From d2ff1e5dd47f2c9bce0b5f69a7f371a4ca6ec74f Mon Sep 17 00:00:00 2001
From: Vitaly Baranov
Date: Wed, 5 Feb 2020 06:17:43 +0300
Subject: [PATCH] Implement partial revokes.
---
 dbms/src/Core/Settings.h | 2 ++
 dbms/src/Interpreters/InterpreterGrantQuery.cpp | 6 ++++++
 .../0_stateless/01074_partial_revokes.reference | 5 +++++
 .../queries/0_stateless/01074_partial_revokes.sql | 15 +++++++++++++++
 4 files changed, 28 insertions(+)
 create mode 100644 dbms/tests/queries/0_stateless/01074_partial_revokes.reference
 create mode 100644 dbms/tests/queries/0_stateless/01074_partial_revokes.sql
diff --git a/dbms/src/Core/Settings.h b/dbms/src/Core/Settings.h
index e68eb45d664..0cac16b8e73 100644
--- a/dbms/src/Core/Settings.h
+++ b/dbms/src/Core/Settings.h
@@ -392,6 +392,8 @@ struct Settings : public SettingsCollection
 M(SettingBool, optimize_if_chain_to_miltiif, false, "Replace if(cond1, then1, if(cond2, ...)) chains to multiIf. Currently it's not beneficial for numeric types.", 0) \
 M(SettingBool, allow_experimental_alter_materialized_view_structure, false, "Allow atomic alter on Materialized views. Work in progress.", 0) \
 \
+ M(SettingBool, partial_revokes, false, "Makes it possible to revoke privileges partially.", 0) \
+ \
 /** Obsolete settings that do nothing but left for compatibility reasons. Remove each one after half a year of obsolescence. */ \
 \
 M(SettingBool, allow_experimental_low_cardinality_type, true, "Obsolete setting, does nothing. Will be removed after 2019-08-13", 0) \
diff --git a/dbms/src/Interpreters/InterpreterGrantQuery.cpp b/dbms/src/Interpreters/InterpreterGrantQuery.cpp
index a3f167dc206..bf09b7cd61f 100644
--- a/dbms/src/Interpreters/InterpreterGrantQuery.cpp
+++ b/dbms/src/Interpreters/InterpreterGrantQuery.cpp
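Review bot: The help text for `partial_revokes` in Settings.h does not say what happens when the setting is off, which is the default (`false`). Block A of the test added in this commit shows that with `partial_revokes=0` a `REVOKE SELECT ON db.*` against `GRANT SELECT ON *.*` leaves the grant listed unchanged, apparently without an error, so an operator can believe access to `db` was removed when it was not. I would put that in the description, for example `"Allow REVOKE to remove part of a wider grant, e.g. one database out of *.*. When disabled, such a REVOKE leaves the wider grant unchanged."`. The Settings struct starts and ends outside this hunk.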
@@ -32,6 +32,12 @@ BlockIO InterpreterGrantQuery::execute()
 if (query.grant_option)
 updated_user->access_with_grant_option.grant(query.access_rights_elements, current_database);
 }
+ else if (context.getSettingsRef().partial_revokes)
+ {
+ updated_user->access_with_grant_option.partialRevoke(query.access_rights_elements, current_database);
+ if (!query.grant_option)
+ updated_user->access.partialRevoke(query.access_rights_elements, current_database);
+ }
 else
 {
 updated_user->access_with_grant_option.revoke(query.access_rights_elements, current_database);
diff --git a/dbms/tests/queries/0_stateless/01074_partial_revokes.reference b/dbms/tests/queries/0_stateless/01074_partial_revokes.reference
new file mode 100644
index 00000000000..e64d439b5b2
--- /dev/null
+++ b/dbms/tests/queries/0_stateless/01074_partial_revokes.reference
@@ -0,0 +1,5 @@
+A
+GRANT SELECT ON *.* TO test_user_01074
+B
+GRANT SELECT ON *.* TO test_user_01074
+REVOKE SELECT ON db.* FROM test_user_01074
diff --git a/dbms/tests/queries/0_stateless/01074_partial_revokes.sql b/dbms/tests/queries/0_stateless/01074_partial_revokes.sql
new file mode 100644
index 00000000000..af7048a0815
--- /dev/null
+++ b/dbms/tests/queries/0_stateless/01074_partial_revokes.sql
@@ -0,0 +1,15 @@
+DROP USER IF EXISTS test_user_01074;
+CREATE USER test_user_01074;
+
+SELECT 'A';
+SET partial_revokes=0;
+GRANT SELECT ON *.* TO test_user_01074;
+REVOKE SELECT ON db.* FROM test_user_01074;
+SHOW GRANTS FOR test_user_01074;
+
+SELECT 'B';
+SET partial_revokes=1;
+REVOKE SELECT ON db.* FROM test_user_01074;
+SHOW GRANTS FOR test_user_01074;
+
+DROP USER test_user_01074;
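Review bot: The new `else if` in InterpreterGrantQuery::execute() has no comment saying that the meaning of REVOKE now depends on `context.getSettingsRef().partial_revokes`, a setting of the session issuing the statement (the test flips it with `SET`) rather than anything attached to the target user. The same REVOKE therefore changes a user's stored rights differently depending on who runs it, which a maintainer auditing access changes needs to know. I would add above the branch `// Setting of the issuing session: decides whether a REVOKE narrower than an existing grant is applied or left without effect.`. A second comment on `if (!query.grant_option)` would help too, e.g. `// With grant_option set, only the grant option is narrowed; access itself is kept.`. execute() starts and ends outside the hunk, so the rest of the final `else` branch is not visible here.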
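Review bot: Block B of 01074_partial_revokes.sql issues no GRANT of its own and works only because the REVOKE in block A had no effect and left `SELECT ON *.*` in place, so a later change to the default-mode behaviour would break B for an unrelated reason. Making B self-contained means adding `GRANT SELECT ON *.* TO test_user_01074;` right after `SET partial_revokes=1;`. The test also asserts only `SHOW GRANTS` text. It has no case for the `query.grant_option` path handled in the C++ hunk, and none for granting `SELECT ON db.*` again after the partial revoke. Both are worth a block each, since they decide what the user can finally read.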