Allow to hide only values from system.named_collections

src/Access/Common/AccessType.h

@@ -135,6 +135,7 @@ enum class AccessType
     M(SHOW_SETTINGS_PROFILES, "SHOW PROFILES, SHOW CREATE SETTINGS PROFILE, SHOW CREATE PROFILE", GLOBAL, SHOW_ACCESS) \
     M(SHOW_ACCESS, "", GROUP, ACCESS_MANAGEMENT) \
     M(SHOW_NAMED_COLLECTIONS, "SHOW NAMED COLLECTIONS", GLOBAL, ACCESS_MANAGEMENT) \
+    M(SHOW_NAMED_COLLECTIONS_SECRETS, "SHOW NAMED COLLECTIONS SECRETS", GLOBAL, ACCESS_MANAGEMENT) \
     M(ACCESS_MANAGEMENT, "", GROUP, ALL) \
     \
     M(SYSTEM_SHUTDOWN, "SYSTEM KILL, SHUTDOWN", GLOBAL, SYSTEM) \

src/Access/UsersConfigAccessStorage.cpp

@@ -239,6 +239,12 @@ namespace
             user->access.revoke(AccessType::SHOW_NAMED_COLLECTIONS);
         }
 
+        bool show_named_collections_secrets = config.getBool(user_config + ".show_named_collections_secrets", false);
+        if (!show_named_collections_secrets)
+        {
+            user->access.revoke(AccessType::SHOW_NAMED_COLLECTIONS_SECRETS);
+        }
+
         String default_database = config.getString(user_config + ".default_database", "");
         user->default_database = default_database;
 

src/Storages/System/StorageSystemNamedCollections.cpp

@@ -9,6 +9,7 @@
 #include <Access/Common/AccessFlags.h>
 #include <Columns/ColumnMap.h>
 #include <Common/NamedCollections/NamedCollections.h>
+#include <Access/ContextAccess.h>
 
 
 namespace DB
@@ -30,6 +31,7 @@ StorageSystemNamedCollections::StorageSystemNamedCollections(const StorageID & t
 void StorageSystemNamedCollections::fillData(MutableColumns & res_columns, ContextPtr context, const SelectQueryInfo &) const
 {
     context->checkAccess(AccessType::SHOW_NAMED_COLLECTIONS);
+    const auto & access = context->getAccess();
 
     auto collections = NamedCollectionFactory::instance().getAll();
     for (const auto & [name, collection] : collections)
@@ -47,7 +49,10 @@ void StorageSystemNamedCollections::fillData(MutableColumns & res_columns, Conte
         for (const auto & key : collection->getKeys())
         {
             key_column.insertData(key.data(), key.size());
-            value_column.insert(collection->get<String>(key));
+            if (access->isGranted(AccessType::SHOW_NAMED_COLLECTIONS_SECRETS))
+                value_column.insert(collection->get<String>(key));
+            else
+                value_column.insert("[HIDDEN]");
             size++;
         }
 

tests/integration/test_named_collections/configs/users.d/users.xml

@@ -5,6 +5,7 @@
             <profile>default</profile>
             <quota>default</quota>
             <show_named_collections>1</show_named_collections>
+            <show_named_collections_secrets>1</show_named_collections_secrets>
         </default>
     </users>
 </clickhouse>

tests/integration/test_named_collections/test.py

@@ -102,7 +102,23 @@ def test_access(cluster):
         ["bash", "-c", f"cat /etc/clickhouse-server/users.d/users.xml"]
     )
     node.restart_clickhouse()
-    assert int(node.query("select count() from system.named_collections")) > 0
+    assert node.query("select collection['key1'] from system.named_collections").strip() == "value1"
+    replace_in_users_config(
+        node, "show_named_collections_secrets>1", "show_named_collections_secrets>0"
+    )
+    assert "show_named_collections_secrets>0" in node.exec_in_container(
+        ["bash", "-c", f"cat /etc/clickhouse-server/users.d/users.xml"]
+    )
+    node.restart_clickhouse()
+    assert node.query("select collection['key1'] from system.named_collections").strip() == "[HIDDEN]"
+    replace_in_users_config(
+        node, "show_named_collections_secrets>0", "show_named_collections_secrets>1"
+    )
+    assert "show_named_collections_secrets>1" in node.exec_in_container(
+        ["bash", "-c", f"cat /etc/clickhouse-server/users.d/users.xml"]
+    )
+    node.restart_clickhouse()
+    assert node.query("select collection['key1'] from system.named_collections").strip() == "value1"
 
 
 def test_config_reload(cluster):