thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-28 18:42:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #26759 from vitlibar/changing-default-roles-affects-new-sessions

Browse Source 
Changing default roles affects new sessions only.
This commit is contained in:
Vitaly Baranov 2021-07-24 23:15:14 +03:00 committed by GitHub
commit 7b4e5f8e21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/Interpreters/Context.cpp
View File

@ -799,8 +799,9 @@ void Context::setUser(const Credentials & credentials, const Poco::Net::SocketAd
user_id = new_user_id; user_id = new_user_id;
access = std::move(new_access); access = std::move(new_access);
current_roles.clear();
use_default_roles = true; auto user = access->getUser();
current_roles = std::make_shared<std::vector<UUID>>(user->granted_roles.findGranted(user->default_roles));
auto default_profile_info = access->getDefaultProfileInfo(); auto default_profile_info = access->getDefaultProfileInfo();
settings_constraints_and_current_profiles = default_profile_info->getConstraintsAndProfileIDs(); settings_constraints_and_current_profiles = default_profile_info->getConstraintsAndProfileIDs();
@ -843,21 +844,16 @@ std::optional<UUID> Context::getUserID() const
void Context::setCurrentRoles(const std::vector<UUID> & current_roles_) void Context::setCurrentRoles(const std::vector<UUID> & current_roles_)
{ {
auto lock = getLock(); auto lock = getLock();
if (current_roles == current_roles_ && !use_default_roles) if (current_roles ? (*current_roles == current_roles_) : current_roles_.empty())
return; return;
current_roles = current_roles_; current_roles = std::make_shared<std::vector<UUID>>(current_roles_);
use_default_roles = false;
calculateAccessRights(); calculateAccessRights();
} }
void Context::setCurrentRolesDefault() void Context::setCurrentRolesDefault()
{ {
auto lock = getLock(); auto user = getUser();
if (use_default_roles) setCurrentRoles(user->granted_roles.findGranted(user->default_roles));
return;
current_roles.clear();
use_default_roles = true;
calculateAccessRights();
} }
boost::container::flat_set<UUID> Context::getCurrentRoles() const boost::container::flat_set<UUID> Context::getCurrentRoles() const
@ -880,7 +876,13 @@ void Context::calculateAccessRights()
{ {
auto lock = getLock(); auto lock = getLock();
if (user_id) if (user_id)
access = getAccessControlManager().getContextAccess(*user_id, current_roles, use_default_roles, settings, current_database, client_info); access = getAccessControlManager().getContextAccess(
*user_id,
current_roles ? *current_roles : std::vector<UUID>{},
/* use_default_roles = */ false,
settings,
current_database,
client_info);
} }

3
src/Interpreters/Context.h
View File

@ -175,8 +175,7 @@ private:
InputBlocksReader input_blocks_reader; InputBlocksReader input_blocks_reader;
std::optional<UUID> user_id; std::optional<UUID> user_id;
std::vector<UUID> current_roles; std::shared_ptr<std::vector<UUID>> current_roles;
bool use_default_roles = false;
std::shared_ptr<const SettingsConstraintsAndProfileIDs> settings_constraints_and_current_profiles; std::shared_ptr<const SettingsConstraintsAndProfileIDs> settings_constraints_and_current_profiles;
std::shared_ptr<const ContextAccess> access; std::shared_ptr<const ContextAccess> access;
std::shared_ptr<const EnabledRowPolicies> initial_row_policy; std::shared_ptr<const EnabledRowPolicies> initial_row_policy;

14
tests/integration/test_role/test.py
View File

@ -166,6 +166,20 @@ def test_set_role():
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]]) assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
def test_changing_default_roles_affects_new_sessions_only():
instance.query("CREATE USER A")
instance.query("CREATE ROLE R1, R2")
instance.query("GRANT R1, R2 TO A")
session_id = new_session_id()
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
instance.query('SET DEFAULT ROLE R2 TO A')
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 0], ["R2", 0, 1]])
other_session_id = new_session_id()
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':other_session_id}) == TSV([["R2", 0, 1]])
def test_introspection(): def test_introspection():
instance.query("CREATE USER A") instance.query("CREATE USER A")
instance.query("CREATE USER B") instance.query("CREATE USER B")