Merge pull request #65359 from joelynch/joelynch/dict-acl-bypass
Fix more dictGet ACL bypasses
commit
f01a285f60
@ -1,3 +1,4 @@
|
||||
#include <Access/Common/AccessFlags.h>
|
||||
#include <Storages/StorageDictionary.h>
|
||||
#include <Storages/StorageFactory.h>
|
||||
#include <DataTypes/DataTypesNumber.h>
|
||||
@ -162,6 +163,7 @@ Pipe StorageDictionary::read(
|
||||
{
|
||||
auto registered_dictionary_name = location == Location::SameDatabaseAndNameAsDictionary ? getStorageID().getInternalDictionaryName() : dictionary_name;
|
||||
auto dictionary = getContext()->getExternalDictionariesLoader().getDictionary(registered_dictionary_name, local_context);
|
||||
local_context->checkAccess(AccessType::dictGet, dictionary->getDatabaseOrNoDatabaseTag(), dictionary->getDictionaryID().getTableName());
|
||||
return dictionary->read(column_names, max_block_size, threads);
|
||||
}
|
||||
|
||||
|
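Review bot: The new `local_context->checkAccess(AccessType::dictGet, ...)` line runs only after `getExternalDictionariesLoader().getDictionary(registered_dictionary_name, local_context)` has already loaded the dictionary, so a user without the grant can still cause the dictionary source to be loaded before being refused; if the loader can resolve the dictionary's ID without loading it, moving the check ahead of the load would close that gap. Deriving the checked database and name from `dictionary->getDatabaseOrNoDatabaseTag()` and `dictionary->getDictionaryID()` rather than from the storage's own ID looks deliberate, since the Dictionary-engine table may be named differently from the dictionary it wraps; a comment such as `/// Check against the dictionary's own ID, not this storage's: the Dictionary engine table may wrap a dictionary with a different name.` would record that. The `read` signature starts outside the hunk.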
@ -80,7 +80,6 @@ ColumnsDescription TableFunctionDictionary::getActualTableStructure(ContextPtr c
|
||||
StoragePtr TableFunctionDictionary::executeImpl(
|
||||
const ASTPtr &, ContextPtr context, const std::string & table_name, ColumnsDescription, bool is_insert_query) const
|
||||
{
|
||||
context->checkAccess(AccessType::dictGet, getDatabaseName(), table_name);
|
||||
StorageID dict_id(getDatabaseName(), table_name);
|
||||
auto dictionary_table_structure = getActualTableStructure(context, is_insert_query);
|
||||
|
||||
|
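Review bot: With one line dropped from the body of `executeImpl` (the hunk header goes from 7 to 6 lines), the dictGet check for the `dictionary()` table function appears to rely on the check inside StorageDictionary::read; `getActualTableStructure(context, is_insert_query)` on the next line still runs before any read, so metadata-only consumers of the returned storage (DESCRIBE, column enumeration) can presumably still see the dictionary's column names and types without the grant — worth confirming that is acceptable. If it is, a short comment at the top of the body, `/// dictGet is checked in StorageDictionary::read, where the dictionary's real database and name are known.`, would stop a future reader from re-adding a check keyed on the table function's own name. `executeImpl` continues past the hunk.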
@ -0,0 +1,2 @@
|
||||
ACCESS_DENIED
|
||||
ACCESS_DENIED
|
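--- a/tests/queries/0_stateless/03199_dictionary_table_access.sh
+++ b/tests/queries/0_stateless/03199_dictionary_table_access.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+username="user_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+dictname="dict_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+dicttablename="dict_table_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+
+${CLICKHOUSE_CLIENT} -nm --query "
+CREATE DICTIONARY IF NOT EXISTS ${dictname}
+(
+id UInt64,
+value UInt64
+)
+PRIMARY KEY id
+SOURCE(NULL())
+LAYOUT(FLAT())
+LIFETIME(MIN 0 MAX 1000);
+CREATE USER IF NOT EXISTS ${username} NOT IDENTIFIED;
+GRANT SELECT, CREATE TEMPORARY TABLE ON *.* to ${username};
+SELECT * FROM ${dictname};
+CREATE TABLE ${dicttablename} (id UInt64, value UInt64)
+ENGINE = Dictionary(${CLICKHOUSE_DATABASE}.${dictname});
+SELECT * FROM ${dicttablename};
+"
+
+$CLICKHOUSE_CLIENT -nm --user="${username}" --query "
+SELECT * FROM ${dictname};
+" 2>&1 | grep -o ACCESS_DENIED | uniq
+
+$CLICKHOUSE_CLIENT -nm --user="${username}" --query "
+SELECT * FROM ${dicttablename};
+" 2>&1 | grep -o ACCESS_DENIED | uniq
+
+${CLICKHOUSE_CLIENT} -nm --query "
+DROP TABLE IF EXISTS ${dicttablename} SYNC;
+DROP DICTIONARY IF EXISTS ${dictname};
+DROP USER IF EXISTS ${username};
+"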
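Review bot: The test probes `SELECT * FROM ${dictname}` and the Dictionary-engine table as the restricted user, but not the `dictionary()` table function, which is the third path this commit touches (its own check appears to be dropped from TableFunctionDictionary::executeImpl), so a regression on that path would still pass. A third probe under `${username}`, `SELECT * FROM dictionary(${dictname});` piped through the same `2>&1 | grep -o ACCESS_DENIED | uniq`, with a third `ACCESS_DENIED` line appended to the .reference file, would cover it. The heredoc indentation of the SQL seems to have been lost in this rendering; the proposed line should follow whatever indent the file actually uses.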