@TCeason (Collaborator) commented Mar 16, 2023

I hereby agree to the terms of the CLA available at: https://databend.rs/dev/policies/cla/

Summary

Add some privileges:

| Privilege | Object | Plan |
| --- | --- | --- |
| Select | Database, Table | ShowCreateDatabase, UseDatabase, ShowCreateTable, DescribeTable, Query |
| Create | Global, Table | CreateUDF, CreateDatabase, CreateTable, CreateView |
| Drop | Global, Table | DropUDF, DropDatabase, UndropDatabase, DropTable, UndropTable, DropTableClusterKey, DropView |
| Alter | Global, Table | AlterUser, AlterUDF, RenameDatabase, RevertTable, AddTableColumn, DropTableColumn, AlterTableClusterKey, ReclusterTable, AlterView |
| Delete | Table | TruncateTable, Delete |
| Super | Global, Table | SetVariable, UnSetVariable, Kill, OptimizeTable, AnalyzeTable |
| Insert | Table | Insert |
| Update | Table | Update |
| CreateUser | Global | CreateUser |
| DropUser | Global | DropUser |
| CreateRole | Global | CreateRole |
| DropRole | Global | DropRole |
| Grant | Global | GrantShareObject, RevokeShareObject, AlterShareTenants, ShowObjectGrantPrivileges, ShowGrantTenantsOfShare, SetRole, ShowGrants, ShowRoles, GrantRole, GrantPriv, RevokePriv, RevokeRole |
| old_table: [Alter, Drop]; new_table: [Create, Insert] | Table | RenameTable |

The objects share, catalog, stage, and fileformat are not implemented at the grant level, so we set the object to Global.

| Privilege | Object | Plan |
| --- | --- | --- |
| Super | Global | CreateShare |
| Super | Global | DropShare |
| Super | Global | DescShare |
| Super | Global | ShowShares |
| Super | Global | Call |
| Super | Global | ShowCreateCatalog |
| Super | Global | CreateCatalog |
| Super | Global | DropCatalog |
| Super | Global | ListStage |
| Super | Global | CreateStage |
| Super | Global | DropStage |
| Super | Global | RemoveStage |
| Super | Global | CreateFileFormat |
| Super | Global | DropFileFormat |
| Super | Global | ShowFileFormats |

Plan::Copy has two items, IntoTable and IntoStage; each item needs to check different privileges.

| Privilege | Object | Plan |
| --- | --- | --- |
| Insert | Table | CopyPlan::IntoTable |
| Super | Global | CopyPlan::IntoStage |

These plans do not need to check privileges:

Presign
ExplainAst
ExplainSyntax
ExistsTable

part of #10385

@mergify bot added the pr-feature label (this PR introduces a new feature to the codebase) Mar 16, 2023
@TCeason force-pushed the modify_priv branch 2 times, most recently from 200aac6 to 74d5dff, March 16, 2023 08:35
@TCeason requested review from BohuTANG and andylokandy March 16, 2023 08:36
@TCeason force-pushed the modify_priv branch 3 times, most recently from 8627d7e to b0ee117, March 16, 2023 08:53
@BohuTANG (Member) commented:

Can we support complex privileges? Like:

> To use REPLACE, you must have both the INSERT and DELETE privileges for the table

It's INSERT&DELETE, not INSERT|DELETE.

@BohuTANG BohuTANG merged commit 5f29c7f into databendlabs:main Mar 16, 2023
@TCeason TCeason mentioned this pull request Mar 20, 2023
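
An added example, not part of the thread and not Databend's code: a sketch of a checker where every required privilege must be held (AND, not OR), covering the RenameTable row, the Copy IntoTable/IntoStage split, and the REPLACE case raised in review. The type names, the `Replace` plan, and the rule that a Global grant also covers tables are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical, simplified types for illustration; not Databend's definitions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Privilege { Create, Insert, Delete, Alter, Drop, Super }

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub enum Object { Global, Table(String) }

pub enum Plan {
    RenameTable { old_table: String, new_table: String },
    CopyIntoTable(String),
    CopyIntoStage,
    Replace(String), // hypothetical plan for the REPLACE case in the review comment
    ExplainSyntax,   // listed in the PR description as needing no privilege check
}

pub type Grants = HashMap<Object, HashSet<Privilege>>;

/// Every (object, privilege) pair the plan needs. All must hold (AND, not OR).
pub fn required(plan: &Plan) -> Vec<(Object, Privilege)> {
    use Privilege::*;
    let t = |name: &String| Object::Table(name.clone());
    match plan {
        Plan::RenameTable { old_table, new_table } => vec![
            (t(old_table), Alter), (t(old_table), Drop),
            (t(new_table), Create), (t(new_table), Insert),
        ],
        Plan::CopyIntoTable(name) => vec![(t(name), Insert)],
        Plan::CopyIntoStage => vec![(Object::Global, Super)],
        Plan::Replace(name) => vec![(t(name), Insert), (t(name), Delete)],
        Plan::ExplainSyntax => vec![],
    }
}

/// Ok(()) only if every requirement is granted; Err names the first missing one.
/// Assumption: a privilege granted on Global also covers every table.
pub fn check(grants: &Grants, plan: &Plan) -> Result<(), (Object, Privilege)> {
    let on = |o: &Object, p: &Privilege| grants.get(o).map_or(false, |s| s.contains(p));
    match required(plan).into_iter().find(|(o, p)| !on(o, p) && !on(&Object::Global, p)) {
        Some(missing) => Err(missing),
        None => Ok(()),
    }
}

fn main() {
    // Constructed sample: the user holds only Insert on table "t".
    let grants = Grants::from([(Object::Table("t".into()), HashSet::from([Privilege::Insert]))]);
    println!("{:?}", check(&grants, &Plan::Replace("t".into())));
}
```

Returning the first missing (object, privilege) pair rather than a bare boolean lets the denial message name exactly what the user lacks.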