add backward compatibility

jsc0218 2024-02-20 02:11:31 +00:00
parent 2a88f61c96
commit afa7a95c8c
6 changed files with 23 additions and 1 deletions


@ -201,6 +201,7 @@ Hierarchy of privileges:
- `S3` - `S3`
- [dictGet](#grant-dictget) - [dictGet](#grant-dictget)
- [displaySecretsInShowAndSelect](#grant-display-secrets) - [displaySecretsInShowAndSelect](#grant-display-secrets)
- [TABLE ENGINE](#grant-table-engine)
Examples of how this hierarchy is treated: Examples of how this hierarchy is treated:
@ -495,6 +496,15 @@ and
[`format_display_secrets_in_show_and_select` format setting](../../operations/settings/formats#format_display_secrets_in_show_and_select) [`format_display_secrets_in_show_and_select` format setting](../../operations/settings/formats#format_display_secrets_in_show_and_select)
are turned on. are turned on.
### TABLE ENGINE
Allows using a specified table engine when creating a table. Applies to [table engines](../../engines/table-engines/index.md).
**Examples**
- `GRANT TABLE ENGINE ON * TO john`
- `GRANT TABLE ENGINE ON TinyLog TO john`
### ALL ### ALL
Grants all the privileges on regulated entity to a user account or a role. Grants all the privileges on regulated entity to a user account or a role.


@ -742,6 +742,10 @@
It also enables 'changeable_in_readonly' constraint type --> It also enables 'changeable_in_readonly' constraint type -->
<settings_constraints_replace_previous>true</settings_constraints_replace_previous> <settings_constraints_replace_previous>true</settings_constraints_replace_previous>
<!-- By default, for backward compatibility create table with a specific table engine ignores grant,
however you can change this behaviour by setting this to true -->
<table_engines_require_grant>false</table_engines_require_grant>
<!-- Number of seconds since last access a role is stored in the Role Cache --> <!-- Number of seconds since last access a role is stored in the Role Cache -->
<role_cache_expiration_time_seconds>600</role_cache_expiration_time_seconds> <role_cache_expiration_time_seconds>600</role_cache_expiration_time_seconds>
</access_control_improvements> </access_control_improvements>
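Review bot: The comment on `table_engines_require_grant` says table creation "ignores grant", which does not tell an operator what the default `false` permits: as far as this commit shows, the TABLE ENGINE privilege is then not checked at all, so granting or revoking it would have no effect on which engine a user can pick. I would word it as `<!-- If false (default, for backward compatibility), CREATE TABLE does not check the TABLE ENGINE privilege and any engine may be used. Set to true to enforce GRANT TABLE ENGINE. -->`. The TABLE ENGINE section added to the grants documentation in this commit does not mention the setting either, so a reader of the docs alone would assume the privilege is always enforced.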


@ -285,6 +285,7 @@ void AccessControl::setUpFromMainConfig(const Poco::Util::AbstractConfiguration
setSelectFromSystemDatabaseRequiresGrant(config_.getBool("access_control_improvements.select_from_system_db_requires_grant", false)); setSelectFromSystemDatabaseRequiresGrant(config_.getBool("access_control_improvements.select_from_system_db_requires_grant", false));
setSelectFromInformationSchemaRequiresGrant(config_.getBool("access_control_improvements.select_from_information_schema_requires_grant", false)); setSelectFromInformationSchemaRequiresGrant(config_.getBool("access_control_improvements.select_from_information_schema_requires_grant", false));
setSettingsConstraintsReplacePrevious(config_.getBool("access_control_improvements.settings_constraints_replace_previous", false)); setSettingsConstraintsReplacePrevious(config_.getBool("access_control_improvements.settings_constraints_replace_previous", false));
setTableEnginesRequireGrant(config_.getBool("access_control_improvements.table_engines_require_grant", false));
addStoragesFromMainConfig(config_, config_path_, get_zookeeper_function_); addStoragesFromMainConfig(config_, config_path_, get_zookeeper_function_);


@ -182,6 +182,9 @@ public:
void setSettingsConstraintsReplacePrevious(bool enable) { settings_constraints_replace_previous = enable; } void setSettingsConstraintsReplacePrevious(bool enable) { settings_constraints_replace_previous = enable; }
bool doesSettingsConstraintsReplacePrevious() const { return settings_constraints_replace_previous; } bool doesSettingsConstraintsReplacePrevious() const { return settings_constraints_replace_previous; }
void setTableEnginesRequireGrant(bool enable) { table_engines_require_grant = enable; }
bool doesTableEnginesRequireGrant() const { return table_engines_require_grant; }
std::shared_ptr<const ContextAccess> getContextAccess(const ContextAccessParams & params) const; std::shared_ptr<const ContextAccess> getContextAccess(const ContextAccessParams & params) const;
std::shared_ptr<const EnabledRoles> getEnabledRoles( std::shared_ptr<const EnabledRoles> getEnabledRoles(
@ -258,6 +261,7 @@ private:
std::atomic_bool select_from_system_db_requires_grant = false; std::atomic_bool select_from_system_db_requires_grant = false;
std::atomic_bool select_from_information_schema_requires_grant = false; std::atomic_bool select_from_information_schema_requires_grant = false;
std::atomic_bool settings_constraints_replace_previous = false; std::atomic_bool settings_constraints_replace_previous = false;
std::atomic_bool table_engines_require_grant = false;
std::atomic_int bcrypt_workfactor = 12; std::atomic_int bcrypt_workfactor = 12;
std::atomic<AuthenticationType> default_password_type = AuthenticationType::SHA256_PASSWORD; std::atomic<AuthenticationType> default_password_type = AuthenticationType::SHA256_PASSWORD;
}; };


@ -12,7 +12,7 @@ enum class AccessType
/// Macro M should be defined as M(name, aliases, node_type, parent_group_name) /// Macro M should be defined as M(name, aliases, node_type, parent_group_name)
/// where name is identifier with underscores (instead of spaces); /// where name is identifier with underscores (instead of spaces);
/// aliases is a string containing comma-separated list; /// aliases is a string containing comma-separated list;
/// node_type either specifies access type's level (GLOBAL/NAMED_COLLECTION/DATABASE/TABLE/DICTIONARY/VIEW/COLUMNS), /// node_type either specifies access type's level (GLOBAL/NAMED_COLLECTION/TABLE_ENGINE/DATABASE/TABLE/DICTIONARY/VIEW/COLUMNS),
/// or specifies that the access type is a GROUP of other access types; /// or specifies that the access type is a GROUP of other access types;
/// parent_group_name is the name of the group containing this access type (or NONE if there is no such group). /// parent_group_name is the name of the group containing this access type (or NONE if there is no such group).
/// NOTE A parent group must be declared AFTER all its children. /// NOTE A parent group must be declared AFTER all its children.


@ -547,6 +547,9 @@ bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... arg
if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant()) if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
flags &= ~AccessType::CLUSTER; flags &= ~AccessType::CLUSTER;
if (flags & AccessType::TABLE_ENGINE && !access_control->doesTableEnginesRequireGrant())
flags &= ~AccessType::TABLE_ENGINE;
if (!flags) if (!flags)
return true; return true;
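Review bot: With `table_engines_require_grant` at its default `false`, the added branch clears `AccessType::TABLE_ENGINE` from `flags`, so the `if (!flags) return true;` right below approves a check that asks only for TABLE ENGINE regardless of what has been granted. That matches the commit's stated backward-compatibility goal, but the bypass is not explained at the site; I would add above the branch `/// Backward compatibility: TABLE ENGINE is enforced only when table_engines_require_grant is set; otherwise any engine is allowed.` None of the six files changed here is a test, so a case that toggles the setting and checks table creation with and without the grant would pin both paths. `checkAccessImplHelper` starts and ends outside this hunk.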