add backward compatibility

2024-09-20 00:30:49 +00:00 · 2024-02-20 02:11:31 +00:00 · 2024-02-20 02:11:31 +00:00 · afa7a95c8c
commit afa7a95c8c
parent 2a88f61c96
6 changed files with 23 additions and 1 deletions
--- a/docs/en/sql-reference/statements/grant.md
+++ b/docs/en/sql-reference/statements/grant.md
@ -201,6 +201,7 @@ Hierarchy of privileges:
    - `S3`
 - [dictGet](#grant-dictget)
 - [displaySecretsInShowAndSelect](#grant-display-secrets)
+- [TABLE ENGINE](#grant-table-engine)

 Examples of how this hierarchy is treated:

@ -495,6 +496,15 @@ and
 [`format_display_secrets_in_show_and_select` format setting](../../operations/settings/formats#format_display_secrets_in_show_and_select)
 are turned on.

+### TABLE ENGINE
+
+Allows using a specified table engine when creating a table. Applies to [table engines](../../engines/table-engines/index.md).
+
+**Examples**
+
+- `GRANT TABLE ENGINE ON * TO john`
+- `GRANT TABLE ENGINE ON TinyLog TO john`
+
 ### ALL

 Grants all the privileges on regulated entity to a user account or a role.
--- a/programs/server/config.xml
+++ b/programs/server/config.xml
@ -742,6 +742,10 @@
             It also enables 'changeable_in_readonly' constraint type -->
        <settings_constraints_replace_previous>true</settings_constraints_replace_previous>

+        <!-- By default, for backward compatibility create table with a specific table engine ignores grant,
+             however you can change this behaviour by setting this to true -->
+        <table_engines_require_grant>false</table_engines_require_grant>
+
        <!-- Number of seconds since last access a role is stored in the Role Cache -->
        <role_cache_expiration_time_seconds>600</role_cache_expiration_time_seconds>
    </access_control_improvements>
--- a/src/Access/AccessControl.cpp
+++ b/src/Access/AccessControl.cpp
@ -285,6 +285,7 @@ void AccessControl::setUpFromMainConfig(const Poco::Util::AbstractConfiguration
    setSelectFromSystemDatabaseRequiresGrant(config_.getBool("access_control_improvements.select_from_system_db_requires_grant", false));
    setSelectFromInformationSchemaRequiresGrant(config_.getBool("access_control_improvements.select_from_information_schema_requires_grant", false));
    setSettingsConstraintsReplacePrevious(config_.getBool("access_control_improvements.settings_constraints_replace_previous", false));
+    setTableEnginesRequireGrant(config_.getBool("access_control_improvements.table_engines_require_grant", false));

    addStoragesFromMainConfig(config_, config_path_, get_zookeeper_function_);

--- a/src/Access/AccessControl.h
+++ b/src/Access/AccessControl.h
@ -182,6 +182,9 @@ public:
    void setSettingsConstraintsReplacePrevious(bool enable) { settings_constraints_replace_previous = enable; }
    bool doesSettingsConstraintsReplacePrevious() const { return settings_constraints_replace_previous; }

+    void setTableEnginesRequireGrant(bool enable) { table_engines_require_grant = enable; }
+    bool doesTableEnginesRequireGrant() const { return table_engines_require_grant; }
+
    std::shared_ptr<const ContextAccess> getContextAccess(const ContextAccessParams & params) const;

    std::shared_ptr<const EnabledRoles> getEnabledRoles(
@ -258,6 +261,7 @@ private:
    std::atomic_bool select_from_system_db_requires_grant = false;
    std::atomic_bool select_from_information_schema_requires_grant = false;
    std::atomic_bool settings_constraints_replace_previous = false;
+    std::atomic_bool table_engines_require_grant = false;
    std::atomic_int bcrypt_workfactor = 12;
    std::atomic<AuthenticationType> default_password_type = AuthenticationType::SHA256_PASSWORD;
 };
--- a/src/Access/Common/AccessType.h
+++ b/src/Access/Common/AccessType.h
@ -12,7 +12,7 @@ enum class AccessType
 /// Macro M should be defined as M(name, aliases, node_type, parent_group_name)
 /// where name is identifier with underscores (instead of spaces);
 /// aliases is a string containing comma-separated list;
-/// node_type either specifies access type's level (GLOBAL/NAMED_COLLECTION/DATABASE/TABLE/DICTIONARY/VIEW/COLUMNS),
+/// node_type either specifies access type's level (GLOBAL/NAMED_COLLECTION/TABLE_ENGINE/DATABASE/TABLE/DICTIONARY/VIEW/COLUMNS),
 /// or specifies that the access type is a GROUP of other access types;
 /// parent_group_name is the name of the group containing this access type (or NONE if there is no such group).
 /// NOTE A parent group must be declared AFTER all its children.
--- a/src/Access/ContextAccess.cpp
+++ b/src/Access/ContextAccess.cpp
@ -547,6 +547,9 @@ bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... arg
    if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
        flags &= ~AccessType::CLUSTER;

+    if (flags & AccessType::TABLE_ENGINE && !access_control->doesTableEnginesRequireGrant())
+        flags &= ~AccessType::TABLE_ENGINE;
+
    if (!flags)
        return true;