mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-12-15 10:52:30 +00:00
01e1c5345a
In case you have different roles for the same user on multiple clusters, ON CLUSTER query can help to overcome some limitations.

Consider the following example:
- cluster_with_data, dev_user (readonly=2)
- stage_cluster, dev_user (readonly=0)

So when you execute the following query from stage_cluster, it will be successfully executed, since ON CLUSTER queries have a different system profile:

DROP DATABASE default ON CLUSTER cluster_with_data

This is not 100% safe, but at least something.

Note that right now only the ON CLUSTER query itself is supported, but separate clusters are not (i.e. GRANT CLUSTER some_cluster_name TO default), since right now grants are stuck to database+.

v2: on_cluster_queries_require_cluster_grant
v3: fix test and process flags as bit mask

Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
32 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/env bash

CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=../shell_config.sh
. "$CURDIR"/../shell_config.sh

# Drop the per-test users and database so reruns start from a clean state.
function cleanup()
{
    $CLICKHOUSE_CLIENT -nmq "
        DROP USER IF EXISTS with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
        DROP USER IF EXISTS without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
        DROP DATABASE IF EXISTS db_with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
    "
}
cleanup
trap cleanup EXIT

# Both users may CREATE; only the first one also holds the CLUSTER grant.
$CLICKHOUSE_CLIENT -nmq "
    CREATE USER with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
    CREATE USER without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;

    GRANT CLUSTER, CREATE ON *.* TO with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
    GRANT CREATE ON *.* TO without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME;
"

# With the CLUSTER grant the ON CLUSTER DDL is accepted.
echo "with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME"
$CLICKHOUSE_CLIENT --user "with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME" -q "CREATE DATABASE IF NOT EXISTS db_with_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME ON CLUSTER test_shard_localhost" >/dev/null
# Without it the same DDL must be rejected with ACCESS_DENIED.
echo "without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME"
$CLICKHOUSE_CLIENT --user "without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME" -q "CREATE DATABASE IF NOT EXISTS db_without_on_cluster_$CLICKHOUSE_TEST_UNIQUE_NAME ON CLUSTER test_shard_localhost" |& {
    grep -m1 -F -o "Not enough privileges. To execute this query it's necessary to have grant CLUSTER ON *.*. (ACCESS_DENIED)"
}