Merge pull request #65359 from joelynch/joelynch/dict-acl-bypass

Fix more dictGet ACL bypasses

src/Storages/StorageDictionary.cpp

@@ -1,3 +1,4 @@
+#include <Access/Common/AccessFlags.h>
 #include <Storages/StorageDictionary.h>
 #include <Storages/StorageFactory.h>
 #include <DataTypes/DataTypesNumber.h>
@@ -162,6 +163,7 @@ Pipe StorageDictionary::read(
 {
     auto registered_dictionary_name = location == Location::SameDatabaseAndNameAsDictionary ? getStorageID().getInternalDictionaryName() : dictionary_name;
     auto dictionary = getContext()->getExternalDictionariesLoader().getDictionary(registered_dictionary_name, local_context);
+    local_context->checkAccess(AccessType::dictGet, dictionary->getDatabaseOrNoDatabaseTag(), dictionary->getDictionaryID().getTableName());
     return dictionary->read(column_names, max_block_size, threads);
 }
 

src/TableFunctions/TableFunctionDictionary.cpp

@@ -80,7 +80,6 @@ ColumnsDescription TableFunctionDictionary::getActualTableStructure(ContextPtr c
 StoragePtr TableFunctionDictionary::executeImpl(
     const ASTPtr &, ContextPtr context, const std::string & table_name, ColumnsDescription, bool is_insert_query) const
 {
-    context->checkAccess(AccessType::dictGet, getDatabaseName(), table_name);
     StorageID dict_id(getDatabaseName(), table_name);
     auto dictionary_table_structure = getActualTableStructure(context, is_insert_query);
 

tests/queries/0_stateless/03199_dictionary_table_access.reference

@@ -0,0 +1,2 @@
+ACCESS_DENIED
+ACCESS_DENIED

tests/queries/0_stateless/03199_dictionary_table_access.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+username="user_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+dictname="dict_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+dicttablename="dict_table_${CLICKHOUSE_TEST_UNIQUE_NAME}"
+
+${CLICKHOUSE_CLIENT} -nm --query "
+    CREATE DICTIONARY IF NOT EXISTS ${dictname}
+    (
+        id UInt64,
+        value UInt64
+    )
+    PRIMARY KEY id
+    SOURCE(NULL())
+    LAYOUT(FLAT())
+    LIFETIME(MIN 0 MAX 1000);
+    CREATE USER IF NOT EXISTS ${username} NOT IDENTIFIED;
+    GRANT SELECT, CREATE TEMPORARY TABLE ON *.* to ${username};
+    SELECT * FROM ${dictname};
+    CREATE TABLE ${dicttablename} (id UInt64, value UInt64)
+    ENGINE = Dictionary(${CLICKHOUSE_DATABASE}.${dictname});
+    SELECT * FROM ${dicttablename};
+"
+
+$CLICKHOUSE_CLIENT -nm --user="${username}" --query "
+    SELECT * FROM ${dictname};
+" 2>&1 | grep -o ACCESS_DENIED | uniq
+
+$CLICKHOUSE_CLIENT -nm --user="${username}" --query "
+    SELECT * FROM ${dicttablename};
+" 2>&1 | grep -o ACCESS_DENIED | uniq
+
+${CLICKHOUSE_CLIENT} -nm --query "
+    DROP TABLE IF EXISTS ${dicttablename} SYNC;
+    DROP DICTIONARY IF EXISTS ${dictname};
+    DROP USER IF EXISTS ${username};
+"