提交
63079c40
编写于
2月 01, 2020
作者:
V
Vitaly Baranov
Optimize access checking.
上级
caeed69f
变更
2
Showing
2 changed file
with
30 addition
and
21 deletion
+30
-21
dbms/src/Access/AccessRightsContext.cpp
dbms/src/Access/AccessRightsContext.cpp
+26
-16
dbms/src/Access/AccessRightsContext.h
dbms/src/Access/AccessRightsContext.h
+4
-5
dbms/src/Access/AccessRightsContext.cpp
...
...
@@ -4,6 +4,7 @@
#include <Core/Settings.h>
#include <Poco/Logger.h>
#include <common/logger_useful.h>
#include <boost/smart_ptr/make_shared_object.hpp>
#include <assert.h>
...
...
@@ -81,7 +82,9 @@ namespace
AccessRightsContext
::
AccessRightsContext
()
{
result_access_cache
[
0
].
emplace
().
grant
(
AccessType
::
ALL
);
auto
everything_granted
=
boost
::
make_shared
<
AccessRights
>
();
everything_granted
->
grant
(
AccessType
::
ALL
);
result_access_cache
[
0
]
=
std
::
move
(
everything_granted
);
}
...
...
@@ -102,9 +105,8 @@ AccessRightsContext::AccessRightsContext(const ClientInfo & client_info_, const
template
<
int
mode
,
typename
...
Args
>
bool
AccessRightsContext
::
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
Args
&
...
args
)
const
{
std
::
lock_guard
lock
{
mutex
};
const
auto
&
result_access
=
calculateResultAccess
();
bool
is_granted
=
result_access
.
isGranted
(
access
,
args
...);
auto
result_access
=
calculateResultAccess
();
bool
is_granted
=
result_access
->
isGranted
(
access
,
args
...);
if
(
trace_log
)
LOG_TRACE
(
trace_log
,
"Access "
<<
(
is_granted
?
"granted"
:
"denied"
)
<<
": "
<<
(
AccessRightsElement
{
access
,
args
...}.
toString
()));
...
...
@@ -129,7 +131,7 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
LOG_WARNING
(
log_
,
msg
+
formatSkippedMessage
(
args
...));
};
if
(
readonly
&&
calculateResultAccess
(
false
,
allow_ddl
,
allow_introspection
)
.
isGranted
(
access
,
args
...))
if
(
readonly
&&
calculateResultAccess
(
false
,
allow_ddl
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
{
if
(
interface
==
ClientInfo
::
Interface
::
HTTP
&&
http_method
==
ClientInfo
::
HTTPMethod
::
GET
)
show_error
(
...
...
@@ -139,11 +141,11 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
else
show_error
(
"Cannot execute query in readonly mode"
,
ErrorCodes
::
READONLY
);
}
else
if
(
!
allow_ddl
&&
calculateResultAccess
(
readonly
,
true
,
allow_introspection
)
.
isGranted
(
access
,
args
...))
else
if
(
!
allow_ddl
&&
calculateResultAccess
(
readonly
,
true
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
{
show_error
(
"Cannot execute query. DDL queries are prohibited for the user"
,
ErrorCodes
::
QUERY_IS_PROHIBITED
);
}
else
if
(
!
allow_introspection
&&
calculateResultAccess
(
readonly
,
allow_ddl
,
true
)
.
isGranted
(
access
,
args
...))
else
if
(
!
allow_introspection
&&
calculateResultAccess
(
readonly
,
allow_ddl
,
true
)
->
isGranted
(
access
,
args
...))
{
show_error
(
"Introspection functions are disabled, because setting 'allow_introspection_functions' is set to 0"
,
ErrorCodes
::
FUNCTION_NOT_ALLOWED
);
}
...
...
@@ -227,25 +229,32 @@ bool AccessRightsContext::isGranted(Poco::Logger * log_, const AccessRightsEleme
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
);
}
const
AccessRights
&
AccessRightsContext
::
calculateResultAccess
()
const
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
()
const
{
if
(
result_access_cache
[
0
])
return
*
result_access_cache
[
0
];
auto
res
=
result_access_cache
[
0
].
load
();
if
(
res
)
return
res
;
return
calculateResultAccess
(
readonly
,
allow_ddl
,
allow_introspection
);
}
const
AccessRights
&
AccessRightsContext
::
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
{
size_t
cache_index
=
static_cast
<
size_t
>
(
readonly_
!=
readonly
)
+
static_cast
<
size_t
>
(
allow_ddl_
!=
allow_ddl
)
*
2
+
+
static_cast
<
size_t
>
(
allow_introspection_
!=
allow_introspection
)
*
3
;
assert
(
cache_index
<
std
::
size
(
result_access_cache
));
auto
&
cached_result
=
result_access_cache
[
cache_index
];
auto
cached
=
result_access_cache
[
cache_index
].
load
();
if
(
cached
)
return
cached
;
std
::
lock_guard
lock
{
mutex
};
cached
=
result_access_cache
[
cache_index
].
load
();
if
(
cached
)
return
cached
;
if
(
cached_result
)
return
*
cached_result
;
auto
&
result
=
cached_result
.
emplace
();
auto
result_ptr
=
boost
::
make_shared
<
AccessRights
>
();
auto
&
result
=
*
result_ptr
;
result
=
granted_to_user
;
...
...
@@ -272,7 +281,8 @@ const AccessRights & AccessRightsContext::calculateResultAccess(UInt64 readonly_
if
(
!
allow_introspection_
)
result
.
fullRevoke
(
AccessType
::
INTROSPECTION
);
return
result
;
result_access_cache
[
cache_index
].
store
(
result_ptr
);
return
std
::
move
(
result_ptr
);
}
}
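Review bot: In the three-argument `calculateResultAccess`, the slot index uses weights 1, 2 and 3, so overriding `readonly_` and `allow_ddl_` together gives 3, the same slot as overriding `allow_introspection_` alone, and overriding all three gives 6, which is past the four-element `result_access_cache`. The only guard is `assert(cache_index < std::size(result_access_cache))`, which compiles out under NDEBUG, and the cached object now decides grant or deny on a fast path that no longer takes the mutex, so a wrong slot would hand back rights computed for different settings. The `checkImpl` calls visible here each override a single setting, so this looks like an unstated invariant rather than a live bug; I would write it next to the formula, e.g. `/// At most one of the three arguments may differ from the member value; slots 1..3 are not a bit mask.`, and turn the assert into a check that also runs in release builds. The trailing `+` after `* 2` is followed by another `+` on the next operand, which parses as unary plus and can be dropped.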
dbms/src/Access/AccessRightsContext.h
...
...
@@ -2,15 +2,14 @@
#include <Access/AccessRights.h>
#include <Interpreters/ClientInfo.h>
#include <boost/smart_ptr/atomic_shared_ptr.hpp>
#include <mutex>
#include <optional>
namespace
Poco
{
class
Logger
;
}
namespace
DB
{
class
Exception
;
struct
Settings
;
...
...
@@ -63,8 +62,8 @@ private:
template
<
int
mode
>
bool
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
;
const
AccessRights
&
calculateResultAccess
()
const
;
const
AccessRights
&
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
()
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
;
const
String
user_name
;
const
AccessRights
granted_to_user
;
...
...
@@ -75,7 +74,7 @@ private:
const
ClientInfo
::
Interface
interface
=
ClientInfo
::
Interface
::
TCP
;
const
ClientInfo
::
HTTPMethod
http_method
=
ClientInfo
::
HTTPMethod
::
UNKNOWN
;
Poco
::
Logger
*
const
trace_log
=
nullptr
;
mutable
std
::
optional
<
AccessRights
>
result_access_cache
[
4
];
mutable
boost
::
atomic_shared_ptr
<
const
AccessRights
>
result_access_cache
[
4
];
mutable
std
::
mutex
mutex
;
};
...
...
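Review bot: `result_access_cache` and `mutex` change meaning in this commit but carry no comment: the array size 4 is explained only by the index formula in AccessRightsContext.cpp, and `mutex` now appears to guard just the filling of an empty slot while readers go through the atomic `load()`. I would add `/// Slot 0: rights under the context's own settings; slots 1..3: rights with readonly, allow_ddl or allow_introspection overridden (one at a time).` above the array and `/// Serializes computing and storing a missing cache entry; reads use the atomic load.` above `mutex`. The class body starts outside this hunk, so any other state that `mutex` may protect is not visible here.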