databendlabs · BohuTANG · Mar 16, 2023 · Mar 16, 2023 · Mar 16, 2023
diff --git a/src/meta/app/src/principal/user_grant.rs b/src/meta/app/src/principal/user_grant.rs
@@ -90,13 +90,21 @@ impl GrantEntry {
         &self.privileges
     }
 
-    pub fn verify_privilege(&self, object: &GrantObject, privilege: UserPrivilegeType) -> bool {
+    pub fn verify_privilege(
+        &self,
+        object: &GrantObject,
+        privileges: Vec<UserPrivilegeType>,
+    ) -> bool {
         // the verified object should be smaller than the object inside my grant entry.
         if !self.object.contains(object) {
             return false;
         }
 
-        self.privileges.contains(privilege)
+        let mut priv_set = UserPrivilegeSet::empty();
+        for privilege in privileges {
+            priv_set.set_privilege(privilege)
+        }
+        self.privileges.contains(BitFlags::from(priv_set))
     }
 
     pub fn matches_entry(&self, object: &GrantObject) -> bool {
@@ -156,10 +164,14 @@ impl UserGrantSet {
         self.roles.remove(role);
     }
 
-    pub fn verify_privilege(&self, object: &GrantObject, privilege: UserPrivilegeType) -> bool {
+    pub fn verify_privilege(
+        &self,
+        object: &GrantObject,
+        privilege: Vec<UserPrivilegeType>,
+    ) -> bool {
         self.entries
             .iter()
-            .any(|e| e.verify_privilege(object, privilege))
+            .any(|e| e.verify_privilege(object, privilege.clone()))
     }
 
     pub fn grant_privileges(&mut self, object: &GrantObject, privileges: UserPrivilegeSet) {

diff --git a/src/meta/app/src/principal/user_privilege.rs b/src/meta/app/src/principal/user_privilege.rs
@@ -58,6 +58,10 @@ pub enum UserPrivilegeType {
     Grant = 1 << 12,
     // Privilege to Create Stage.
     CreateStage = 1 << 13,
+    // Privilege to Drop role.
+    DropRole = 1 << 14,
+    // Privilege to Drop user.
+    DropUser = 1 << 15,
     // TODO: remove this later
     Set = 1 << 4,
 }
@@ -73,7 +77,9 @@ const ALL_PRIVILEGES: BitFlags<UserPrivilegeType> = make_bitflags!(
         | Alter
         | Super
         | CreateUser
+        | DropUser
         | CreateRole
+        | DropRole
         | Grant
         | CreateStage
         | Set
@@ -93,7 +99,9 @@ impl std::fmt::Display for UserPrivilegeType {
             UserPrivilegeType::Alter => "ALTER",
             UserPrivilegeType::Super => "SUPER",
             UserPrivilegeType::CreateUser => "CREATE USER",
+            UserPrivilegeType::DropUser => "DROP USER",
             UserPrivilegeType::CreateRole => "CREATE ROLE",
+            UserPrivilegeType::DropRole => "DROP ROLE",
             UserPrivilegeType::CreateStage => "CREATE STAGE",
             UserPrivilegeType::Grant => "GRANT",
             UserPrivilegeType::Set => "SET",
@@ -121,8 +129,7 @@ impl UserPrivilegeSet {
     /// on databases and tables, and has some Global only privileges.
     pub fn available_privileges_on_global() -> Self {
         let database_privs = Self::available_privileges_on_database();
-        let privs =
-            make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | CreateRole | Grant });
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | Grant });
         (database_privs.privileges | privs).into()
     }
 

diff --git a/src/meta/app/tests/it/user_grant.rs b/src/meta/app/tests/it/user_grant.rs
@@ -99,15 +99,15 @@ fn test_user_grant_entry() -> Result<()> {
     );
     assert!(grant.verify_privilege(
         &GrantObject::Database("default".into(), "db1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grant.verify_privilege(
         &GrantObject::Database("default".into(), "db1".into()),
-        UserPrivilegeType::Insert
+        vec![UserPrivilegeType::Insert]
     ));
     assert!(grant.verify_privilege(
         &GrantObject::Database("default".into(), "db2".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
 
     let grant = GrantEntry::new(
@@ -116,15 +116,15 @@ fn test_user_grant_entry() -> Result<()> {
     );
     assert!(grant.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grant.verify_privilege(
         &GrantObject::Table("default".into(), "db2".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(grant.verify_privilege(
         &GrantObject::Database("default".into(), "db1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
 
     let grant = GrantEntry::new(
@@ -133,19 +133,19 @@ fn test_user_grant_entry() -> Result<()> {
     );
     assert!(grant.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grant.verify_privilege(
         &GrantObject::Table("default".into(), "db2".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grant.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Insert
+        vec![UserPrivilegeType::Insert]
     ));
     assert!(grant.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
 
     Ok(())
@@ -180,23 +180,23 @@ fn test_user_grant_set() -> Result<()> {
     assert_eq!(2, grants.entries().len());
     assert!(grants.verify_privilege(
         &GrantObject::Database("default".into(), "db1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grants.verify_privilege(
         &GrantObject::Database("default".into(), "db1".into()),
-        UserPrivilegeType::Select
+        vec![UserPrivilegeType::Select]
     ));
     assert!(grants.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Create
+        vec![UserPrivilegeType::Create]
     ));
     assert!(!grants.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Insert
+        vec![UserPrivilegeType::Insert]
     ));
     assert!(grants.verify_privilege(
         &GrantObject::Table("default".into(), "db1".into(), "table1".into()),
-        UserPrivilegeType::Select
+        vec![UserPrivilegeType::Select]
     ));
     Ok(())
 }
diff --git a/src/query/ast/src/parser/statement.rs b/src/query/ast/src/parser/statement.rs
@@ -1359,14 +1359,16 @@ pub fn priv_type(i: Input) -> IResult<UserPrivilegeType> {
         value(UserPrivilegeType::Insert, rule! { INSERT }),
         value(UserPrivilegeType::Update, rule! { UPDATE }),
         value(UserPrivilegeType::Delete, rule! { DELETE }),
-        value(UserPrivilegeType::Drop, rule! { DROP }),
         value(UserPrivilegeType::Alter, rule! { ALTER }),
         value(UserPrivilegeType::Super, rule! { SUPER }),
         value(UserPrivilegeType::CreateUser, rule! { CREATE ~ USER }),
+        value(UserPrivilegeType::DropUser, rule! { DROP ~ USER }),
         value(UserPrivilegeType::CreateRole, rule! { CREATE ~ ROLE }),
+        value(UserPrivilegeType::DropRole, rule! { DROP ~ ROLE }),
         value(UserPrivilegeType::Grant, rule! { GRANT }),
         value(UserPrivilegeType::CreateStage, rule! { CREATE ~ STAGE }),
         value(UserPrivilegeType::Set, rule! { SET }),
+        value(UserPrivilegeType::Drop, rule! { DROP }),
         value(UserPrivilegeType::Create, rule! { CREATE }),
     ))(i)
 }

diff --git a/src/query/ast/tests/it/testdata/statement-error.txt b/src/query/ast/tests/it/testdata/statement-error.txt
@@ -250,7 +250,7 @@ error:
   --> SQL:1:15
   |
 1 | GRANT SELECT, ALL PRIVILEGES, CREATE ON * TO 'test-grant'@'localhost';
-  | ----- ------  ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `DROP`, or 5 more ...
+  | ----- ------  ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `ALTER`, or 5 more ...
   | |     |        
   | |     while parsing <privileges> ON <privileges_level>
   | while parsing `GRANT { ROLE <role_name> | schemaObjectPrivileges | ALL [ PRIVILEGES ] ON <privileges_level> } TO { [ROLE <role_name>] | [USER] <user> }`
@@ -285,7 +285,7 @@ error:
   --> SQL:1:24
   |
 1 | REVOKE SELECT, CREATE, ALL PRIVILEGES ON * FROM 'test-grant'@'localhost';
-  | ------ ------          ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `DROP`, or 5 more ...
+  | ------ ------          ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `ALTER`, or 5 more ...
   | |      |                
   | |      while parsing <privileges> ON <privileges_level>
   | while parsing `REVOKE { ROLE <role_name> | schemaObjectPrivileges | ALL [ PRIVILEGES ] ON <privileges_level> } FROM { [ROLE <role_name>] | [USER] <user> }`