mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-21 15:12:02 +00:00
Merge pull request #25619 from vitlibar/new-tests-for-select-privilege
Add tests for checking access rights for SELECT.
This commit is contained in:
commit
f90cfae368
@ -177,3 +177,61 @@ def test_select_count():
|
||||
|
||||
instance.query("GRANT SELECT ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "0\n"
|
||||
|
||||
|
||||
def test_select_where():
|
||||
# User should have grants for the columns used in WHERE.
|
||||
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
|
||||
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
|
||||
instance.query("GRANT SELECT(a) ON default.table1 TO A")
|
||||
|
||||
select_query = "SELECT a FROM table1 WHERE b = 0"
|
||||
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
|
||||
instance.query("GRANT SELECT(b) ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
|
||||
|
||||
instance.query("REVOKE SELECT ON default.table1 FROM A")
|
||||
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
|
||||
instance.query("GRANT SELECT ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
|
||||
|
||||
|
||||
def test_select_prewhere():
|
||||
# User should have grants for the columns used in PREWHERE.
|
||||
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
|
||||
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
|
||||
instance.query("GRANT SELECT(a) ON default.table1 TO A")
|
||||
|
||||
select_query = "SELECT a FROM table1 PREWHERE b = 0"
|
||||
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
|
||||
instance.query("GRANT SELECT(b) ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
|
||||
|
||||
instance.query("REVOKE SELECT ON default.table1 FROM A")
|
||||
assert "it's necessary to have grant SELECT(a, b) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
|
||||
instance.query("GRANT SELECT ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
|
||||
|
||||
|
||||
def test_select_with_row_policy():
|
||||
# Normal users should not aware of the existence of row policy filters.
|
||||
instance.query("CREATE TABLE table1(a String, b UInt8) ENGINE = MergeTree ORDER BY b")
|
||||
instance.query("INSERT INTO table1 VALUES ('xxx', 0), ('yyy', 1), ('zzz', 0)")
|
||||
instance.query("CREATE ROW POLICY pol1 ON table1 USING b = 0 TO A")
|
||||
|
||||
select_query = "SELECT a FROM table1"
|
||||
select_query2 = "SELECT count() FROM table1"
|
||||
assert "it's necessary to have grant SELECT(a) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
assert "it's necessary to have grant SELECT for at least one column on default.table1" in instance.query_and_get_error(select_query2, user = 'A')
|
||||
|
||||
instance.query("GRANT SELECT(a) ON default.table1 TO A")
|
||||
assert instance.query(select_query, user = 'A') == "xxx\nzzz\n"
|
||||
assert instance.query(select_query2, user = 'A') == "2\n"
|
||||
|
||||
instance.query("REVOKE SELECT(a) ON default.table1 FROM A")
|
||||
assert "it's necessary to have grant SELECT(a) ON default.table1" in instance.query_and_get_error(select_query, user = 'A')
|
||||
assert "it's necessary to have grant SELECT for at least one column on default.table1" in instance.query_and_get_error(select_query2, user = 'A')
|
||||
|
Loading…
Reference in New Issue
Block a user