diff --git a/src/meta/app/src/principal/user_privilege.rs b/src/meta/app/src/principal/user_privilege.rs
index 37960e7a12c50..4d22e6a8cb976 100644
--- a/src/meta/app/src/principal/user_privilege.rs
+++ b/src/meta/app/src/principal/user_privilege.rs
@@ -97,36 +97,6 @@ pub enum UserPrivilegeType {
 CreateDataMask = 1 << 16,
 }
-const ALL_PRIVILEGES: BitFlags = make_bitflags!(
- UserPrivilegeType::{
- Create
- | Select
- | Insert
- | Update
- | Delete
- | Drop
- | Alter
- | Super
- | CreateUser
- | DropUser
- | CreateRole
- | DropRole
- | Grant
- | CreateStage
- | Set
- | CreateDataMask
- | CreateMaskingPolicy
- | ApplyMaskingPolicy
- | Ownership
- | Read
- | Write
- | CreateDatabase
- | CreateWarehouse
- | CreateConnection
- | AccessConnection
- }
-);
-
 impl Display for UserPrivilegeType {
 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 write!(f, "{}", match self {
@@ -345,11 +315,6 @@ impl UserPrivilegeSet {
 }
 }
- // TODO: remove this, as ALL has different meanings on different objects
- pub fn all_privileges() -> Self {
- ALL_PRIVILEGES.into()
- }
-
 pub fn set_privilege(&mut self, privilege: UserPrivilegeType) {
 self.privileges |= privilege;
 }
@@ -357,14 +322,6 @@ impl UserPrivilegeSet {
 pub fn has_privilege(&self, privilege: UserPrivilegeType) -> bool {
 self.privileges.contains(privilege)
 }
-
- pub fn set_all_privileges(&mut self) {
- self.privileges |= ALL_PRIVILEGES;
- }
-
- pub fn is_all_privileges(&self) -> bool {
- self.privileges == ALL_PRIVILEGES
- }
 }
 impl Display for UserPrivilegeSet {
diff --git a/src/meta/app/tests/it/user_privilege.rs b/src/meta/app/tests/it/user_privilege.rs
index 0966a669b4a00..dd06dd1b33d92 100644
--- a/src/meta/app/tests/it/user_privilege.rs
+++ b/src/meta/app/tests/it/user_privilege.rs
@@ -26,7 +26,7 @@ fn test_user_privilege() -> Result<()> {
 let r = privileges.has_privilege(UserPrivilegeType::Insert);
 assert!(r);
- privileges.set_all_privileges();
+ privileges |= UserPrivilegeSet::available_privileges_on_global();
 let r = privileges.has_privilege(UserPrivilegeType::Create);
 assert!(r);
diff --git a/src/query/service/src/interpreters/access/privilege_access.rs b/src/query/service/src/interpreters/access/privilege_access.rs
index 6414bf8bd8833..4b10d57c1f274 100644
--- a/src/query/service/src/interpreters/access/privilege_access.rs
+++ b/src/query/service/src/interpreters/access/privilege_access.rs
@@ -1725,7 +1725,7 @@ impl AccessChecker for PrivilegeAccess {
 .validate_access(
 &GrantObject::Global,
 UserPrivilegeType::CreateMaskingPolicy,
- false,
+ true,
 false,
 )
 .await?;
diff --git a/src/query/service/src/interpreters/interpreter_privilege_grant.rs b/src/query/service/src/interpreters/interpreter_privilege_grant.rs
index fc817198823e8..8dcf357948ed5 100644
--- a/src/query/service/src/interpreters/interpreter_privilege_grant.rs
+++ b/src/query/service/src/interpreters/interpreter_privilege_grant.rs
@@ -22,6 +22,7 @@ use databend_common_meta_app::principal::GrantObject;
 use databend_common_meta_app::principal::OwnershipObject;
 use databend_common_meta_app::principal::PrincipalIdentity;
 use databend_common_meta_app::principal::UserPrivilegeSet;
+use databend_common_meta_app::principal::UserPrivilegeType;
 use databend_common_meta_app::principal::UserPrivilegeType::Ownership;
 use databend_common_meta_app::tenant::Tenant;
 use databend_common_sql::plans::GrantPrivilegePlan;
@@ -216,7 +217,7 @@ impl Interpreter for GrantPrivilegeInterpreter {
 let plan = self.plan.clone();
- validate_grant_privileges(&plan.on, plan.priv_types)?;
+ validate_grant_privileges(&plan.principal, &plan.on, plan.priv_types)?;
 validate_grant_object_exists(&self.ctx, &plan.on).await?;
 // TODO: check user existence
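Review bot: The flipped argument in `.validate_access(&GrantObject::Global, UserPrivilegeType::CreateMaskingPolicy, true, false)` is the first of two adjacent positional booleans, so at this call site nobody can tell what was switched on without opening `validate_access`, whose signature is not in this diff; the enclosing method body also starts and ends outside the hunk. Add a trailing comment naming the parameter, e.g. `true, // <validate_access 3rd parameter>: <what it enables> — confirm against the signature`, or, if the project has one, use a named-flag enum for these two booleans.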
@@ -273,7 +274,11 @@ impl Interpreter for GrantPrivilegeInterpreter {
 /// Check if there's any privilege which can not be granted to this GrantObject.
 /// Some global privileges can not be granted to a database or table, for example,
 /// a KILL statement is meaningless for a table.
-pub fn validate_grant_privileges(object: &GrantObject, privileges: UserPrivilegeSet) -> Result<()> {
+pub fn validate_grant_privileges(
+ principal: &PrincipalIdentity,
+ object: &GrantObject,
+ privileges: UserPrivilegeSet,
+) -> Result<()> {
 let available_privileges = object.available_privileges(true);
 let ok = privileges
 .iter()
@@ -283,5 +288,26 @@ pub fn validate_grant_privileges(object: &GrantObject, privileges: UserPrivilege
 "Illegal GRANT/REVOKE command; please consult the manual to see which privileges can be used",
 ));
 }
+ if matches!(principal, PrincipalIdentity::User(_))
+ && privileges.iter().any(is_create_ownership_object_privilege)
+ {
+ return Err(ErrorCode::IllegalGrant(
+ "CREATE-like privileges cannot be granted directly to USER; please grant them to a role"
+ ));
+ }
 Ok(())
 }
+
+fn is_create_ownership_object_privilege(privilege: UserPrivilegeType) -> bool {
+ matches!(
+ privilege,
+ UserPrivilegeType::Create
+ | UserPrivilegeType::CreateStage
+ | UserPrivilegeType::CreateDatabase
+ | UserPrivilegeType::CreateWarehouse
+ | UserPrivilegeType::CreateConnection
+ | UserPrivilegeType::CreateSequence
+ | UserPrivilegeType::CreateProcedure
+ | UserPrivilegeType::CreateMaskingPolicy
+ )
+}
diff --git a/src/query/users/tests/it/role_mgr.rs b/src/query/users/tests/it/role_mgr.rs
index 738048957331b..269488d192cc4 100644
--- a/src/query/users/tests/it/role_mgr.rs
+++ b/src/query/users/tests/it/role_mgr.rs
@@ -102,7 +102,7 @@ async fn test_role_manager() -> Result<()> {
 &tenant,
 &role_name,
 GrantObject::Global,
- UserPrivilegeSet::all_privileges(),
+ UserPrivilegeSet::available_privileges_on_global(),
 )
 .await?;
 let role = role_mgr.get_role(&tenant, role_name.clone()).await?;
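Review bot: The doc comment on `validate_grant_privileges` still describes only the object-compatibility check, although the signature now takes `principal` and the body (next hunk) rejects CREATE-like privileges when the principal is a user. Extend the comment so callers learn the second rule from the docs rather than from the error string, e.g. `/// Additionally, when `principal` is a USER, CREATE-like privileges (see `is_create_ownership_object_privilege`) are rejected with `ErrorCode::IllegalGrant`; they must be granted to a role.`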
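Review bot: The new `PrincipalIdentity::User(_)` check runs for every caller of `validate_grant_privileges`, and the existing message right above it ("Illegal GRANT/REVOKE command …") indicates the function is shared with REVOKE; if the revoke interpreter calls it too (that call site is not in this diff), `REVOKE CREATE ON *.* FROM USER x` is now refused with a message claiming the privilege "cannot be granted", so user-level CREATE grants that already exist from before this change — exactly the ones the test scripts in this commit stop issuing — could never be cleaned up. Keep the shared availability check as is and move the user-principal rule into a helper that only the grant path calls, or have the revoke path skip it explicitly. `is_create_ownership_object_privilege` is also a hand-maintained list with no doc comment: `CreateDataMask` (visible in the enum at the top of the first hunk of this diff) is absent while `CreateMaskingPolicy` is present, and `CreateUser`/`CreateRole` are absent, so the membership rule should be written down, e.g. `/// Privileges whose CREATE assigns OWNERSHIP of the new object to the grantee's current role; presumably that is why they may only be held by a role — confirm.`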
@@ -118,7 +118,7 @@ async fn test_role_manager() -> Result<()> {
 &tenant,
 &role_name,
 GrantObject::Global,
- UserPrivilegeSet::all_privileges(),
+ UserPrivilegeSet::available_privileges_on_global(),
 )
 .await?;
diff --git a/src/query/users/tests/it/user_mgr.rs b/src/query/users/tests/it/user_mgr.rs
index bebd10516c646..1342e84c773b4 100644
--- a/src/query/users/tests/it/user_mgr.rs
+++ b/src/query/users/tests/it/user_mgr.rs
@@ -162,7 +162,7 @@ async fn test_user_manager() -> Result<()> {
 &tenant,
 user_info.identity(),
 GrantObject::Global,
- UserPrivilegeSet::all_privileges(),
+ UserPrivilegeSet::available_privileges_on_global(),
 )
 .await?;
 let user_info = user_mgr.get_user(&tenant, user_info.identity()).await?;
@@ -173,7 +173,7 @@ async fn test_user_manager() -> Result<()> {
 &tenant,
 user_info.identity(),
 GrantObject::Global,
- UserPrivilegeSet::all_privileges(),
+ UserPrivilegeSet::available_privileges_on_global(),
 )
 .await?;
 let user_info = user_mgr.get_user(&tenant, user_info.identity()).await?;
diff --git a/tests/nox/java_client/prepare.py b/tests/nox/java_client/prepare.py
index 0276ac0638abb..8ccfe518be54f 100644
--- a/tests/nox/java_client/prepare.py
+++ b/tests/nox/java_client/prepare.py
@@ -2,6 +2,7 @@ from pathlib import Path
 import requests
 from requests.auth import HTTPBasicAuth
+import time
 def main():
@@ -29,21 +30,62 @@ def download_jdbc(version):
 resp.raise_for_status()
 target.write_bytes(resp.content)
-
 def create_user():
 requests.post(
 "http://localhost:8000/v1/query/",
 auth=HTTPBasicAuth("root", ""),
 headers={"Content-Type": "application/json"},
- json={"sql": "CREATE USER IF NOT EXISTS databend IDENTIFIED BY 'databend'"},
+ json={"sql": "DROP USER IF EXISTS databend"},
 ).raise_for_status()
 requests.post(
 "http://localhost:8000/v1/query/",
 auth=HTTPBasicAuth("root", ""),
 headers={"Content-Type": "application/json"},
- json={"sql": "GRANT ALL ON *.* TO databend"},
+ json={"sql": "DROP ROLE IF EXISTS test_jdbc"},
+ ).raise_for_status()
+ requests.post(
+ "http://localhost:8000/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "CREATE USER databend IDENTIFIED BY 'databend' with default_role='test_jdbc'"},
+ ).raise_for_status()
+ requests.post(
+ "http://localhost:8000/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "CREATE ROLE test_jdbc"},
+ ).raise_for_status()
+ requests.post(
+ "http://localhost:8000/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "GRANT ALL ON *.* TO ROLE test_jdbc"},
+ ).raise_for_status()
+ requests.post(
+ "http://localhost:8000/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "GRANT ROLE test_jdbc TO USER databend"},
+ ).raise_for_status()
+ time.sleep(16)
+ requests.post(
+ "http://localhost:8001/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "SHOW GRANTS FOR USER databend"},
+ ).raise_for_status()
+ requests.post(
+ "http://localhost:8002/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "SHOW GRANTS FOR USER databend"},
+ ).raise_for_status()
+ requests.post(
+
"http://localhost:8003/v1/query/",
+ auth=HTTPBasicAuth("root", ""),
+ headers={"Content-Type": "application/json"},
+ json={"sql": "SHOW GRANTS FOR USER databend"},
 ).raise_for_status()
-
 def download_testng():
 urls = [
diff --git a/tests/sqllogictests/suites/base/06_show/06_0007_show_roles.test b/tests/sqllogictests/suites/base/06_show/06_0007_show_roles.test
index bd1ac393c55fc..8a2fb02ed5545 100644
--- a/tests/sqllogictests/suites/base/06_show/06_0007_show_roles.test
+++ b/tests/sqllogictests/suites/base/06_show/06_0007_show_roles.test
@@ -61,9 +61,6 @@ grant role b to role a;
 statement ok
 grant role a to a;
-statement ok
-grant create database on *.* to a;
-
 statement ok
 set enable_expand_roles=1;
@@ -87,7 +84,7 @@ select grants from show_grants('user', 'a') order by object_id;
 GRANT SELECT ON 'default'.'default'.'t' TO 'a'@'%'
 GRANT OWNERSHIP ON 'default'.'default'.'t' TO 'a'@'%'
 GRANT OWNERSHIP ON 'default'.'default'.'t1' TO 'a'@'%'
-GRANT SELECT,INSERT,CREATE DATABASE ON *.* TO 'a'@'%'
+GRANT SELECT,INSERT ON *.* TO 'a'@'%'
 statement ok
 set enable_expand_roles=0;
@@ -114,7 +111,6 @@ select grants from show_grants('user', 'a') order by object_id;
 GRANT ROLE a to 'a'@'%'
 GRANT ROLE b to 'a'@'%'
 GRANT ROLE public to 'a'@'%'
-GRANT CREATE DATABASE ON *.* TO 'a'@'%'
 statement ok
 unset enable_expand_roles;
diff --git a/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh b/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh
index be036ff7d3f06..9e8489b4f0e21 100755
--- a/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh
+++ b/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh
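Review bot: `time.sleep(16)` followed by three `SHOW GRANTS FOR USER databend` posts that only call `.raise_for_status()` does not verify that the role grant reached the nodes on 8001–8003: an HTTP 200 comes back whether or not `test_jdbc` is in the grant list, so the fixed delay is the only thing standing between this setup and a flaky JDBC run, and it always costs 16 s even when propagation is instant. Replace the sleep and the three copy-pasted blocks with a bounded poll per node that inspects the response body and fails loudly on timeout; the `/v1/query/` response layout is not visible in this diff, so the substring test below is a placeholder to confirm against the real schema. `create_user` begins in this hunk and the rest of its body is unchanged.
```python
def wait_for_grant(port, role, attempts=30, delay=1.0):
    """Poll SHOW GRANTS on one node until `role` shows up, or fail after `attempts`."""
    for _ in range(attempts):
        resp = requests.post(
            f"http://localhost:{port}/v1/query/",
            auth=HTTPBasicAuth("root", ""),
            headers={"Content-Type": "application/json"},
            json={"sql": "SHOW GRANTS FOR USER databend"},
        )
        resp.raise_for_status()
        if role in resp.text:  # placeholder check — confirm the response schema
            return
        time.sleep(delay)
    raise RuntimeError(f"role {role} not visible on port {port} after {attempts} attempts")

# … unchanged: DROP USER / DROP ROLE / CREATE USER / CREATE ROLE / GRANT ALL / GRANT ROLE posts …
for port in (8001, 8002, 8003):
    wait_for_grant(port, "test_jdbc")
```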
@@ -135,7 +135,7 @@ echo "create role drop_role;" | $BENDSQL_CLIENT_CONNECT echo "create role drop_role1;" | $BENDSQL_CLIENT_CONNECT echo "create user u1 identified by '123' with DEFAULT_ROLE='drop_role'" | $BENDSQL_CLIENT_CONNECT echo "grant role drop_role to u1;" | $BENDSQL_CLIENT_CONNECT -echo "grant create database on *.* to u1;" | $BENDSQL_CLIENT_CONNECT +echo "grant create database on *.* to role drop_role;" | $BENDSQL_CLIENT_CONNECT export USER_U1_CONNECT="bendsql --user=u1 --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}" echo "create database a" | $USER_U1_CONNECT diff --git a/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.result b/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.result index e40ab99fb02c5..8d77615023a70 100644 --- a/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.result +++ b/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.result 
@@ -16,14 +16,14 @@ 1 >>>> revoke create on default.* from role role1 need failed: with 1063 -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1,role2] need failed: with 1063 -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1,role2] >>>> grant ownership on default.v_t_owner to role role1 >>>> create view v_t as select * from t >>>> create view v_t_union as select * from t union all select * from t_owner 'select * from v_t order by id' failed. -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1,role2] >>>> grant select on default.v_t to owner >>>> grant select on default.v_t_union to owner 1 
@@ -43,7 +43,7 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is req === create view as select view === >>>> revoke select on default.v_t from owner >>>> grant select on default.t to owner -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1,role2] >>>> grant select on default.v_t to owner >>>> grant select on default.t to owner >>>> grant select on default.v_t1 to owner diff --git a/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.sh b/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.sh index 8548a0ec0980b..0f070299d49a0 100755 --- a/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.sh +++ b/tests/suites/0_stateless/18_rbac/18_0004_view_privilege.sh @@ -26,8 +26,15 @@ echo 'create table t_owner(c1 int)' | $TEST_USER_CONNECT echo 'insert into t_owner values(2)' | $TEST_USER_CONNECT stmt 'revoke create on default.* from role role1' +echo 'drop role if exists role2' | $BENDSQL_CLIENT_CONNECT +echo 'create role role2' | $BENDSQL_CLIENT_CONNECT +echo 'grant create on default.* to role role2' | $BENDSQL_CLIENT_CONNECT +echo 'grant role role2 to owner' | $BENDSQL_CLIENT_CONNECT +echo 'alter user owner with default_role=role2' | $BENDSQL_CLIENT_CONNECT + echo 'need failed: with 1063' echo 'create view v_t as select * from t' | $TEST_USER_CONNECT + echo 'need failed: with 1063' echo 'create view v_t_union as select * from t union all select * from t_owner' | $TEST_USER_CONNECT echo 'create view v_t_owner as select * from t_owner' | $TEST_USER_CONNECT 
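Review bot: The five new setup lines use `echo '…' | $BENDSQL_CLIENT_CONNECT` while the line directly above them uses the script's `stmt` helper (`stmt 'revoke create on default.* from role role1'`), and the cleanup hunk at @@ -67,3 does the same next to `stmt 'drop role if exists role1'`. Mixing the two makes the `.result` harder to read, since only `stmt`-issued statements appear to produce the `>>>>` echo lines seen in the expected output (the helper's body is not in this diff, so treat that as an inference). Use the helper for the new statements as well, e.g. `stmt 'drop role if exists role2'` and `stmt 'grant role role2 to owner'`, and regenerate the expected output.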
@@ -67,3 +74,4 @@ stmt 'drop view if exists v_t_union' stmt 'drop view if exists v_t1' stmt 'drop user if exists owner' stmt 'drop role if exists role1' +echo 'drop role if exists role2' | $BENDSQL_CLIENT_CONNECT diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result index 03362b734c4f8..ec268ea2684c6 100644 --- a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result +++ b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result 
@@ -113,19 +113,19 @@ Error: APIError: QueryFailed: [1063]Permission denied: No privilege on database Error: APIError: QueryFailed: [1063]Permission denied: No privilege on table root_table for user b. Error: APIError: QueryFailed: [1063]Permission denied: No privilege on table root_table for user b. 1 1 -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public] -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'b'@'%' with roles [public] -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object -Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public,role_test_b] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. 
Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'b'@'%' with roles [public,role_test_b] +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public,role_test_b] 0 1 a b/data_UUID_0000_00000000.parquet 1 0 NULL NULL === check db/table_id === Read s3 USER b GRANT Read ON STAGE s3 TO 'b'@'%' -CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT system USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%' +CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT,INSERT,DELETE default.default.t USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%' SELECT default.default.t1 USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%' SELECT,INSERT default.c.t USER b GRANT SELECT,INSERT ON 'default'.'c'.'t' TO 'b'@'%' 
@@ -133,8 +133,8 @@ OWNERSHIP default.default.t2 USER b GRANT OWNERSHIP ON 'default'.'default'.'t2' 1 1 Read s3 USER b GRANT Read ON STAGE s3 TO 'b'@'%' -CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT system USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%' +CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT,INSERT,DELETE default.default.t USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%' SELECT default.default.t1 USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%' SELECT,INSERT default.c.t1 USER b GRANT SELECT,INSERT ON 'default'.'c'.'t1' TO 'b'@'%' @@ -143,8 +143,8 @@ OWNERSHIP default.default.t2 USER b GRANT OWNERSHIP ON 'default'.'default'.'t2' 1 2 Read s3 USER b GRANT Read ON STAGE s3 TO 'b'@'%' -CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT system USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%' +CREATE default USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%' SELECT,INSERT,DELETE default.default.t USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%' SELECT default.default.t1 USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%' SELECT,INSERT default.d.t1 USER b GRANT SELECT,INSERT ON 'default'.'d'.'t1' TO 'b'@'%' diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh index 980ff964f22f8..c2870a158329f 100755 --- a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh +++ b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh 
@@ -238,7 +238,11 @@ echo "drop stage if exists s3;" | $BENDSQL_CLIENT_CONNECT echo "create table t(id int)" | $BENDSQL_CLIENT_CONNECT echo "create table t1(id int)" | $BENDSQL_CLIENT_CONNECT -echo "grant create on default.* to b" | $BENDSQL_CLIENT_CONNECT +echo "drop role if exists role_test_b" | $BENDSQL_CLIENT_CONNECT +echo "create role role_test_b" | $BENDSQL_CLIENT_CONNECT +echo "grant role role_test_b to b" | $BENDSQL_CLIENT_CONNECT +echo "grant create on default.* to role role_test_b" | $BENDSQL_CLIENT_CONNECT +echo "alter user b with default_role=role_test_b" | $BENDSQL_CLIENT_CONNECT echo "grant insert, delete on default.t to b" | $BENDSQL_CLIENT_CONNECT echo "grant select on system.* to b" | $BENDSQL_CLIENT_CONNECT @@ -328,4 +332,5 @@ echo "SET variable a = 'a';" | $USER_C_CONNECT echo "set global max_threads=1000;" | $USER_C_CONNECT 2>&1 | grep "Super" | wc -l echo "unset global max_threads;" | $USER_C_CONNECT 2>&1 | grep "Super" | wc -l echo "drop user if exists c" | $BENDSQL_CLIENT_CONNECT +echo "drop role if exists role_test_b" | $BENDSQL_CLIENT_CONNECT echo "=== set privilege check succ ===" diff --git a/tests/suites/0_stateless/18_rbac/18_0009_set_role.result b/tests/suites/0_stateless/18_rbac/18_0009_set_role.result index 67d75ed97c993..e860c0890bbcd 100644 --- a/tests/suites/0_stateless/18_rbac/18_0009_set_role.result +++ b/tests/suites/0_stateless/18_rbac/18_0009_set_role.result 
@@ -44,4 +44,3 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [CreateDatabase Error: APIError: QueryFailed: [1063]Permission denied: privilege [CreateDatabase] is required on *.* for user 'test_c'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object OWNERSHIP db_c ROLE role_c GRANT OWNERSHIP ON 'default'.'db_c'.* TO ROLE `role_c` OWNERSHIP db_d ROLE role_c GRANT OWNERSHIP ON 'default'.'db_d'.* TO ROLE `role_c` -OWNERSHIP db_e ROLE public GRANT OWNERSHIP ON 'default'.'db_e'.* TO ROLE `public` diff --git a/tests/suites/0_stateless/18_rbac/18_0009_set_role.sh b/tests/suites/0_stateless/18_rbac/18_0009_set_role.sh index cb578a5d96a24..5faa383d40bcd 100755 --- a/tests/suites/0_stateless/18_rbac/18_0009_set_role.sh +++ b/tests/suites/0_stateless/18_rbac/18_0009_set_role.sh @@ -101,7 +101,12 @@ echo 'SET ROLE role_c;SET SECONDARY ROLES ALL;create database db_d' | $TEST_C_CO echo "show grants for role role_c where object_name in ('db_c', 'db_d')" | $TEST_C_CONNECT | awk -F ' ' '{$3=""; print $0}' echo 'revoke ROLE `role_c` from test_c' | $BENDSQL_CLIENT_CONNECT -echo 'grant all on *.* to test_c' | $BENDSQL_CLIENT_CONNECT +echo 'drop ROLE if exists `role_test`' | $BENDSQL_CLIENT_CONNECT +echo 'create ROLE `role_test`' | $BENDSQL_CLIENT_CONNECT +echo 'grant all on *.* to role `role_test`' | $BENDSQL_CLIENT_CONNECT +echo 'grant ROLE `role_test` to test_c' | $BENDSQL_CLIENT_CONNECT +echo "alter user test_c with default_role='role_test'" | $BENDSQL_CLIENT_CONNECT + echo 'create database db_e' | $TEST_C_CONNECT echo "show grants for role public where object_name in ('db_e')" | $TEST_C_CONNECT | awk -F ' ' '{$3=""; print $0}' 
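Review bot: After this hunk `db_e` is created while test_c's default role is `role_test`, so its ownership no longer lands on `public` and the `.result` drops the `OWNERSHIP db_e ROLE public` row — but the only check that follows is still `show grants for role public where object_name in ('db_e')`, which now prints nothing, and empty output cannot distinguish "ownership went to role_test" from "create database db_e failed". Add the positive assertion alongside it, e.g. `echo "show grants for role role_test where object_name in ('db_e')" | $TEST_C_CONNECT | awk -F ' ' '{$3=""; print $0}'`, and record the expected OWNERSHIP row for role_test in the `.result`.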
@@ -110,3 +115,4 @@ echo 'drop database if exists db_d' | $BENDSQL_CLIENT_CONNECT echo 'drop database if exists db_e' | $BENDSQL_CLIENT_CONNECT echo "DROP USER if exists 'test_c';" | $BENDSQL_CLIENT_CONNECT echo "DROP role if exists 'role_c';" | $BENDSQL_CLIENT_CONNECT +echo 'drop ROLE if exists `role_test`' | $BENDSQL_CLIENT_CONNECT diff --git a/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.result b/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.result index e150ad29b109f..bcd84c9cd2107 100644 --- a/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.result +++ b/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.result @@ -21,7 +21,7 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [CreateSequence 3 --- transform seq2'ownership from role1 to role2 --- --- USER failed to desc conn seq2, seq2 role is role2 --- -Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq2 for user 'b'@'%' with roles [public,role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq2 for user 'b'@'%' with roles [public,role1,role_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object 2 --- only return one row seq2 --- 1 
@@ -33,7 +33,7 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence --- return three rows seq1,2,3 --- 3 --- user b can not drop sequence seq2 --- -Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq2 for user 'b'@'%' with roles [public,role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq2 for user 'b'@'%' with roles [public,role1,role_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq2 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq2 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq2 
@@ -47,8 +47,8 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq3 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq1 for user c Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS SEQUENCE is required on sequence seq3 for user c -Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq1 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Object -Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq3 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq1 for user 'c'@'%' with roles [public,role2,role3,role_c]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence] is required on SEQUENCE seq3 for user 'c'@'%' with roles [public,role2,role3,role_c]. Note: Please ensure that your current role have the appropriate permissions to create a new Object --- user b can drop/use sequence seq1,3 --- 1 1 
@@ -66,7 +66,7 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessSequence 4 1 OWNERSHIP seq1 NULL ROLE role1 OWNERSHIP seq3 NULL ROLE role1 -CREATE SEQUENCE *.* NULL ROLE role1 GRANT CREATE SEQUENCE ON *.* TO ROLE `role1` +CREATE,CREATE SEQUENCE *.* NULL ROLE role1 GRANT CREATE,CREATE SEQUENCE ON *.* TO ROLE `role1` OWNERSHIP seq3 NULL ROLE role1 GRANT OWNERSHIP ON SEQUENCE seq3 TO ROLE `role1` --- user c can drop/use sequence seq2 --- 1 diff --git a/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.sh b/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.sh index 8ad506a630dd2..72838b050eeef 100755 --- a/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.sh +++ b/tests/suites/0_stateless/18_rbac/18_0016_seq_rbac.sh @@ -9,7 +9,7 @@ export USER_B_CONNECT="bendsql --user=b --password=123 --host=${QUERY_MYSQL_HAND export USER_C_CONNECT="bendsql --user=c --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}" for seq in $(echo "select name from show_sequences();" | $BENDSQL_CLIENT_CONNECT); do - echo "drop sequence if exists $seq;" | $BENDSQL_CLIENT_CONNECT + echo "drop sequence if exists `$seq`;" | $BENDSQL_CLIENT_CONNECT done echo "=== OLD LOGIC: user has super privileges can operator all sequences with enable_experimental_sequence_privilege_check=0 ===" 
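Review bot: The backticks in `echo "drop sequence if exists `$seq`;"` sit inside a double-quoted string, so bash treats `` `$seq` `` as command substitution rather than as SQL identifier quoting: each name returned by `show_sequences()` is run as a local shell command and its output (normally nothing, plus a "command not found" on stderr) is spliced into the statement, so the server most likely receives `drop sequence if exists ;` and the cleanup loop silently stops working. Escape them so the literal backticks reach bendsql: `echo "drop sequence if exists \`$seq\`;" | $BENDSQL_CLIENT_CONNECT`.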
@@ -23,12 +23,21 @@ echo "drop role if exists role2;" | $BENDSQL_CLIENT_CONNECT echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT echo "drop user if exists b;" | $BENDSQL_CLIENT_CONNECT echo "drop user if exists c;" | $BENDSQL_CLIENT_CONNECT -echo "create user a identified by '123';" | $BENDSQL_CLIENT_CONNECT -echo "create user b identified by '123';" | $BENDSQL_CLIENT_CONNECT -echo "create user c identified by '123';" | $BENDSQL_CLIENT_CONNECT -echo "grant super on *.* to a;" | $BENDSQL_CLIENT_CONNECT -echo "grant select, insert, create on *.* to b" | $BENDSQL_CLIENT_CONNECT -echo "grant select, insert, create on *.* to c" | $BENDSQL_CLIENT_CONNECT +echo "create user a identified by '123' with default_role='role_a';" | $BENDSQL_CLIENT_CONNECT +echo "create user b identified by '123' with default_role='role_b';" | $BENDSQL_CLIENT_CONNECT +echo "create user c identified by '123' with default_role='role_c';" | $BENDSQL_CLIENT_CONNECT +echo "drop role if exists role_a;" | $BENDSQL_CLIENT_CONNECT +echo "drop role if exists role_b;" | $BENDSQL_CLIENT_CONNECT +echo "drop role if exists role_c;" | $BENDSQL_CLIENT_CONNECT +echo "create role if not exists role_a;" | $BENDSQL_CLIENT_CONNECT +echo "create role if not exists role_b;" | $BENDSQL_CLIENT_CONNECT +echo "create role if not exists role_c;" | $BENDSQL_CLIENT_CONNECT +echo "grant role role_a to a;" | $BENDSQL_CLIENT_CONNECT +echo "grant role role_b to b;" | $BENDSQL_CLIENT_CONNECT +echo "grant role role_c to c;" | $BENDSQL_CLIENT_CONNECT +echo "grant super on *.* to role role_a;" | $BENDSQL_CLIENT_CONNECT +echo "grant select, insert, create on *.* to role role_b" | $BENDSQL_CLIENT_CONNECT +echo "grant select, insert, create on *.* to role role_c" | $BENDSQL_CLIENT_CONNECT echo "drop table if exists tmp_b;" | $BENDSQL_CLIENT_CONNECT echo "drop table if exists tmp_b1;" | $BENDSQL_CLIENT_CONNECT echo "drop table if exists tmp_b2;" | $BENDSQL_CLIENT_CONNECT 
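Review bot: The three `create user … with default_role='role_X'` lines run before `role_a`/`role_b`/`role_c` are dropped and re-created, so each user is created pointing at a role that either does not exist yet or is about to be dropped a few lines later; whether CREATE USER validates the default role is not visible here, and because the script discards these statements' output a rejection would only surface as a confusing permission error further down. Move the `drop role if exists …` / `create role if not exists …` lines above the `create user` lines and keep `grant role … to …` after both, matching the order used by 18_0007_privilege_access.sh in this same commit, which creates the role before assigning it as the user's default.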
@@ -69,9 +78,10 @@ echo "drop role if exists role3;" | $BENDSQL_CLIENT_CONNECT echo "create role role1;" | $BENDSQL_CLIENT_CONNECT echo "create role role2;" | $BENDSQL_CLIENT_CONNECT echo "create role role3;" | $BENDSQL_CLIENT_CONNECT -echo "grant create sequence on *.* to role role1;" | $BENDSQL_CLIENT_CONNECT +echo "grant create sequence, create on *.* to role role1;" | $BENDSQL_CLIENT_CONNECT echo "grant role role1 to b;" | $BENDSQL_CLIENT_CONNECT echo "--- USER b failed to create conn seq1 because current role is public, can not create ---" +echo "alter user b with default_role='public';" | $BENDSQL_CLIENT_CONNECT echo "CREATE sequence seq1" | $USER_B_CONNECT echo "alter user b with default_role='role1';" | $BENDSQL_CLIENT_CONNECT @@ -116,7 +126,7 @@ echo "show grants on sequence seq2;" | $USER_B_CONNECT echo "--- revoke access sequence from role3 , thne user c can not drop/use sequence seq1,3 ---" echo "revoke access sequence on sequence seq1 from role role3;" | $BENDSQL_CLIENT_CONNECT echo "revoke access sequence on sequence seq3 from role role3;" | $BENDSQL_CLIENT_CONNECT -echo "grant select, insert, create on *.* to c" | $BENDSQL_CLIENT_CONNECT +echo "grant select, insert, create on *.* to role role_c" | $BENDSQL_CLIENT_CONNECT echo "INSERT INTO tmp_b values(nextval(seq1));" | $USER_C_CONNECT echo "INSERT INTO tmp_b values(nextval(seq3));" | $USER_C_CONNECT echo "INSERT INTO tmp_b select nextval(seq1) from numbers(2);" | $USER_C_CONNECT diff --git a/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.result b/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.result index f865577c3ff20..9ecd3ed0bc561 100644 --- a/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.result +++ b/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.result 
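Review bot: `grant create sequence, create on *.* to role role1` widens role1's global privileges with CREATE, and the `.result` now expects `CREATE,CREATE SEQUENCE` for role1, but nothing in the diff explains why CREATE SEQUENCE alone no longer suffices for `CREATE sequence seq1`; none of the Rust hunks touch the sequence access check. Either the extra privilege is unnecessary and should be dropped so the test keeps its grants minimal, or the requirement really changed and deserves a one-line comment above the grant, e.g. `# CREATE is required in addition to CREATE SEQUENCE because … — confirm`. The added `alter user b with default_role='public';` before the "current role is public" case is fine, since b's default role is now `role_b` from the earlier hunk.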
@@ -16,8 +16,8 @@ >>>> GRANT ROLE role_mask_create TO mask_create >>>> CREATE USER mask_desc IDENTIFIED BY '123' with default_role='mask_desc' #### create privilege requires CREATE MASKING POLICY -Error: APIError: QueryFailed: [1063]Permission denied: privilege [CreateMaskingPolicy] is required on *.* for user 'mask_create'@'%' with roles [public,role_mask_create]. Note: Please ensure that your current role have the appropriate permissions to create a new Object ->>>> GRANT CREATE MASKING POLICY ON *.* TO USER mask_create +Error: APIError: QueryFailed: [1063]Permission denied: privilege [CreateMaskingPolicy] is required on *.* for user 'mask_create'@'%' with roles [role_mask_create]. Note: Please ensure that your current role have the appropriate permissions to create a new Object +>>>> GRANT CREATE MASKING POLICY ON *.* TO role role_mask_create >>>> CREATE MASKING POLICY mask_email AS (val STRING) RETURNS STRING -> 'EMAIL' Error: APIError: QueryFailed: [1063]Permission denied: APPLY MASKING POLICY or OWNERSHIP is required on MASKING POLICY mask_phone for user 'mask_apply'@'%' 1 diff --git a/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.sh b/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.sh index d3232754dc5ea..ad636c5047aab 100755 --- a/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.sh +++ b/tests/suites/5_ee/10_rbac/10_0001_masking_policy_rbac.sh 
@@ -29,7 +29,7 @@ export USER_MASK_APPLY="bendsql --user=mask_apply --password=123 --host=${QUERY_ comment "create privilege requires CREATE MASKING POLICY" echo "CREATE MASKING POLICY mask_phone AS (val STRING) RETURNS STRING -> concat('***', right(val, 2));" | $USER_MASK_CREATE -stmt "GRANT CREATE MASKING POLICY ON *.* TO USER mask_create" +stmt "GRANT CREATE MASKING POLICY ON *.* TO role role_mask_create" echo "CREATE MASKING POLICY mask_phone AS (val STRING) RETURNS STRING -> concat('***', right(val, 2));" | $USER_MASK_CREATE stmt "CREATE MASKING POLICY mask_email AS (val STRING) RETURNS STRING -> 'EMAIL'" #expect failure for user without privileges