_name}") - with And("I use SELECT, throws exception"): + + with Then("I use SELECT, throws exception"): + exitcode, message = errors.not_enough_privileges(name=user_name) + node.query(f"SELECT * FROM {table_name}", settings = [("user",user_name)], + exitcode=exitcode, message=message) + +@TestScenario +def user_with_revoked_all_privilege(self, table_type, node=None): + """Check that user is unable to select from a table after ALL privilege + on that table has been revoked from the user. + """ + user_name = f"user_{getuid()}" + table_name = f"table_{getuid()}" + + if node is None: + node = self.context.node + + with table(node, table_name, table_type): + + with user(node, user_name): + + with When("I grant privilege"): + node.query(f"GRANT SELECT ON {table_name} TO {user_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {user_name}") + + with Then("I use SELECT, throws exception"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT * FROM {table_name}", settings = [("user",user_name)], exitcode=exitcode, message=message) @@ -90,25 +172,35 @@ def user_column_privileges(self, grant_columns, select_columns_pass, data_pass, """ user_name = f"user_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type), user(node, user_name): + with Given("The table has some data on some columns"): node.query(f"INSERT INTO {table_name} ({select_columns_pass}) VALUES ({data_pass})") + with When("I grant select privilege"): node.query(f"GRANT SELECT({grant_columns}) ON {table_name} TO {user_name}") + if select_columns_fail is not None: + with And("I select from not granted column"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT ({select_columns_fail}) FROM {table_name}", settings = [("user",user_name)], exitcode=exitcode, message=message) + with Then("I select from granted column, verify correct result"): user_select = node.query(f"SELECT ({select_columns_pass}) FROM {table_name}", settings = [("user",user_name)]) default = node.query(f"SELECT ({select_columns_pass}) FROM {table_name}") assert user_select.output == default.output + if revoke_columns is not None: + with When("I revoke select privilege for columns from user"): node.query(f"REVOKE SELECT({revoke_columns}) ON {table_name} FROM {user_name}") + with And("I select from revoked columns"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT ({select_columns_pass}) FROM {table_name}", settings = [("user",user_name)], exitcode=exitcode, message=message) @@ -124,17 +216,25 @@ def role_with_privilege(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with Given("I have some data inserted into table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')") + with user(node, user_name): + with role(node, role_name): + with When("I grant select privilege to a role"): node.query(f"GRANT SELECT ON {table_name} TO {role_name}") + with And("I grant role to the user"): node.query(f"GRANT {role_name} TO {user_name}") + with Then("I verify SELECT command"): user_select = node.query(f"SELECT d FROM {table_name}", settings = [("user",user_name)]) default = node.query(f"SELECT d FROM {table_name}") @@ -151,16 +251,23 @@ def role_with_revoked_privilege(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name), role(node, role_name): + with When("I grant privilege to a role"): node.query(f"GRANT SELECT ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I revoke privilege from the role"): node.query(f"REVOKE SELECT ON {table_name} FROM {role_name}") + with And("I select from the table"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT * FROM {table_name}", settings = [("user",user_name)], @@ -174,16 +281,23 @@ def user_with_revoked_role(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with user(node, user_name), role(node, role_name): + with When("I grant privilege to a role"): node.query(f"GRANT SELECT ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + with And("I revoke the role from the user"): node.query(f"REVOKE {role_name} FROM {user_name}") + with And("I select from the table"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT * FROM {table_name}", settings = [("user",user_name)], @@ -212,28 +326,39 @@ def role_column_privileges(self, grant_columns, select_columns_pass, data_pass, user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): + with Given("The table has some data on some columns"): node.query(f"INSERT INTO {table_name} ({select_columns_pass}) VALUES ({data_pass})") + with user(node, user_name), role(node, role_name): + with When("I grant select privilege"): node.query(f"GRANT SELECT({grant_columns}) ON {table_name} TO {role_name}") + with And("I grant the role to a user"): node.query(f"GRANT {role_name} TO {user_name}") + if select_columns_fail is not None: with And("I select from not granted column"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT ({select_columns_fail}) FROM {table_name}", settings = [("user",user_name)], exitcode=exitcode, message=message) + with Then("I verify SELECT command"): user_select = node.query(f"SELECT d FROM {table_name}", settings = [("user",user_name)]) default = node.query(f"SELECT d FROM {table_name}") assert user_select.output == default.output, error() + if revoke_columns is not None: + with When("I revoke select privilege for columns from role"): node.query(f"REVOKE SELECT({revoke_columns}) ON {table_name} FROM {role_name}") + with And("I select from revoked columns"): exitcode, message = errors.not_enough_privileges(name=user_name) node.query(f"SELECT ({select_columns_pass}) FROM {table_name}", @@ -250,20 +375,26 @@ def user_with_privilege_on_cluster(self, table_type, node=None): user_name = f"user_{getuid()}" role_name = f"role_{getuid()}" table_name = f"table_{getuid()}" + if node is None: node = self.context.node + with table(node, table_name, table_type): try: with Given("I have some data inserted into table"): node.query(f"INSERT INTO {table_name} (d) VALUES ('2020-01-01')") + with Given("I have a user on a cluster"): node.query(f"CREATE USER OR REPLACE {user_name} ON CLUSTER sharded_cluster") + with When("I grant select privilege on a cluster"): node.query(f"GRANT ON CLUSTER sharded_cluster SELECT ON {table_name} TO {user_name}") + with Then("I verify SELECT command"): user_select = node.query(f"SELECT d FROM {table_name}", settings = [("user",user_name)]) default = node.query(f"SELECT d FROM {table_name}") assert user_select.output == default.output, error() + finally: with Finally("I drop the user"): node.query(f"DROP USER {user_name} ON CLUSTER sharded_cluster") @@ -291,7 +422,10 @@ def feature(self, table_type, parallel=None, stress=None, node="clickhouse1"): pool = Pool(10) try: - for scenario in loads(current_module(), Scenario): - run_scenario(pool, tasks, Scenario(test=scenario, setup=instrument_clickhouse_server_log), {"table_type" : table_type}) + try: + for scenario in loads(current_module(), Scenario): + run_scenario(pool, tasks, Scenario(test=scenario, setup=instrument_clickhouse_server_log), {"table_type" : table_type}) + finally: + join(tasks) finally: - join(tasks) + pool.close() diff --git a/tests/testflows/rbac/tests/privileges/show/show_columns.py b/tests/testflows/rbac/tests/privileges/show/show_columns.py index 996663cdcbc..108200e7a57 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_columns.py +++ b/tests/testflows/rbac/tests/privileges/show/show_columns.py @@ -18,7 +18,7 @@ def describe_with_privilege_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(test=describe, setup=instrument_clickhouse_server_log)(grant_target_name=user_name, user_name=user_name, table_name=table_name) + Suite(test=describe)(grant_target_name=user_name, user_name=user_name, table_name=table_name) @TestSuite def describe_with_privilege_granted_via_role(self, node=None): @@ -37,7 +37,7 @@ def describe_with_privilege_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=describe, setup=instrument_clickhouse_server_log)(grant_target_name=role_name, user_name=user_name, table_name=table_name) + Suite(test=describe)(grant_target_name=role_name, user_name=user_name, table_name=table_name) @TestSuite @Requirements( @@ -54,11 +54,19 @@ def describe(self, grant_target_name, user_name, table_name, node=None): with table(node, table_name): with Scenario("DESCRIBE table without privilege"): - with When(f"I attempt to DESCRIBE {table_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I attempt to DESCRIBE {table_name}"): node.query(f"DESCRIBE {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("DESCRIBE with privilege"): + with When(f"I grant SHOW COLUMNS on the table"): node.query(f"GRANT SHOW COLUMNS ON {table_name} TO {grant_target_name}") @@ -66,6 +74,7 @@ def describe(self, grant_target_name, user_name, table_name, node=None): node.query(f"DESCRIBE TABLE {table_name}", settings=[("user",user_name)]) with Scenario("DESCRIBE with revoked privilege"): + with When(f"I grant SHOW COLUMNS on the table"): node.query(f"GRANT SHOW COLUMNS ON {table_name} TO {grant_target_name}") @@ -76,6 +85,26 @@ def describe(self, grant_target_name, user_name, table_name, node=None): node.query(f"DESCRIBE {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) + with Scenario("DESCRIBE with revoked ALL privilege"): + + with When(f"I grant SHOW COLUMNS on the table"): + node.query(f"GRANT SHOW COLUMNS ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then(f"I attempt to DESCRIBE {table_name}"): + node.query(f"DESCRIBE {table_name}", settings=[("user",user_name)], + exitcode=exitcode, message=message) + + with Scenario("DESCRIBE with ALL privilege"): + + with When(f"I grant SHOW COLUMNS on the table"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then(f"I attempt to DESCRIBE {table_name}"): + node.query(f"DESCRIBE TABLE {table_name}", settings=[("user",user_name)]) + @TestSuite def show_create_with_privilege_granted_directly(self, node=None): """Check that user is able to execute SHOW CREATE on a table if and only if @@ -89,7 +118,7 @@ def show_create_with_privilege_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(test=show_create, setup=instrument_clickhouse_server_log)(grant_target_name=user_name, user_name=user_name, table_name=table_name) + Suite(test=show_create)(grant_target_name=user_name, user_name=user_name, table_name=table_name) @TestSuite def show_create_with_privilege_granted_via_role(self, node=None): @@ -108,7 +137,7 @@ def show_create_with_privilege_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(test=show_create, setup=instrument_clickhouse_server_log)(grant_target_name=role_name, user_name=user_name, table_name=table_name) + Suite(test=show_create)(grant_target_name=role_name, user_name=user_name, table_name=table_name) @TestSuite @Requirements( @@ -125,11 +154,19 @@ def show_create(self, grant_target_name, user_name, table_name, node=None): with table(node, table_name): with Scenario("SHOW CREATE without privilege"): - with When(f"I attempt to SHOW CREATE {table_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I attempt to SHOW CREATE {table_name}"): node.query(f"SHOW CREATE TABLE {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("SHOW CREATE with privilege"): + with When(f"I grant SHOW COLUMNS on the table"): node.query(f"GRANT SHOW COLUMNS ON {table_name} TO {grant_target_name}") @@ -137,6 +174,7 @@ def show_create(self, grant_target_name, user_name, table_name, node=None): node.query(f"SHOW CREATE TABLE {table_name}", settings=[("user",user_name)]) with Scenario("SHOW CREATE with revoked privilege"): + with When(f"I grant SHOW COLUMNS on the table"): node.query(f"GRANT SHOW COLUMNS ON {table_name} TO {grant_target_name}") @@ -147,10 +185,20 @@ def show_create(self, grant_target_name, user_name, table_name, node=None): node.query(f"SHOW CREATE TABLE {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) + with Scenario("SHOW CREATE with ALL privilege"): + + with When(f"I grant SHOW COLUMNS on the table"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then(f"I attempt to SHOW CREATE {table_name}"): + node.query(f"SHOW CREATE TABLE {table_name}", settings=[("user",user_name)]) + @TestFeature @Name("show columns") @Requirements( - RQ_SRS_006_RBAC_ShowColumns_Privilege("1.0") + RQ_SRS_006_RBAC_ShowColumns_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW COLUMNS. diff --git a/tests/testflows/rbac/tests/privileges/show/show_databases.py b/tests/testflows/rbac/tests/privileges/show/show_databases.py index 27d10ef2b73..39a46947afe 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_databases.py +++ b/tests/testflows/rbac/tests/privileges/show/show_databases.py @@ -20,7 +20,7 @@ def dict_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): db_name = f"db_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name db_name", [ tuple(list(row)+[user_name,user_name,db_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -44,13 +44,14 @@ def dict_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name db_name", [ tuple(list(row)+[role_name,user_name,db_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SHOW","*.*"), ("SHOW DATABASES","db"), ("CREATE DATABASE","db"), @@ -65,9 +66,9 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, db_name, on = on.replace("db", f"{db_name}") - Suite(test=show_db, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) - Suite(test=use, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) + Suite(test=show_db)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) + Suite(test=use)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) + Suite(test=show_create)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, db_name=db_name) @TestSuite @Requirements( @@ -83,14 +84,23 @@ def show_db(self, privilege, on, grant_target_name, user_name, db_name, node=Non try: with Given("I have a database"): + node.query(f"CREATE DATABASE {db_name}") with Scenario("SHOW DATABASES without privilege"): - with When("I check the user doesn't see the database"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user doesn't see the database"): output = node.query("SHOW DATABASES", settings = [("user", f"{user_name}")]).output assert output == '', error() with Scenario("SHOW DATABASES with privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -98,6 +108,7 @@ def show_db(self, privilege, on, grant_target_name, user_name, db_name, node=Non output = node.query("SHOW DATABASES", settings = [("user", f"{user_name}")], message = f'{db_name}') with Scenario("SHOW DATABASES with revoked privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -130,11 +141,19 @@ def use(self, privilege, on, grant_target_name, user_name, db_name, node=None): node.query(f"CREATE DATABASE {db_name}") with Scenario("USE without privilege"): - with When(f"I attempt to USE {db_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I attempt to USE {db_name}"): node.query(f"USE {db_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("USE with privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -142,6 +161,7 @@ def use(self, privilege, on, grant_target_name, user_name, db_name, node=None): node.query(f"USE {db_name}", settings=[("user",user_name)]) with Scenario("USE with revoked privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -174,11 +194,19 @@ def show_create(self, privilege, on, grant_target_name, user_name, db_name, node node.query(f"CREATE DATABASE {db_name}") with Scenario("SHOW CREATE without privilege"): - with When(f"I attempt to SHOW CREATE {db_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I attempt to SHOW CREATE {db_name}"): node.query(f"SHOW CREATE DATABASE {db_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("SHOW CREATE with privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -186,6 +214,7 @@ def show_create(self, privilege, on, grant_target_name, user_name, db_name, node node.query(f"SHOW CREATE DATABASE {db_name}", settings=[("user",user_name)]) with Scenario("SHOW CREATE with revoked privilege"): + with When(f"I grant {privilege} on the database"): node.query(f"GRANT {privilege} ON {db_name}.* TO {grant_target_name}") @@ -203,7 +232,9 @@ def show_create(self, privilege, on, grant_target_name, user_name, db_name, node @TestFeature @Name("show databases") @Requirements( - RQ_SRS_006_RBAC_ShowDatabases_Privilege("1.0") + RQ_SRS_006_RBAC_ShowDatabases_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW DATABASES. diff --git a/tests/testflows/rbac/tests/privileges/show/show_dictionaries.py b/tests/testflows/rbac/tests/privileges/show/show_dictionaries.py index ec5617af904..5b717b5f47c 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_dictionaries.py +++ b/tests/testflows/rbac/tests/privileges/show/show_dictionaries.py @@ -20,7 +20,7 @@ def dict_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): dict_name = f"dict_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name dict_name", [ tuple(list(row)+[user_name,user_name,dict_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -44,13 +44,14 @@ def dict_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name dict_name", [ tuple(list(row)+[role_name,user_name,dict_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SHOW","*.*"), ("SHOW DICTIONARIES","dict"), ("CREATE DICTIONARY","dict"), @@ -65,9 +66,9 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, dict_name on = on.replace("dict", f"{dict_name}") - Suite(test=show_dict, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) - Suite(test=exists, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) + Suite(test=show_dict)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) + Suite(test=exists)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) + Suite(test=show_create)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, dict_name=dict_name) @TestSuite @Requirements( @@ -87,7 +88,14 @@ def show_dict(self, privilege, on, grant_target_name, user_name, dict_name, node node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") with Scenario("SHOW DICTIONARIES without privilege"): - with When("I check the user doesn't see the dictionary"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user doesn't see the dictionary"): output = node.query("SHOW DICTIONARIES", settings = [("user", f"{user_name}")]).output assert output == '', error() @@ -131,7 +139,14 @@ def exists(self, privilege, on, grant_target_name, user_name, dict_name, node=No node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") with Scenario("EXISTS without privilege"): - with When(f"I check if {dict_name} EXISTS"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I check if {dict_name} EXISTS"): node.query(f"EXISTS {dict_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -175,7 +190,14 @@ def show_create(self, privilege, on, grant_target_name, user_name, dict_name, no node.query(f"CREATE DICTIONARY {dict_name}(x Int32, y Int32) PRIMARY KEY x LAYOUT(FLAT()) SOURCE(CLICKHOUSE()) LIFETIME(0)") with Scenario("SHOW CREATE without privilege"): - with When(f"I attempt to SHOW CREATE {dict_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I attempt to SHOW CREATE {dict_name}"): node.query(f"SHOW CREATE DICTIONARY {dict_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -205,6 +227,8 @@ def show_create(self, privilege, on, grant_target_name, user_name, dict_name, no @Name("show dictionaries") @Requirements( RQ_SRS_006_RBAC_ShowDictionaries_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW DICTIONARIES. diff --git a/tests/testflows/rbac/tests/privileges/show/show_quotas.py b/tests/testflows/rbac/tests/privileges/show/show_quotas.py index d84b5192677..20476ae759b 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_quotas.py +++ b/tests/testflows/rbac/tests/privileges/show/show_quotas.py @@ -29,7 +29,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -50,13 +50,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("SHOW ACCESS",), ("SHOW QUOTAS",), @@ -69,8 +70,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=show_quotas, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_quotas)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_create)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite @Requirements( @@ -86,7 +87,13 @@ def show_quotas(self, privilege, grant_target_name, user_name, node=None): with Scenario("SHOW QUOTAS without privilege"): - with When("I check the user can't use SHOW QUOTAS"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW QUOTAS"): node.query(f"SHOW QUOTAS", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -127,7 +134,13 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): with quota(node, target_quota_name): - with When("I check the user can't use SHOW CREATE QUOTA"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW CREATE QUOTA"): node.query(f"SHOW CREATE QUOTA {target_quota_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -161,6 +174,8 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): @Name("show quotas") @Requirements( RQ_SRS_006_RBAC_ShowQuotas_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW QUOTAS. diff --git a/tests/testflows/rbac/tests/privileges/show/show_roles.py b/tests/testflows/rbac/tests/privileges/show/show_roles.py index 3106e1c5df3..14d038102dd 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_roles.py +++ b/tests/testflows/rbac/tests/privileges/show/show_roles.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("SHOW ACCESS",), ("SHOW ROLES",), @@ -57,8 +58,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=show_roles, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_roles)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_create)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite @Requirements( @@ -74,7 +75,13 @@ def show_roles(self, privilege, grant_target_name, user_name, node=None): with Scenario("SHOW ROLES without privilege"): - with When("I check the user can't use SHOW ROLES"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW ROLES"): node.query(f"SHOW ROLES", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -115,7 +122,13 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): with role(node, target_role_name): - with When("I check the user can't use SHOW CREATE ROLE"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW CREATE ROLE"): node.query(f"SHOW CREATE ROLE {target_role_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -149,6 +162,8 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): @Name("show roles") @Requirements( RQ_SRS_006_RBAC_ShowRoles_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW ROLES. diff --git a/tests/testflows/rbac/tests/privileges/show/show_row_policies.py b/tests/testflows/rbac/tests/privileges/show/show_row_policies.py index cfa25284cee..789c4c95223 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_row_policies.py +++ b/tests/testflows/rbac/tests/privileges/show/show_row_policies.py @@ -29,7 +29,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -50,13 +50,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("SHOW ACCESS",), ("SHOW ROW POLICIES",), @@ -71,8 +72,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=show_row_policies, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_row_policies)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_create)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite @Requirements( @@ -88,7 +89,13 @@ def show_row_policies(self, privilege, grant_target_name, user_name, node=None): with Scenario("SHOW ROW POLICIES without privilege"): - with When("I check the user can't use SHOW ROW POLICIES"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW ROW POLICIES"): node.query(f"SHOW ROW POLICIES", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -130,7 +137,13 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): with row_policy(node, target_row_policy_name, table_name): - with When("I check the user can't use SHOW CREATE ROW POLICY"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW CREATE ROW POLICY"): node.query(f"SHOW CREATE ROW POLICY {target_row_policy_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -166,6 +179,8 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): @Name("show row policies") @Requirements( RQ_SRS_006_RBAC_ShowRowPolicies_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW ROW POLICYS. diff --git a/tests/testflows/rbac/tests/privileges/show/show_settings_profiles.py b/tests/testflows/rbac/tests/privileges/show/show_settings_profiles.py index 8c29a7f462e..18ca0ee7f6e 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_settings_profiles.py +++ b/tests/testflows/rbac/tests/privileges/show/show_settings_profiles.py @@ -29,7 +29,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -50,13 +50,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("SHOW ACCESS",), ("SHOW SETTINGS PROFILES",), @@ -71,8 +72,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=show_settings_profiles, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_settings_profiles)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_create)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite @Requirements( @@ -88,7 +89,13 @@ def show_settings_profiles(self, privilege, grant_target_name, user_name, node=N with Scenario("SHOW SETTINGS PROFILES without privilege"): - with When("I check the user can't use SHOW SETTINGS PROFILES"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW SETTINGS PROFILES"): node.query(f"SHOW SETTINGS PROFILES", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -129,7 +136,13 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): with settings_profile(node, target_settings_profile_name): - with When("I check the user can't use SHOW CREATE SETTINGS PROFILE"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW CREATE SETTINGS PROFILE"): node.query(f"SHOW CREATE SETTINGS PROFILE {target_settings_profile_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -163,6 +176,8 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): @Name("show settings profiles") @Requirements( RQ_SRS_006_RBAC_ShowSettingsProfiles_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW SETTINGS PROFILES. diff --git a/tests/testflows/rbac/tests/privileges/show/show_tables.py b/tests/testflows/rbac/tests/privileges/show/show_tables.py index 913b64cef69..d445550c032 100755 --- a/tests/testflows/rbac/tests/privileges/show/show_tables.py +++ b/tests/testflows/rbac/tests/privileges/show/show_tables.py @@ -20,7 +20,7 @@ def table_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -44,13 +44,14 @@ def table_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SHOW", "*.*"), ("SHOW TABLES", "table"), ("SELECT", "table"), @@ -67,9 +68,9 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, table_nam if node is None: node = self.context.node - Suite(test=show_tables, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=exists, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=check, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=show_tables)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=exists)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=check)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) @TestSuite @Requirements( @@ -88,11 +89,19 @@ def show_tables(self, privilege, on, grant_target_name, user_name, table_name, n with table(node, table_name): with Scenario("SHOW TABLES without privilege"): - with When("I check the user doesn't see the table"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user doesn't see the table"): output = node.query("SHOW TABLES", settings = [("user", f"{user_name}")]).output assert output == '', error() with Scenario("SHOW TABLES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -100,6 +109,7 @@ def show_tables(self, privilege, on, grant_target_name, user_name, table_name, n node.query("SHOW TABLES", settings = [("user", f"{user_name}")], message=f"{table_name}") with Scenario("SHOW TABLES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -127,12 +137,21 @@ def exists(self, privilege, on, grant_target_name, user_name, table_name, node=N on = f"{table_name}" with table(node, table_name): + with Scenario("EXISTS without privilege"): - with When(f"I check if {table_name} EXISTS"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I check if {table_name} EXISTS"): node.query(f"EXISTS {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("EXISTS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,7 @@ def exists(self, privilege, on, grant_target_name, user_name, table_name, node=N node.query(f"EXISTS {table_name}", settings=[("user",user_name)]) with Scenario("EXISTS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -167,12 +187,21 @@ def check(self, privilege, on, grant_target_name, user_name, table_name, node=No on = f"{table_name}" with table(node, table_name): + with Scenario("CHECK without privilege"): - with When(f"I CHECK {table_name}"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then(f"I CHECK {table_name}"): node.query(f"CHECK TABLE {table_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) with Scenario("CHECK with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -180,6 +209,7 @@ def check(self, privilege, on, grant_target_name, user_name, table_name, node=No node.query(f"CHECK TABLE {table_name}", settings=[("user",user_name)]) with Scenario("CHECK with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -194,6 +224,8 @@ def check(self, privilege, on, grant_target_name, user_name, table_name, node=No @Name("show tables") @Requirements( RQ_SRS_006_RBAC_ShowTables_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW TABLES. diff --git a/tests/testflows/rbac/tests/privileges/show/show_users.py b/tests/testflows/rbac/tests/privileges/show/show_users.py index 48e6ba51f48..aa5c97297b5 100644 --- a/tests/testflows/rbac/tests/privileges/show/show_users.py +++ b/tests/testflows/rbac/tests/privileges/show/show_users.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("ACCESS MANAGEMENT",), ("SHOW ACCESS",), ("SHOW USERS",), @@ -57,8 +58,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=show_users, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=show_create, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_users)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=show_create)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite @Requirements( @@ -74,7 +75,13 @@ def show_users(self, privilege, grant_target_name, user_name, node=None): with Scenario("SHOW USERS without privilege"): - with When("I check the user can't use SHOW USERS"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW USERS"): node.query(f"SHOW USERS", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -115,7 +122,13 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): with user(node, target_user_name): - with When("I check the user can't use SHOW CREATE USER"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SHOW CREATE USER"): node.query(f"SHOW CREATE USER {target_user_name}", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -149,6 +162,8 @@ def show_create(self, privilege, grant_target_name, user_name, node=None): @Name("show users") @Requirements( RQ_SRS_006_RBAC_ShowUsers_Privilege("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SHOW USERS. diff --git a/tests/testflows/rbac/tests/privileges/sources.py b/tests/testflows/rbac/tests/privileges/sources.py index 8c1b61ee401..19d32cf500a 100644 --- a/tests/testflows/rbac/tests/privileges/sources.py +++ b/tests/testflows/rbac/tests/privileges/sources.py @@ -17,7 +17,7 @@ def file_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=file, flags=TE, + Suite(run=file, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in file.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def file_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=file, flags=TE, + Suite(run=file, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in file.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("FILE",), ]) @@ -65,7 +66,13 @@ def file(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the File source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the File source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=File()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -102,7 +109,7 @@ def url_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=url, flags=TE, + Suite(run=url, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in url.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -123,13 +130,14 @@ def url_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=url, flags=TE, + Suite(run=url, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in url.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("URL",), ]) @@ -150,7 +158,13 @@ def url(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the URL source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the URL source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=URL()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -187,7 +201,7 @@ def remote_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=remote, flags=TE, + Suite(run=remote, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in remote.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -208,13 +222,14 @@ def remote_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=remote, flags=TE, + Suite(run=remote, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in remote.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("REMOTE",), ]) @@ -235,7 +250,13 @@ def remote(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the Remote source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the Remote source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE = Distributed()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -272,7 +293,7 @@ def MySQL_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=MySQL, flags=TE, + Suite(run=MySQL, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in MySQL.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -293,13 +314,14 @@ def MySQL_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=MySQL, flags=TE, + Suite(run=MySQL, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in MySQL.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("MYSQL",), ]) @@ -320,7 +342,13 @@ def MySQL(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the MySQL source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the MySQL source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=MySQL()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -357,7 +385,7 @@ def ODBC_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=ODBC, flags=TE, + Suite(run=ODBC, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in ODBC.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -378,13 +406,14 @@ def ODBC_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=ODBC, flags=TE, + Suite(run=ODBC, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in ODBC.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("ODBC",), ]) @@ -405,7 +434,13 @@ def ODBC(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the ODBC source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the ODBC source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=ODBC()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -442,7 +477,7 @@ def JDBC_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=JDBC, flags=TE, + Suite(run=JDBC, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in JDBC.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -463,13 +498,14 @@ def JDBC_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=JDBC, flags=TE, + Suite(run=JDBC, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in JDBC.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("JDBC",), ]) @@ -490,7 +526,13 @@ def JDBC(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the JDBC source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the JDBC source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=JDBC()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -527,7 +569,7 @@ def HDFS_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=HDFS, flags=TE, + Suite(run=HDFS, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in HDFS.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -548,13 +590,14 @@ def HDFS_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=HDFS, flags=TE, + Suite(run=HDFS, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in HDFS.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("HDFS",), ]) @@ -575,7 +618,13 @@ def HDFS(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the HDFS source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the HDFS source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=HDFS()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -612,7 +661,7 @@ def S3_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=S3, flags=TE, + Suite(run=S3, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in S3.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -633,13 +682,14 @@ def S3_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=S3, flags=TE, + Suite(run=S3, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in S3.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SOURCES",), ("S3",), ]) @@ -660,7 +710,13 @@ def S3(self, privilege, grant_target_name, user_name, node=None): with Given("The user has table privilege"): node.query(f"GRANT CREATE TABLE ON {table_name} TO {grant_target_name}") - with When("I check the user can't use the S3 source"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use the S3 source"): node.query(f"CREATE TABLE {table_name} (x String) ENGINE=S3()", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -689,6 +745,8 @@ def S3(self, privilege, grant_target_name, user_name, node=None): @Name("sources") @Requirements( RQ_SRS_006_RBAC_Privileges_Sources("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SOURCES. diff --git a/tests/testflows/rbac/tests/privileges/system/drop_cache.py b/tests/testflows/rbac/tests/privileges/system/drop_cache.py index 6439beb248d..8f1a6caeaac 100644 --- a/tests/testflows/rbac/tests/privileges/system/drop_cache.py +++ b/tests/testflows/rbac/tests/privileges/system/drop_cache.py @@ -17,7 +17,7 @@ def dns_cache_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dns_cache, flags=TE, + Suite(run=dns_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dns_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,7 +38,7 @@ def dns_cache_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dns_cache, flags=TE, + Suite(run=dns_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dns_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -48,6 +48,7 @@ def dns_cache_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_DropCache_DNS("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM DROP CACHE",), ("SYSTEM DROP DNS CACHE",), @@ -65,11 +66,19 @@ def dns_cache(self, privilege, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM DROP DNS CACHE without privilege"): - with When("I check the user is unable to execute SYSTEM DROP DNS CACHE"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM DROP DNS CACHE"): node.query("SYSTEM DROP DNS CACHE", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM DROP DNS CACHE with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -77,6 +86,7 @@ def dns_cache(self, privilege, grant_target_name, user_name, node=None): node.query("SYSTEM DROP DNS CACHE", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM DROP DNS CACHE with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -99,7 +109,7 @@ def mark_cache_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=mark_cache, flags=TE, + Suite(run=mark_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in mark_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -120,7 +130,7 @@ def mark_cache_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=mark_cache, flags=TE, + Suite(run=mark_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in mark_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -130,6 +140,7 @@ def mark_cache_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_DropCache_Mark("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM DROP CACHE",), ("SYSTEM DROP MARK CACHE",), @@ -147,11 +158,19 @@ def mark_cache(self, privilege, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM DROP MARK CACHE without privilege"): - with When("I check the user is unable to execute SYSTEM DROP MARK CACHE"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM DROP MARK CACHE"): node.query("SYSTEM DROP MARK CACHE", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM DROP MARK CACHE with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -159,6 +178,7 @@ def mark_cache(self, privilege, grant_target_name, user_name, node=None): node.query("SYSTEM DROP MARK CACHE", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM DROP MARK CACHE with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -181,7 +201,7 @@ def uncompressed_cache_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=uncompressed_cache, flags=TE, + Suite(run=uncompressed_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in uncompressed_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -202,7 +222,7 @@ def uncompressed_cache_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=uncompressed_cache, flags=TE, + Suite(run=uncompressed_cache, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in uncompressed_cache.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -212,6 +232,7 @@ def uncompressed_cache_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_DropCache_Uncompressed("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM DROP CACHE",), ("SYSTEM DROP UNCOMPRESSED CACHE",), @@ -229,11 +250,19 @@ def uncompressed_cache(self, privilege, grant_target_name, user_name, node=None) node = self.context.node with Scenario("SYSTEM DROP UNCOMPRESSED CACHE without privilege"): - with When("I check the user is unable to execute SYSTEM DROP UNCOMPRESSED CACHE"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM DROP UNCOMPRESSED CACHE"): node.query("SYSTEM DROP UNCOMPRESSED CACHE", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM DROP UNCOMPRESSED CACHE with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -241,6 +270,7 @@ def uncompressed_cache(self, privilege, grant_target_name, user_name, node=None) node.query("SYSTEM DROP UNCOMPRESSED CACHE", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM DROP UNCOMPRESSED CACHE with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -255,6 +285,8 @@ def uncompressed_cache(self, privilege, grant_target_name, user_name, node=None) @Name("system drop cache") @Requirements( RQ_SRS_006_RBAC_Privileges_System_DropCache("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM DROP CACHE. diff --git a/tests/testflows/rbac/tests/privileges/system/fetches.py b/tests/testflows/rbac/tests/privileges/system/fetches.py index 14c046f4fbe..3aba1b71566 100644 --- a/tests/testflows/rbac/tests/privileges/system/fetches.py +++ b/tests/testflows/rbac/tests/privileges/system/fetches.py @@ -17,7 +17,7 @@ def replicated_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def replicated_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM FETCHES", "table"), ("SYSTEM STOP FETCHES", "table"), @@ -59,8 +60,8 @@ def check_replicated_privilege(self, privilege, on, grant_target_name, user_name if node is None: node = self.context.node - Suite(test=start_replication_queues, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=stop_replication_queues, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=start_replication_queues)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=stop_replication_queues)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) @TestSuite def start_replication_queues(self, privilege, on, grant_target_name, user_name, node=None): @@ -77,11 +78,19 @@ def start_replication_queues(self, privilege, on, grant_target_name, user_name, with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM START FETCHES without privilege"): - with When("I check the user can't start fetches"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start fetches"): node.query(f"SYSTEM START FETCHES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START FETCHES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -89,6 +98,7 @@ def start_replication_queues(self, privilege, on, grant_target_name, user_name, node.query(f"SYSTEM START FETCHES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START FETCHES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -114,11 +124,19 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM STOP FETCHES without privilege"): - with When("I check the user can't stop fetches"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop fetches"): node.query(f"SYSTEM STOP FETCHES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP FETCHES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -126,6 +144,7 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n node.query(f"SYSTEM STOP FETCHES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP FETCHES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,8 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n @Name("system fetches") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Fetches("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM FETCHES. diff --git a/tests/testflows/rbac/tests/privileges/system/flush.py b/tests/testflows/rbac/tests/privileges/system/flush.py index 8835b51db9e..8c540fa1286 100644 --- a/tests/testflows/rbac/tests/privileges/system/flush.py +++ b/tests/testflows/rbac/tests/privileges/system/flush.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=flush_logs, flags=TE, + Suite(run=flush_logs, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in flush_logs.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=flush_logs, flags=TE, + Suite(run=flush_logs, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in flush_logs.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM FLUSH", "*.*"), ("SYSTEM FLUSH LOGS", "*.*"), @@ -62,11 +63,19 @@ def flush_logs(self, privilege, on, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM FLUSH LOGS without privilege"): - with When("I check the user can't flush logs"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't flush logs"): node.query(f"SYSTEM FLUSH LOGS", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM FLUSH LOGS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -74,6 +83,7 @@ def flush_logs(self, privilege, on, grant_target_name, user_name, node=None): node.query(f"SYSTEM FLUSH LOGS", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM FLUSH LOGS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -97,7 +107,7 @@ def distributed_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=flush_distributed, flags=TE, + Suite(run=flush_distributed, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in flush_distributed.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -119,13 +129,14 @@ def distributed_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=flush_distributed, flags=TE, + Suite(run=flush_distributed, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in flush_distributed.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM FLUSH", "*.*"), ("SYSTEM FLUSH DISTRIBUTED", "table"), @@ -151,11 +162,19 @@ def flush_distributed(self, privilege, on, grant_target_name, user_name, table_n node.query(f"CREATE TABLE {table_name} (a UInt64) ENGINE = Distributed(sharded_cluster, default, {table0_name}, rand())") with Scenario("SYSTEM FLUSH DISTRIBUTED without privilege"): - with When("I check the user can't flush distributed"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't flush distributed"): node.query(f"SYSTEM FLUSH DISTRIBUTED {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM FLUSH DISTRIBUTED with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -163,6 +182,7 @@ def flush_distributed(self, privilege, on, grant_target_name, user_name, table_n node.query(f"SYSTEM FLUSH DISTRIBUTED {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM FLUSH DISTRIBUTED with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -182,6 +202,8 @@ def flush_distributed(self, privilege, on, grant_target_name, user_name, table_n @Name("system flush") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Flush("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM FLUSH. diff --git a/tests/testflows/rbac/tests/privileges/system/merges.py b/tests/testflows/rbac/tests/privileges/system/merges.py index 0f347299c44..324b9c0b4ec 100644 --- a/tests/testflows/rbac/tests/privileges/system/merges.py +++ b/tests/testflows/rbac/tests/privileges/system/merges.py @@ -18,7 +18,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -40,13 +40,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM MERGES", "table"), ("SYSTEM STOP MERGES", "table"), @@ -61,8 +62,8 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, table_nam if node is None: node = self.context.node - Suite(test=start_merges, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=stop_merges, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=start_merges)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=stop_merges)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) @TestSuite def start_merges(self, privilege, on, grant_target_name, user_name, table_name, node=None): @@ -78,11 +79,19 @@ def start_merges(self, privilege, on, grant_target_name, user_name, table_name, with table(node, table_name): with Scenario("SYSTEM START MERGES without privilege"): - with When("I check the user can't start merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start merges"): node.query(f"SYSTEM START MERGES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START MERGES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -90,6 +99,7 @@ def start_merges(self, privilege, on, grant_target_name, user_name, table_name, node.query(f"SYSTEM START MERGES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START MERGES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -114,11 +124,19 @@ def stop_merges(self, privilege, on, grant_target_name, user_name, table_name, n with table(node, table_name): with Scenario("SYSTEM STOP MERGES without privilege"): - with When("I check the user can't stop merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop merges"): node.query(f"SYSTEM STOP MERGES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP MERGES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -126,6 +144,7 @@ def stop_merges(self, privilege, on, grant_target_name, user_name, table_name, n node.query(f"SYSTEM STOP MERGES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP MERGES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,8 @@ def stop_merges(self, privilege, on, grant_target_name, user_name, table_name, n @Name("system merges") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Merges("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM MERGES. diff --git a/tests/testflows/rbac/tests/privileges/system/moves.py b/tests/testflows/rbac/tests/privileges/system/moves.py index 2081e6dfe22..2a75ff39aaf 100644 --- a/tests/testflows/rbac/tests/privileges/system/moves.py +++ b/tests/testflows/rbac/tests/privileges/system/moves.py @@ -18,7 +18,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -40,13 +40,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM MOVES", "table"), ("SYSTEM STOP MOVES", "table"), @@ -61,8 +62,8 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, table_nam if node is None: node = self.context.node - Suite(test=start_moves, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=stop_moves, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=start_moves)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=stop_moves)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) @TestSuite def start_moves(self, privilege, on, grant_target_name, user_name, table_name, node=None): @@ -78,11 +79,19 @@ def start_moves(self, privilege, on, grant_target_name, user_name, table_name, n with table(node, table_name): with Scenario("SYSTEM START MOVES without privilege"): - with When("I check the user can't start moves"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start moves"): node.query(f"SYSTEM START MOVES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START MOVES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -90,6 +99,7 @@ def start_moves(self, privilege, on, grant_target_name, user_name, table_name, n node.query(f"SYSTEM START MOVES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START MOVES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -114,11 +124,19 @@ def stop_moves(self, privilege, on, grant_target_name, user_name, table_name, no with table(node, table_name): with Scenario("SYSTEM STOP MOVES without privilege"): - with When("I check the user can't stop moves"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop moves"): node.query(f"SYSTEM STOP MOVES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP MOVES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -126,6 +144,7 @@ def stop_moves(self, privilege, on, grant_target_name, user_name, table_name, no node.query(f"SYSTEM STOP MOVES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP MOVES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,8 @@ def stop_moves(self, privilege, on, grant_target_name, user_name, table_name, no @Name("system moves") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Moves("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM MOVES. diff --git a/tests/testflows/rbac/tests/privileges/system/reload.py b/tests/testflows/rbac/tests/privileges/system/reload.py index cfc752fb253..bb8f91a0dd4 100644 --- a/tests/testflows/rbac/tests/privileges/system/reload.py +++ b/tests/testflows/rbac/tests/privileges/system/reload.py @@ -38,7 +38,7 @@ def config_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=config, flags=TE, + Suite(run=config, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in config.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -59,7 +59,7 @@ def config_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=config, flags=TE, + Suite(run=config, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in config.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -69,6 +69,7 @@ def config_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_Reload_Config("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM RELOAD",), ("SYSTEM RELOAD CONFIG",), @@ -83,11 +84,19 @@ def config(self, privilege, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM RELOAD CONFIG without privilege"): - with When("I check the user is unable to execute SYSTEM RELOAD CONFIG"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM RELOAD CONFIG"): node.query("SYSTEM RELOAD CONFIG", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM RELOAD CONFIG with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -95,6 +104,7 @@ def config(self, privilege, grant_target_name, user_name, node=None): node.query("SYSTEM RELOAD CONFIG", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM RELOAD CONFIG with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -117,7 +127,7 @@ def dictionary_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dictionary, flags=TE, + Suite(run=dictionary, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictionary.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -138,7 +148,7 @@ def dictionary_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictionary, flags=TE, + Suite(run=dictionary, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictionary.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -148,6 +158,7 @@ def dictionary_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionary("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM RELOAD",), ("SYSTEM RELOAD DICTIONARIES",), @@ -163,16 +174,24 @@ def dictionary(self, privilege, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM RELOAD DICTIONARY without privilege"): + dict_name = f"dict_{getuid()}" table_name = f"table_{getuid()}" with dict_setup(node, table_name, dict_name): - with When("I check the user is unable to execute SYSTEM RELOAD DICTIONARY"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM RELOAD DICTIONARY"): node.query(f"SYSTEM RELOAD DICTIONARY default.{dict_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM RELOAD DICTIONARY with privilege"): + dict_name = f"dict_{getuid()}" table_name = f"table_{getuid()}" @@ -185,6 +204,7 @@ def dictionary(self, privilege, grant_target_name, user_name, node=None): node.query(f"SYSTEM RELOAD DICTIONARY default.{dict_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM RELOAD DICTIONARY with revoked privilege"): + dict_name = f"dict_{getuid()}" table_name = f"table_{getuid()}" @@ -212,7 +232,7 @@ def dictionaries_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=dictionaries, flags=TE, + Suite(run=dictionaries, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in dictionaries.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -233,7 +253,7 @@ def dictionaries_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=dictionaries, flags=TE, + Suite(run=dictionaries, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in dictionaries.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -243,6 +263,7 @@ def dictionaries_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_Reload_Dictionaries("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM RELOAD",), ("SYSTEM RELOAD DICTIONARIES",), @@ -258,11 +279,19 @@ def dictionaries(self, privilege, grant_target_name, user_name, node=None): node = self.context.node with Scenario("SYSTEM RELOAD DICTIONARIES without privilege"): - with When("I check the user is unable to execute SYSTEM RELOAD DICTIONARIES"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM RELOAD DICTIONARIES"): node.query("SYSTEM RELOAD DICTIONARIES", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM RELOAD DICTIONARIES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -270,6 +299,7 @@ def dictionaries(self, privilege, grant_target_name, user_name, node=None): node.query("SYSTEM RELOAD DICTIONARIES", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM RELOAD DICTIONARIES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -292,7 +322,7 @@ def embedded_dictionaries_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=embedded_dictionaries, flags=TE, + Suite(run=embedded_dictionaries, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in embedded_dictionaries.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -313,7 +343,7 @@ def embedded_dictionaries_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=embedded_dictionaries, flags=TE, + Suite(run=embedded_dictionaries, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in embedded_dictionaries.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -323,6 +353,7 @@ def embedded_dictionaries_privileges_granted_via_role(self, node=None): RQ_SRS_006_RBAC_Privileges_System_Reload_EmbeddedDictionaries("1.0"), ) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM RELOAD",), ("SYSTEM RELOAD EMBEDDED DICTIONARIES",), @@ -337,11 +368,19 @@ def embedded_dictionaries(self, privilege, grant_target_name, user_name, node=No node = self.context.node with Scenario("SYSTEM RELOAD EMBEDDED DICTIONARIES without privilege"): - with When("I check the user is unable to execute SYSTEM RELOAD EMBEDDED DICTIONARIES"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user is unable to execute SYSTEM RELOAD EMBEDDED DICTIONARIES"): node.query("SYSTEM RELOAD EMBEDDED DICTIONARIES", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM RELOAD EMBEDDED DICTIONARIES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -349,6 +388,7 @@ def embedded_dictionaries(self, privilege, grant_target_name, user_name, node=No node.query("SYSTEM RELOAD EMBEDDED DICTIONARIES", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM RELOAD EMBEDDED DICTIONARIES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON *.* TO {grant_target_name}") @@ -363,6 +403,8 @@ def embedded_dictionaries(self, privilege, grant_target_name, user_name, node=No @Name("system reload") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Reload("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM RELOAD. diff --git a/tests/testflows/rbac/tests/privileges/system/replication_queues.py b/tests/testflows/rbac/tests/privileges/system/replication_queues.py index 3ac2e09418a..47f12b7c866 100644 --- a/tests/testflows/rbac/tests/privileges/system/replication_queues.py +++ b/tests/testflows/rbac/tests/privileges/system/replication_queues.py @@ -17,7 +17,7 @@ def replicated_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def replicated_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM REPLICATION QUEUES", "table"), ("SYSTEM STOP REPLICATION QUEUES", "table"), @@ -59,8 +60,8 @@ def check_replicated_privilege(self, privilege, on, grant_target_name, user_name if node is None: node = self.context.node - Suite(test=start_replication_queues, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=stop_replication_queues, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=start_replication_queues)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=stop_replication_queues)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) @TestSuite def start_replication_queues(self, privilege, on, grant_target_name, user_name, node=None): @@ -77,11 +78,19 @@ def start_replication_queues(self, privilege, on, grant_target_name, user_name, with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM START REPLICATION QUEUES without privilege"): - with When("I check the user can't start sends"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start sends"): node.query(f"SYSTEM START REPLICATION QUEUES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START REPLICATION QUEUES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -89,6 +98,7 @@ def start_replication_queues(self, privilege, on, grant_target_name, user_name, node.query(f"SYSTEM START REPLICATION QUEUES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START REPLICATION QUEUES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -114,11 +124,19 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM STOP REPLICATION QUEUES without privilege"): - with When("I check the user can't stop sends"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop sends"): node.query(f"SYSTEM STOP REPLICATION QUEUES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP REPLICATION QUEUES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -126,6 +144,7 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n node.query(f"SYSTEM STOP REPLICATION QUEUES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP REPLICATION QUEUES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,8 @@ def stop_replication_queues(self, privilege, on, grant_target_name, user_name, n @Name("system replication queues") @Requirements( RQ_SRS_006_RBAC_Privileges_System_ReplicationQueues("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM REPLICATION QUEUES. diff --git a/tests/testflows/rbac/tests/privileges/system/restart_replica.py b/tests/testflows/rbac/tests/privileges/system/restart_replica.py index 0e3e61d04bb..4e3d5f7b060 100644 --- a/tests/testflows/rbac/tests/privileges/system/restart_replica.py +++ b/tests/testflows/rbac/tests/privileges/system/restart_replica.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=restart_replica, flags=TE, + Suite(run=restart_replica, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in restart_replica.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=restart_replica, flags=TE, + Suite(run=restart_replica, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in restart_replica.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM RESTART REPLICA", "table"), ("RESTART REPLICA", "table"), @@ -63,11 +64,19 @@ def restart_replica(self, privilege, on, grant_target_name, user_name, node=None with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM RESTART REPLICA without privilege"): - with When("I check the user can't restart replica"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't restart replica"): node.query(f"SYSTEM RESTART REPLICA {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM RESTART REPLICA with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -75,6 +84,7 @@ def restart_replica(self, privilege, on, grant_target_name, user_name, node=None node.query(f"SYSTEM RESTART REPLICA {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM RESTART REPLICA with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -89,6 +99,8 @@ def restart_replica(self, privilege, on, grant_target_name, user_name, node=None @Name("system restart replica") @Requirements( RQ_SRS_006_RBAC_Privileges_System_RestartReplica("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM RESTART REPLICA. diff --git a/tests/testflows/rbac/tests/privileges/system/sends.py b/tests/testflows/rbac/tests/privileges/system/sends.py index 24865088703..4acd173d922 100644 --- a/tests/testflows/rbac/tests/privileges/system/sends.py +++ b/tests/testflows/rbac/tests/privileges/system/sends.py @@ -17,7 +17,7 @@ def replicated_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def replicated_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_replicated_privilege, flags=TE, + Suite(run=check_replicated_privilege, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_replicated_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM SENDS", "*.*"), ("SYSTEM START SENDS", "*.*"), @@ -67,8 +68,8 @@ def check_replicated_privilege(self, privilege, on, grant_target_name, user_name if node is None: node = self.context.node - Suite(test=start_replicated_sends, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=stop_replicated_sends, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=start_replicated_sends)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=stop_replicated_sends)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name) @TestSuite def start_replicated_sends(self, privilege, on, grant_target_name, user_name, node=None): @@ -85,11 +86,19 @@ def start_replicated_sends(self, privilege, on, grant_target_name, user_name, no with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM START REPLICATED SENDS without privilege"): - with When("I check the user can't start sends"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start sends"): node.query(f"SYSTEM START REPLICATED SENDS {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START REPLICATED SENDS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -97,6 +106,7 @@ def start_replicated_sends(self, privilege, on, grant_target_name, user_name, no node.query(f"SYSTEM START REPLICATED SENDS {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START REPLICATED SENDS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -122,11 +132,19 @@ def stop_replicated_sends(self, privilege, on, grant_target_name, user_name, nod with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM STOP REPLICATED SENDS without privilege"): - with When("I check the user can't stop sends"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop sends"): node.query(f"SYSTEM STOP REPLICATED SENDS {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP REPLICATED SENDS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -134,6 +152,7 @@ def stop_replicated_sends(self, privilege, on, grant_target_name, user_name, nod node.query(f"SYSTEM STOP REPLICATED SENDS {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP REPLICATED SENDS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -157,7 +176,7 @@ def distributed_privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=check_distributed_privilege, flags=TE, + Suite(run=check_distributed_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in check_distributed_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -179,13 +198,14 @@ def distributed_privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_distributed_privilege, flags=TE, + Suite(run=check_distributed_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in check_distributed_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM SENDS", "*.*"), ("SYSTEM START SENDS", "*.*"), @@ -208,8 +228,8 @@ def check_distributed_privilege(self, privilege, on, grant_target_name, user_nam if node is None: node = self.context.node - Suite(test=start_distributed_moves, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=stop_distributed_moves, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=start_distributed_moves)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=stop_distributed_moves)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) @TestSuite def start_distributed_moves(self, privilege, on, grant_target_name, user_name, table_name, node=None): @@ -229,11 +249,19 @@ def start_distributed_moves(self, privilege, on, grant_target_name, user_name, t node.query(f"CREATE TABLE {table_name} (a UInt64) ENGINE = Distributed(sharded_cluster, default, {table0_name}, rand())") with Scenario("SYSTEM START DISTRIBUTED SENDS without privilege"): - with When("I check the user can't start merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start merges"): node.query(f"SYSTEM START DISTRIBUTED SENDS {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START DISTRIBUTED SENDS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -241,6 +269,7 @@ def start_distributed_moves(self, privilege, on, grant_target_name, user_name, t node.query(f"SYSTEM START DISTRIBUTED SENDS {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START DISTRIBUTED SENDS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -273,11 +302,19 @@ def stop_distributed_moves(self, privilege, on, grant_target_name, user_name, ta node.query(f"CREATE TABLE {table_name} (a UInt64) ENGINE = Distributed(sharded_cluster, default, {table0_name}, rand())") with Scenario("SYSTEM STOP DISTRIBUTED SENDS without privilege"): - with When("I check the user can't stop merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop merges"): node.query(f"SYSTEM STOP DISTRIBUTED SENDS {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP DISTRIBUTED SENDS with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -285,6 +322,7 @@ def stop_distributed_moves(self, privilege, on, grant_target_name, user_name, ta node.query(f"SYSTEM STOP DISTRIBUTED SENDS {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP DISTRIBUTED SENDS with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -302,6 +340,8 @@ def stop_distributed_moves(self, privilege, on, grant_target_name, user_name, ta @Name("system sends") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Sends("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM SENDS. diff --git a/tests/testflows/rbac/tests/privileges/system/shutdown.py b/tests/testflows/rbac/tests/privileges/system/shutdown.py index 290f6d8e5d1..26752ef4d01 100644 --- a/tests/testflows/rbac/tests/privileges/system/shutdown.py +++ b/tests/testflows/rbac/tests/privileges/system/shutdown.py @@ -19,7 +19,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @@ -40,13 +40,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in check_privilege.examples ], args=Args(name="privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege",[ + ("ALL",), ("SYSTEM",), ("SYSTEM SHUTDOWN",), ("SHUTDOWN",), @@ -59,8 +60,8 @@ def check_privilege(self, privilege, grant_target_name, user_name, node=None): if node is None: node = self.context.node - Suite(test=shutdown, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) - Suite(test=kill, setup=instrument_clickhouse_server_log)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=shutdown)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) + Suite(test=kill)(privilege=privilege, grant_target_name=grant_target_name, user_name=user_name) @TestSuite def shutdown(self, privilege, grant_target_name, user_name, node=None): @@ -75,7 +76,13 @@ def shutdown(self, privilege, grant_target_name, user_name, node=None): with Scenario("SYSTEM SHUTDOWN without privilege"): - with When("I check the user can't use SYSTEM SHUTDOWN"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SYSTEM SHUTDOWN"): node.query(f"SYSTEM SHUTDOWN", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -136,7 +143,13 @@ def kill(self, privilege, grant_target_name, user_name, node=None): with Scenario("SYSTEM KILL without privilege"): - with When("I check the user can't use SYSTEM KILL"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't use SYSTEM KILL"): node.query(f"SYSTEM KILL", settings=[("user",user_name)], exitcode=exitcode, message=message) @@ -190,6 +203,8 @@ def kill(self, privilege, grant_target_name, user_name, node=None): @Name("system shutdown") @Requirements( RQ_SRS_006_RBAC_Privileges_System_Shutdown("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM SHUTDOWN. diff --git a/tests/testflows/rbac/tests/privileges/system/sync_replica.py b/tests/testflows/rbac/tests/privileges/system/sync_replica.py index 7df697fd6e5..14681ad31ae 100644 --- a/tests/testflows/rbac/tests/privileges/system/sync_replica.py +++ b/tests/testflows/rbac/tests/privileges/system/sync_replica.py @@ -17,7 +17,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): - Suite(run=sync_replica, flags=TE, + Suite(run=sync_replica, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[user_name,user_name]) for row in sync_replica.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -38,13 +38,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=sync_replica, flags=TE, + Suite(run=sync_replica, examples=Examples("privilege on grant_target_name user_name", [ tuple(list(row)+[role_name,user_name]) for row in sync_replica.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM SYNC REPLICA", "table"), ("SYNC REPLICA", "table"), @@ -63,11 +64,19 @@ def sync_replica(self, privilege, on, grant_target_name, user_name, node=None): with table(node, table_name, "ReplicatedMergeTree-sharded_cluster"): with Scenario("SYSTEM SYNC REPLICA without privilege"): - with When("I check the user can't sync replica"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't sync replica"): node.query(f"SYSTEM SYNC REPLICA {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM SYNC REPLICA with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -75,6 +84,7 @@ def sync_replica(self, privilege, on, grant_target_name, user_name, node=None): node.query(f"SYSTEM SYNC REPLICA {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM SYNC REPLICA with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -89,6 +99,8 @@ def sync_replica(self, privilege, on, grant_target_name, user_name, node=None): @Name("system sync replica") @Requirements( RQ_SRS_006_RBAC_Privileges_System_SyncReplica("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM SYNC REPLICA. diff --git a/tests/testflows/rbac/tests/privileges/system/ttl_merges.py b/tests/testflows/rbac/tests/privileges/system/ttl_merges.py index 74f99026fe4..a59cc530a6d 100644 --- a/tests/testflows/rbac/tests/privileges/system/ttl_merges.py +++ b/tests/testflows/rbac/tests/privileges/system/ttl_merges.py @@ -18,7 +18,7 @@ def privileges_granted_directly(self, node=None): with user(node, f"{user_name}"): table_name = f"table_name_{getuid()}" - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[user_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @@ -40,13 +40,14 @@ def privileges_granted_via_role(self, node=None): with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") - Suite(run=check_privilege, flags=TE, + Suite(run=check_privilege, examples=Examples("privilege on grant_target_name user_name table_name", [ tuple(list(row)+[role_name,user_name,table_name]) for row in check_privilege.examples ], args=Args(name="check privilege={privilege}", format_name=True))) @TestOutline(Suite) @Examples("privilege on",[ + ("ALL", "*.*"), ("SYSTEM", "*.*"), ("SYSTEM TTL MERGES", "table"), ("SYSTEM STOP TTL MERGES", "table"), @@ -61,8 +62,8 @@ def check_privilege(self, privilege, on, grant_target_name, user_name, table_nam if node is None: node = self.context.node - Suite(test=start_ttl_merges, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) - Suite(test=stop_ttl_merges, setup=instrument_clickhouse_server_log)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=start_ttl_merges)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) + Suite(test=stop_ttl_merges)(privilege=privilege, on=on, grant_target_name=grant_target_name, user_name=user_name, table_name=table_name) @TestSuite def start_ttl_merges(self, privilege, on, grant_target_name, user_name, table_name, node=None): @@ -78,11 +79,19 @@ def start_ttl_merges(self, privilege, on, grant_target_name, user_name, table_na with table(node, table_name): with Scenario("SYSTEM START TTL MERGES without privilege"): - with When("I check the user can't start merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't start merges"): node.query(f"SYSTEM START TTL MERGES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM START TTL MERGES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -90,6 +99,7 @@ def start_ttl_merges(self, privilege, on, grant_target_name, user_name, table_na node.query(f"SYSTEM START TTL MERGES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM START TTL MERGES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -114,11 +124,19 @@ def stop_ttl_merges(self, privilege, on, grant_target_name, user_name, table_nam with table(node, table_name): with Scenario("SYSTEM STOP TTL MERGES without privilege"): - with When("I check the user can't stop merges"): + + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I check the user can't stop merges"): node.query(f"SYSTEM STOP TTL MERGES {table_name}", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with Scenario("SYSTEM STOP TTL MERGES with privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -126,6 +144,7 @@ def stop_ttl_merges(self, privilege, on, grant_target_name, user_name, table_nam node.query(f"SYSTEM STOP TTL MERGES {table_name}", settings = [("user", f"{user_name}")]) with Scenario("SYSTEM STOP TTL MERGES with revoked privilege"): + with When(f"I grant {privilege} on the table"): node.query(f"GRANT {privilege} ON {on} TO {grant_target_name}") @@ -140,6 +159,8 @@ def stop_ttl_merges(self, privilege, on, grant_target_name, user_name, table_nam @Name("system ttl merges") @Requirements( RQ_SRS_006_RBAC_Privileges_System_TTLMerges("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) def feature(self, node="clickhouse1"): """Check the RBAC functionality of SYSTEM TTL MERGES. diff --git a/tests/testflows/rbac/tests/privileges/truncate.py b/tests/testflows/rbac/tests/privileges/truncate.py index b7dfcbfd718..df81913f0a8 100644 --- a/tests/testflows/rbac/tests/privileges/truncate.py +++ b/tests/testflows/rbac/tests/privileges/truncate.py @@ -12,13 +12,13 @@ def privilege_granted_directly_or_via_role(self, table_type, node=None): if node is None: node = self.context.node - with Suite("user with direct privilege", setup=instrument_clickhouse_server_log): + with Suite("user with direct privilege"): with user(node, user_name): with When(f"I run checks that {user_name} is only able to execute TRUNCATE with required privileges"): privilege_check(grant_target_name=user_name, user_name=user_name, table_type=table_type, node=node) - with Suite("user with privilege via role", setup=instrument_clickhouse_server_log): + with Suite("user with privilege via role"): with user(node, user_name), role(node, role_name): with When("I grant the role to the user"): @@ -32,16 +32,22 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): """ exitcode, message = errors.not_enough_privileges(name=f"{user_name}") - with Scenario("user without privilege", setup=instrument_clickhouse_server_log): + with Scenario("user without privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): - with When("I attempt to truncate a table without privilege"): + with When("I grant the user NONE privilege"): + node.query(f"GRANT NONE TO {grant_target_name}") + + with And("I grant the user USAGE privilege"): + node.query(f"GRANT USAGE ON *.* TO {grant_target_name}") + + with Then("I attempt to truncate a table without privilege"): node.query(f"TRUNCATE TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("user with privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): @@ -52,7 +58,7 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): with Then("I attempt to truncate a table"): node.query(f"TRUNCATE TABLE {table_name}", settings = [("user", user_name)]) - with Scenario("user with revoked privilege", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked privilege"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): @@ -67,7 +73,22 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): node.query(f"TRUNCATE TABLE {table_name}", settings = [("user", user_name)], exitcode=exitcode, message=message) - with Scenario("execute on cluster", setup=instrument_clickhouse_server_log): + with Scenario("user with revoked ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name, table_type): + + with When("I grant the truncate privilege"): + node.query(f"GRANT TRUNCATE ON {table_name} TO {grant_target_name}") + + with And("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with Then("I attempt to truncate a table"): + node.query(f"TRUNCATE TABLE {table_name}", settings = [("user", user_name)], + exitcode=exitcode, message=message) + + with Scenario("execute on cluster"): table_name = f"merge_tree_{getuid()}" with table(node, table_name, table_type): @@ -78,9 +99,25 @@ def privilege_check(grant_target_name, user_name, table_type, node=None): with Then("I attempt to truncate a table"): node.query(f"TRUNCATE TABLE IF EXISTS {table_name} ON CLUSTER sharded_cluster", settings = [("user", user_name)]) + with Scenario("user with ALL privilege"): + table_name = f"merge_tree_{getuid()}" + + with table(node, table_name, table_type): + + with When("I revoke ALL privilege"): + node.query(f"REVOKE ALL ON *.* FROM {grant_target_name}") + + with And("I grant ALL privilege"): + node.query(f"GRANT ALL ON *.* TO {grant_target_name}") + + with Then("I attempt to truncate a table"): + node.query(f"TRUNCATE TABLE {table_name}", settings = [("user", user_name)]) + @TestFeature @Requirements( RQ_SRS_006_RBAC_Privileges_Truncate("1.0"), + RQ_SRS_006_RBAC_Privileges_All("1.0"), + RQ_SRS_006_RBAC_Privileges_None("1.0") ) @Examples("table_type", [ (key,) for key in table_types.keys() @@ -103,5 +140,5 @@ def feature(self, node="clickhouse1", stress=None, parallel=None): continue with Example(str(example)): - with Suite(test=privilege_granted_directly_or_via_role): + with Suite(test=privilege_granted_directly_or_via_role, setup=instrument_clickhouse_server_log): privilege_granted_directly_or_via_role(table_type=table_type) diff --git a/tests/testflows/rbac/tests/syntax/alter_quota.py b/tests/testflows/rbac/tests/syntax/alter_quota.py index 74a9c05bd27..6ccafc4dbcd 100755 --- a/tests/testflows/rbac/tests/syntax/alter_quota.py +++ b/tests/testflows/rbac/tests/syntax/alter_quota.py @@ -33,12 +33,12 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user0") node.query(f"CREATE ROLE role0") - with Scenario("I alter quota with no options", flags=TE, requirements=[ + with Scenario("I alter quota with no options", requirements=[ RQ_SRS_006_RBAC_Quota_Alter("1.0")]): with When("I alter quota"): node.query("ALTER QUOTA quota0") - with Scenario("I alter quota that does not exist, throws an exception", flags=TE, requirements=[ + with Scenario("I alter quota that does not exist, throws an exception", requirements=[ RQ_SRS_006_RBAC_Quota_Alter("1.0")]): quota = "quota1" cleanup_quota(quota) @@ -47,11 +47,11 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER QUOTA {quota}", exitcode=exitcode, message=message) del quota - with Scenario("I alter quota with if exists, quota does exist", flags=TE, requirements=[ + with Scenario("I alter quota with if exists, quota does exist", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_IfExists("1.0")]): node.query("ALTER QUOTA IF EXISTS quota0") - with Scenario("I alter quota with if exists, quota does not exist", flags=TE, requirements=[ + with Scenario("I alter quota with if exists, quota does not exist", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_IfExists("1.0")]): quota = "quota1" cleanup_quota(quota) @@ -59,11 +59,11 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER QUOTA IF EXISTS {quota}") del quota - with Scenario("I alter quota using rename, target available", flags=TE, requirements=[ + with Scenario("I alter quota using rename, target available", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Rename("1.0")]): node.query("ALTER QUOTA quota0 RENAME TO quota0") - with Scenario("I alter quota using rename, target unavailable", flags=TE, requirements=[ + with Scenario("I alter quota using rename, target unavailable", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Rename("1.0")]): new_quota = "quota1" @@ -82,20 +82,20 @@ def feature(self, node="clickhouse1"): keys = ['none', 'user name', 'ip address', 'client key', 'client key or user name', 'client key or ip address'] for key in keys: - with Scenario(f"I alter quota keyed by {key}", flags=TE, requirements=[ + with Scenario(f"I alter quota keyed by {key}", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_KeyedBy("1.0"), RQ_SRS_006_RBAC_Quota_Alter_KeyedByOptions("1.0")]): with When("I alter quota with a key"): node.query(f"ALTER QUOTA quota0 KEYED BY '{key}'") - with Scenario("I alter quota for randomized interval", flags=TE, requirements=[ + with Scenario("I alter quota for randomized interval", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Interval_Randomized("1.0")]): with When("I alter quota on a randomized interval"): node.query("ALTER QUOTA quota0 FOR RANDOMIZED INTERVAL 1 DAY NO LIMITS") intervals = ['SECOND', 'MINUTE', 'HOUR', 'DAY', 'MONTH'] for i, interval in enumerate(intervals): - with Scenario(f"I alter quota for interval {interval}", flags=TE, requirements=[ + with Scenario(f"I alter quota for interval {interval}", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Interval("1.0")]): with When(f"I alter quota for {interval}"): node.query(f"ALTER QUOTA quota0 FOR INTERVAL 1 {interval} NO LIMITS") @@ -104,7 +104,7 @@ def feature(self, node="clickhouse1"): 'MAX RESULT BYTES', 'MAX READ ROWS', 'MAX READ BYTES', 'MAX EXECUTION TIME', 'NO LIMITS', 'TRACKING ONLY'] for i, constraint in enumerate(constraints): - with Scenario(f"I alter quota for {constraint.lower()}", flags=TE, requirements=[ + with Scenario(f"I alter quota for {constraint.lower()}", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Queries("1.0"), RQ_SRS_006_RBAC_Quota_Alter_Errors("1.0"), RQ_SRS_006_RBAC_Quota_Alter_ResultRows("1.0"), @@ -117,7 +117,7 @@ def feature(self, node="clickhouse1"): with When("I alter quota for a constraint"): node.query(f"ALTER QUOTA quota0 FOR INTERVAL 1 DAY {constraint}{' 1024' if constraint.startswith('MAX') else ''}") - with Scenario("I create quota for multiple constraints", flags=TE, requirements=[ + with Scenario("I create quota for multiple constraints", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Interval("1.0"), RQ_SRS_006_RBAC_Quota_Alter_Queries("1.0")]): node.query("ALTER QUOTA quota0 \ @@ -125,12 +125,12 @@ def feature(self, node="clickhouse1"): FOR INTERVAL 2 DAY MAX QUERIES 124, \ FOR INTERVAL 1 MONTH TRACKING ONLY") - with Scenario("I alter quota to assign to one role", flags=TE, requirements=[ + with Scenario("I alter quota to assign to one role", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment("1.0")]): with When("I alter quota to a role"): node.query("ALTER QUOTA quota0 TO role0") - with Scenario("I alter quota to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter quota to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -140,7 +140,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER QUOTA quota0 TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter quota to assign to all except role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter quota to assign to all except role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -150,32 +150,32 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER QUOTA quota0 TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter quota to assign to one role and one user", flags=TE, requirements=[ + with Scenario("I alter quota to assign to one role and one user", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment("1.0")]): with When("I alter quota to a role and a user"): node.query("ALTER QUOTA quota0 TO role0, user0") - with Scenario("I alter quota assigned to none", flags=TE, requirements=[ + with Scenario("I alter quota assigned to none", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment_None("1.0")]): with When("I alter quota to none"): node.query("ALTER QUOTA quota0 TO NONE") - with Scenario("I alter quota to assign to all", flags=TE, requirements=[ + with Scenario("I alter quota to assign to all", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment_All("1.0")]): with When("I alter quota to all"): node.query("ALTER QUOTA quota0 TO ALL") - with Scenario("I alter quota to assign to all except one role", flags=TE, requirements=[ + with Scenario("I alter quota to assign to all except one role", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment_Except("1.0")]): with When("I alter quota to all except one role"): node.query("ALTER QUOTA quota0 TO ALL EXCEPT role0") - with Scenario("I alter quota to assign to all except multiple roles", flags=TE, requirements=[ + with Scenario("I alter quota to assign to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Assignment_Except("1.0")]): with When("I alter quota to all except one multiple roles"): node.query("ALTER QUOTA quota0 TO ALL EXCEPT role0, user0") - with Scenario("I alter quota on cluster", flags=TE, requirements=[ + with Scenario("I alter quota on cluster", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Cluster("1.0")]): try: with Given("I have a quota on a cluster"): @@ -193,7 +193,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the quota"): node.query("DROP QUOTA IF EXISTS quota1 ON CLUSTER sharded_cluster") - with Scenario("I alter quota on nonexistent cluster, throws exception", flags=TE, requirements=[ + with Scenario("I alter quota on nonexistent cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Alter_Cluster("1.0")]): with When("I run alter quota on a cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/alter_role.py b/tests/testflows/rbac/tests/syntax/alter_role.py index b1e66fb5893..5068302fc84 100755 --- a/tests/testflows/rbac/tests/syntax/alter_role.py +++ b/tests/testflows/rbac/tests/syntax/alter_role.py @@ -38,13 +38,13 @@ def feature(self, node="clickhouse1"): with Given(f"I ensure that role {role} does not exist"): node.query(f"DROP ROLE IF EXISTS {role}") - with Scenario("I alter role with no options", flags=TE, requirements=[ + with Scenario("I alter role with no options", requirements=[ RQ_SRS_006_RBAC_Role_Alter("1.0")]): with setup("role0"): with When("I alter role"): node.query("ALTER ROLE role0") - with Scenario("I alter role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Alter("1.0")]): role = "role0" cleanup_role(role) @@ -53,13 +53,13 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROLE {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter role if exists, role does exist", flags=TE, requirements=[ + with Scenario("I alter role if exists, role does exist", requirements=[ RQ_SRS_006_RBAC_Role_Alter_IfExists("1.0")]): with setup("role1"): with When("I alter role with if exists"): node.query("ALTER ROLE IF EXISTS role1") - with Scenario("I alter role if exists, role does not exist", flags=TE, requirements=[ + with Scenario("I alter role if exists, role does not exist", requirements=[ RQ_SRS_006_RBAC_Role_Alter_IfExists("1.0")]): role = "role0" cleanup_role(role) @@ -67,7 +67,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROLE IF EXISTS {role}") del role - with Scenario("I alter role on cluster", flags=TE, requirements=[ + with Scenario("I alter role on cluster", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Cluster("1.0")]): try: with Given("I have a role on a cluster"): @@ -82,13 +82,13 @@ def feature(self, node="clickhouse1"): with Finally("I drop the role"): node.query("DROP ROLE IF EXISTS role1,role2 ON CLUSTER sharded_cluster") - with Scenario("I alter role on nonexistent cluster, throws exception", flags=TE, requirements=[ + with Scenario("I alter role on nonexistent cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Cluster("1.0")]): with When("I run alter role on a cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("ALTER ROLE role1 ON CLUSTER fake_cluster", exitcode=exitcode, message=message) - with Scenario("I alter role to rename, new name is available", flags=TE, requirements=[ + with Scenario("I alter role to rename, new name is available", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Rename("1.0")]): with setup("role2"): new_role = "role3" @@ -102,7 +102,7 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROLE IF EXISTS {new_role}") del new_role - with Scenario("I alter role to rename, new name is not available, throws exception", flags=TE, requirements=[ + with Scenario("I alter role to rename, new name is not available, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Rename("1.0")]): with setup("role2a"): new_role = "role3a" @@ -117,13 +117,13 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROLE IF EXISTS {new_role}") del new_role - with Scenario("I alter role settings profile", flags=TE, requirements=[ + with Scenario("I alter role settings profile", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role4"): with When("I alter role with settings profile"): node.query("ALTER ROLE role4 SETTINGS PROFILE default, max_memory_usage=10000000 READONLY") - with Scenario("I alter role settings profile, profile does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter role settings profile, profile does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role4a"): with Given("I ensure profile profile0 does not exist"): @@ -132,20 +132,20 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.settings_profile_not_found_in_disk("profile0") node.query("ALTER ROLE role4a SETTINGS PROFILE profile0", exitcode=exitcode, message=message) - with Scenario("I alter role settings profile multiple", flags=TE, requirements=[ + with Scenario("I alter role settings profile multiple", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role4b", profile="profile0"): with When("I alter role with multiple profiles"): node.query("ALTER ROLE role4b SETTINGS PROFILE default, PROFILE profile0, \ max_memory_usage=10000000 READONLY") - with Scenario("I alter role settings without profile", flags=TE, requirements=[ + with Scenario("I alter role settings without profile", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role5"): with When("I alter role with settings and no profile"): node.query("ALTER ROLE role5 SETTINGS max_memory_usage=10000000 READONLY") - with Scenario("I alter role settings, variable does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter role settings, variable does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role5a"): with When("I alter role using settings and nonexistent value"): @@ -153,33 +153,33 @@ def feature(self, node="clickhouse1"): node.query("ALTER ROLE role5a SETTINGS fake_setting = 100000001", exitcode=exitcode, message=message) - with Scenario("I alter role settings without profile multiple", flags=TE, requirements=[ + with Scenario("I alter role settings without profile multiple", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role6"): with When("I alter role with multiple settings and no profile"): node.query("ALTER ROLE role6 SETTINGS max_memory_usage=10000000 READONLY, \ max_rows_to_read MIN 20 MAX 25") - with Scenario("I alter role settings with multiple profiles multiple variables", flags=TE, requirements=[ + with Scenario("I alter role settings with multiple profiles multiple variables", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role7", profile="profile1"): with When("I alter role with multiple settings and profiles"): node.query("ALTER ROLE role7 SETTINGS PROFILE default, PROFILE profile1, \ max_memory_usage=10000000 READONLY, max_rows_to_read MIN 20 MAX 25") - with Scenario("I alter role settings readonly", flags=TE, requirements=[ + with Scenario("I alter role settings readonly", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role8"): with When("I alter role with readonly"): node.query("ALTER ROLE role8 SETTINGS max_memory_usage READONLY") - with Scenario("I alter role settings writable", flags=TE, requirements=[ + with Scenario("I alter role settings writable", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role9"): with When("I alter role with writable"): node.query("ALTER ROLE role9 SETTINGS max_memory_usage WRITABLE") - with Scenario("I alter role settings min, with and without = sign", flags=TE, requirements=[ + with Scenario("I alter role settings min, with and without = sign", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role10"): with When("I set min, no equals"): @@ -187,7 +187,7 @@ def feature(self, node="clickhouse1"): with When("I set min, yes equals"): node.query("ALTER ROLE role10 SETTINGS max_memory_usage MIN = 200") - with Scenario("I alter role settings max, with and without = sign", flags=TE, requirements=[ + with Scenario("I alter role settings max, with and without = sign", requirements=[ RQ_SRS_006_RBAC_Role_Alter_Settings("1.0")]): with setup("role11"): with When("I set max, no equals"): diff --git a/tests/testflows/rbac/tests/syntax/alter_row_policy.py b/tests/testflows/rbac/tests/syntax/alter_row_policy.py index 7fbed4a63c4..6422a81fec2 100755 --- a/tests/testflows/rbac/tests/syntax/alter_row_policy.py +++ b/tests/testflows/rbac/tests/syntax/alter_row_policy.py @@ -42,21 +42,21 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE role0") node.query(f"CREATE ROLE role1") - with Scenario("I alter row policy with no options", flags=TE, requirements=[ + with Scenario("I alter row policy with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy0"): with When("I alter row policy"): node.query("ALTER ROW POLICY policy0 ON default.foo") - with Scenario("I alter row policy using short syntax with no options", flags=TE, requirements=[ + with Scenario("I alter row policy using short syntax with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy1"): with When("I alter row policy short form"): node.query("ALTER POLICY policy1 ON default.foo") - with Scenario("I alter row policy, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter row policy, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): policy = "policy2" @@ -66,14 +66,14 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROW POLICY {policy} ON default.foo", exitcode=exitcode, message=message) del policy - with Scenario("I alter row policy if exists", flags=TE, requirements=[ + with Scenario("I alter row policy if exists", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy2"): with When("I alter row policy using if exists"): node.query("ALTER ROW POLICY IF EXISTS policy2 ON default.foo") - with Scenario("I alter row policy if exists, policy does not exist", flags=TE, requirements=[ + with Scenario("I alter row policy if exists, policy does not exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_IfExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): policy = "policy2" @@ -82,14 +82,14 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROW POLICY IF EXISTS {policy} ON default.foo") del policy - with Scenario("I alter row policy to rename, target available", flags=TE, requirements=[ + with Scenario("I alter row policy to rename, target available", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Rename("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy3"): with When("I alter row policy with rename"): node.query("ALTER ROW POLICY policy3 ON default.foo RENAME TO policy3") - with Scenario("I alter row policy to rename, target unavailable", flags=TE, requirements=[ + with Scenario("I alter row policy to rename, target unavailable", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Rename("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy3"): @@ -106,49 +106,49 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROW POLICY IF EXISTS {new_policy} ON default.foo") del new_policy - with Scenario("I alter row policy to permissive", flags=TE, requirements=[ + with Scenario("I alter row policy to permissive", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Permissive("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy4"): with When("I alter row policy as permissive"): node.query("ALTER ROW POLICY policy4 ON default.foo AS PERMISSIVE") - with Scenario("I alter row policy to restrictive", flags=TE, requirements=[ + with Scenario("I alter row policy to restrictive", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Access_Restrictive("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy5"): with When("I alter row policy as restrictive"): node.query("ALTER ROW POLICY policy5 ON default.foo AS RESTRICTIVE") - with Scenario("I alter row policy for select", flags=TE, requirements=[ + with Scenario("I alter row policy for select", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_ForSelect("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy6"): with When("I alter row policy using for select"): node.query("ALTER ROW POLICY policy6 ON default.foo FOR SELECT USING x > 10") - with Scenario("I alter row policy using condition", flags=TE, requirements=[ + with Scenario("I alter row policy using condition", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Condition("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy6"): with When("I alter row policy wtih condition"): node.query("ALTER ROW POLICY policy6 ON default.foo USING x > 10") - with Scenario("I alter row policy using condition none", flags=TE, requirements=[ + with Scenario("I alter row policy using condition none", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Condition_None("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy7"): with When("I alter row policy using no condition"): node.query("ALTER ROW POLICY policy7 ON default.foo USING NONE") - with Scenario("I alter row policy to one role", flags=TE, requirements=[ + with Scenario("I alter row policy to one role", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy8"): with When("I alter row policy to a role"): node.query("ALTER ROW POLICY policy8 ON default.foo TO role0") - with Scenario("I alter row policy to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter row policy to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment("1.0")]): role = "role2" with cleanup("policy8a"): @@ -159,7 +159,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROW POLICY policy8a ON default.foo TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter row policy to assign to all excpet role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter row policy to assign to all excpet role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment("1.0")]): role = "role2" with cleanup("policy8a"): @@ -170,35 +170,35 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER ROW POLICY policy8a ON default.foo TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter row policy assigned to multiple roles", flags=TE, requirements=[ + with Scenario("I alter row policy assigned to multiple roles", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy9"): with When("I alter row policy to multiple roles"): node.query("ALTER ROW POLICY policy9 ON default.foo TO role0, role1") - with Scenario("I alter row policy assigned to all", flags=TE, requirements=[ + with Scenario("I alter row policy assigned to all", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_All("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy10"): with When("I alter row policy to all"): node.query("ALTER ROW POLICY policy10 ON default.foo TO ALL") - with Scenario("I alter row policy assigned to all except one role", flags=TE, requirements=[ + with Scenario("I alter row policy assigned to all except one role", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy11"): with When("I alter row policy to all except"): node.query("ALTER ROW POLICY policy11 ON default.foo TO ALL EXCEPT role0") - with Scenario("I alter row policy assigned to all except multiple roles", flags=TE, requirements=[ + with Scenario("I alter row policy assigned to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_AllExcept("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy12"): with When("I alter row policy to all except multiple roles"): node.query("ALTER ROW POLICY policy12 ON default.foo TO ALL EXCEPT role0, role1") - with Scenario("I alter row policy assigned to none", flags=TE, requirements=[ + with Scenario("I alter row policy assigned to none", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_Assignment_None("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with cleanup("policy12"): @@ -208,7 +208,7 @@ def feature(self, node="clickhouse1"): # Official syntax: ON CLUSTER cluster_name ON database.table # Working syntax: both orderings of ON CLUSTER and TABLE clauses work - with Scenario("I alter row policy on cluster", flags=TE, requirements=[ + with Scenario("I alter row policy on cluster", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): try: @@ -220,14 +220,14 @@ def feature(self, node="clickhouse1"): with Finally("I drop the row policy"): node.query("DROP ROW POLICY IF EXISTS policy13 ON CLUSTER sharded_cluster ON default.foo") - with Scenario("I alter row policy on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I alter row policy on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): with When("I run alter row policy command"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("ALTER ROW POLICY policy13 ON CLUSTER fake_cluster ON default.foo", exitcode=exitcode, message=message) - with Scenario("I alter row policy on cluster after table", flags=TE, requirements=[ + with Scenario("I alter row policy on cluster after table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Alter_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Alter_On("1.0")]): try: diff --git a/tests/testflows/rbac/tests/syntax/alter_settings_profile.py b/tests/testflows/rbac/tests/syntax/alter_settings_profile.py index 4222b27954d..4533f6aea65 100755 --- a/tests/testflows/rbac/tests/syntax/alter_settings_profile.py +++ b/tests/testflows/rbac/tests/syntax/alter_settings_profile.py @@ -31,15 +31,15 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user0") node.query(f"CREATE ROLE role0") - with Scenario("I alter settings profile with no options", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): + with Scenario("I alter settings profile with no options", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): with When("I alter settings profile"): node.query("ALTER SETTINGS PROFILE profile0") - with Scenario("I alter settings profile short form", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): + with Scenario("I alter settings profile short form", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): with When("I short form alter settings profile"): node.query("ALTER PROFILE profile0") - with Scenario("I alter settings profile that does not exist, throws exception", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): + with Scenario("I alter settings profile that does not exist, throws exception", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter("1.0")]): profile = "profile1" cleanup_profile(profile) @@ -48,11 +48,11 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER SETTINGS PROFILE {profile}", exitcode=exitcode, message=message) del profile - with Scenario("I alter settings profile if exists", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists("1.0")]): + with Scenario("I alter settings profile if exists", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists("1.0")]): with When("I alter settings profile using if exists"): node.query("ALTER SETTINGS PROFILE IF EXISTS profile0") - with Scenario("I alter settings profile if exists, profile does not exist", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists("1.0")]): + with Scenario("I alter settings profile if exists, profile does not exist", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_IfExists("1.0")]): profile = "profile1" cleanup_profile(profile) @@ -61,11 +61,11 @@ def feature(self, node="clickhouse1"): del profile - with Scenario("I alter settings profile to rename, target available", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename("1.0")]): + with Scenario("I alter settings profile to rename, target available", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename("1.0")]): with When("I alter settings profile by renaming it"): node.query("ALTER SETTINGS PROFILE profile0 RENAME TO profile0") - with Scenario("I alter settings profile to rename, target unavailable", flags=TE, requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename("1.0")]): + with Scenario("I alter settings profile to rename, target unavailable", requirements=[RQ_SRS_006_RBAC_SettingsProfile_Alter_Rename("1.0")]): new_profile = "profile1" try: @@ -81,52 +81,52 @@ def feature(self, node="clickhouse1"): del new_profile - with Scenario("I alter settings profile with a setting value", flags=TE, requirements=[ + with Scenario("I alter settings profile with a setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value("1.0")]): with When("I alter settings profile using settings"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage = 100000001") - with Scenario("I alter settings profile with a setting value, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter settings profile with a setting value, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value("1.0")]): with When("I alter settings profile using settings and nonexistent value"): exitcode, message = errors.unknown_setting("fake_setting") node.query("ALTER SETTINGS PROFILE profile0 SETTINGS fake_setting = 100000001", exitcode=exitcode, message=message) - with Scenario("I alter settings profile with a min setting value", flags=TE, requirements=[ + with Scenario("I alter settings profile with a min setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints("1.0")]): with When("I alter settings profile using 2 minimum formats"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage MIN 100000001") node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage MIN = 100000001") - with Scenario("I alter settings profile with a max setting value", flags=TE, requirements=[ + with Scenario("I alter settings profile with a max setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints("1.0")]): with When("I alter settings profile using 2 maximum formats"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage MAX 100000001") node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage MAX = 100000001") - with Scenario("I alter settings profile with min and max setting values", flags=TE, requirements=[ + with Scenario("I alter settings profile with min and max setting values", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints("1.0")]): with When("I alter settings profile with both min and max"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage MIN 100000001 MAX 200000001") - with Scenario("I alter settings profile with a readonly setting", flags=TE, requirements=[ + with Scenario("I alter settings profile with a readonly setting", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints("1.0")]): with When("I alter settings profile with with readonly"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage READONLY") - with Scenario("I alter settings profile with a writable setting", flags=TE, requirements=[ + with Scenario("I alter settings profile with a writable setting", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Constraints("1.0")]): with When("I alter settings profile with writable"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS max_memory_usage WRITABLE") - with Scenario("I alter settings profile with inherited settings", flags=TE, requirements=[ + with Scenario("I alter settings profile with inherited settings", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_Inherit("1.0")]): with When("I alter settings profile with inherit"): node.query("ALTER SETTINGS PROFILE profile0 SETTINGS INHERIT 'default'") - with Scenario("I alter settings profile with inherit, parent profile does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter settings profile with inherit, parent profile does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_Inherit("1.0")]): profile = "profile3" with Given(f"I ensure that profile {profile} does not exist"): @@ -136,7 +136,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER PROFILE profile0 SETTINGS INHERIT {profile}", exitcode=exitcode, message=message) del profile - with Scenario("I alter settings profile with multiple settings", flags=TE, requirements=[ + with Scenario("I alter settings profile with multiple settings", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value("1.0")]): with When("I alter settings profile with multiple settings"): @@ -144,7 +144,7 @@ def feature(self, node="clickhouse1"): " SETTINGS max_memory_usage = 100000001" " SETTINGS max_memory_usage_for_user = 100000001") - with Scenario("I alter settings profile with multiple settings short form", flags=TE, requirements=[ + with Scenario("I alter settings profile with multiple settings short form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Alter_Variables_Value("1.0")]): with When("I alter settings profile with short form multiple settings"): @@ -152,12 +152,12 @@ def feature(self, node="clickhouse1"): " SETTINGS max_memory_usage = 100000001," " max_memory_usage_for_user = 100000001") - with Scenario("I alter settings profile assigned to one role", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to one role", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment("1.0")]): with When("I alter settings profile with assignment to role"): node.query("ALTER SETTINGS PROFILE profile0 TO role0") - with Scenario("I alter settings profile to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter settings profile to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -167,7 +167,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER SETTINGS PROFILE profile0 TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter settings profile to assign to all except role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter settings profile to assign to all except role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -177,32 +177,32 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER SETTINGS PROFILE profile0 TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I alter settings profile assigned to multiple roles", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to multiple roles", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment("1.0")]): with When("I alter settings profile with assignment to multiple roles"): node.query("ALTER SETTINGS PROFILE profile0 TO role0, user0") - with Scenario("I alter settings profile assigned to all", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to all", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_All("1.0")]): with When("I alter settings profile with assignment to all"): node.query("ALTER SETTINGS PROFILE profile0 TO ALL") - with Scenario("I alter settings profile assigned to all except one role", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to all except one role", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_AllExcept("1.0")]): with When("I alter settings profile with assignment to all except a role"): node.query("ALTER SETTINGS PROFILE profile0 TO ALL EXCEPT role0") - with Scenario("I alter settings profile assigned to all except multiple roles", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_AllExcept("1.0")]): with When("I alter settings profile with assignmentto all except multiple roles"): node.query("ALTER SETTINGS PROFILE profile0 TO ALL EXCEPT role0, user0") - with Scenario("I alter settings profile assigned to none", flags=TE, requirements=[ + with Scenario("I alter settings profile assigned to none", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_None("1.0")]): with When("I alter settings profile with assignment to none"): node.query("ALTER SETTINGS PROFILE profile0 TO NONE") - with Scenario("I alter settings profile on cluster", flags=TE, requirements=[ + with Scenario("I alter settings profile on cluster", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_OnCluster("1.0")]): try: with Given("I have a settings profile on cluster"): @@ -219,7 +219,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the settings profile"): node.query("DROP SETTINGS PROFILE IF EXISTS profile1 ON CLUSTER sharded_cluster") - with Scenario("I alter settings profile on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I alter settings profile on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Alter_Assignment_OnCluster("1.0")]): with When("I run alter settings profile command"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/alter_user.py b/tests/testflows/rbac/tests/syntax/alter_user.py index 8a7ce8724eb..cf8a13008c9 100755 --- a/tests/testflows/rbac/tests/syntax/alter_user.py +++ b/tests/testflows/rbac/tests/syntax/alter_user.py @@ -30,28 +30,28 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER OR REPLACE {user}") yield finally: - with Finally("I drop the user", flags=TE): + with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {user}") - with Scenario("I alter user, base command", flags=TE, requirements=[ + with Scenario("I alter user, base command", requirements=[ RQ_SRS_006_RBAC_User_Alter("1.0")]): with setup("user0"): with When("I alter user"): node.query("ALTER USER user0") - with Scenario("I alter user that does not exist without if exists, throws exception", flags=TE, requirements=[ + with Scenario("I alter user that does not exist without if exists, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter("1.0")]): with When("I run alter user command, expecting error 192"): exitcode, message = errors.user_not_found_in_disk(name="user0") node.query(f"ALTER USER user0",exitcode=exitcode, message=message) - with Scenario("I alter user with if exists", flags=TE, requirements=[ + with Scenario("I alter user with if exists", requirements=[ RQ_SRS_006_RBAC_User_Alter_IfExists("1.0")]): with setup("user0"): with When(f"I alter user with if exists"): node.query(f"ALTER USER IF EXISTS user0") - with Scenario("I alter user that does not exist with if exists", flags=TE, requirements=[ + with Scenario("I alter user that does not exist with if exists", requirements=[ RQ_SRS_006_RBAC_User_Alter_IfExists("1.0")]): user = "user0" with Given("I don't have a user"): @@ -60,7 +60,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER USER IF EXISTS {user}") del user - with Scenario("I alter user on a cluster", flags=TE, requirements=[ + with Scenario("I alter user on a cluster", requirements=[ RQ_SRS_006_RBAC_User_Alter_Cluster("1.0")]): with Given("I have a user on a cluster"): node.query("CREATE USER OR REPLACE user0 ON CLUSTER sharded_cluster") @@ -69,19 +69,19 @@ def feature(self, node="clickhouse1"): with Finally("I drop user from cluster"): node.query("DROP USER IF EXISTS user0 ON CLUSTER sharded_cluster") - with Scenario("I alter user on a fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I alter user on a fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter_Cluster("1.0")]): with When("I alter user on a fake cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("ALTER USER user0 ON CLUSTER fake_cluster", exitcode=exitcode, message=message) - with Scenario("I alter user to rename, target available", flags=TE, requirements=[ + with Scenario("I alter user to rename, target available", requirements=[ RQ_SRS_006_RBAC_User_Alter_Rename("1.0")]): with setup("user15"): with When("I alter user name"): node.query("ALTER USER user15 RENAME TO user15") - with Scenario("I alter user to rename, target unavailable", flags=TE, requirements=[ + with Scenario("I alter user to rename, target unavailable", requirements=[ RQ_SRS_006_RBAC_User_Alter_Rename("1.0")]): with setup("user15"): new_user = "user16" @@ -96,20 +96,20 @@ def feature(self, node="clickhouse1"): node.query(f"DROP USER IF EXISTS {new_user}") del new_user - with Scenario("I alter user password plaintext password", flags=TE, requirements=[ + with Scenario("I alter user password plaintext password", requirements=[ RQ_SRS_006_RBAC_User_Alter_Password_PlainText("1.0")]): with setup("user1"): with When("I alter user with plaintext password"): node.query("ALTER USER user1 IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'mypassword'", step=When) - with Scenario("I alter user password to sha256", flags=TE, requirements=[ + with Scenario("I alter user password to sha256", requirements=[ RQ_SRS_006_RBAC_User_Alter_Password_Sha256Password("1.0")]): with setup("user2"): with When("I alter user with sha256_password"): password = hashlib.sha256("mypassword".encode("utf-8")).hexdigest() node.query(f"ALTER USER user2 IDENTIFIED WITH SHA256_PASSWORD BY '{password}'",step=When) - with Scenario("I alter user password to double_sha1_password", flags=TE, requirements=[ + with Scenario("I alter user password to double_sha1_password", requirements=[ RQ_SRS_006_RBAC_User_Alter_Password_DoubleSha1Password("1.0")]): with setup("user3"): with When("I alter user with double_sha1_password"): @@ -118,56 +118,56 @@ def feature(self, node="clickhouse1"): password = hash(hash("mypassword")) node.query(f"ALTER USER user3 IDENTIFIED WITH DOUBLE_SHA1_PASSWORD BY '{password}'", step=When) - with Scenario("I alter user host local", flags=TE, requirements=[ + with Scenario("I alter user host local", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Local("1.0")]): with setup("user4"): with When("I alter user with host local"): node.query("ALTER USER user4 HOST LOCAL") - with Scenario("I alter user host name", flags=TE, requirements=[ + with Scenario("I alter user host name", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Name("1.0")]): with setup("user5"): with When("I alter user with host name"): node.query("ALTER USER user5 HOST NAME 'localhost', NAME 'clickhouse.com'") - with Scenario("I alter user host regexp", flags=TE, requirements=[ + with Scenario("I alter user host regexp", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Regexp("1.0")]): with setup("user6"): with When("I alter user with host regexp"): node.query("ALTER USER user6 HOST REGEXP 'lo..*host', 'lo*host'") - with Scenario("I alter user host ip", flags=TE, requirements=[ + with Scenario("I alter user host ip", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_IP("1.0")]): with setup("user7"): with When("I alter user with host ip"): node.query("ALTER USER user7 HOST IP '127.0.0.1', IP '127.0.0.2'") - with Scenario("I alter user host like", flags=TE, requirements=[ + with Scenario("I alter user host like", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Like("1.0")]): with setup("user8"): with When("I alter user with host like"): node.query("ALTER USER user8 HOST LIKE '%.clickhouse.com'") - with Scenario("I alter user host any", flags=TE, requirements=[ + with Scenario("I alter user host any", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Any("1.0")]): with setup("user9"): with When("I alter user with host any"): node.query("ALTER USER user9 HOST ANY") - with Scenario("I alter user host many hosts", flags=TE, requirements=[ + with Scenario("I alter user host many hosts", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_Like("1.0")]): with setup("user11"): with When("I alter user with multiple hosts"): node.query("ALTER USER user11 HOST LIKE '%.clickhouse.com', \ IP '127.0.0.2', NAME 'localhost', REGEXP 'lo*host'") - with Scenario("I alter user default role set to none", flags=TE, requirements=[ + with Scenario("I alter user default role set to none", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_None("1.0")]): with setup("user12"): with When("I alter user with default role none"): node.query("ALTER USER user12 DEFAULT ROLE NONE") - with Scenario("I alter user default role set to all", flags=TE, requirements=[ + with Scenario("I alter user default role set to all", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole_All("1.0")]): with setup("user13"): with When("I alter user with all roles set to default"): @@ -183,7 +183,7 @@ def feature(self, node="clickhouse1"): with Finally(f"I drop the role {role}", flags=TE): node.query(f"DROP ROLE IF EXISTS {role}") - with Scenario("I alter user default role", flags=TE, requirements=[ + with Scenario("I alter user default role", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole("1.0")]): with setup("user14"), setup_role("role2"): with Given("I have a user with a role"): @@ -191,7 +191,7 @@ def feature(self, node="clickhouse1"): with When("I alter user default role"): node.query("ALTER USER user14 DEFAULT ROLE role2") - with Scenario("I alter user default role, setting default role", flags=TE, requirements=[ + with Scenario("I alter user default role, setting default role", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole("1.0")]): with setup("user14a"), setup_role("default"): with Given("I grant default role to the user"): @@ -199,7 +199,7 @@ def feature(self, node="clickhouse1"): with When("I alter user default role"): node.query("ALTER USER user14a DEFAULT ROLE default") - with Scenario("I alter user default role, role doesn't exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter user default role, role doesn't exist, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole("1.0")]): with setup("user12"): role = "role0" @@ -210,7 +210,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER USER user12 DEFAULT ROLE {role}",exitcode=exitcode, message=message) del role - with Scenario("I alter user default role, all except role doesn't exist, throws exception", flags=TE, requirements=[ + with Scenario("I alter user default role, all except role doesn't exist, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole("1.0")]): with setup("user12"): role = "role0" @@ -221,7 +221,7 @@ def feature(self, node="clickhouse1"): node.query(f"ALTER USER user12 DEFAULT ROLE ALL EXCEPT {role}",exitcode=exitcode, message=message) del role - with Scenario("I alter user default role multiple", flags=TE, requirements=[ + with Scenario("I alter user default role multiple", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole("1.0")]): with setup("user15"), setup_role("second"), setup_role("third"): with Given("I have a user with multiple roles"): @@ -229,7 +229,7 @@ def feature(self, node="clickhouse1"): with When("I alter user default role to second, third"): node.query("ALTER USER user15 DEFAULT ROLE second, third") - with Scenario("I alter user default role set to all except", flags=TE, requirements=[ + with Scenario("I alter user default role set to all except", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole_AllExcept("1.0")]): with setup("user16"), setup_role("second"): with Given("I have a user with a role"): @@ -237,7 +237,7 @@ def feature(self, node="clickhouse1"): with When("I alter user default role"): node.query("ALTER USER user16 DEFAULT ROLE ALL EXCEPT second") - with Scenario("I alter user default role multiple all except", flags=TE, requirements=[ + with Scenario("I alter user default role multiple all except", requirements=[ RQ_SRS_006_RBAC_User_Alter_DefaultRole_AllExcept("1.0")]): with setup("user17"), setup_role("second"), setup_role("third"): with Given("I have a user with multiple roles"): @@ -245,7 +245,7 @@ def feature(self, node="clickhouse1"): with When("I alter user default role to all except second"): node.query("ALTER USER user17 DEFAULT ROLE ALL EXCEPT second") - with Scenario("I alter user settings profile", flags=TE, requirements=[ + with Scenario("I alter user settings profile", requirements=[ RQ_SRS_006_RBAC_User_Alter_Settings("1.0"), \ RQ_SRS_006_RBAC_User_Alter_Settings_Profile("1.0")]): with setup("user18"): @@ -258,7 +258,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the profile"): node.query(f"DROP SETTINGS PROFILE profile10") - with Scenario("I alter user settings profile, fake profile, throws exception", flags=TE, requirements=[ + with Scenario("I alter user settings profile, fake profile, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter_Settings("1.0"), RQ_SRS_006_RBAC_User_Alter_Settings_Profile("1.0")]): with setup("user18a"): @@ -270,14 +270,14 @@ def feature(self, node="clickhouse1"): node.query("ALTER USER user18a SETTINGS PROFILE profile0", exitcode=exitcode, message=message) del profile - with Scenario("I alter user settings with a fake setting, throws exception", flags=TE, requirements=[ + with Scenario("I alter user settings with a fake setting, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Alter_Settings("1.0")]): with setup("user18b"): with When("I alter settings profile using settings and nonexistent value"): exitcode, message = errors.unknown_setting("fake_setting") node.query("ALTER USER user18b SETTINGS fake_setting = 100000001", exitcode=exitcode, message=message) - with Scenario("I alter user settings without profile (no equals)", flags=TE, requirements=[ + with Scenario("I alter user settings without profile (no equals)", requirements=[ RQ_SRS_006_RBAC_User_Alter_Settings("1.0"), RQ_SRS_006_RBAC_User_Alter_Settings_Min("1.0"), RQ_SRS_006_RBAC_User_Alter_Settings_Max("1.0")]): @@ -286,7 +286,7 @@ def feature(self, node="clickhouse1"): node.query("ALTER USER user19 SETTINGS max_memory_usage=10000000 MIN 100000 MAX 1000000000 READONLY") #equals sign (=) syntax verify - with Scenario("I alter user settings without profile (yes equals)", flags=TE, requirements=[ + with Scenario("I alter user settings without profile (yes equals)", requirements=[ RQ_SRS_006_RBAC_User_Alter_Settings("1.0"), RQ_SRS_006_RBAC_User_Alter_Settings_Min("1.0"), RQ_SRS_006_RBAC_User_Alter_Settings_Max("1.0")]): @@ -295,7 +295,7 @@ def feature(self, node="clickhouse1"): node.query("ALTER USER user20 SETTINGS max_memory_usage=10000000 MIN=100000 MAX=1000000000 READONLY") #Add requirement to host: add/drop - with Scenario("I alter user to add host", flags=TE, requirements=[ + with Scenario("I alter user to add host", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_AddDrop("1.0")]): with setup("user21"): with When("I alter user by adding local host"): @@ -309,7 +309,7 @@ def feature(self, node="clickhouse1"): with And("I alter user by adding host name"): node.query("ALTER USER user21 ADD HOST NAME 'localhost'") - with Scenario("I alter user to remove host", flags=TE, requirements=[ + with Scenario("I alter user to remove host", requirements=[ RQ_SRS_006_RBAC_User_Alter_Host_AddDrop("1.0")]): with setup("user22"): with When("I alter user by removing local host"): diff --git a/tests/testflows/rbac/tests/syntax/create_quota.py b/tests/testflows/rbac/tests/syntax/create_quota.py index 4945583a542..33dbbf9c153 100755 --- a/tests/testflows/rbac/tests/syntax/create_quota.py +++ b/tests/testflows/rbac/tests/syntax/create_quota.py @@ -41,13 +41,13 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user0") node.query(f"CREATE ROLE role0") - with Scenario("I create quota with no options", flags=TE, requirements=[ + with Scenario("I create quota with no options", requirements=[ RQ_SRS_006_RBAC_Quota_Create("1.0")]): with cleanup("quota0"): with When("I create a quota with no options"): node.query("CREATE QUOTA quota0") - with Scenario("I create quota that already exists, throws exception", flags=TE, requirements=[ + with Scenario("I create quota that already exists, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Create("1.0")]): quota = "quota0" with cleanup(quota): @@ -57,7 +57,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA {quota}", exitcode=exitcode, message=message) del quota - with Scenario("I create quota if not exists, quota does not exist", flags=TE, requirements=[ + with Scenario("I create quota if not exists, quota does not exist", requirements=[ RQ_SRS_006_RBAC_Quota_Create_IfNotExists("1.0")]): quota = "quota1" with cleanup(quota): @@ -65,7 +65,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA IF NOT EXISTS {quota}") del quota - with Scenario("I create quota if not exists, quota does exist", flags=TE, requirements=[ + with Scenario("I create quota if not exists, quota does exist", requirements=[ RQ_SRS_006_RBAC_Quota_Create_IfNotExists("1.0")]): quota = "quota1" with cleanup(quota): @@ -74,7 +74,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA IF NOT EXISTS {quota}") del quota - with Scenario("I create quota or replace, quota does not exist", flags=TE, requirements=[ + with Scenario("I create quota or replace, quota does not exist", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Replace("1.0")]): quota = "quota2" with cleanup(quota): @@ -82,7 +82,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA OR REPLACE {quota}") del quota - with Scenario("I create quota or replace, quota does exist", flags=TE, requirements=[ + with Scenario("I create quota or replace, quota does exist", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Replace("1.0")]): quota = "quota2" with cleanup(quota): @@ -93,7 +93,7 @@ def feature(self, node="clickhouse1"): keys = ['none', 'user name', 'ip address', 'client key', 'client key or user name', 'client key or ip address'] for i, key in enumerate(keys): - with Scenario(f"I create quota keyed by {key}", flags=TE, requirements=[ + with Scenario(f"I create quota keyed by {key}", requirements=[ RQ_SRS_006_RBAC_Quota_Create_KeyedBy("1.0"), RQ_SRS_006_RBAC_Quota_Create_KeyedByOptions("1.0")]): name = f'quota{3 + i}' @@ -101,7 +101,7 @@ def feature(self, node="clickhouse1"): with When(f"I create a quota with {key}"): node.query(f"CREATE QUOTA {name} KEYED BY '{key}'") - with Scenario("I create quota for randomized interval", flags=TE, requirements=[ + with Scenario("I create quota for randomized interval", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Interval_Randomized("1.0")]): with cleanup("quota9"): with When("I create a quota for randomized interval"): @@ -109,7 +109,7 @@ def feature(self, node="clickhouse1"): intervals = ['SECOND', 'MINUTE', 'HOUR', 'DAY', 'MONTH'] for i, interval in enumerate(intervals): - with Scenario(f"I create quota for interval {interval}", flags=TE, requirements=[ + with Scenario(f"I create quota for interval {interval}", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Interval("1.0")]): name = f'quota{10 + i}' with cleanup(name): @@ -120,7 +120,7 @@ def feature(self, node="clickhouse1"): 'MAX RESULT BYTES', 'MAX READ ROWS', 'MAX READ BYTES', 'MAX EXECUTION TIME', 'NO LIMITS', 'TRACKING ONLY'] for i, constraint in enumerate(constraints): - with Scenario(f"I create quota for {constraint.lower()}", flags=TE, requirements=[ + with Scenario(f"I create quota for {constraint.lower()}", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Queries("1.0"), RQ_SRS_006_RBAC_Quota_Create_Errors("1.0"), RQ_SRS_006_RBAC_Quota_Create_ResultRows("1.0"), @@ -135,7 +135,7 @@ def feature(self, node="clickhouse1"): with When(f"I create quota for {constraint.lower()}"): node.query(f"CREATE QUOTA {name} FOR INTERVAL 1 DAY {constraint}{' 1024' if constraint.startswith('MAX') else ''}") - with Scenario("I create quota for multiple constraints", flags=TE, requirements=[ + with Scenario("I create quota for multiple constraints", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Interval("1.0"), RQ_SRS_006_RBAC_Quota_Create_Queries("1.0")]): with cleanup("quota23"): @@ -145,13 +145,13 @@ def feature(self, node="clickhouse1"): FOR INTERVAL 2 DAY MAX QUERIES 124, \ FOR INTERVAL 1 HOUR TRACKING ONLY') - with Scenario("I create quota assigned to one role", flags=TE, requirements=[ + with Scenario("I create quota assigned to one role", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment("1.0")]): with cleanup("quota24"): with When("I create quota for role"): node.query("CREATE QUOTA quota24 TO role0") - with Scenario("I create quota to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create quota to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -161,7 +161,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA quota0 TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I create quota to assign to all except role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create quota to assign to all except role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -171,36 +171,36 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA quota0 TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I create quota assigned to no role", flags=TE, requirements=[ + with Scenario("I create quota assigned to no role", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment_None("1.0")]): with When("I create quota for no role"): node.query("CREATE QUOTA quota24 TO NONE") - with Scenario("I create quota assigned to multiple roles", flags=TE, requirements=[ + with Scenario("I create quota assigned to multiple roles", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment("1.0")]): with cleanup("quota25"): with When("I create quota for multiple roles"): node.query("CREATE QUOTA quota25 TO role0, user0") - with Scenario("I create quota assigned to all", flags=TE,requirements=[ + with Scenario("I create quota assigned to all", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment_All("1.0")]): with cleanup("quota26"): with When("I create quota for all"): node.query("CREATE QUOTA quota26 TO ALL") - with Scenario("I create quota assigned to all except one role", flags=TE, requirements=[ + with Scenario("I create quota assigned to all except one role", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment_Except("1.0")]): with cleanup("quota27"): with When("I create quota for all except one role"): node.query("CREATE QUOTA quota27 TO ALL EXCEPT role0") - with Scenario("I create quota assigned to all except multiple roles", flags=TE, requirements=[ + with Scenario("I create quota assigned to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Assignment_Except("1.0")]): with cleanup("quota28"): with When("I create quota for all except multiple roles"): node.query("CREATE QUOTA quota28 TO ALL EXCEPT role0, user0") - with Scenario("I create quota on cluster", flags=TE, requirements=[ + with Scenario("I create quota on cluster", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Cluster("1.0")]): try: with When("I run create quota command on cluster"): @@ -215,7 +215,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the quota from cluster"): node.query("DROP QUOTA IF EXISTS quota29 ON CLUSTER sharded_cluster") - with Scenario("I create quota on nonexistent cluster, throws exception", flags=TE, requirements=[ + with Scenario("I create quota on nonexistent cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Create_Cluster("1.0")]): with When("I run create quota on a cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/create_role.py b/tests/testflows/rbac/tests/syntax/create_role.py index 86db48691bd..1cb10077570 100755 --- a/tests/testflows/rbac/tests/syntax/create_role.py +++ b/tests/testflows/rbac/tests/syntax/create_role.py @@ -32,13 +32,13 @@ def feature(self, node="clickhouse1"): with Given(f"I ensure I do have role {role}"): node.query(f"CREATE ROLE OR REPLACE {role}") - with Scenario("I create role with no options", flags=TE, requirements=[ + with Scenario("I create role with no options", requirements=[ RQ_SRS_006_RBAC_Role_Create("1.0")]): with cleanup("role0"): with When("I create role"): node.query("CREATE ROLE role0") - with Scenario("I create role that already exists, throws exception", flags=TE, requirements=[ + with Scenario("I create role that already exists, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Create("1.0")]): role = "role0" with cleanup(role): @@ -49,7 +49,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE {role}", exitcode=exitcode, message=message) del role - with Scenario("I create role if not exists, role does not exist", flags=TE, requirements=[ + with Scenario("I create role if not exists, role does not exist", requirements=[ RQ_SRS_006_RBAC_Role_Create_IfNotExists("1.0")]): role = "role1" with cleanup(role): @@ -57,7 +57,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE IF NOT EXISTS {role}") del role - with Scenario("I create role if not exists, role does exist", flags=TE, requirements=[ + with Scenario("I create role if not exists, role does exist", requirements=[ RQ_SRS_006_RBAC_Role_Create_IfNotExists("1.0")]): role = "role1" with cleanup(role): @@ -66,7 +66,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE IF NOT EXISTS {role}") del role - with Scenario("I create role or replace, role does not exist", flags=TE, requirements=[ + with Scenario("I create role or replace, role does not exist", requirements=[ RQ_SRS_006_RBAC_Role_Create_Replace("1.0")]): role = "role2" with cleanup(role): @@ -74,7 +74,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE OR REPLACE {role}") del role - with Scenario("I create role or replace, role does exist", flags=TE, requirements=[ + with Scenario("I create role or replace, role does exist", requirements=[ RQ_SRS_006_RBAC_Role_Create_Replace("1.0")]): role = "role2" with cleanup(role): @@ -83,7 +83,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE OR REPLACE {role}") del role - with Scenario("I create role on cluster", flags=TE, requirements=[ + with Scenario("I create role on cluster", requirements=[ RQ_SRS_006_RBAC_Role_Create("1.0")]): try: with When("I have a role on a cluster"): @@ -96,19 +96,19 @@ def feature(self, node="clickhouse1"): with Finally("I drop the role"): node.query("DROP ROLE IF EXISTS role1,role2 ON CLUSTER sharded_cluster") - with Scenario("I create role on nonexistent cluster, throws exception", flags=TE, requirements=[ + with Scenario("I create role on nonexistent cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Create("1.0")]): with When("I run create role on a cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("CREATE ROLE role1 ON CLUSTER fake_cluster", exitcode=exitcode, message=message) - with Scenario("I create role with settings profile", flags=TE, requirements=[ + with Scenario("I create role with settings profile", requirements=[ RQ_SRS_006_RBAC_Role_Create_Settings("1.0")]): with cleanup("role3"): with When("I create role with settings profile"): node.query("CREATE ROLE role3 SETTINGS PROFILE default, max_memory_usage=10000000 WRITABLE") - with Scenario("I create role settings profile, fake profile, throws exception", flags=TE, requirements=[ + with Scenario("I create role settings profile, fake profile, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Create_Settings("1.0")]): with cleanup("role4a"): with Given("I ensure profile profile0 does not exist"): @@ -117,7 +117,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.settings_profile_not_found_in_disk("profile0") node.query("CREATE ROLE role4a SETTINGS PROFILE profile0", exitcode=exitcode, message=message) - with Scenario("I create role with settings without profile", flags=TE, requirements=[ + with Scenario("I create role with settings without profile", requirements=[ RQ_SRS_006_RBAC_Role_Create_Settings("1.0")]): with cleanup("role4"): with When("I create role with settings without profile"): diff --git a/tests/testflows/rbac/tests/syntax/create_row_policy.py b/tests/testflows/rbac/tests/syntax/create_row_policy.py index 4f35f47ff4b..8bf83579dd5 100755 --- a/tests/testflows/rbac/tests/syntax/create_row_policy.py +++ b/tests/testflows/rbac/tests/syntax/create_row_policy.py @@ -41,21 +41,21 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROLE role0") node.query(f"CREATE ROLE role1") - with Scenario("I create row policy with no options", flags=TE, requirements=[ + with Scenario("I create row policy with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy0"): with When("I create row policy"): node.query("CREATE ROW POLICY policy0 ON default.foo") - with Scenario("I create row policy using short syntax with no options", flags=TE, requirements=[ + with Scenario("I create row policy using short syntax with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy1"): with When("I create row policy short form"): node.query("CREATE POLICY policy1 ON default.foo") - with Scenario("I create row policy that already exists, throws exception", flags=TE, requirements=[ + with Scenario("I create row policy that already exists, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): policy = "policy0" @@ -66,14 +66,14 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROW POLICY {policy} ON default.foo", exitcode=exitcode, message=message) del policy - with Scenario("I create row policy if not exists, policy does not exist", flags=TE, requirements=[ + with Scenario("I create row policy if not exists, policy does not exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy2"): with When("I create row policy with if not exists"): node.query("CREATE ROW POLICY IF NOT EXISTS policy2 ON default.foo") - with Scenario("I create row policy if not exists, policy does exist", flags=TE, requirements=[ + with Scenario("I create row policy if not exists, policy does exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_IfNotExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): policy = "policy2" @@ -83,14 +83,14 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROW POLICY IF NOT EXISTS {policy} ON default.foo") del policy - with Scenario("I create row policy or replace, policy does not exist", flags=TE, requirements=[ + with Scenario("I create row policy or replace, policy does not exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Replace("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy3"): with When("I create row policy with or replace"): node.query("CREATE ROW POLICY OR REPLACE policy3 ON default.foo") - with Scenario("I create row policy or replace, policy does exist", flags=TE, requirements=[ + with Scenario("I create row policy or replace, policy does exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Replace("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): policy = "policy3" @@ -100,21 +100,21 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROW POLICY OR REPLACE {policy} ON default.foo") del policy - with Scenario("I create row policy as permissive", flags=TE, requirements=[ + with Scenario("I create row policy as permissive", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Access_Permissive("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy4"): with When("I create row policy as permissive"): node.query("CREATE ROW POLICY policy4 ON default.foo AS PERMISSIVE") - with Scenario("I create row policy as restrictive", flags=TE, requirements=[ + with Scenario("I create row policy as restrictive", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Access_Restrictive("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy5"): with When("I create row policy as restrictive"): node.query("CREATE ROW POLICY policy5 ON default.foo AS RESTRICTIVE") - with Scenario("I create row policy for select", flags=TE, requirements=[ + with Scenario("I create row policy for select", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_ForSelect("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_Condition("1.0")]): @@ -122,21 +122,21 @@ def feature(self, node="clickhouse1"): with When("I create row policy with for select"): node.query("CREATE ROW POLICY policy6 ON default.foo FOR SELECT USING x > 10") - with Scenario("I create row policy using condition", flags=TE, requirements=[ + with Scenario("I create row policy using condition", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Condition("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy6"): with When("I create row policy with condition"): node.query("CREATE ROW POLICY policy6 ON default.foo USING x > 10") - with Scenario("I create row policy assigned to one role", flags=TE, requirements=[ + with Scenario("I create row policy assigned to one role", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy7"): with When("I create row policy for one role"): node.query("CREATE ROW POLICY policy7 ON default.foo TO role0") - with Scenario("I create row policy to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create row policy to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment("1.0")]): role = "role2" with cleanup("policy8a"): @@ -147,7 +147,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROW POLICY policy8a ON default.foo TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I create row policy to assign to all excpet role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create row policy to assign to all excpet role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment("1.0")]): role = "role2" with cleanup("policy8a"): @@ -158,42 +158,42 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE ROW POLICY policy8a ON default.foo TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I create row policy assigned to multiple roles", flags=TE, requirements=[ + with Scenario("I create row policy assigned to multiple roles", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy8b"): with When("I create row policy for multiple roles"): node.query("CREATE ROW POLICY policy8b ON default.foo TO role0, role1") - with Scenario("I create row policy assigned to all", flags=TE, requirements=[ + with Scenario("I create row policy assigned to all", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_All("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy9"): with When("I create row policy for all"): node.query("CREATE ROW POLICY policy9 ON default.foo TO ALL") - with Scenario("I create row policy assigned to all except one role", flags=TE, requirements=[ + with Scenario("I create row policy assigned to all except one role", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy10"): with When("I create row policy for all except one"): node.query("CREATE ROW POLICY policy10 ON default.foo TO ALL EXCEPT role0") - with Scenario("I create row policy assigned to all except multiple roles", flags=TE, requirements=[ + with Scenario("I create row policy assigned to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_AllExcept("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy11"): with When("I create row policy for all except multiple roles"): node.query("CREATE ROW POLICY policy11 ON default.foo TO ALL EXCEPT role0, role1") - with Scenario("I create row policy assigned to none", flags=TE, requirements=[ + with Scenario("I create row policy assigned to none", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_Assignment_None("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with cleanup("policy11"): with When("I create row policy for none"): node.query("CREATE ROW POLICY policy11 ON default.foo TO NONE") - with Scenario("I create row policy on cluster", flags=TE, requirements=[ + with Scenario("I create row policy on cluster", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): try: @@ -203,14 +203,14 @@ def feature(self, node="clickhouse1"): with Finally("I drop the row policy from cluster"): node.query("DROP ROW POLICY IF EXISTS policy12 ON default.foo ON CLUSTER sharded_cluster") - with Scenario("I create row policy on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I create row policy on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): with When("I run create row policy command"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("CREATE ROW POLICY policy13 ON CLUSTER fake_cluster ON default.foo", exitcode=exitcode, message=message) - with Scenario("I create row policy on cluster after table", flags=TE, requirements=[ + with Scenario("I create row policy on cluster after table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Create_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Create_On("1.0")]): try: diff --git a/tests/testflows/rbac/tests/syntax/create_settings_profile.py b/tests/testflows/rbac/tests/syntax/create_settings_profile.py index 6d720af21bc..8976ce6843a 100755 --- a/tests/testflows/rbac/tests/syntax/create_settings_profile.py +++ b/tests/testflows/rbac/tests/syntax/create_settings_profile.py @@ -39,13 +39,13 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user0") node.query(f"CREATE ROLE role0") - with Scenario("I create settings profile with no options", flags=TE, requirements=[ + with Scenario("I create settings profile with no options", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create("1.0")]): with cleanup("profile0"): with When("I create settings profile"): node.query("CREATE SETTINGS PROFILE profile0") - with Scenario("I create settings profile that already exists, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile that already exists, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create("1.0")]): profile = "profile0" with cleanup(profile): @@ -55,13 +55,13 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE SETTINGS PROFILE {profile}", exitcode=exitcode, message=message) del profile - with Scenario("I create settings profile if not exists, profile does not exist", flags=TE, requirements=[ + with Scenario("I create settings profile if not exists, profile does not exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_IfNotExists("1.0")]): with cleanup("profile1"): with When("I create settings profile with if not exists"): node.query("CREATE SETTINGS PROFILE IF NOT EXISTS profile1") - with Scenario("I create settings profile if not exists, profile does exist", flags=TE, requirements=[ + with Scenario("I create settings profile if not exists, profile does exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_IfNotExists("1.0")]): profile = "profile1" with cleanup(profile): @@ -70,78 +70,78 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE SETTINGS PROFILE IF NOT EXISTS {profile}") del profile - with Scenario("I create settings profile or replace, profile does not exist", flags=TE, requirements=[ + with Scenario("I create settings profile or replace, profile does not exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Replace("1.0")]): with cleanup("profile2"): with When("I create settings policy with or replace"): node.query("CREATE SETTINGS PROFILE OR REPLACE profile2") - with Scenario("I create settings profile or replace, profile does exist", flags=TE, requirements=[ + with Scenario("I create settings profile or replace, profile does exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Replace("1.0")]): with cleanup("profile2"): create_profile("profile2") with When("I create settings policy with or replace"): node.query("CREATE SETTINGS PROFILE OR REPLACE profile2") - with Scenario("I create settings profile short form", flags=TE, requirements=[ + with Scenario("I create settings profile short form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create("1.0")]): with cleanup("profile3"): with When("I create settings profile short form"): node.query("CREATE PROFILE profile3") - with Scenario("I create settings profile with a setting value", flags=TE, requirements=[ + with Scenario("I create settings profile with a setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Value("1.0")]): with cleanup("profile4"): with When("I create settings profile with settings"): node.query("CREATE SETTINGS PROFILE profile4 SETTINGS max_memory_usage = 100000001") - with Scenario("I create settings profile with a setting value, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile with a setting value, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables("1.0"), RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Value("1.0")]): with When("I create settings profile using settings and nonexistent value"): exitcode, message = errors.unknown_setting("fake_setting") node.query("CREATE SETTINGS PROFILE profile0 SETTINGS fake_setting = 100000001", exitcode=exitcode, message=message) - with Scenario("I create settings profile with a min setting value", flags=TE, requirements=[ + with Scenario("I create settings profile with a min setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile5"), cleanup("profile6"): with When("I create settings profile with min setting with and without equals"): node.query("CREATE SETTINGS PROFILE profile5 SETTINGS max_memory_usage MIN 100000001") node.query("CREATE SETTINGS PROFILE profile6 SETTINGS max_memory_usage MIN = 100000001") - with Scenario("I create settings profile with a max setting value", flags=TE, requirements=[ + with Scenario("I create settings profile with a max setting value", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile7"), cleanup("profile8"): with When("I create settings profile with max setting with and without equals"): node.query("CREATE SETTINGS PROFILE profile7 SETTINGS max_memory_usage MAX 100000001") node.query("CREATE SETTINGS PROFILE profile8 SETTINGS max_memory_usage MAX = 100000001") - with Scenario("I create settings profile with min and max setting values", flags=TE, requirements=[ + with Scenario("I create settings profile with min and max setting values", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile9"): with When("I create settings profile with min and max setting"): node.query("CREATE SETTINGS PROFILE profile9 SETTINGS max_memory_usage MIN 100000001 MAX 200000001") - with Scenario("I create settings profile with a readonly setting", flags=TE, requirements=[ + with Scenario("I create settings profile with a readonly setting", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile10"): with When("I create settings profile with readonly"): node.query("CREATE SETTINGS PROFILE profile10 SETTINGS max_memory_usage READONLY") - with Scenario("I create settings profile with a writable setting", flags=TE, requirements=[ + with Scenario("I create settings profile with a writable setting", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile21"): with When("I create settings profile with writable"): node.query("CREATE SETTINGS PROFILE profile21 SETTINGS max_memory_usage WRITABLE") - with Scenario("I create settings profile with inherited settings", flags=TE, requirements=[ + with Scenario("I create settings profile with inherited settings", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit("1.0")]): with cleanup("profile11"): with When("I create settings profile with inherit"): node.query("CREATE SETTINGS PROFILE profile11 SETTINGS INHERIT 'default'") - with Scenario("I create settings profile with inherit/from profile, fake profile, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile with inherit/from profile, fake profile, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit("1.0")]): profile = "profile3" with Given(f"I ensure that profile {profile} does not exist"): @@ -153,13 +153,13 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE PROFILE profile0 SETTINGS {source} {profile}", exitcode=exitcode, message=message) del profile - with Scenario("I create settings profile with inherited settings other form", flags=TE, requirements=[ + with Scenario("I create settings profile with inherited settings other form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Inherit("1.0")]): with cleanup("profile12"): with When("I create settings profile with inherit short form"): node.query("CREATE PROFILE profile12 SETTINGS PROFILE 'default'") - with Scenario("I create settings profile with multiple settings", flags=TE, requirements=[ + with Scenario("I create settings profile with multiple settings", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile13"): with When("I create settings profile with multiple settings"): @@ -167,7 +167,7 @@ def feature(self, node="clickhouse1"): " SETTINGS max_memory_usage = 100000001" " SETTINGS max_memory_usage_for_user = 100000001") - with Scenario("I create settings profile with multiple settings short form", flags=TE, requirements=[ + with Scenario("I create settings profile with multiple settings short form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Variables_Constraints("1.0")]): with cleanup("profile14"): with When("I create settings profile with multiple settings short form"): @@ -175,13 +175,13 @@ def feature(self, node="clickhouse1"): " SETTINGS max_memory_usage = 100000001," " max_memory_usage_for_user = 100000001") - with Scenario("I create settings profile assigned to one role", flags=TE, requirements=[ + with Scenario("I create settings profile assigned to one role", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment("1.0")]): with cleanup("profile15"): with When("I create settings profile for a role"): node.query("CREATE SETTINGS PROFILE profile15 TO role0") - with Scenario("I create settings profile to assign to role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile to assign to role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -191,7 +191,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE SETTINGS PROFILE profile0 TO {role}", exitcode=exitcode, message=message) del role - with Scenario("I create settings profile to assign to all except role that does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile to assign to all except role that does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment("1.0")]): role = "role1" with Given(f"I drop {role} if it exists"): @@ -201,37 +201,37 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE SETTINGS PROFILE profile0 TO ALL EXCEPT {role}", exitcode=exitcode, message=message) del role - with Scenario("I create settings profile assigned to multiple roles", flags=TE, requirements=[ + with Scenario("I create settings profile assigned to multiple roles", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment("1.0")]): with cleanup("profile16"): with When("I create settings profile for multiple roles"): node.query("CREATE SETTINGS PROFILE profile16 TO role0, user0") - with Scenario("I create settings profile assigned to all", flags=TE, requirements=[ + with Scenario("I create settings profile assigned to all", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_All("1.0")]): with cleanup("profile17"): with When("I create settings profile for all"): node.query("CREATE SETTINGS PROFILE profile17 TO ALL") - with Scenario("I create settings profile assigned to all except one role", flags=TE,requirements=[ + with Scenario("I create settings profile assigned to all except one role",requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_AllExcept("1.0")]): with cleanup("profile18"): with When("I create settings profile for all except one role"): node.query("CREATE SETTINGS PROFILE profile18 TO ALL EXCEPT role0") - with Scenario("I create settings profile assigned to all except multiple roles", flags=TE, requirements=[ + with Scenario("I create settings profile assigned to all except multiple roles", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_AllExcept("1.0")]): with cleanup("profile19"): with When("I create settings profile for all except multiple roles"): node.query("CREATE SETTINGS PROFILE profile19 TO ALL EXCEPT role0, user0") - with Scenario("I create settings profile assigned to none", flags=TE, requirements=[ + with Scenario("I create settings profile assigned to none", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_Assignment_None("1.0")]): with cleanup("profile22"): with When("I create settings profile for none"): node.query("CREATE SETTINGS PROFILE profile22 TO NONE") - with Scenario("I create settings profile on cluster", flags=TE, requirements=[ + with Scenario("I create settings profile on cluster", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_OnCluster("1.0")]): try: with When("I run create settings profile command"): @@ -243,7 +243,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the settings profile"): node.query("DROP SETTINGS PROFILE IF EXISTS profile20 ON CLUSTER sharded_cluster") - with Scenario("I create settings profile on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I create settings profile on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Create_OnCluster("1.0")]): with When("I run create settings profile command"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/create_user.py b/tests/testflows/rbac/tests/syntax/create_user.py index d410dd1ab6e..326446e4620 100755 --- a/tests/testflows/rbac/tests/syntax/create_user.py +++ b/tests/testflows/rbac/tests/syntax/create_user.py @@ -25,7 +25,7 @@ def feature(self, node="clickhouse1"): @contextmanager def cleanup(user): try: - with Given("I ensure the user does not already exist", flags=TE): + with Given("I ensure the user does not already exist"): node.query(f"DROP USER IF EXISTS {user}") yield finally: @@ -36,14 +36,14 @@ def feature(self, node="clickhouse1"): with Given(f"I ensure I do have user {user}"): node.query(f"CREATE USER OR REPLACE {user}") - with Scenario("I create user with no options", flags=TE, requirements=[ + with Scenario("I create user with no options", requirements=[ RQ_SRS_006_RBAC_User_Create("1.0"), RQ_SRS_006_RBAC_User_Create_Host_Default("1.0")]): with cleanup("user0"): with When("I create a user with no options"): node.query("CREATE USER user0") - with Scenario("I create user that already exists, throws exception", flags=TE, requirements=[ + with Scenario("I create user that already exists, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create("1.0"), RQ_SRS_006_RBAC_User_Create_Host_Default("1.0")]): user = "user0" @@ -54,7 +54,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER {user}", exitcode=exitcode, message=message) del user - with Scenario("I create user with if not exists, user does not exist", flags=TE, requirements=[ + with Scenario("I create user with if not exists, user does not exist", requirements=[ RQ_SRS_006_RBAC_User_Create_IfNotExists("1.0")]): user = "user0" with cleanup(user): @@ -63,7 +63,7 @@ def feature(self, node="clickhouse1"): del user #Bug exists, mark as xfail - with Scenario("I create user with if not exists, user does exist", flags=TE, requirements=[ + with Scenario("I create user with if not exists, user does exist", requirements=[ RQ_SRS_006_RBAC_User_Create_IfNotExists("1.0")]): user = "user0" with cleanup(user): @@ -72,7 +72,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER IF NOT EXISTS {user}") del user - with Scenario("I create user or replace, user does not exist", flags=TE, requirements=[ + with Scenario("I create user or replace, user does not exist", requirements=[ RQ_SRS_006_RBAC_User_Create_Replace("1.0")]): user = "user0" with cleanup(user): @@ -80,7 +80,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER OR REPLACE {user}") del user - with Scenario("I create user or replace, user does exist", flags=TE, requirements=[ + with Scenario("I create user or replace, user does exist", requirements=[ RQ_SRS_006_RBAC_User_Create_Replace("1.0")]): user = "user0" with cleanup(user): @@ -89,33 +89,33 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER OR REPLACE {user}") del user - with Scenario("I create user with no password", flags=TE, requirements=[ + with Scenario("I create user with no password", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_NoPassword("1.0")]): with cleanup("user1"): with When("I create a user with no password"): node.query("CREATE USER user1 IDENTIFIED WITH NO_PASSWORD") - with Scenario("I create user with plaintext password", flags=TE, requirements=[ + with Scenario("I create user with plaintext password", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_PlainText("1.0")]): with cleanup("user1"): with When("I create a user with plaintext password"): node.query("CREATE USER user1 IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'mypassword'") - with Scenario("I create user with sha256 password", flags=TE, requirements=[ + with Scenario("I create user with sha256 password", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_Sha256Password("1.0")]): with cleanup("user2"): with When("I create a user with sha256 password"): password = hashlib.sha256("mypassword".encode("utf-8")).hexdigest() node.query(f"CREATE USER user2 IDENTIFIED WITH SHA256_PASSWORD BY '{password}'") - with Scenario("I create user with sha256 password using IDENTIFIED BY", flags=TE, requirements=[ + with Scenario("I create user with sha256 password using IDENTIFIED BY", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_Sha256Password("1.0")]): with cleanup("user2"): with When("I create a user with sha256 password using short form"): password = hashlib.sha256("mypassword".encode("utf-8")).hexdigest() node.query(f"CREATE USER user2 IDENTIFIED BY '{password}'") - with Scenario("I create user with sha256_hash password", flags=TE, requirements=[ + with Scenario("I create user with sha256_hash password", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_Sha256Hash("1.0")]): with cleanup("user3"): with When("I create a user with sha256_hash"): @@ -124,13 +124,13 @@ def feature(self, node="clickhouse1"): password = hash(hash("mypassword")) node.query(f"CREATE USER user3 IDENTIFIED WITH SHA256_HASH BY '{password}'") - with Scenario("I create user with double sha1 password", flags=TE, requirements=[ + with Scenario("I create user with double sha1 password", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Password("1.0")]): with cleanup("user3"): with When("I create a user with double_sha1_password"): node.query(f"CREATE USER user3 IDENTIFIED WITH DOUBLE_SHA1_PASSWORD BY 'mypassword'") - with Scenario("I create user with double sha1 hash", flags=TE, requirements=[ + with Scenario("I create user with double sha1 hash", requirements=[ RQ_SRS_006_RBAC_User_Create_Password_DoubleSha1Hash("1.0")]): with cleanup("user3"): with When("I create a user with double_sha1_hash"): @@ -139,55 +139,55 @@ def feature(self, node="clickhouse1"): password = hash(hash("mypassword")) node.query(f"CREATE USER user3 IDENTIFIED WITH DOUBLE_SHA1_HASH BY '{password}'") - with Scenario("I create user with host name", flags=TE, requirements=[ + with Scenario("I create user with host name", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_Name("1.0")]): with cleanup("user4"): with When("I create a user with host name"): node.query("CREATE USER user4 HOST NAME 'localhost', NAME 'clickhouse.com'") - with Scenario("I create user with host regexp", flags=TE, requirements=[ + with Scenario("I create user with host regexp", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_Regexp("1.0")]): with cleanup("user5"): with When("I create a user with host regexp"): node.query("CREATE USER user5 HOST REGEXP 'lo.?*host', REGEXP 'lo*host'") - with Scenario("I create user with host ip", flags=TE, requirements=[ + with Scenario("I create user with host ip", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_IP("1.0")]): with cleanup("user6"): with When("I create a user with host ip"): node.query("CREATE USER user6 HOST IP '127.0.0.1', IP '127.0.0.2'") - with Scenario("I create user with host like", flags=TE, requirements=[ + with Scenario("I create user with host like", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_Like("1.0")]): with cleanup("user7"): with When("I create a user with host like"): node.query("CREATE USER user7 HOST LIKE 'local%'") - with Scenario("I create user with host none", flags=TE, requirements=[ + with Scenario("I create user with host none", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_None("1.0")]): with cleanup("user7"): with When("I create a user with host none"): node.query("CREATE USER user7 HOST NONE") - with Scenario("I create user with host local", flags=TE, requirements=[ + with Scenario("I create user with host local", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_Local("1.0")]): with cleanup("user7"): with When("I create a user with host local"): node.query("CREATE USER user7 HOST LOCAL") - with Scenario("I create user with host any", flags=TE, requirements=[ + with Scenario("I create user with host any", requirements=[ RQ_SRS_006_RBAC_User_Create_Host_Any("1.0")]): with cleanup("user7"): with When("I create a user with host any"): node.query("CREATE USER user7 HOST ANY") - with Scenario("I create user with default role set to none", flags=TE, requirements=[ + with Scenario("I create user with default role set to none", requirements=[ RQ_SRS_006_RBAC_User_Create_DefaultRole_None("1.0")]): with cleanup("user8"): with When("I create a user with no default role"): node.query("CREATE USER user8 DEFAULT ROLE NONE") - with Scenario("I create user with default role", flags=TE, requirements=[ + with Scenario("I create user with default role", requirements=[ RQ_SRS_006_RBAC_User_Create_DefaultRole("1.0")]): with Given("I have a role"): node.query("CREATE ROLE default") @@ -197,7 +197,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the role"): node.query("DROP ROLE default") - with Scenario("I create user default role, role doesn't exist, throws exception", flags=TE, requirements=[ + with Scenario("I create user default role, role doesn't exist, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create_DefaultRole("1.0")]): with cleanup("user12"): role = "role0" @@ -208,7 +208,7 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user12 DEFAULT ROLE {role}",exitcode=exitcode, message=message) del role - with Scenario("I create user default role, all except role doesn't exist, throws exception", flags=TE, requirements=[ + with Scenario("I create user default role, all except role doesn't exist, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create_DefaultRole("1.0")]): with cleanup("user12"): role = "role0" @@ -219,19 +219,19 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user12 DEFAULT ROLE ALL EXCEPT {role}",exitcode=exitcode, message=message) del role - with Scenario("I create user with all roles set to default", flags=TE, requirements=[ + with Scenario("I create user with all roles set to default", requirements=[ RQ_SRS_006_RBAC_User_Create_DefaultRole_All("1.0")]): with cleanup("user10"): with When("I create a user with all roles as default"): node.query("CREATE USER user10 DEFAULT ROLE ALL") - with Scenario("I create user with settings profile", flags=TE, requirements=[ + with Scenario("I create user with settings profile", requirements=[ RQ_SRS_006_RBAC_User_Create_Settings("1.0")]): with cleanup("user11"): with When("I create a user with a settings profile"): node.query("CREATE USER user11 SETTINGS PROFILE default, max_memory_usage=10000000 READONLY") - with Scenario("I create user settings profile, fake profile, throws exception", flags=TE, requirements=[ + with Scenario("I create user settings profile, fake profile, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create_Settings("1.0")]): with cleanup("user18a"): profile = "profile0" @@ -242,20 +242,20 @@ def feature(self, node="clickhouse1"): node.query("CREATE USER user18a SETTINGS PROFILE profile0", exitcode=exitcode, message=message) del profile - with Scenario("I create user settings with a fake setting, throws exception", flags=TE, requirements=[ + with Scenario("I create user settings with a fake setting, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create_Settings("1.0")]): with cleanup("user18b"): with When("I create settings profile using settings and nonexistent value"): exitcode, message = errors.unknown_setting("fake_setting") node.query("CREATE USER user18b SETTINGS fake_setting = 100000001", exitcode=exitcode, message=message) - with Scenario("I create user with settings without profile", flags=TE, requirements=[ + with Scenario("I create user with settings without profile", requirements=[ RQ_SRS_006_RBAC_User_Create_Settings("1.0")]): with cleanup("user12"): with When("I create a user with settings and no profile"): node.query("CREATE USER user12 SETTINGS max_memory_usage=10000000 READONLY") - with Scenario("I create user on cluster", flags=TE, requirements=[ + with Scenario("I create user on cluster", requirements=[ RQ_SRS_006_RBAC_User_Create_OnCluster("1.0")]): try: with When("I create user on cluster"): @@ -264,7 +264,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the user"): node.query("DROP USER user13 ON CLUSTER sharded_cluster") - with Scenario("I create user on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I create user on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Create_OnCluster("1.0")]): with When("I create user on fake cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/drop_quota.py b/tests/testflows/rbac/tests/syntax/drop_quota.py index 099951e3f19..879964e46fb 100755 --- a/tests/testflows/rbac/tests/syntax/drop_quota.py +++ b/tests/testflows/rbac/tests/syntax/drop_quota.py @@ -23,20 +23,20 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE QUOTA {quota}") yield finally: - with Finally("I drop the quota"): + with Finally("I drop the quota", flags=TE): node.query(f"DROP QUOTA IF EXISTS {quota}") def cleanup_quota(quota): with Given(f"I ensure that quota {quota} does not exist"): node.query(f"DROP QUOTA IF EXISTS {quota}") - with Scenario("I drop quota with no options", flags=TE, requirements=[ + with Scenario("I drop quota with no options", requirements=[ RQ_SRS_006_RBAC_Quota_Drop("1.0")]): with cleanup("quota0"): with When("I run drop quota command"): node.query("DROP QUOTA quota0") - with Scenario("I drop quota, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I drop quota, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Quota_Drop("1.0")]): quota = "quota0" cleanup_quota(quota) @@ -45,31 +45,31 @@ def feature(self, node="clickhouse1"): node.query(f"DROP QUOTA {quota}", exitcode=exitcode, message=message) del quota - with Scenario("I drop quota if exists, quota exists", flags=TE, requirements=[ + with Scenario("I drop quota if exists, quota exists", requirements=[ RQ_SRS_006_RBAC_Quota_Drop_IfExists("1.0")]): with cleanup("quota1"): with When("I run drop quota command"): node.query("DROP QUOTA IF EXISTS quota1") - with Scenario("I drop quota if exists, quota does not exist", flags=TE, requirements=[ + with Scenario("I drop quota if exists, quota does not exist", requirements=[ RQ_SRS_006_RBAC_Quota_Drop_IfExists("1.0")]): cleanup_quota("quota2") with When("I run drop quota command, quota does not exist"): node.query("DROP QUOTA IF EXISTS quota2") - with Scenario("I drop default quota, throws error", flags=TE, requirements=[ + with Scenario("I drop default quota, throws error", requirements=[ RQ_SRS_006_RBAC_Quota_Drop("1.0")]): with When("I drop default quota"): exitcode, message = errors.cannot_remove_quota_default() node.query("DROP QUOTA default", exitcode=exitcode, message=message) - with Scenario("I drop multiple quotas", flags=TE, requirements=[ + with Scenario("I drop multiple quotas", requirements=[ RQ_SRS_006_RBAC_Quota_Drop("1.0")]): with cleanup("quota2"), cleanup("quota3"): with When("I run drop quota command"): node.query("DROP QUOTA quota2, quota3") - with Scenario("I drop quota on cluster", flags=TE, requirements=[ + with Scenario("I drop quota on cluster", requirements=[ RQ_SRS_006_RBAC_Quota_Drop_Cluster("1.0")]): try: with Given("I have a quota"): @@ -80,7 +80,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the quota in case it still exists"): node.query("DROP QUOTA IF EXISTS quota4 ON CLUSTER sharded_cluster") - with Scenario("I drop quota on fake cluster", flags=TE, requirements=[ + with Scenario("I drop quota on fake cluster", requirements=[ RQ_SRS_006_RBAC_Quota_Drop_Cluster("1.0")]): with When("I run drop quota command"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/drop_role.py b/tests/testflows/rbac/tests/syntax/drop_role.py index 0e6d0134649..87810dc0184 100755 --- a/tests/testflows/rbac/tests/syntax/drop_role.py +++ b/tests/testflows/rbac/tests/syntax/drop_role.py @@ -31,13 +31,13 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROLE IF EXISTS {role}") - with Scenario("I drop role with no options", flags=TE, requirements=[ + with Scenario("I drop role with no options", requirements=[ RQ_SRS_006_RBAC_Role_Drop("1.0")]): with setup("role0"): with When("I drop role"): node.query("DROP ROLE role0") - with Scenario("I drop role that doesn't exist, throws exception", flags=TE, requirements=[ + with Scenario("I drop role that doesn't exist, throws exception", requirements=[ RQ_SRS_006_RBAC_Role_Drop("1.0")]): role = "role0" cleanup_role(role) @@ -46,38 +46,38 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROLE {role}", exitcode=exitcode, message=message) del role - with Scenario("I drop multiple roles", flags=TE, requirements=[ + with Scenario("I drop multiple roles", requirements=[ RQ_SRS_006_RBAC_Role_Drop("1.0")]): with setup("role1"), setup("role2"): with When("I drop multiple roles"): node.query("DROP ROLE role1, role2") - with Scenario("I drop role that does not exist, using if exists", flags=TE, requirements=[ + with Scenario("I drop role that does not exist, using if exists", requirements=[ RQ_SRS_006_RBAC_Role_Drop_IfExists("1.0")]): with When("I drop role if exists"): node.query("DROP ROLE IF EXISTS role3") - with Scenario("I drop multiple roles where one does not exist", flags=TE, requirements=[ + with Scenario("I drop multiple roles where one does not exist", requirements=[ RQ_SRS_006_RBAC_Role_Drop_IfExists("1.0")]): with setup("role5"): with When("I drop multiple roles where one doesnt exist"): node.query("DROP ROLE IF EXISTS role3, role5") - with Scenario("I drop multiple roles where both do not exist", flags = TE, requirements=[ + with Scenario("I drop multiple roles where both do not exist", requirements=[ RQ_SRS_006_RBAC_Role_Drop_IfExists("1.0")]): with Given("I ensure role does not exist"): node.query("DROP ROLE IF EXISTS role6") with When("I drop the nonexistant roles"): node.query("DROP USER IF EXISTS role5, role6") - with Scenario("I drop role on cluster", flags=TE, requirements=[ + with Scenario("I drop role on cluster", requirements=[ RQ_SRS_006_RBAC_Role_Drop_Cluster("1.0")]): with Given("I have a role on cluster"): node.query("CREATE ROLE OR REPLACE role0 ON CLUSTER sharded_cluster") with When("I drop the role from the cluster"): node.query("DROP ROLE IF EXISTS role0 ON CLUSTER sharded_cluster") - with Scenario("I drop role on fake cluster", flags=TE, requirements=[ + with Scenario("I drop role on fake cluster", requirements=[ RQ_SRS_006_RBAC_Role_Drop_Cluster("1.0")]): with When("I run drop role command"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/drop_row_policy.py b/tests/testflows/rbac/tests/syntax/drop_row_policy.py index 2f04450a16a..357f5084bb3 100755 --- a/tests/testflows/rbac/tests/syntax/drop_row_policy.py +++ b/tests/testflows/rbac/tests/syntax/drop_row_policy.py @@ -39,21 +39,21 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE TABLE default.foo (x UInt64, y String) Engine=Memory") node.query(f"CREATE TABLE default.foo2 (x UInt64, y String) Engine=Memory") - with Scenario("I drop row policy with no options", flags=TE, requirements=[ + with Scenario("I drop row policy with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy1"]): with When("I drop row policy"): node.query("DROP ROW POLICY policy1 ON default.foo") - with Scenario("I drop row policy using short syntax with no options", flags=TE, requirements=[ + with Scenario("I drop row policy using short syntax with no options", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy2"]): with When("I drop row policy short form"): node.query("DROP POLICY policy2 ON default.foo") - with Scenario("I drop row policy, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I drop row policy, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): policy = "policy1" @@ -63,42 +63,42 @@ def feature(self, node="clickhouse1"): node.query(f"DROP ROW POLICY {policy} ON default.foo", exitcode=exitcode, message=message) del policy - with Scenario("I drop row policy if exists, policy does exist", flags=TE, requirements=[ + with Scenario("I drop row policy if exists, policy does exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop_IfExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy3"]): with When("I drop row policy if exists"): node.query("DROP ROW POLICY IF EXISTS policy3 ON default.foo") - with Scenario("I drop row policy if exists, policy doesn't exist", flags=TE, requirements=[ + with Scenario("I drop row policy if exists, policy doesn't exist", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop_IfExists("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): cleanup_policy("policy3") with When("I drop row policy if exists"): node.query("DROP ROW POLICY IF EXISTS policy3 ON default.foo") - with Scenario("I drop multiple row policies", flags=TE, requirements=[ + with Scenario("I drop multiple row policies", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy3", "policy4"]): with When("I drop multiple row policies"): node.query("DROP ROW POLICY policy3, policy4 ON default.foo") - with Scenario("I drop row policy on multiple tables", flags=TE, requirements=[ + with Scenario("I drop row policy on multiple tables", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy3"], ["default.foo","default.foo2"]): with When("I drop row policy on multiple tables"): node.query("DROP ROW POLICY policy3 ON default.foo, default.foo2") - with Scenario("I drop multiple row policies on multiple tables", flags=TE, requirements=[ + with Scenario("I drop multiple row policies on multiple tables", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with cleanup(["policy3", "policy4"], ["default.foo","default.foo2"]): with When("I drop the row policies from the tables"): node.query("DROP ROW POLICY policy3 ON default.foo, policy4 ON default.foo2") - with Scenario("I drop row policy on cluster", flags=TE, requirements=[ + with Scenario("I drop row policy on cluster", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): try: @@ -110,7 +110,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the row policy in case it still exists"): node.query("DROP ROW POLICY IF EXISTS policy13 ON default.foo ON CLUSTER sharded_cluster") - with Scenario("I drop row policy on cluster after table", flags=TE, requirements=[ + with Scenario("I drop row policy on cluster after table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): try: @@ -122,7 +122,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the row policy in case it still exists"): node.query("DROP ROW POLICY IF EXISTS policy12 ON default.foo ON CLUSTER sharded_cluster") - with Scenario("I drop row policy on fake cluster throws exception", flags=TE, requirements=[ + with Scenario("I drop row policy on fake cluster throws exception", requirements=[ RQ_SRS_006_RBAC_RowPolicy_Drop_OnCluster("1.0"), RQ_SRS_006_RBAC_RowPolicy_Drop_On("1.0")]): with When("I run drop row policy command"): diff --git a/tests/testflows/rbac/tests/syntax/drop_settings_profile.py b/tests/testflows/rbac/tests/syntax/drop_settings_profile.py index cb17815127f..514c3042679 100755 --- a/tests/testflows/rbac/tests/syntax/drop_settings_profile.py +++ b/tests/testflows/rbac/tests/syntax/drop_settings_profile.py @@ -30,13 +30,13 @@ def feature(self, node="clickhouse1"): with Given(f"I ensure that profile {profile} does not exist"): node.query(f"DROP SETTINGS PROFILE IF EXISTS {profile}") - with Scenario("I drop settings profile with no options", flags=TE, requirements=[ + with Scenario("I drop settings profile with no options", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop("1.0")]): with cleanup("profile0"): with When("I drop settings profile"): node.query("DROP SETTINGS PROFILE profile0") - with Scenario("I drop settings profile, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I drop settings profile, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop("1.0")]): profile = "profile0" cleanup_profile(profile) @@ -45,19 +45,19 @@ def feature(self, node="clickhouse1"): node.query("DROP SETTINGS PROFILE profile0", exitcode=exitcode, message=message) del profile - with Scenario("I drop settings profile short form", flags=TE, requirements=[ + with Scenario("I drop settings profile short form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop("1.0")]): with cleanup("profile1"): with When("I drop settings profile short form"): node.query("DROP PROFILE profile1") - with Scenario("I drop settings profile if exists, profile does exist", flags=TE, requirements=[ + with Scenario("I drop settings profile if exists, profile does exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop_IfExists("1.0")]): with cleanup("profile2"): with When("I drop settings profile if exists"): node.query("DROP SETTINGS PROFILE IF EXISTS profile2") - with Scenario("I drop settings profile if exists, profile does not exist", flags=TE, requirements=[ + with Scenario("I drop settings profile if exists, profile does not exist", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop_IfExists("1.0")]): cleanup_profile("profile2") with When("I drop settings profile if exists"): @@ -69,13 +69,13 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.cannot_remove_settings_profile_default() node.query("DROP SETTINGS PROFILE default", exitcode=exitcode, message=message) - with Scenario("I drop multiple settings profiles", flags=TE, requirements=[ + with Scenario("I drop multiple settings profiles", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop("1.0")]): with cleanup("profile3"), cleanup("profile4"): with When("I drop multiple settings profiles"): node.query("DROP SETTINGS PROFILE profile3, profile4") - with Scenario("I drop settings profile on cluster", flags=TE, requirements=[ + with Scenario("I drop settings profile on cluster", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop_OnCluster("1.0")]): try: with Given("I have a settings profile"): @@ -86,7 +86,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the profile in case it still exists"): node.query("DROP SETTINGS PROFILE IF EXISTS profile5 ON CLUSTER sharded_cluster") - with Scenario("I drop settings profile on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I drop settings profile on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_Drop_OnCluster("1.0")]): with When("I run drop settings profile command"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/drop_user.py b/tests/testflows/rbac/tests/syntax/drop_user.py index 13f0093080a..9bd2433d487 100755 --- a/tests/testflows/rbac/tests/syntax/drop_user.py +++ b/tests/testflows/rbac/tests/syntax/drop_user.py @@ -30,13 +30,13 @@ def feature(self, node="clickhouse1"): with Given(f"I ensure that user {user} does not exist"): node.query(f"DROP USER IF EXISTS {user}") - with Scenario("I drop user with no options", flags=TE, requirements=[ + with Scenario("I drop user with no options", requirements=[ RQ_SRS_006_RBAC_User_Drop("1.0")]): with setup("user0"): with When("I drop user"): node.query("DROP USER user0") - with Scenario("I drop user, does not exist, throws exception", flags=TE, requirements=[ + with Scenario("I drop user, does not exist, throws exception", requirements=[ RQ_SRS_006_RBAC_User_Drop("1.0")]): user = "user0" cleanup_user(user) @@ -45,31 +45,31 @@ def feature(self, node="clickhouse1"): node.query(f"DROP USER {user}", exitcode=exitcode, message=message) del user - with Scenario("I drop multiple users", flags=TE, requirements=[ + with Scenario("I drop multiple users", requirements=[ RQ_SRS_006_RBAC_User_Drop("1.0")]): with setup("user1"), setup("user2"): with When("I drop multiple users"): node.query("DROP USER user1, user2") - with Scenario("I drop user if exists, user does exist", flags=TE, requirements=[ + with Scenario("I drop user if exists, user does exist", requirements=[ RQ_SRS_006_RBAC_User_Drop_IfExists("1.0")]): with setup("user3"): with When("I drop user that exists"): node.query("DROP USER IF EXISTS user3") - with Scenario("I drop user if exists, user does not exist", flags=TE, requirements=[ + with Scenario("I drop user if exists, user does not exist", requirements=[ RQ_SRS_006_RBAC_User_Drop_IfExists("1.0")]): cleanup_user("user3") with When("I drop nonexistant user"): node.query("DROP USER IF EXISTS user3") - with Scenario("I drop default user, throws error", flags=TE, requirements=[ + with Scenario("I drop default user, throws error", requirements=[ RQ_SRS_006_RBAC_User_Drop("1.0")]): with When("I drop user"): exitcode, message = errors.cannot_remove_user_default() node.query("DROP USER default", exitcode=exitcode, message=message) - with Scenario("I drop multiple users where one does not exist", flags=TE, requirements=[ + with Scenario("I drop multiple users where one does not exist", requirements=[ RQ_SRS_006_RBAC_User_Drop_IfExists("1.0")]): with setup("user3"): with When("I drop multiple users where one does not exist"): @@ -80,7 +80,7 @@ def feature(self, node="clickhouse1"): with When("I drop the nonexistant users"): node.query("DROP USER IF EXISTS user5, user6") - with Scenario("I drop user from specific cluster", flags=TE, requirements=[ + with Scenario("I drop user from specific cluster", requirements=[ RQ_SRS_006_RBAC_User_Drop_OnCluster("1.0")]): try: with Given("I have a user on cluster"): @@ -91,7 +91,7 @@ def feature(self, node="clickhouse1"): with Finally("I make sure the user is dropped"): node.query("DROP USER IF EXISTS user4 ON CLUSTER sharded_cluster") - with Scenario("I drop user from fake cluster", flags=TE, requirements=[ + with Scenario("I drop user from fake cluster", requirements=[ RQ_SRS_006_RBAC_User_Drop_OnCluster("1.0")]): with When("I drop a user from the fake cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") diff --git a/tests/testflows/rbac/tests/syntax/feature.py b/tests/testflows/rbac/tests/syntax/feature.py index aac786ff85c..b7c23f8d7ee 100755 --- a/tests/testflows/rbac/tests/syntax/feature.py +++ b/tests/testflows/rbac/tests/syntax/feature.py @@ -3,32 +3,32 @@ from testflows.core import * @TestFeature @Name("syntax") def feature(self): - Feature(run=load("rbac.tests.syntax.create_user", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.alter_user", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.drop_user", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_create_user", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.create_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.alter_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.drop_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_create_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.grant_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.grant_privilege","feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_grants", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.revoke_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.revoke_privilege","feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.create_row_policy", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.alter_row_policy", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.drop_row_policy", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_create_row_policy", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_row_policies", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.create_quota", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.alter_quota", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.drop_quota", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_create_quota", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_quotas", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.create_settings_profile", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.alter_settings_profile", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.drop_settings_profile", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.show_create_settings_profile", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.set_default_role", "feature"), flags=TE) - Feature(run=load("rbac.tests.syntax.set_role","feature"), flags=TE) \ No newline at end of file + Feature(run=load("rbac.tests.syntax.create_user", "feature")) + Feature(run=load("rbac.tests.syntax.alter_user", "feature")) + Feature(run=load("rbac.tests.syntax.drop_user", "feature")) + Feature(run=load("rbac.tests.syntax.show_create_user", "feature")) + Feature(run=load("rbac.tests.syntax.create_role", "feature")) + Feature(run=load("rbac.tests.syntax.alter_role", "feature")) + Feature(run=load("rbac.tests.syntax.drop_role", "feature")) + Feature(run=load("rbac.tests.syntax.show_create_role", "feature")) + Feature(run=load("rbac.tests.syntax.grant_role", "feature")) + Feature(run=load("rbac.tests.syntax.grant_privilege","feature")) + Feature(run=load("rbac.tests.syntax.show_grants", "feature")) + Feature(run=load("rbac.tests.syntax.revoke_role", "feature")) + Feature(run=load("rbac.tests.syntax.revoke_privilege","feature")) + Feature(run=load("rbac.tests.syntax.create_row_policy", "feature")) + Feature(run=load("rbac.tests.syntax.alter_row_policy", "feature")) + Feature(run=load("rbac.tests.syntax.drop_row_policy", "feature")) + Feature(run=load("rbac.tests.syntax.show_create_row_policy", "feature")) + Feature(run=load("rbac.tests.syntax.show_row_policies", "feature")) + Feature(run=load("rbac.tests.syntax.create_quota", "feature")) + Feature(run=load("rbac.tests.syntax.alter_quota", "feature")) + Feature(run=load("rbac.tests.syntax.drop_quota", "feature")) + Feature(run=load("rbac.tests.syntax.show_create_quota", "feature")) + Feature(run=load("rbac.tests.syntax.show_quotas", "feature")) + Feature(run=load("rbac.tests.syntax.create_settings_profile", "feature")) + Feature(run=load("rbac.tests.syntax.alter_settings_profile", "feature")) + Feature(run=load("rbac.tests.syntax.drop_settings_profile", "feature")) + Feature(run=load("rbac.tests.syntax.show_create_settings_profile", "feature")) + Feature(run=load("rbac.tests.syntax.set_default_role", "feature")) + Feature(run=load("rbac.tests.syntax.set_role","feature")) \ No newline at end of file diff --git a/tests/testflows/rbac/tests/syntax/grant_privilege.py b/tests/testflows/rbac/tests/syntax/grant_privilege.py index 2108b101c44..817a70498f4 100755 --- a/tests/testflows/rbac/tests/syntax/grant_privilege.py +++ b/tests/testflows/rbac/tests/syntax/grant_privilege.py @@ -82,7 +82,7 @@ def feature(self, node="clickhouse1"): Scenario(run=grant_privileges) # with nonexistant object name, GRANT assumes type role - with Scenario("I grant privilege to role that does not exist", flags=TE, requirements=[ + with Scenario("I grant privilege to role that does not exist", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with Given("I ensure that role does not exist"): node.query("DROP ROLE IF EXISTS role0") @@ -90,35 +90,35 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk(name="role0") node.query("GRANT NONE TO role0", exitcode=exitcode, message=message) - with Scenario("I grant privilege ON CLUSTER", flags=TE, requirements=[ + with Scenario("I grant privilege ON CLUSTER", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_OnCluster("1.0"), RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with setup(node): with When("I grant privilege ON CLUSTER"): node.query("GRANT ON CLUSTER sharded_cluster NONE TO user0") - with Scenario("I grant privilege on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I grant privilege on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_OnCluster("1.0")]): with setup(node): with When("I grant privilege ON CLUSTER"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("GRANT ON CLUSTER fake_cluster NONE TO user0", exitcode=exitcode, message=message) - with Scenario("I grant privilege to multiple users and roles", flags=TE, requirements=[ + with Scenario("I grant privilege to multiple users and roles", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_To("1.0"), RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with setup(node): with When("I grant privilege to several users"): node.query("GRANT NONE TO user0, user1, role1") - with Scenario("I grant privilege to current user", flags=TE, requirements=[ + with Scenario("I grant privilege to current user", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_ToCurrentUser("1.0"), RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with setup(node): with When("I grant privilege to current user"): node.query("GRANT NONE TO CURRENT_USER", settings = [("user","user0")]) - with Scenario("I grant privilege NONE to default user, throws exception", flags=TE, requirements=[ + with Scenario("I grant privilege NONE to default user, throws exception", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_ToCurrentUser("1.0"), RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with setup(node): @@ -126,7 +126,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.cannot_update_default() node.query("GRANT NONE TO CURRENT_USER", exitcode=exitcode, message=message) - with Scenario("I grant privilege with grant option", flags=TE, requirements=[ + with Scenario("I grant privilege with grant option", requirements=[ RQ_SRS_006_RBAC_Grant_Privilege_GrantOption("1.0"), RQ_SRS_006_RBAC_Grant_Privilege_None("1.0")]): with setup(node): diff --git a/tests/testflows/rbac/tests/syntax/grant_role.py b/tests/testflows/rbac/tests/syntax/grant_role.py index 26c9fb619e9..af69e5f3751 100755 --- a/tests/testflows/rbac/tests/syntax/grant_role.py +++ b/tests/testflows/rbac/tests/syntax/grant_role.py @@ -33,7 +33,7 @@ def feature(self, node="clickhouse1"): for j in range(roles): node.query(f"DROP ROLE IF EXISTS role{j}") - with Scenario("I grant a role to a user",flags=TE, requirements=[ + with Scenario("I grant a role to a user", requirements=[ RQ_SRS_006_RBAC_Grant_Role("1.0")]): with setup(1,1): with When("I grant a role"): @@ -61,19 +61,19 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk(name="role0") node.query("GRANT role0 TO user0", exitcode=exitcode, message=message) - with Scenario("I grant a role to multiple users", flags=TE, requirements=[ + with Scenario("I grant a role to multiple users", requirements=[ RQ_SRS_006_RBAC_Grant_Role("1.0")]): with setup(2,1): with When("I grant role to a multiple users"): node.query("GRANT role0 TO user0, user1") - with Scenario("I grant multiple roles to multiple users", flags=TE, requirements=[ + with Scenario("I grant multiple roles to multiple users", requirements=[ RQ_SRS_006_RBAC_Grant_Role("1.0")]): with setup(2,2): with When("I grant multiple roles to multiple users"): node.query("GRANT role0, role1 TO user0, user1") - with Scenario("I grant role to current user", flags=TE, requirements=[ + with Scenario("I grant role to current user", requirements=[ RQ_SRS_006_RBAC_Grant_Role_CurrentUser("1.0")]): with setup(1,1): with Given("I have a user with access management privilege"): @@ -81,20 +81,20 @@ def feature(self, node="clickhouse1"): with When("I grant role to current user"): node.query("GRANT role0 TO CURRENT_USER", settings = [("user","user0")]) - with Scenario("I grant role to default user, throws exception", flags=TE, requirements=[ + with Scenario("I grant role to default user, throws exception", requirements=[ RQ_SRS_006_RBAC_Grant_Role_CurrentUser("1.0")]): with setup(1,1): with When("I grant role to default user"): exitcode, message = errors.cannot_update_default() node.query("GRANT role0 TO CURRENT_USER", exitcode=exitcode, message=message) - with Scenario("I grant role to user with admin option", flags=TE, requirements=[ + with Scenario("I grant role to user with admin option", requirements=[ RQ_SRS_006_RBAC_Grant_Role_AdminOption("1.0")]): with setup(1,1): with When("I grant role to a user with admin option"): node.query("GRANT role0 TO user0 WITH ADMIN OPTION") - with Scenario("I grant role to user on cluster", flags=TE, requirements=[ + with Scenario("I grant role to user on cluster", requirements=[ RQ_SRS_006_RBAC_Grant_Role_OnCluster("1.0")]): try: with Given("I have a user and a role on a cluster"): @@ -107,7 +107,7 @@ def feature(self, node="clickhouse1"): node.query("DROP USER IF EXISTS user0 ON CLUSTER sharded_cluster") node.query("DROP ROLE IF EXISTS role0 ON CLUSTER sharded_cluster") - with Scenario("I grant role to user on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I grant role to user on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Grant_Role_OnCluster("1.0")]): with setup(1,1): with When("I grant the role to the user"): diff --git a/tests/testflows/rbac/tests/syntax/revoke_privilege.py b/tests/testflows/rbac/tests/syntax/revoke_privilege.py index a0fb714c823..5cd3f22e1b0 100755 --- a/tests/testflows/rbac/tests/syntax/revoke_privilege.py +++ b/tests/testflows/rbac/tests/syntax/revoke_privilege.py @@ -78,14 +78,14 @@ def feature(self, node="clickhouse1"): Scenario(run=revoke_privileges) - with Scenario("I revoke privilege ON CLUSTER", flags=TE, requirements=[ + with Scenario("I revoke privilege ON CLUSTER", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_Cluster("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): with When("I revoke privilege ON CLUSTER"): node.query("REVOKE ON CLUSTER sharded_cluster NONE FROM user0") - with Scenario("I revoke privilege ON fake CLUSTER, throws exception", flags=TE, requirements=[ + with Scenario("I revoke privilege ON fake CLUSTER, throws exception", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_Cluster("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): @@ -94,21 +94,21 @@ def feature(self, node="clickhouse1"): node.query("REVOKE ON CLUSTER fake_cluster NONE FROM user0", exitcode=exitcode, message=message) - with Scenario("I revoke privilege from multiple users and roles", flags=TE, requirements=[ + with Scenario("I revoke privilege from multiple users and roles", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): with When("I revoke privilege from multiple users"): node.query("REVOKE NONE FROM user0, user1, role1") - with Scenario("I revoke privilege from current user", flags=TE, requirements=[ + with Scenario("I revoke privilege from current user", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): with When("I revoke privilege from current user"): node.query("REVOKE NONE FROM CURRENT_USER", settings = [("user","user0")]) - with Scenario("I revoke privilege from all users", flags=TE, requirements=[ + with Scenario("I revoke privilege from all users", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): @@ -116,7 +116,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.cannot_update_default() node.query("REVOKE NONE FROM ALL", exitcode=exitcode,message=message) - with Scenario("I revoke privilege from default user", flags=TE, requirements=[ + with Scenario("I revoke privilege from default user", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): @@ -125,7 +125,7 @@ def feature(self, node="clickhouse1"): node.query("REVOKE NONE FROM default", exitcode=exitcode,message=message) #By default, ClickHouse treats unnamed object as role - with Scenario("I revoke privilege from nonexistent role, throws exception", flags=TE, requirements=[ + with Scenario("I revoke privilege from nonexistent role, throws exception", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): role = "role5" @@ -135,7 +135,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk(role) node.query(f"REVOKE NONE FROM {role}", exitcode=exitcode,message=message) - with Scenario("I revoke privilege from ALL EXCEPT nonexistent role, throws exception", flags=TE, requirements=[ + with Scenario("I revoke privilege from ALL EXCEPT nonexistent role, throws exception", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): role = "role5" @@ -145,14 +145,14 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk(role) node.query(f"REVOKE NONE FROM ALL EXCEPT {role}", exitcode=exitcode,message=message) - with Scenario("I revoke privilege from all except some users and roles", flags=TE, requirements=[ + with Scenario("I revoke privilege from all except some users and roles", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): with When("I revoke privilege all except some users"): node.query("REVOKE NONE FROM ALL EXCEPT default, user0, role1") - with Scenario("I revoke privilege from all except current user", flags=TE, requirements=[ + with Scenario("I revoke privilege from all except current user", requirements=[ RQ_SRS_006_RBAC_Revoke_Privilege_From("1.0"), RQ_SRS_006_RBAC_Revoke_Privilege_None("1.0")]): with setup(node): diff --git a/tests/testflows/rbac/tests/syntax/revoke_role.py b/tests/testflows/rbac/tests/syntax/revoke_role.py index 9d87257b054..4acdf127cec 100755 --- a/tests/testflows/rbac/tests/syntax/revoke_role.py +++ b/tests/testflows/rbac/tests/syntax/revoke_role.py @@ -37,7 +37,7 @@ def feature(self, node="clickhouse1"): for i in range(roles): node.query(f"DROP ROLE IF EXISTS role{i}") - with Scenario("I revoke a role from a user",flags=TE, requirements=[ + with Scenario("I revoke a role from a user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0")]): with setup(): with When("I revoke a role"): @@ -73,19 +73,19 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk(name="role0") node.query("REVOKE role0 FROM user0", exitcode=exitcode, message=message) - with Scenario("I revoke a role from multiple users", flags=TE, requirements=[ + with Scenario("I revoke a role from multiple users", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0")]): with setup(): with When("I revoke a role from multiple users"): node.query("REVOKE role0 FROM user0, user1") - with Scenario("I revoke multiple roles from multiple users", flags=TE, requirements=[ + with Scenario("I revoke multiple roles from multiple users", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0")]): with setup(): node.query("REVOKE role0, role1 FROM user0, user1") #user is default, expect exception - with Scenario("I revoke a role from default user", flags=TE, requirements=[ + with Scenario("I revoke a role from default user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): @@ -94,7 +94,7 @@ def feature(self, node="clickhouse1"): node.query("REVOKE role0 FROM CURRENT_USER", exitcode=exitcode, message=message) #user is user0 - with Scenario("I revoke a role from current user", flags=TE, requirements=[ + with Scenario("I revoke a role from current user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): @@ -102,7 +102,7 @@ def feature(self, node="clickhouse1"): node.query("REVOKE role0 FROM CURRENT_USER", settings = [("user","user0")]) #user is default, expect exception - with Scenario("I revoke a role from all", flags=TE, requirements=[ + with Scenario("I revoke a role from all", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): @@ -111,7 +111,7 @@ def feature(self, node="clickhouse1"): node.query("REVOKE role0 FROM ALL", exitcode=exitcode, message=message) #user is default, expect exception - with Scenario("I revoke multiple roles from all", flags=TE, requirements=[ + with Scenario("I revoke multiple roles from all", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): @@ -119,14 +119,14 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.cannot_update_default() node.query("REVOKE role0, role1 FROM ALL", exitcode=exitcode, message=message) - with Scenario("I revoke a role from all but current user", flags=TE, requirements=[ + with Scenario("I revoke a role from all but current user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): with When("I revoke a role from all except current"): node.query("REVOKE role0 FROM ALL EXCEPT CURRENT_USER") - with Scenario("I revoke a role from all but default user", flags=TE, requirements=[ + with Scenario("I revoke a role from all but default user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): @@ -134,26 +134,26 @@ def feature(self, node="clickhouse1"): node.query("REVOKE role0 FROM ALL EXCEPT default", settings = [("user","user0")]) - with Scenario("I revoke multiple roles from all but default user", flags=TE, requirements=[ + with Scenario("I revoke multiple roles from all but default user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Keywords("1.0")]): with setup(): with When("I revoke multiple roles from all except default"): node.query("REVOKE role0, role1 FROM ALL EXCEPT default", settings = [("user","user0")]) - with Scenario("I revoke a role from a role", flags=TE, requirements=[ + with Scenario("I revoke a role from a role", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0")]): with setup(): with When("I revoke a role from a role"): node.query("REVOKE role0 FROM role1") - with Scenario("I revoke a role from a role and a user", flags=TE, requirements=[ + with Scenario("I revoke a role from a role and a user", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0")]): with setup(): with When("I revoke a role from multiple roles"): node.query("REVOKE role0 FROM role1, user0") - with Scenario("I revoke a role from a user on cluster", flags=TE, requirements=[ + with Scenario("I revoke a role from a user on cluster", requirements=[ RQ_SRS_006_RBAC_Revoke_Role_Cluster("1.0")]): with Given("I have a role and a user on a cluster"): node.query("CREATE USER OR REPLACE user0 ON CLUSTER sharded_cluster") @@ -164,13 +164,13 @@ def feature(self, node="clickhouse1"): node.query("DROP USER IF EXISTS user0 ON CLUSTER sharded_cluster") node.query("DROP ROLE IF EXISTS role0 ON CLUSTER sharded_cluster") - with Scenario("I revoke a role on fake cluster, throws exception", flags=TE, requirements=[ + with Scenario("I revoke a role on fake cluster, throws exception", requirements=[ RQ_SRS_006_RBAC_Revoke_Role_Cluster("1.0")]): with When("I revoke a role from user on a cluster"): exitcode, message = errors.cluster_not_found("fake_cluster") node.query("REVOKE ON CLUSTER fake_cluster role0 FROM user0", exitcode=exitcode, message=message) - with Scenario("I revoke multiple roles from multiple users on cluster", flags=TE, requirements=[ + with Scenario("I revoke multiple roles from multiple users on cluster", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_Role_Cluster("1.0")]): with Given("I have multiple roles and multiple users on a cluster"): @@ -184,13 +184,13 @@ def feature(self, node="clickhouse1"): node.query(f"DROP USER IF EXISTS user{i} ON CLUSTER sharded_cluster") node.query(f"DROP ROLE IF EXISTS role{i} ON CLUSTER sharded_cluster") - with Scenario("I revoke admin option for role from a user", flags=TE, requirements=[ + with Scenario("I revoke admin option for role from a user", requirements=[ RQ_SRS_006_RBAC_Revoke_AdminOption("1.0")]): with setup(): with When("I revoke admin option for role from a user"): node.query("REVOKE ADMIN OPTION FOR role0 FROM user0") - with Scenario("I revoke admin option for multiple roles from multiple users", flags=TE, requirements=[ + with Scenario("I revoke admin option for multiple roles from multiple users", requirements=[ RQ_SRS_006_RBAC_Revoke_Role("1.0"), RQ_SRS_006_RBAC_Revoke_AdminOption("1.0")]): with setup(): diff --git a/tests/testflows/rbac/tests/syntax/set_default_role.py b/tests/testflows/rbac/tests/syntax/set_default_role.py index a7801e04b23..ed50810eba7 100755 --- a/tests/testflows/rbac/tests/syntax/set_default_role.py +++ b/tests/testflows/rbac/tests/syntax/set_default_role.py @@ -71,43 +71,43 @@ def feature(self, node="clickhouse1"): node.query(f"CREATE USER user{i}") node.query(f"GRANT role0, role1 TO user0, user1") - with Scenario("I set default role for a user to none", flags = TE, requirements=[ + with Scenario("I set default role for a user to none", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole_None("1.0")]): with When("I set no roles default for user"): node.query("SET DEFAULT ROLE NONE TO user0") - with Scenario("I set one default role for a user", flags = TE, requirements=[ + with Scenario("I set one default role for a user", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole("1.0")]): with When("I set a default role for user "): node.query("SET DEFAULT ROLE role0 TO user0") - with Scenario("I set one default role for user default, throws exception", flags = TE, requirements=[ + with Scenario("I set one default role for user default, throws exception", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole("1.0")]): with When("I set a default role for default"): exitcode, message = errors.cannot_update_default() node.query("SET DEFAULT ROLE role0 TO default", exitcode=exitcode, message=message) - with Scenario("I set multiple default roles for a user", flags = TE, requirements=[ + with Scenario("I set multiple default roles for a user", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole("1.0")]): with When("I set multiple default roles to user"): node.query("SET DEFAULT ROLE role0, role1 TO user0") - with Scenario("I set multiple default roles for multiple users", flags = TE, requirements=[ + with Scenario("I set multiple default roles for multiple users", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole("1.0")]): with When("I set multiple default roles to multiple users"): node.query("SET DEFAULT ROLE role0, role1 TO user0, user1") - with Scenario("I set all roles as default for a user", flags = TE, requirements=[ + with Scenario("I set all roles as default for a user", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole_All("1.0")]): with When("I set all roles default to user"): node.query("SET DEFAULT ROLE ALL TO user0") - with Scenario("I set all roles except one for a user", flags = TE, requirements=[ + with Scenario("I set all roles except one for a user", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole_AllExcept("1.0")]): with When("I set all except one role default to user"): node.query("SET DEFAULT ROLE ALL EXCEPT role0 TO user0") - with Scenario("I set default role for current user", flags = TE, requirements=[ + with Scenario("I set default role for current user", requirements=[ RQ_SRS_006_RBAC_SetDefaultRole_CurrentUser("1.0")]): with When("I set default role to current user"): node.query("GRANT ACCESS MANAGEMENT ON *.* TO user0") diff --git a/tests/testflows/rbac/tests/syntax/set_role.py b/tests/testflows/rbac/tests/syntax/set_role.py index 97a121797ac..3d3d4d00fac 100755 --- a/tests/testflows/rbac/tests/syntax/set_role.py +++ b/tests/testflows/rbac/tests/syntax/set_role.py @@ -29,17 +29,17 @@ def feature(self, node="clickhouse1"): for i in range(roles): node.query(f"DROP ROLE IF EXISTS role{i}") - with Scenario("I set default role for current user", flags = TE, requirements=[ + with Scenario("I set default role for current user", requirements=[ RQ_SRS_006_RBAC_SetRole_Default("1.0")]): with When("I set default role for current user"): node.query("SET ROLE DEFAULT") - with Scenario("I set no role for current user", flags = TE, requirements=[ + with Scenario("I set no role for current user", requirements=[ RQ_SRS_006_RBAC_SetRole_None("1.0")]): with When("I set no role for current user"): node.query("SET ROLE NONE") - with Scenario("I set nonexistent role, throws exception", flags = TE, requirements=[ + with Scenario("I set nonexistent role, throws exception", requirements=[ RQ_SRS_006_RBAC_SetRole_None("1.0")]): with Given("I ensure that role role5 does not exist"): node.query("DROP ROLE IF EXISTS role5") @@ -47,7 +47,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk("role5") node.query("SET ROLE role5", exitcode=exitcode, message=message) - with Scenario("I set nonexistent role, throws exception", flags = TE, requirements=[ + with Scenario("I set nonexistent role, throws exception", requirements=[ RQ_SRS_006_RBAC_SetRole_None("1.0")]): with Given("I ensure that role role5 does not exist"): node.query("DROP ROLE IF EXISTS role5") @@ -55,7 +55,7 @@ def feature(self, node="clickhouse1"): exitcode, message = errors.role_not_found_in_disk("role5") node.query("SET ROLE ALL EXCEPT role5", exitcode=exitcode, message=message) - with Scenario("I set one role for current user", flags = TE, requirements=[ + with Scenario("I set one role for current user", requirements=[ RQ_SRS_006_RBAC_SetRole("1.0")]): with setup(1): with Given("I have a user"): @@ -67,7 +67,7 @@ def feature(self, node="clickhouse1"): with Finally("I drop the user"): node.query("DROP USER user0") - with Scenario("I set multiple roles for current user", flags = TE, requirements=[ + with Scenario("I set multiple roles for current user", requirements=[ RQ_SRS_006_RBAC_SetRole("1.0")]): with setup(2): with Given("I have a user"): @@ -79,12 +79,12 @@ def feature(self, node="clickhouse1"): with Finally("I drop the user"): node.query("DROP USER user0") - with Scenario("I set all roles for current user", flags = TE, requirements=[ + with Scenario("I set all roles for current user", requirements=[ RQ_SRS_006_RBAC_SetRole_All("1.0")]): with When("I set all roles for current user"): node.query("SET ROLE ALL") - with Scenario("I set all roles except one for current user", flags = TE, requirements=[ + with Scenario("I set all roles except one for current user", requirements=[ RQ_SRS_006_RBAC_SetRole_AllExcept("1.0")]): with setup(1): with When("I run set role command"): diff --git a/tests/testflows/rbac/tests/syntax/show_create_quota.py b/tests/testflows/rbac/tests/syntax/show_create_quota.py index 0954a24d2db..f29b3f5bcc6 100755 --- a/tests/testflows/rbac/tests/syntax/show_create_quota.py +++ b/tests/testflows/rbac/tests/syntax/show_create_quota.py @@ -25,19 +25,19 @@ def feature(self, node="clickhouse1"): with Finally("I drop the quota"): node.query(f"DROP QUOTA IF EXISTS {quota}") - with Scenario("I show create quota", flags=TE, requirements=[ + with Scenario("I show create quota", requirements=[ RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Name("1.0")]): with cleanup("quota0"): with When("I run show create quota command"): node.query("SHOW CREATE QUOTA quota0") - with Scenario("I show create quota current", flags=TE, requirements=[ + with Scenario("I show create quota current", requirements=[ RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Current("1.0")]): with cleanup("quota1"): with When("I run show create quota command"): node.query("SHOW CREATE QUOTA CURRENT") - with Scenario("I show create quota current short form", flags=TE, requirements=[ + with Scenario("I show create quota current short form", requirements=[ RQ_SRS_006_RBAC_Quota_ShowCreateQuota_Current("1.0")]): with cleanup("quota2"): with When("I run show create quota command"): diff --git a/tests/testflows/rbac/tests/syntax/show_create_role.py b/tests/testflows/rbac/tests/syntax/show_create_role.py index 11ce7371ba2..0b2adba96e2 100755 --- a/tests/testflows/rbac/tests/syntax/show_create_role.py +++ b/tests/testflows/rbac/tests/syntax/show_create_role.py @@ -26,13 +26,13 @@ def feature(self, node="clickhouse1"): with Finally("I drop the role"): node.query(f"DROP ROLE IF EXISTS {role}") - with Scenario("I show create role", flags=TE, requirements=[ + with Scenario("I show create role", requirements=[ RQ_SRS_006_RBAC_Role_ShowCreate("1.0")]): with setup("role0"): with When("I run show create role command"): node.query("SHOW CREATE ROLE role0") - with Scenario("I show create role, role doesn't exist, exception", flags=TE, requirements=[ + with Scenario("I show create role, role doesn't exist, exception", requirements=[ RQ_SRS_006_RBAC_Role_ShowCreate("1.0")]): with When("I run show create role to catch an exception"): exitcode, message = errors.role_not_found_in_disk(name="role0") diff --git a/tests/testflows/rbac/tests/syntax/show_create_row_policy.py b/tests/testflows/rbac/tests/syntax/show_create_row_policy.py index 5d8b104540c..cf43c0f2b41 100755 --- a/tests/testflows/rbac/tests/syntax/show_create_row_policy.py +++ b/tests/testflows/rbac/tests/syntax/show_create_row_policy.py @@ -29,19 +29,19 @@ def feature(self, node="clickhouse1"): with Given("I have a table"): node.query(f"CREATE TABLE default.foo (x UInt64, y String) Engine=Memory") - with Scenario("I show create row policy", flags=TE, requirements=[ + with Scenario("I show create row policy", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy("1.0")]): with cleanup("policy0"): with When("I run show create row policy command"): node.query("SHOW CREATE ROW POLICY policy0 ON default.foo") - with Scenario("I show create row policy on a table", flags=TE, requirements=[ + with Scenario("I show create row policy on a table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_On("1.0")]): with cleanup("policy0"): with When("I run show create row policy command"): node.query("SHOW CREATE ROW POLICY policy0 ON default.foo") - with Scenario("I show create row policy using short syntax on a table", flags=TE, requirements=[ + with Scenario("I show create row policy using short syntax on a table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowCreateRowPolicy_On("1.0")]): with cleanup("policy1",on="foo"): with When("I run show create row policy command"): diff --git a/tests/testflows/rbac/tests/syntax/show_create_settings_profile.py b/tests/testflows/rbac/tests/syntax/show_create_settings_profile.py index 6f715463539..4af4e37951a 100755 --- a/tests/testflows/rbac/tests/syntax/show_create_settings_profile.py +++ b/tests/testflows/rbac/tests/syntax/show_create_settings_profile.py @@ -25,13 +25,13 @@ def feature(self, node="clickhouse1"): with Finally("I drop the settings profile"): node.query(f"DROP SETTINGS PROFILE IF EXISTS {profile}") - with Scenario("I show create settings profile", flags=TE, requirements=[ + with Scenario("I show create settings profile", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_ShowCreateSettingsProfile("1.0")]): with cleanup("profile0"): with When("I run show create settings profile command"): node.query("SHOW CREATE SETTINGS PROFILE profile0") - with Scenario("I show create settings profile short form", flags=TE, requirements=[ + with Scenario("I show create settings profile short form", requirements=[ RQ_SRS_006_RBAC_SettingsProfile_ShowCreateSettingsProfile("1.0")]): with cleanup("profile1"): with When("I run show create settings profile command"): diff --git a/tests/testflows/rbac/tests/syntax/show_create_user.py b/tests/testflows/rbac/tests/syntax/show_create_user.py index 804b7e06959..963e0d5d193 100755 --- a/tests/testflows/rbac/tests/syntax/show_create_user.py +++ b/tests/testflows/rbac/tests/syntax/show_create_user.py @@ -25,13 +25,13 @@ def feature(self, node="clickhouse1"): with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {user}") - with Scenario("I run show create on user with no options", flags=TE, requirements=[ + with Scenario("I run show create on user with no options", requirements=[ RQ_SRS_006_RBAC_User_ShowCreateUser_For("1.0")]): with setup("user0"): with When("I run show create user command"): node.query("SHOW CREATE USER user0") - with Scenario("I run show create on current user", flags=TE, requirements=[ + with Scenario("I run show create on current user", requirements=[ RQ_SRS_006_RBAC_User_ShowCreateUser("1.0")]): with When("I show create the current user"): node.query("SHOW CREATE USER CURRENT_USER") \ No newline at end of file diff --git a/tests/testflows/rbac/tests/syntax/show_grants.py b/tests/testflows/rbac/tests/syntax/show_grants.py index f6c797a6d76..18165ba98a5 100755 --- a/tests/testflows/rbac/tests/syntax/show_grants.py +++ b/tests/testflows/rbac/tests/syntax/show_grants.py @@ -25,13 +25,13 @@ def feature(self, node="clickhouse1"): with Finally("I drop the user"): node.query(f"DROP USER IF EXISTS {user}") - with Scenario("I show grants for user", flags=TE, requirements=[ + with Scenario("I show grants for user", requirements=[ RQ_SRS_006_RBAC_Show_Grants_For("1.0")]): with setup("user0"): with When("I run show grants command"): node.query("SHOW GRANTS FOR user0") - with Scenario("I show grants for current user", flags=TE, requirements=[ + with Scenario("I show grants for current user", requirements=[ RQ_SRS_006_RBAC_Show_Grants("1.0")]): with When("I show grants"): node.query("SHOW GRANTS") \ No newline at end of file diff --git a/tests/testflows/rbac/tests/syntax/show_quotas.py b/tests/testflows/rbac/tests/syntax/show_quotas.py index 4003207354d..5fbae718a29 100755 --- a/tests/testflows/rbac/tests/syntax/show_quotas.py +++ b/tests/testflows/rbac/tests/syntax/show_quotas.py @@ -25,25 +25,25 @@ def feature(self, node="clickhouse1"): with Finally("I drop the quota"): node.query(f"DROP QUOTA IF EXISTS {quota}") - with Scenario("I show quotas", flags=TE, requirements=[ + with Scenario("I show quotas", requirements=[ RQ_SRS_006_RBAC_Quota_ShowQuotas("1.0")]): with cleanup("quota0"), cleanup("quota1"): with When("I run show quota command"): node.query("SHOW QUOTAS") - with Scenario("I show quotas into outfile", flags=TE, requirements=[ + with Scenario("I show quotas into outfile", requirements=[ RQ_SRS_006_RBAC_Quota_ShowQuotas_IntoOutfile("1.0")]): with cleanup("quota0"), cleanup("quota1"): with When("I run show quota command"): node.query("SHOW QUOTAS INTO OUTFILE 'quotas.txt'") - with Scenario("I show quotas with format", flags=TE, requirements=[ + with Scenario("I show quotas with format", requirements=[ RQ_SRS_006_RBAC_Quota_ShowQuotas_Format("1.0")]): with cleanup("quota0"), cleanup("quota1"): with When("I run show quota command"): node.query("SHOW QUOTAS FORMAT TabSeparated") - with Scenario("I show quotas with settings", flags=TE, requirements=[ + with Scenario("I show quotas with settings", requirements=[ RQ_SRS_006_RBAC_Quota_ShowQuotas("1.0")]): with cleanup("quota0"), cleanup("quota1"): with When("I run show quota command"): diff --git a/tests/testflows/rbac/tests/syntax/show_row_policies.py b/tests/testflows/rbac/tests/syntax/show_row_policies.py index 2bc1471fbe1..0dc7f7f1d1a 100755 --- a/tests/testflows/rbac/tests/syntax/show_row_policies.py +++ b/tests/testflows/rbac/tests/syntax/show_row_policies.py @@ -29,25 +29,25 @@ def feature(self, node="clickhouse1"): with Given("I have a table"): node.query(f"CREATE TABLE default.foo (x UInt64, y String) Engine=Memory") - with Scenario("I show row policies", flags=TE, requirements=[ + with Scenario("I show row policies", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies("1.0")]): with cleanup("policy0"): with When("I run drop row policy command"): node.query("SHOW ROW POLICIES") - with Scenario("I show row policies using short syntax", flags=TE, requirements=[ + with Scenario("I show row policies using short syntax", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies("1.0")]): with cleanup("policy1"): with When("I run drop row policy command"): node.query("SHOW POLICIES") - with Scenario("I show row policies on a database table", flags=TE, requirements=[ + with Scenario("I show row policies on a database table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_On("1.0")]): with cleanup("policy0"): with When("I run drop row policy command"): node.query("SHOW ROW POLICIES ON default.foo") - with Scenario("I show row policies on a table", flags=TE, requirements=[ + with Scenario("I show row policies on a table", requirements=[ RQ_SRS_006_RBAC_RowPolicy_ShowRowPolicies_On("1.0")]): with cleanup("policy0"): with When("I run drop row policy command"): diff --git a/tests/testflows/rbac/tests/views/live_view.py b/tests/testflows/rbac/tests/views/live_view.py index a510877a95b..f0bc381bd84 100755 --- a/tests/testflows/rbac/tests/views/live_view.py +++ b/tests/testflows/rbac/tests/views/live_view.py @@ -1133,9 +1133,13 @@ def feature(self, stress=None, parallel=None, node="clickhouse1"): tasks = [] pool = Pool(3) + with allow_experimental_live_view(self.context.node): try: - for suite in loads(current_module(), Suite): - run_scenario(pool, tasks, suite) + try: + for suite in loads(current_module(), Suite): + run_scenario(pool, tasks, suite) + finally: + join(tasks) finally: - join(tasks) + pool.close() diff --git a/tests/testflows/rbac/tests/views/materialized_view.py b/tests/testflows/rbac/tests/views/materialized_view.py index fc3b393c114..b2b1d19e256 100755 --- a/tests/testflows/rbac/tests/views/materialized_view.py +++ b/tests/testflows/rbac/tests/views/materialized_view.py @@ -612,13 +612,17 @@ def create_with_populate_privilege_granted_directly_or_via_role(self, node=None) if node is None: node = self.context.node + with user(node, f"{user_name}"): + Scenario(test=create_with_populate, name="create with populate privilege granted directly")(grant_target_name=user_name, user_name=user_name) with user(node, f"{user_name}"), role(node, f"{role_name}"): + with When("I grant the role to the user"): node.query(f"GRANT {role_name} TO {user_name}") + Scenario(test=create_with_populate, name="create with populate privilege granted through a role")(grant_target_name=role_name, user_name=user_name) @@ -632,17 +636,22 @@ def create_with_populate(self, user_name, grant_target_name, node=None): if node is None: node = self.context.node + try: + with When("I grant CREATE VIEW privilege"): node.query(f"GRANT CREATE VIEW ON {view_name} TO {grant_target_name}") + with Then("I attempt to create a view as the user"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory POPULATE AS SELECT 1", settings = [("user", f"{user_name}")], exitcode=exitcode, message=message) with When("I grant INSERT privilege on the view"): node.query(f"GRANT INSERT ON {view_name} TO {grant_target_name}") + with Given("I don't have a view"): node.query(f"DROP VIEW IF EXISTS {view_name}") + with Then("I attempt to create a view as the user"): node.query(f"CREATE MATERIALIZED VIEW {view_name} ENGINE = Memory POPULATE AS SELECT 1", settings = [("user", f"{user_name}")]) @@ -2262,7 +2271,10 @@ def feature(self, stress=None, parallel=None, node="clickhouse1"): pool = Pool(3) try: - for suite in loads(current_module(), Suite): - run_scenario(pool, tasks, suite) + try: + for suite in loads(current_module(), Suite): + run_scenario(pool, tasks, suite) + finally: + join(tasks) finally: - join(tasks) + pool.close()