mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-09-20 00:30:49 +00:00
ignore_on_cluster_for_grants
This commit is contained in:
parent
945fbb3211
commit
c41511e51c
@ -7,6 +7,7 @@
|
||||
#include <Access/RolesOrUsersSet.h>
|
||||
#include <Access/User.h>
|
||||
#include <Interpreters/Context.h>
|
||||
#include <Interpreters/removeOnClusterClauseIfNeeded.h>
|
||||
#include <Interpreters/QueryLog.h>
|
||||
#include <Interpreters/executeDDLQueryOnCluster.h>
|
||||
#include <boost/range/algorithm/copy.hpp>
|
||||
@ -396,7 +397,8 @@ namespace
|
||||
|
||||
BlockIO InterpreterGrantQuery::execute()
|
||||
{
|
||||
auto & query = query_ptr->as<ASTGrantQuery &>();
|
||||
const auto updated_query = removeOnClusterClauseIfNeeded(query_ptr, getContext());
|
||||
auto & query = updated_query->as<ASTGrantQuery &>();
|
||||
|
||||
query.replaceCurrentUserTag(getContext()->getUserName());
|
||||
query.access_rights_elements.eraseNonGrantable();
|
||||
@ -430,7 +432,7 @@ BlockIO InterpreterGrantQuery::execute()
|
||||
current_user_access->checkGranteesAreAllowed(grantees);
|
||||
DDLQueryOnClusterParams params;
|
||||
params.access_to_check = std::move(required_access);
|
||||
return executeDDLQueryOnCluster(query_ptr, getContext(), params);
|
||||
return executeDDLQueryOnCluster(updated_query, getContext(), params);
|
||||
}
|
||||
|
||||
/// Check if the current user has corresponding access rights granted with grant option.
|
||||
|
@ -14,6 +14,7 @@
|
||||
#include <Parsers/Access/ASTCreateSettingsProfileQuery.h>
|
||||
#include <Parsers/Access/ASTCreateUserQuery.h>
|
||||
#include <Parsers/Access/ASTDropAccessEntityQuery.h>
|
||||
#include <Parsers/Access/ASTGrantQuery.h>
|
||||
|
||||
|
||||
namespace DB
|
||||
@ -33,7 +34,8 @@ static bool isAccessControlQuery(const ASTPtr & query)
|
||||
|| query->as<ASTCreateRoleQuery>()
|
||||
|| query->as<ASTCreateRowPolicyQuery>()
|
||||
|| query->as<ASTCreateSettingsProfileQuery>()
|
||||
|| query->as<ASTDropAccessEntityQuery>();
|
||||
|| query->as<ASTDropAccessEntityQuery>()
|
||||
|| query->as<ASTGrantQuery>();
|
||||
}
|
||||
|
||||
ASTPtr removeOnClusterClauseIfNeeded(const ASTPtr & query, ContextPtr context, const WithoutOnClusterASTRewriteParams & params)
|
||||
|
@ -114,6 +114,41 @@ def test_create_replicated_on_cluster_ignore(started_cluster, entity):
|
||||
node1.query(f"DROP {entity.keyword} {entity.name} {entity.options}")
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"use_on_cluster",
|
||||
[
|
||||
pytest.param(False, id="Without_on_cluster"),
|
||||
pytest.param(True, id="With_ignored_on_cluster"),
|
||||
],
|
||||
)
|
||||
def test_grant_revoke_replicated(started_cluster, use_on_cluster: bool):
|
||||
node1.replace_config(
|
||||
"/etc/clickhouse-server/users.d/users.xml",
|
||||
inspect.cleandoc(
|
||||
f"""
|
||||
<clickhouse>
|
||||
<profiles>
|
||||
<default>
|
||||
<ignore_on_cluster_for_replicated_access_entities_queries>{int(use_on_cluster)}</ignore_on_cluster_for_replicated_access_entities_queries>
|
||||
</default>
|
||||
</profiles>
|
||||
</clickhouse>
|
||||
"""
|
||||
),
|
||||
)
|
||||
node1.query("SYSTEM RELOAD CONFIG")
|
||||
on_cluster = "ON CLUSTER default" if use_on_cluster else ""
|
||||
|
||||
node1.query(f"CREATE USER theuser {on_cluster}")
|
||||
|
||||
assert node1.query(f"GRANT {on_cluster} SELECT ON *.* to theuser") == ""
|
||||
|
||||
assert node2.query(f"SHOW GRANTS FOR theuser") == "GRANT SELECT ON *.* TO theuser\n"
|
||||
|
||||
assert node1.query(f"REVOKE {on_cluster} SELECT ON *.* from theuser") == ""
|
||||
node1.query(f"DROP USER theuser {on_cluster}")
|
||||
|
||||
|
||||
@pytest.mark.parametrize("entity", entities, ids=get_entity_id)
|
||||
def test_create_replicated_if_not_exists_on_cluster(started_cluster, entity):
|
||||
node1.query(
|
||||
|
Loading…
Reference in New Issue
Block a user