Merge pull request #26759 from vitlibar/changing-default-roles-affects-new-sessions

Changing default roles affects new sessions only.
This commit is contained in:
Vitaly Baranov 2021-07-24 23:15:14 +03:00 committed by GitHub
commit 7b4e5f8e21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 15 deletions

View File

@ -799,8 +799,9 @@ void Context::setUser(const Credentials & credentials, const Poco::Net::SocketAd
user_id = new_user_id;
access = std::move(new_access);
current_roles.clear();
use_default_roles = true;
auto user = access->getUser();
current_roles = std::make_shared<std::vector<UUID>>(user->granted_roles.findGranted(user->default_roles));
auto default_profile_info = access->getDefaultProfileInfo();
settings_constraints_and_current_profiles = default_profile_info->getConstraintsAndProfileIDs();
@ -843,21 +844,16 @@ std::optional<UUID> Context::getUserID() const
void Context::setCurrentRoles(const std::vector<UUID> & current_roles_)
{
auto lock = getLock();
if (current_roles == current_roles_ && !use_default_roles)
if (current_roles ? (*current_roles == current_roles_) : current_roles_.empty())
return;
current_roles = current_roles_;
use_default_roles = false;
current_roles = std::make_shared<std::vector<UUID>>(current_roles_);
calculateAccessRights();
}
void Context::setCurrentRolesDefault()
{
auto lock = getLock();
if (use_default_roles)
return;
current_roles.clear();
use_default_roles = true;
calculateAccessRights();
auto user = getUser();
setCurrentRoles(user->granted_roles.findGranted(user->default_roles));
}
boost::container::flat_set<UUID> Context::getCurrentRoles() const
@ -880,7 +876,13 @@ void Context::calculateAccessRights()
{
auto lock = getLock();
if (user_id)
access = getAccessControlManager().getContextAccess(*user_id, current_roles, use_default_roles, settings, current_database, client_info);
access = getAccessControlManager().getContextAccess(
*user_id,
current_roles ? *current_roles : std::vector<UUID>{},
/* use_default_roles = */ false,
settings,
current_database,
client_info);
}

View File

@ -175,8 +175,7 @@ private:
InputBlocksReader input_blocks_reader;
std::optional<UUID> user_id;
std::vector<UUID> current_roles;
bool use_default_roles = false;
std::shared_ptr<std::vector<UUID>> current_roles;
std::shared_ptr<const SettingsConstraintsAndProfileIDs> settings_constraints_and_current_profiles;
std::shared_ptr<const ContextAccess> access;
std::shared_ptr<const EnabledRowPolicies> initial_row_policy;

View File

@ -166,6 +166,20 @@ def test_set_role():
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
def test_changing_default_roles_affects_new_sessions_only():
instance.query("CREATE USER A")
instance.query("CREATE ROLE R1, R2")
instance.query("GRANT R1, R2 TO A")
session_id = new_session_id()
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
instance.query('SET DEFAULT ROLE R2 TO A')
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 0], ["R2", 0, 1]])
other_session_id = new_session_id()
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':other_session_id}) == TSV([["R2", 0, 1]])
def test_introspection():
instance.query("CREATE USER A")
instance.query("CREATE USER B")