Correct revoke for the partially granted rights.

[pufit]

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Improvements for the access checks, allowing to revoke of unpossessed rights in case the target user doesn't have the revoking grants either.
Example:

GRANT SELECT ON *.* TO user1;
REVOKE SELECT ON system.* FROM user1;

GRANT CURRENT GRANTS ON *.* TO user2;  -- by user1
REVOKE ALL ON *.* FROM user2;  -- by user1

In the example above, both user1 and user2 don't have the SELECT ON system.* permission, but the REVOKE ALL query will succeed.

Closes #58837

Documentation entry for user-facing changes

[robot-clickhouse]

This is an automated comment for commit 10e91c5 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	❌ failure
CI running	A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR	⏳ pending
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	❌ failure
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	❌ failure

Successful checks

Check name	Description	Status
A Sync	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
ClickHouse build check	Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integrational tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Mergeable Check	Checks if all other necessary checks are successful	✅ success
PR Check	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

[vitlibar]

Above your code in this function you can see the code starting with the comment:

        /// Special case for the command REVOKE: it's possible that the current user doesn't have
        /// the access granted with GRANT OPTION but it's still ok because the roles or users
        /// from whom the access rights will be revoked don't have the specified access granted either.
        ///
        /// For example, to execute
        /// GRANT ALL ON mydb.* TO role1
        /// REVOKE ALL ON *.* FROM role1
        /// the current user needs to have the grants only on the 'mydb' database.

Why isn't it enough?

[pufit]

Because there is no access element that can atomically represent GRANT ALL ON *.*; REVOKE ALL ON mydb.*;
Therefore, if we try to execute REVOKE ALL ON *.* from the user with the exact same rights, element_to_revoke will contain only REVOKE ALL ON *.* and the request will fail.

[vitlibar]

Thank you for the explanation, I see it now.

[vitlibar]

What is the point of calling current_user_access.checkGrantOption(elements_to_revoke) at the end of this function now? I mean it seems you've already checked everything in containsWithGrantOption().

[pufit]

Actually, the only reason is that I want to reuse the nice exception message from the checkGrantOption function.

[vitlibar]

Let's move throwing of this nice exception message to a separate function then maybe?

[vitlibar]

We definitely need a test for that.

[vitlibar]

It feels logically more right for this code to appear a bit earlier - before we calculate elements_to_revoke.

[vitlibar]

When you'll be adding a test please make sure you add test cases for all these paths of evaluation.

[pufit]

We definitely need a test for that.

Oops, I had written some tests but forgot to git add them 😅

[pufit]

AST fuzzer - #56640