thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-21 15:12:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix crash when granting ALL on cluster.

Browse Source
This commit is contained in:
Vitaly Baranov 2022-07-01 12:18:09 +02:00
parent 59236d60c9
commit ae2f586170
2 changed files with 24 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/Access/ContextAccess.cpp
View File

@ -412,15 +412,18 @@ bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... arg
return false;
};
if (is_full_access)
return access_granted();
if (user_was_dropped)
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
flags &= ~AccessType::CLUSTER;
if (!flags || is_full_access)
if (!flags)
return access_granted();
if (!tryGetUser())
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
/// Access to temporary tables is controlled in an unusual way, not like normal tables.
/// Creating of temporary tables is controlled by AccessType::CREATE_TEMPORARY_TABLES grant,
/// and other grants are considered as always given.
@ -600,9 +603,6 @@ void ContextAccess::checkGrantOption(const AccessRightsElements & elements) cons
template <bool throw_if_denied, typename Container, typename GetNameFunction>
bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const GetNameFunction & get_name_function) const
{
if (!std::size(role_ids) || is_full_access)
return true;
auto show_error = [this](const String & msg, int error_code [[maybe_unused]])
{
UNUSED(this);
@ -610,12 +610,18 @@ bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const
throw Exception(getUserName() + ": " + msg, error_code);
};
if (!tryGetUser())
if (is_full_access)
return true;
if (user_was_dropped)
{
show_error("User has been dropped", ErrorCodes::UNKNOWN_USER);
return false;
}
if (!std::size(role_ids))
return true;
if (isGranted(AccessType::ROLE_ADMIN))
return true;

10
tests/integration/test_access_control_on_cluster/test.py
View File

@ -49,3 +49,13 @@ def test_access_control_on_cluster():
assert "There is no user `Alex`" in ch1.query_and_get_error("SHOW CREATE USER Alex")
assert "There is no user `Alex`" in ch2.query_and_get_error("SHOW CREATE USER Alex")
assert "There is no user `Alex`" in ch3.query_and_get_error("SHOW CREATE USER Alex")
def test_grant_all_on_cluster():
ch1.query("CREATE USER IF NOT EXISTS Alex ON CLUSTER 'cluster'")
ch1.query("GRANT ALL ON *.* TO Alex ON CLUSTER 'cluster'")
assert ch1.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
assert ch2.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
ch1.query("DROP USER Alex ON CLUSTER 'cluster'")