mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-28 18:42:26 +00:00
Merge pull request #26759 from vitlibar/changing-default-roles-affects-new-sessions
Changing default roles affects new sessions only.
This commit is contained in:
commit
7b4e5f8e21
@ -799,8 +799,9 @@ void Context::setUser(const Credentials & credentials, const Poco::Net::SocketAd
|
||||
|
||||
user_id = new_user_id;
|
||||
access = std::move(new_access);
|
||||
current_roles.clear();
|
||||
use_default_roles = true;
|
||||
|
||||
auto user = access->getUser();
|
||||
current_roles = std::make_shared<std::vector<UUID>>(user->granted_roles.findGranted(user->default_roles));
|
||||
|
||||
auto default_profile_info = access->getDefaultProfileInfo();
|
||||
settings_constraints_and_current_profiles = default_profile_info->getConstraintsAndProfileIDs();
|
||||
@ -843,21 +844,16 @@ std::optional<UUID> Context::getUserID() const
|
||||
void Context::setCurrentRoles(const std::vector<UUID> & current_roles_)
|
||||
{
|
||||
auto lock = getLock();
|
||||
if (current_roles == current_roles_ && !use_default_roles)
|
||||
if (current_roles ? (*current_roles == current_roles_) : current_roles_.empty())
|
||||
return;
|
||||
current_roles = current_roles_;
|
||||
use_default_roles = false;
|
||||
current_roles = std::make_shared<std::vector<UUID>>(current_roles_);
|
||||
calculateAccessRights();
|
||||
}
|
||||
|
||||
void Context::setCurrentRolesDefault()
|
||||
{
|
||||
auto lock = getLock();
|
||||
if (use_default_roles)
|
||||
return;
|
||||
current_roles.clear();
|
||||
use_default_roles = true;
|
||||
calculateAccessRights();
|
||||
auto user = getUser();
|
||||
setCurrentRoles(user->granted_roles.findGranted(user->default_roles));
|
||||
}
|
||||
|
||||
boost::container::flat_set<UUID> Context::getCurrentRoles() const
|
||||
@ -880,7 +876,13 @@ void Context::calculateAccessRights()
|
||||
{
|
||||
auto lock = getLock();
|
||||
if (user_id)
|
||||
access = getAccessControlManager().getContextAccess(*user_id, current_roles, use_default_roles, settings, current_database, client_info);
|
||||
access = getAccessControlManager().getContextAccess(
|
||||
*user_id,
|
||||
current_roles ? *current_roles : std::vector<UUID>{},
|
||||
/* use_default_roles = */ false,
|
||||
settings,
|
||||
current_database,
|
||||
client_info);
|
||||
}
|
||||
|
||||
|
||||
|
@ -175,8 +175,7 @@ private:
|
||||
InputBlocksReader input_blocks_reader;
|
||||
|
||||
std::optional<UUID> user_id;
|
||||
std::vector<UUID> current_roles;
|
||||
bool use_default_roles = false;
|
||||
std::shared_ptr<std::vector<UUID>> current_roles;
|
||||
std::shared_ptr<const SettingsConstraintsAndProfileIDs> settings_constraints_and_current_profiles;
|
||||
std::shared_ptr<const ContextAccess> access;
|
||||
std::shared_ptr<const EnabledRowPolicies> initial_row_policy;
|
||||
|
@ -166,6 +166,20 @@ def test_set_role():
|
||||
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
|
||||
|
||||
|
||||
def test_changing_default_roles_affects_new_sessions_only():
|
||||
instance.query("CREATE USER A")
|
||||
instance.query("CREATE ROLE R1, R2")
|
||||
instance.query("GRANT R1, R2 TO A")
|
||||
|
||||
session_id = new_session_id()
|
||||
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 1], ["R2", 0, 1]])
|
||||
instance.query('SET DEFAULT ROLE R2 TO A')
|
||||
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':session_id}) == TSV([["R1", 0, 0], ["R2", 0, 1]])
|
||||
|
||||
other_session_id = new_session_id()
|
||||
assert instance.http_query('SHOW CURRENT ROLES', user='A', params={'session_id':other_session_id}) == TSV([["R2", 0, 1]])
|
||||
|
||||
|
||||
def test_introspection():
|
||||
instance.query("CREATE USER A")
|
||||
instance.query("CREATE USER B")
|
||||
|
Loading…
Reference in New Issue
Block a user