mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-22 07:31:57 +00:00
Merge pull request #38674 from vitlibar/fix-crash-when-grant-all-on-cluster
Fix crash when granting ALL on cluster.
commit
b4103c1a0e
@ -412,15 +412,18 @@ bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... arg
|
||||
return false;
|
||||
};
|
||||
|
||||
if (is_full_access)
|
||||
return access_granted();
|
||||
|
||||
if (user_was_dropped)
|
||||
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
|
||||
|
||||
if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
|
||||
flags &= ~AccessType::CLUSTER;
|
||||
|
||||
if (!flags || is_full_access)
|
||||
if (!flags)
|
||||
return access_granted();
|
||||
|
||||
if (!tryGetUser())
|
||||
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
|
||||
|
||||
/// Access to temporary tables is controlled in an unusual way, not like normal tables.
|
||||
/// Creating of temporary tables is controlled by AccessType::CREATE_TEMPORARY_TABLES grant,
|
||||
/// and other grants are considered as always given.
|
||||
@ -600,9 +603,6 @@ void ContextAccess::checkGrantOption(const AccessRightsElements & elements) cons
|
||||
template <bool throw_if_denied, typename Container, typename GetNameFunction>
|
||||
bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const GetNameFunction & get_name_function) const
|
||||
{
|
||||
if (!std::size(role_ids) || is_full_access)
|
||||
return true;
|
||||
|
||||
auto show_error = [this](const String & msg, int error_code [[maybe_unused]])
|
||||
{
|
||||
UNUSED(this);
|
||||
@ -610,12 +610,18 @@ bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const
|
||||
throw Exception(getUserName() + ": " + msg, error_code);
|
||||
};
|
||||
|
||||
if (!tryGetUser())
|
||||
if (is_full_access)
|
||||
return true;
|
||||
|
||||
if (user_was_dropped)
|
||||
{
|
||||
show_error("User has been dropped", ErrorCodes::UNKNOWN_USER);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!std::size(role_ids))
|
||||
return true;
|
||||
|
||||
if (isGranted(AccessType::ROLE_ADMIN))
|
||||
return true;
|
||||
|
||||
|
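Review bot: The order of the new early returns in checkAccessImplHelper is load-bearing but undocumented. `if (is_full_access)` now has to run before `access_control->doesOnClusterQueriesRequireClusterGrant()`, which, judging by the commit title, is presumably where a full-access context crashed. A comment such as `/// Must stay first: a full-access context may have no access_control or user to consult.` above that check would keep a later reorder from reintroducing the crash. Both helpers also appear to replace the `tryGetUser()` call with a direct read of `user_was_dropped`, whose declaration is outside these hunks; if another thread sets it when the user is removed, it should be atomic or read under the same lock, so that the dropped-user denial is not racy. The same two points apply to checkAdminOptionImplHelper in the third hunk, and both function bodies extend beyond the hunks shown.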
@ -49,3 +49,13 @@ def test_access_control_on_cluster():
|
||||
assert "There is no user `Alex`" in ch1.query_and_get_error("SHOW CREATE USER Alex")
|
||||
assert "There is no user `Alex`" in ch2.query_and_get_error("SHOW CREATE USER Alex")
|
||||
assert "There is no user `Alex`" in ch3.query_and_get_error("SHOW CREATE USER Alex")
|
||||
|
||||
|
||||
def test_grant_all_on_cluster():
|
||||
ch1.query("CREATE USER IF NOT EXISTS Alex ON CLUSTER 'cluster'")
|
||||
ch1.query("GRANT ALL ON *.* TO Alex ON CLUSTER 'cluster'")
|
||||
|
||||
assert ch1.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
|
||||
assert ch2.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
|
||||
|
||||
ch1.query("DROP USER Alex ON CLUSTER 'cluster'")
|
||||
|
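Review bot: test_grant_all_on_cluster checks the propagated grant only on ch1 and ch2, while the preceding test asserts on ch1, ch2 and ch3. Adding `assert ch3.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"` would cover the whole cluster. The final `DROP USER Alex ON CLUSTER 'cluster'` is skipped if any assertion fails, which leaves an account holding `ALL ON *.*` on every node for later tests, and `CREATE USER IF NOT EXISTS` would then hide that leftover state. Putting the grant and assertions in a `try` block with the drop in `finally` would avoid this, and an assertion that "There is no user `Alex`" afterwards would confirm the cleanup.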