[feature] support row policy filter (#9206)
stalary committed May 11, 2022
1 parent 289608c commit f11d32021392efa0b1f464b75718b151e665c565
Showing 32 changed files with 1,832 additions and 140 deletions.
@@ -633,6 +633,7 @@ module.exports = [
"CREATE-FUNCTION",
"CREATE-INDEX",
"CREATE-MATERIALIZED-VIEW",
"CREATE-POLICY",
"CREATE-RESOURCE",
"CREATE-SQL-BLOCK-RULE",
"CREATE-TABLE-LIKE",
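Review bot: This sidebar hunk registers only "CREATE-POLICY", yet the commit also adds DROP-POLICY and SHOW-ROW-POLICY pages; unless they are registered in a hunk not shown here, those two pages will be unreachable from the docs navigation. Suggest adding "DROP-POLICY" among the DROP entries and "SHOW-ROW-POLICY" among the SHOW entries, in both the en and zh-CN sidebars.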
@@ -633,6 +633,7 @@ module.exports = [
"CREATE-FUNCTION",
"CREATE-INDEX",
"CREATE-MATERIALIZED-VIEW",
"CREATE-POLICY",
"CREATE-RESOURCE",
"CREATE-SQL-BLOCK-RULE",
"CREATE-TABLE-LIKE",
@@ -0,0 +1,84 @@
---
{
"title": "CREATE-POLICY",
"language": "en"
}
---

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

## CREATE-POLICY

### Name

CREATE POLICY

### Description

Create security policies and explain to view the rewritten SQL.

#### 行安全策略
grammar:

```sql
CREATE ROW POLICY test_row_policy_1 ON test.table1
AS {RESTRICTIVE|PERMISSIVE} TO test USING (id in (1, 2));
```

illustrate:

- filterType:It is usual to constrict a set of policies through AND. PERMISSIVE to constrict a set of policies through OR
- Configure multiple policies. First, merge the RESTRICTIVE policy with the PERMISSIVE policy
- It is connected with AND between RESTRICTIVE AND PERMISSIVE
- It cannot be created for users root and admin

### Example

1. Create a set of row security policies

```sql
CREATE ROW POLICY test_row_policy_1 ON test.table1
AS RESTRICTIVE TO test USING (c1 = 'a');
```
```sql
CREATE ROW POLICY test_row_policy_2 ON test.table1
AS RESTRICTIVE TO test USING (c2 = 'b');
```
```sql
CREATE ROW POLICY test_row_policy_3 ON test.table1
AS PERMISSIVE TO test USING (c3 = 'c');
```
```sql
CREATE ROW POLICY test_row_policy_3 ON test.table1
AS PERMISSIVE TO test USING (c4 = 'd');
```

When we execute the query on Table1, the rewritten SQL is

```sql
select * from (select * from table1 where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd')
```

### Keywords

CREATE, POLICY

### Best Practice

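Review bot: The rewritten SQL in the example, `where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd'`, contradicts the description above it. With standard operator precedence that predicate evaluates as `(c1 = 'a' and c2 = 'b') or c3 = 'c' or c4 = 'd'`, so a row satisfying any single PERMISSIVE predicate is returned regardless of the RESTRICTIVE ones, which is the opposite of "connected with AND between RESTRICTIVE and PERMISSIVE". Either the example is missing parentheses and should read `where (c1 = 'a' and c2 = 'b') and (c3 = 'c' or c4 = 'd')`, or the rewrite really composes the two groups with OR, in which case the description (and the filtering guarantee users will rely on) is wrong; please check the planner and make the two agree. Smaller points in the same hunk: the fourth example reuses the name `test_row_policy_3` (presumably `test_row_policy_4`); the heading `#### 行安全策略` is untranslated on the English page ("Row security policy"); "illustrate:" should be "Notes:"; the filterType bullet lost the word RESTRICTIVE and should read "RESTRICTIVE: a set of policies is combined with AND; PERMISSIVE: combined with OR"; the page does not say which privilege is required to create a policy; and the "Best Practice" section is empty.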
@@ -0,0 +1,84 @@
---
{
"title": "CREATE-POLICY",
"language": "zh-CN"
}
---

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

## CREATE-POLICY

### Name

CREATE POLICY

### Description

创建安全策略,explain 可以查看改写后的 SQL。

#### 行安全策略
语法:

```sql
CREATE ROW POLICY test_row_policy_1 ON test.table1
AS {RESTRICTIVE|PERMISSIVE} TO test USING (id in (1, 2));
```

参数说明:

- filterType:RESTRICTIVE 将一组策略通过 AND 连接, PERMISSIVE 将一组策略通过 OR 连接
- 配置多个策略首先合并 RESTRICTIVE 的策略,再添加 PERMISSIVE 的策略
- RESTRICTIVE 和 PERMISSIVE 之间通过 AND 连接的
- 不允许对 root 和 admin 用户创建

### Example

1. 创建一组行安全策略

```sql
CREATE ROW POLICY test_row_policy_1 ON test.table1
AS RESTRICTIVE TO test USING (c1 = 'a');
```
```sql
CREATE ROW POLICY test_row_policy_2 ON test.table1
AS RESTRICTIVE TO test USING (c2 = 'b');
```
```sql
CREATE ROW POLICY test_row_policy_3 ON test.table1
AS PERMISSIVE TO test USING (c3 = 'c');
```
```sql
CREATE ROW POLICY test_row_policy_3 ON test.table1
AS PERMISSIVE TO test USING (c4 = 'd');
```

当我们执行对 table1 的查询时被改写后的 sql 为

```sql
select * from (select * from table1 where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd')
```

### Keywords

CREATE, POLICY

### Best Practice

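Review bot: Same two defects as the English page: the rewritten SQL `where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd'` parses as `(c1 = 'a' and c2 = 'b') or c3 = 'c' or c4 = 'd'`, which does not match "RESTRICTIVE 和 PERMISSIVE 之间通过 AND 连接" (the expected form is `(c1 = 'a' and c2 = 'b') and (c3 = 'c' or c4 = 'd')`), and the fourth CREATE statement reuses the name `test_row_policy_3`. Please also state which privilege is required to create a policy, and fill in or drop the empty "Best Practice" section.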
@@ -0,0 +1,64 @@
---
{
"title": "DROP-POLICY",
"language": "zh-CN"
}
---

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

## DROP-POLICY

### Name

DROP POLICY

### Description

删除安全策略

#### 行安全策略

语法:

```sql
DROP ROW POLICY test_row_policy_1 on table1 [FOR user];
```

### Example

1. 删除 table1 的 test_row_policy_1

```sql
DROP ROW POLICY test_row_policy_1 on table1
```

2. 删除 table1 作用于 test 的 test_row_policy_1 行安全策略

```sql
DROP ROW POLICY test_row_policy_1 on table1 for test
```

### Keywords

DROP, POLICY

### Best Practice

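Review bot: The page does not say what `DROP ROW POLICY test_row_policy_1 on table1` without `FOR user` does when the same policy name exists for several users; examples 1 and 2 imply the bare form removes every user's copy, and that should be stated explicitly. It should also state which privilege is needed to drop a policy, since a user who can drop a policy that applies to themselves can lift their own row filter. Minor: `on`/`for` are lowercase here while keywords are uppercase elsewhere, and `table1` is unqualified while CREATE uses `test.table1`; say whether a db-qualified name is accepted.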
@@ -0,0 +1,79 @@
---
{
"title": "SHOW-ROW-POLICY",
"language": "zh-CN"
}
---

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

## SHOW-POLICY

### Name

SHOW ROW POLICY

### Description

查看当前 DB 下的行安全策略

语法:

```sql
SHOW ROW POLICY [FOR user]
```

### Example

1. 查看所有安全策略。

```sql
mysql> SHOW ROW POLICY;
+-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
| PolicyName | DbName | TableName | Type | FilterType | WherePredicate | User | OriginStmt |
+-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
| test_row_policy_1 | default_cluster:test | table1 | ROW | RESTRICTIVE | `id` IN (1, 2) | root | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO root USING (id in (1, 2));
|
| test_row_policy_2 | default_cluster:test | table1 | ROW | RESTRICTIVE | `col1` = 'col1_1' | root | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_2 ON test.table1 AS RESTRICTIVE TO root USING (col1='col1_1');
|
+-------------------+----------------------+-----------+------+-------------+-------------------+------+-------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
```

2. 指定用户名查询

```sql
mysql> SHOW ROW POLICY FOR test;
+-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| PolicyName | DbName | TableName | Type | FilterType | WherePredicate | User | OriginStmt |
+-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| test_row_policy_3 | default_cluster:test | table1 | ROW | PERMISSIVE | `col1` = 'col1_2' | default_cluster:test | /* ApplicationName=DataGrip 2021.3.4 */ CREATE ROW POLICY test_row_policy_3 ON test.table1 AS PERMISSIVE TO test USING (col1='col1_2');
|
+-------------------+----------------------+-----------+------+------------+-------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.01 sec)
```


### Keywords

SHOW, POLICY

### Best Practice

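Review bot: Title mismatch: the front matter says "SHOW-ROW-POLICY" but the heading is `## SHOW-POLICY` and the keywords are `SHOW, POLICY`. More importantly, the sample output lists `test_row_policy_1` and `test_row_policy_2` created `TO root`, while the CREATE-POLICY page says policies cannot be created for root and admin, so either the restriction or the sample output is stale; please regenerate the sample against the current code. The User column is also inconsistent (`root` versus `default_cluster:test`), and the OriginStmt column echoes the client's leading comment (`/* ApplicationName=DataGrip 2021.3.4 */`), which is noise in documentation.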
@@ -55,7 +55,7 @@ SHOW SQL_BLOCK_RULE [FOR RULE_NAME];
2 rows in set (0.01 sec)
```

2. 制定规则名查询
2. 指定规则名查询

```sql
mysql> SHOW SQL_BLOCK_RULE FOR test_rule2;
@@ -36,8 +36,10 @@ public final class FeMetaVersion {
public static final int VERSION_107 = 107;
// add storage_cold_medium and remote_storage_resource_name in DataProperty
public static final int VERSION_108 = 108;
// add row policy
public static final int VERSION_109 = 109;
// note: when increment meta version, should assign the latest version to VERSION_CURRENT
public static final int VERSION_CURRENT = VERSION_108;
public static final int VERSION_CURRENT = VERSION_109;

// all logs meta version should >= the minimum version, so that we could remove many if clause, for example
// if (FE_METAVERSION < VERSION_94) ...

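Review bot: Bumping VERSION_CURRENT to VERSION_109 is the right thing for a new persisted object, but please confirm that the image and edit-log read paths for row policies are gated on `>= VERSION_109` so an FE loading an image written before this version does not fail, and note the no-downgrade implication in the release notes.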