Fix directory permissions for multi-directory globs. Follow-up #50559

[zvonand]

Follow-up for #50559.

Add setting ignore_access_denied_multidirectory_globs to avoid permission denied in case there are inaccessible directories/files.

Explanation

Having the following structure in user_files:

user_files/
├── data1
│   ├── f1.csv
├── data2
│   ├── f2.csv
└── test_root

Where data1, data2 are accessible by CH, but no rights to read test_root.
CH would throw:
Code: 1001. DB::Exception: std::__1::__fs::filesystem::filesystem_error: filesystem error: in directory_iterator::directory_iterator(...): Permission denied
for a query like
SELECT *, _path, _file FROM file('{data1/f1,data2/f2}.csv', CSV).

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Add setting ignore_access_denied_multidirectory_globs.

[robot-clickhouse]

This is an automated comment for commit 9e89055 with description of existing statuses. It's updated for the latest CI running

✅ Click here to open a full report in a separate page

Successful checks

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
CI running	A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR	✅ success
ClickHouse build check	Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker image for servers	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs Check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integrational tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Mergeable Check	Checks if all other necessary checks are successful	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Push to Dockerhub	The check for building and pushing the CI related docker images to docker hub	✅ success
SQLTest	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
SQLancer	Fuzzing tests that detect logical bugs with SQLancer tool	✅ success
Sqllogic	Run clickhouse on the sqllogic test set against sqlite and checks that all statements are passed	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	✅ success
Style Check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

[SmitaRKulkarni]

@zvonand : In the example, SELECT *, _path, _file FROM file('{data1/f1,data2/f2}.csv', CSV) if user doesn't have rights to data2 looks like we would just skip it without throwing any error.

[zvonand]

Looks like you're right, didn't think of this.
I'll take a look again.

Will think of a nice way to check if the checked path matches the provided glob. If not -- ignore error, otherwise throw it

[zvonand]

Turns out it's not an easy thing to implement, and I'm not sure it is worth it.
AFAIK there is no easy and good way to match string to be a prefix of regex. This would require introducing a rather complex FSM into the code. It may also be very slow, as it would be a lot of creating and modifying strings.

The question is how critical this silent ignore is?
Globs already work like this, even w/o my previous PR: for a query like SELECT *, _path, _file FROM file('{data1,data2}/{f1,f2}.csv', CSV) there will be no error thrown in case one of specified files or directories don't exist. If at least one matching file exists, it will keep silence.

[zvonand]

@SmitaRKulkarni

IMO we could append the docs with something like a glob with '/' in curly braces will ignore directories that cannot be accessed.

I don't think that making the code twice as unreadable and three times as complex is a good idea for such a small issue.
Also, it doesn't affect old workflow, it is only about {foo/bar,x/y/z} globs.

I think it is fine to set some limits for a newly introduced feature :)

[alexey-milovidov]

Throwing an exception is better than silently ignoring the files.
You can introduce a new behavior under a setting, but it should be disabled by default.

[zvonand]

Throwing an exception is better than silently ignoring the files.

In general, sure it is. But this limits the use cases, as there are often inaccessible directories where you don't need to go :).

Also, I added a docs update to this PR. It does not affect behavior prior to #50559. So I don't think it is a big deal to modify a thing that no one has used yet.

However, a setting may be a good idea. But there are already tons of them, so I'm afraid it would be difficult to find :)

[alexey-milovidov]

In the example from the description:

Where data1, data2 are accessible by CH, but no rights to read test_root.
SELECT *, _path, _file FROM file('{data1/f1,data2/f2}.csv', CSV).

Why this query will even attempt to access test_root?

[zvonand]

Why this query will even attempt to access test_root?

See this comment

tldr: because there is no way to match a regex prefix against a string (kind of "reverse" matching -- match a prefix of a regex against a given string)
Trying to do this means reinventing regex (constructing a fsm that parses regex manually, and that will definitely be big, non-optimal and error-prone for sure)

the only working approach is to just go recursively inside all directories that are there (until some estimated depth limit is hit) and match the path against a full regex

[alexey-milovidov]

Ok. So, we need to traverse the whole directory tree to match by paths (rather than by separate components). That's understandable.

[alexey-milovidov]

But it is still a problem - we are doing it the wrong way.

{x,y} - this is a generator, not a matcher.
It should iteratively generate x and y instead of constructing a regexp and matching by regexp.

[alexey-milovidov]

We will have to rewrite all of this in the future and drop the setting you've introduced :(

[zvonand]

We will have to rewrite all of this in the future and drop the setting you've introduced :(

I will do it.

[hodgesrm]

Hi @zvonand,

What is the proposed fix?
Seems as if you could parse the string, conclude there are no globs, and generate the list. This would eliminate the need to search (performance hit) and eliminate permission issues.

[zvonand]

Seems as if you could parse the string, conclude there are no globs, and generate the list. This would eliminate the need to search (performance hit) and eliminate permission issues.

Yes, exactly like this

[zvonand]

@alexey-milovidov could you please put a can be tested to #54863 (follow-up for these two PRs) ?
Let me finish this and forget about it 😃