提交
c604ce1c
编写于
2月 05, 2020
作者:
V
Vitaly Baranov
Add access_with_grant_option to User.
上级
c9f2713c
Showing
5 changed file
with
96 addition
and
58 deletion
+96
-58
dbms/src/Access/AccessRightsContext.cpp
dbms/src/Access/AccessRightsContext.cpp
+75
-50
dbms/src/Access/AccessRightsContext.h
dbms/src/Access/AccessRightsContext.h
+16
-6
dbms/src/Access/User.cpp
dbms/src/Access/User.cpp
+2
-1
dbms/src/Access/User.h
dbms/src/Access/User.h
+1
-0
dbms/src/Access/UsersConfigAccessStorage.cpp
dbms/src/Access/UsersConfigAccessStorage.cpp
+2
-1
dbms/src/Access/AccessRightsContext.cpp
...
...
@@ -102,10 +102,10 @@ AccessRightsContext::AccessRightsContext(const UserPtr & user_, const ClientInfo
}
template
<
int
mode
,
typename
...
Args
>
template
<
int
mode
,
bool
grant_option
,
typename
...
Args
>
bool
AccessRightsContext
::
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
Args
&
...
args
)
const
{
auto
result_access
=
calculateResultAccess
();
auto
result_access
=
calculateResultAccess
(
grant_option
);
bool
is_granted
=
result_access
->
isGranted
(
access
,
args
...);
if
(
trace_log
)
...
...
@@ -131,7 +131,16 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
LOG_WARNING
(
log_
,
user
->
getName
()
+
": "
+
msg
+
formatSkippedMessage
(
args
...));
};
if
(
readonly
&&
calculateResultAccess
(
false
,
allow_ddl
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
if
(
grant_option
&&
calculateResultAccess
(
false
,
readonly
,
allow_ddl
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
{
show_error
(
"Not enough privileges. "
"The required privileges have been granted, but without grant option. "
"To execute this query it's necessary to have the grant "
+
AccessRightsElement
{
access
,
args
...}.
toString
()
+
" WITH GRANT OPTION"
,
ErrorCodes
::
ACCESS_DENIED
);
}
else
if
(
readonly
&&
calculateResultAccess
(
false
,
false
,
allow_ddl
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
{
if
(
interface
==
ClientInfo
::
Interface
::
HTTP
&&
http_method
==
ClientInfo
::
HTTPMethod
::
GET
)
show_error
(
...
...
@@ -141,11 +150,11 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
else
show_error
(
"Cannot execute query in readonly mode"
,
ErrorCodes
::
READONLY
);
}
else
if
(
!
allow_ddl
&&
calculateResultAccess
(
readonly
,
true
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
else
if
(
!
allow_ddl
&&
calculateResultAccess
(
false
,
readonly
,
true
,
allow_introspection
)
->
isGranted
(
access
,
args
...))
{
show_error
(
"Cannot execute query. DDL queries are prohibited for the user"
,
ErrorCodes
::
QUERY_IS_PROHIBITED
);
}
else
if
(
!
allow_introspection
&&
calculateResultAccess
(
readonly
,
allow_ddl
,
true
)
->
isGranted
(
access
,
args
...))
else
if
(
!
allow_introspection
&&
calculateResultAccess
(
false
,
readonly
,
allow_ddl
,
true
)
->
isGranted
(
access
,
args
...))
{
show_error
(
"Introspection functions are disabled, because setting 'allow_introspection_functions' is set to 0"
,
ErrorCodes
::
FUNCTION_NOT_ALLOWED
);
}
...
...
@@ -153,7 +162,7 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
{
show_error
(
"Not enough privileges. To execute this query it's necessary to have the grant "
+
AccessRightsElement
{
access
,
args
...}.
toString
(),
+
AccessRightsElement
{
access
,
args
...}.
toString
()
+
(
grant_option
?
" WITH GRANT OPTION"
:
""
)
,
ErrorCodes
::
ACCESS_DENIED
);
}
...
...
@@ -161,86 +170,96 @@ bool AccessRightsContext::checkImpl(Poco::Logger * log_, const AccessFlags & acc
}
template
<
int
mode
>
template
<
int
mode
,
bool
grant_option
>
bool
AccessRightsContext
::
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessRightsElement
&
element
)
const
{
if
(
element
.
any_database
)
{
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
);
}
else
if
(
element
.
any_table
)
{
if
(
element
.
database
.
empty
())
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
current_database
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
current_database
);
else
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
element
.
database
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
element
.
database
);
}
else
if
(
element
.
any_column
)
{
if
(
element
.
database
.
empty
())
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
current_database
,
element
.
table
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
current_database
,
element
.
table
);
else
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
element
.
database
,
element
.
table
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
element
.
database
,
element
.
table
);
}
else
{
if
(
element
.
database
.
empty
())
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
current_database
,
element
.
table
,
element
.
columns
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
current_database
,
element
.
table
,
element
.
columns
);
else
return
checkImpl
<
mode
>
(
log_
,
element
.
access_flags
,
element
.
database
,
element
.
table
,
element
.
columns
);
return
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
.
access_flags
,
element
.
database
,
element
.
table
,
element
.
columns
);
}
}
template
<
int
mode
>
template
<
int
mode
,
bool
grant_option
>
bool
AccessRightsContext
::
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
elements
)
const
{
for
(
const
auto
&
element
:
elements
)
if
(
!
checkImpl
<
mode
>
(
log_
,
element
))
if
(
!
checkImpl
<
mode
,
grant_option
>
(
log_
,
element
))
return
false
;
return
true
;
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
column
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
check
(
const
AccessRightsElement
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
check
(
const
AccessRightsElements
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
column
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessRightsElement
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessRightsElements
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
,
database
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
,
database
,
table
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
,
database
,
table
,
column
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElement
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
>
(
log_
,
access
);
}
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
()
const
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
column
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
check
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
check
(
const
AccessRightsElement
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
check
(
const
AccessRightsElements
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
column
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessRightsElement
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
const
AccessRightsElements
&
access
)
const
{
return
checkImpl
<
RETURN_FALSE_IF_ACCESS_DENIED
,
false
>
(
nullptr
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
,
database
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
,
database
,
table
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
,
database
,
table
,
column
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
,
database
,
table
,
columns
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElement
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
);
}
bool
AccessRightsContext
::
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
{
return
checkImpl
<
LOG_WARNING_IF_ACCESS_DENIED
,
false
>
(
log_
,
access
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
,
database
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
,
database
,
table
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
,
database
,
table
,
column
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
,
database
,
table
,
columns
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessRightsElement
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
);
}
void
AccessRightsContext
::
checkGrantOption
(
const
AccessRightsElements
&
access
)
const
{
checkImpl
<
THROW_IF_ACCESS_DENIED
,
true
>
(
nullptr
,
access
);
}
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
(
bool
grant_option
)
const
{
return
calculateResultAccess
(
readonly
,
allow_ddl
,
allow_introspection
);
return
calculateResultAccess
(
grant_option
,
readonly
,
allow_ddl
,
allow_introspection
);
}
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
boost
::
shared_ptr
<
const
AccessRights
>
AccessRightsContext
::
calculateResultAccess
(
bool
grant_option
,
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
{
size_t
cache_index
=
static_cast
<
size_t
>
(
readonly_
!=
readonly
)
+
static_cast
<
size_t
>
(
allow_ddl_
!=
allow_ddl
)
*
2
+
+
static_cast
<
size_t
>
(
allow_introspection_
!=
allow_introspection
)
*
3
;
+
static_cast
<
size_t
>
(
allow_introspection_
!=
allow_introspection
)
*
3
+
static_cast
<
size_t
>
(
grant_option
)
*
4
;
assert
(
cache_index
<
std
::
size
(
result_access_cache
));
auto
cached
=
result_access_cache
[
cache_index
].
load
();
if
(
cached
)
...
...
@@ -254,7 +273,7 @@ boost::shared_ptr<const AccessRights> AccessRightsContext::calculateResultAccess
auto
result_ptr
=
boost
::
make_shared
<
AccessRights
>
();
auto
&
result
=
*
result_ptr
;
result
=
user
->
access
;
result
=
grant_option
?
user
->
access_with_grant_option
:
user
->
access
;
static
const
AccessFlags
table_ddl
=
AccessType
::
CREATE_DATABASE
|
AccessType
::
CREATE_TABLE
|
AccessType
::
CREATE_VIEW
|
AccessType
::
ALTER_TABLE
|
AccessType
::
ALTER_VIEW
|
AccessType
::
DROP_DATABASE
|
AccessType
::
DROP_TABLE
|
AccessType
::
DROP_VIEW
...
...
@@ -263,12 +282,18 @@ boost::shared_ptr<const AccessRights> AccessRightsContext::calculateResultAccess
static
const
AccessFlags
table_and_dictionary_ddl
=
table_ddl
|
dictionary_ddl
;
static
const
AccessFlags
write_table_access
=
AccessType
::
INSERT
|
AccessType
::
OPTIMIZE
;
/// Anyone has access to the "system" database.
result
.
grant
(
AccessType
::
SELECT
,
"system"
);
if
(
readonly_
)
result
.
fullRevoke
(
write_table_access
|
AccessType
::
SYSTEM
);
if
(
readonly_
||
!
allow_ddl_
)
result
.
fullRevoke
(
table_and_dictionary_ddl
);
if
(
readonly_
&&
grant_option
)
result
.
fullRevoke
(
AccessType
::
ALL
);
if
(
readonly_
==
1
)
{
/// Table functions are forbidden in readonly mode.
...
...
@@ -282,7 +307,7 @@ boost::shared_ptr<const AccessRights> AccessRightsContext::calculateResultAccess
result_access_cache
[
cache_index
].
store
(
result_ptr
);
if
(
trace_log
&&
(
readonly
==
readonly_
)
&&
(
allow_ddl
==
allow_ddl_
)
&&
(
allow_introspection
==
allow_introspection_
))
LOG_TRACE
(
trace_log
,
"List of all grants: "
<<
result_ptr
->
toString
());
LOG_TRACE
(
trace_log
,
"List of all grants: "
<<
result_ptr
->
toString
()
<<
(
grant_option
?
" WITH GRANT OPTION"
:
""
)
);
return
result_ptr
;
}
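Review bot: The slot arithmetic in `calculateResultAccess(bool grant_option, UInt64 readonly_, bool allow_ddl_, bool allow_introspection_)` is not injective — a call where both `readonly_` and `allow_ddl_` differ from the context's own values gives 1 + 2 = 3, the same `cache_index` as a call where only `allow_introspection_` differs — so the cache is only correct while every caller varies at most one of those three settings, and the existing `assert(cache_index < std::size(result_access_cache))` does not enforce that. Because a colliding caller would get back the AccessRights computed for a different configuration, and this value is what `isGranted` consults, the convention deserves to be pinned in code rather than relied on implicitly. I would add `assert((readonly_ != readonly) + (allow_ddl_ != allow_ddl) + (allow_introspection_ != allow_introspection) <= 1);` next to the existing assert, plus a comment on the index line stating that at most one setting may differ at a time and that `grant_option` selects slot 4. The body of this function continues past the hunk, which ends at the cached-pointer load.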
...
...
dbms/src/Access/AccessRightsContext.h
...
...
@@ -54,18 +54,28 @@ public:
bool
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElement
&
access
)
const
;
bool
isGranted
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
;
/// Checks if a specified access granted with grant option, and throws an exception if not.
void
checkGrantOption
(
const
AccessFlags
&
access
)
const
;
void
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
)
const
;
void
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
)
const
;
void
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
string_view
&
column
)
const
;
void
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
std
::
vector
<
std
::
string_view
>
&
columns
)
const
;
void
checkGrantOption
(
const
AccessFlags
&
access
,
const
std
::
string_view
&
database
,
const
std
::
string_view
&
table
,
const
Strings
&
columns
)
const
;
void
checkGrantOption
(
const
AccessRightsElement
&
access
)
const
;
void
checkGrantOption
(
const
AccessRightsElements
&
access
)
const
;
private:
template
<
int
mode
,
typename
...
Args
>
template
<
int
mode
,
bool
grant_option
,
typename
...
Args
>
bool
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessFlags
&
access
,
const
Args
&
...
args
)
const
;
template
<
int
mode
>
template
<
int
mode
,
bool
grant_option
>
bool
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessRightsElement
&
access
)
const
;
template
<
int
mode
>
template
<
int
mode
,
bool
grant_option
>
bool
checkImpl
(
Poco
::
Logger
*
log_
,
const
AccessRightsElements
&
access
)
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
()
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
(
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
(
bool
grant_option
)
const
;
boost
::
shared_ptr
<
const
AccessRights
>
calculateResultAccess
(
bool
grant_option
,
UInt64
readonly_
,
bool
allow_ddl_
,
bool
allow_introspection_
)
const
;
const
UserPtr
user
;
const
UInt64
readonly
=
0
;
...
...
@@ -75,7 +85,7 @@ private:
const
ClientInfo
::
Interface
interface
=
ClientInfo
::
Interface
::
TCP
;
const
ClientInfo
::
HTTPMethod
http_method
=
ClientInfo
::
HTTPMethod
::
UNKNOWN
;
Poco
::
Logger
*
const
trace_log
=
nullptr
;
mutable
boost
::
atomic_shared_ptr
<
const
AccessRights
>
result_access_cache
[
4
];
mutable
boost
::
atomic_shared_ptr
<
const
AccessRights
>
result_access_cache
[
7
];
mutable
std
::
mutex
mutex
;
};
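Review bot: `result_access_cache[7]` carries no comment tying its size to the slot arithmetic in `calculateResultAccess` in AccessRightsContext.cpp (slots 0–3 for one of readonly/allow_ddl/allow_introspection flipped, slot 4 for `grant_option`), so a reader of the header cannot tell why 7 rather than 5 and the two numbers can drift apart silently. I would add `/// Slots: 0 = current settings, 1..3 = exactly one of readonly/allow_ddl/allow_introspection flipped, 4 = rights with grant option; keep in sync with calculateResultAccess.` above the member. The range check on `cache_index` in the .cpp is an `assert`, so it presumably only fires in builds where asserts are enabled.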
...
...
dbms/src/Access/User.cpp
...
...
@@ -10,7 +10,8 @@ bool User::equal(const IAccessEntity & other) const
return
false
;
const
auto
&
other_user
=
typeid_cast
<
const
User
&>
(
other
);
return
(
authentication
==
other_user
.
authentication
)
&&
(
allowed_client_hosts
==
other_user
.
allowed_client_hosts
)
&&
(
access
==
other_user
.
access
)
&&
(
profile
==
other_user
.
profile
);
&&
(
access
==
other_user
.
access
)
&&
(
access_with_grant_option
==
other_user
.
access_with_grant_option
)
&&
(
profile
==
other_user
.
profile
);
}
}
dbms/src/Access/User.h
...
...
@@ -16,6 +16,7 @@ struct User : public IAccessEntity
Authentication
authentication
;
AllowedClientHosts
allowed_client_hosts
{
AllowedClientHosts
::
AnyHostTag
{}};
AccessRights
access
;
AccessRights
access_with_grant_option
;
String
profile
;
bool
equal
(
const
IAccessEntity
&
other
)
const
override
;
...
...
dbms/src/Access/UsersConfigAccessStorage.cpp
...
...
@@ -144,7 +144,6 @@ namespace
user
->
access
.
fullRevoke
(
AccessFlags
::
databaseLevel
());
for
(
const
String
&
database
:
*
databases
)
user
->
access
.
grant
(
AccessFlags
::
databaseLevel
(),
database
);
user
->
access
.
grant
(
AccessFlags
::
databaseLevel
(),
"system"
);
/// Anyone has access to the "system" database.
}
if
(
dictionaries
)
...
...
@@ -156,6 +155,8 @@ namespace
else
if
(
databases
)
user
->
access
.
grant
(
AccessType
::
dictGet
,
IDictionary
::
NO_DATABASE_TAG
);
user
->
access_with_grant_option
=
user
->
access
;
return
user
;
}
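Review bot: `user->access_with_grant_option = user->access;` gives every user loaded from the users config the grant option for all of their rights, and nothing at the assignment says this is intended; since `checkGrantOption` in AccessRightsContext gates re-granting on exactly this set, the line decides who may delegate privileges and the policy should be stated where it is set. I would add `/// Users defined in the users config may grant everything they hold themselves; the config has no separate grant-option list.` above the line, or mark it as a TODO if making it configurable is planned. The enclosing function starts before the hunk. The first hunk of this file appears to remove the unconditional `databaseLevel()` grant on "system" (one deletion, no additions), which is more than the commit title describes; if that reading is right, a sentence in the commit message would help.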
...
...