thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-10 01:25:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add tests for checking access rights for SELECT.

Browse Source
This commit is contained in:
Vitaly Baranov 2021-06-23 11:08:58 +03:00
parent dbb2532e88
commit c6d877d10b
1 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
tests/integration/test_select_access_rights/test.py
View File

@ -177,3 +177,61 @@ def test_select_count():
instance.query("GRANT SELECT ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "0\n"
def test_select_where():
# User should have grants for the columns used in WHERE.
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
instance.query("GRANT SELECT(a) ON default.table1 TO A")
select_query = "SELECT a FROM table1 WHERE b = 0"
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
instance.query("GRANT SELECT(b) ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
instance.query("REVOKE SELECT ON default.table1 FROM A")
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
instance.query("GRANT SELECT ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
def test_select_prewhere():
# User should have grants for the columns used in PREWHERE.
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
instance.query("GRANT SELECT(a) ON default.table1 TO A")
select_query = "SELECT a FROM table1 PREWHERE b = 0"
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
instance.query("GRANT SELECT(b) ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
instance.query("REVOKE SELECT ON default.table1 FROM A")
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
instance.query("GRANT SELECT ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
def test_select_with_row_policy():
# Normal users should not aware of the existence of row policy filters.
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
instance.query("CREATE ROW POLICY pol1 ON table1 USING b = 0 TO A")
select_query = "SELECT a FROM table1"
select_query2 = "SELECT count() FROM table1"
assert "it's necessary to have grant SELECT(a) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
assert "it's necessary to have grant SELECT for at least one column on default.table1" in instance.query_and_get_error(select_query2, user = 'A')
instance.query("GRANT SELECT(a) ON default.table1 TO A")
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
assert instance.query(select_query2, user = 'A') == "2\n"
instance.query("REVOKE SELECT(a) ON default.table1 FROM A")
assert "it's necessary to have grant SELECT(a) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
assert "it's necessary to have grant SELECT for at least one column on default.table1" in instance.query_and_get_error(select_query2, user = 'A')