Merge pull request #38674 from vitlibar/fix-crash-when-grant-all-on-cluster

Fix crash when granting ALL on cluster.
Vitaly Baranov 2022-07-04 10:13:56 +02:00 committed by GitHub
commit b4103c1a0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 8 deletions


@ -412,15 +412,18 @@ bool ContextAccess::checkAccessImplHelper(AccessFlags flags, const Args &... arg
return false;
};
if (is_full_access)
return access_granted();
if (user_was_dropped)
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
if (flags & AccessType::CLUSTER && !access_control->doesOnClusterQueriesRequireClusterGrant())
flags &= ~AccessType::CLUSTER;
if (!flags || is_full_access)
if (!flags)
return access_granted();
if (!tryGetUser())
return access_denied("User has been dropped", ErrorCodes::UNKNOWN_USER);
/// Access to temporary tables is controlled in an unusual way, not like normal tables.
/// Creating of temporary tables is controlled by AccessType::CREATE_TEMPORARY_TABLES grant,
/// and other grants are considered as always given.
@ -600,9 +603,6 @@ void ContextAccess::checkGrantOption(const AccessRightsElements & elements) cons
template <bool throw_if_denied, typename Container, typename GetNameFunction>
bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const GetNameFunction & get_name_function) const
{
if (!std::size(role_ids) || is_full_access)
return true;
auto show_error = [this](const String & msg, int error_code [[maybe_unused]])
{
UNUSED(this);
@ -610,12 +610,18 @@ bool ContextAccess::checkAdminOptionImplHelper(const Container & role_ids, const
throw Exception(getUserName() + ": " + msg, error_code);
};
if (!tryGetUser())
if (is_full_access)
return true;
if (user_was_dropped)
{
show_error("User has been dropped", ErrorCodes::UNKNOWN_USER);
return false;
}
if (!std::size(role_ids))
return true;
if (isGranted(AccessType::ROLE_ADMIN))
return true;
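Review bot: The dropped-user guard in both helpers now tests the `user_was_dropped` flag where the older lines appear to have called `tryGetUser()`, so it fails closed only if that flag is set on every path that leaves the context without a user. The flag's declaration and writers are outside these hunks, so that cannot be confirmed here. If a state exists where the user pointer is null while the flag is still false, execution would fall through to the grant evaluation instead of returning UNKNOWN_USER. I would state the invariant at the first guard, for example `/// Invariant: user_was_dropped is true whenever tryGetUser() would return null.`, and confirm that the flag is read safely with respect to concurrent updates. Both function bodies start and end outside the hunks.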


@ -49,3 +49,13 @@ def test_access_control_on_cluster():
assert "There is no user `Alex`" in ch1.query_and_get_error("SHOW CREATE USER Alex")
assert "There is no user `Alex`" in ch2.query_and_get_error("SHOW CREATE USER Alex")
assert "There is no user `Alex`" in ch3.query_and_get_error("SHOW CREATE USER Alex")
def test_grant_all_on_cluster():
ch1.query("CREATE USER IF NOT EXISTS Alex ON CLUSTER 'cluster'")
ch1.query("GRANT ALL ON *.* TO Alex ON CLUSTER 'cluster'")
assert ch1.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
assert ch2.query("SHOW GRANTS FOR Alex") == "GRANT ALL ON *.* TO Alex\n"
ch1.query("DROP USER Alex ON CLUSTER 'cluster'")
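Review bot: The cleanup `DROP USER Alex ON CLUSTER 'cluster'` on the last line is skipped when either `SHOW GRANTS` assertion fails, which leaves an account holding `GRANT ALL ON *.*` on the nodes for whatever runs next in the module. Because creation uses `IF NOT EXISTS`, a leftover Alex from an earlier failure is then silently reused. Putting the queries and assertions under `try:` and the cleanup under `finally:` as `ch1.query("DROP USER IF EXISTS Alex ON CLUSTER 'cluster'")` would keep the privileged account from outliving the test. The grants are checked only on ch1 and ch2, while the preceding test also asserts on ch3, so if ch3 belongs to the same cluster a matching assertion for it would cover the third node.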