[ISSUE-2894][PATCH-1] Add parser on GRANT .. TO database.table

[flaneur2020]

I hereby agree to the terms of the CLA available at: https://databend.rs/policies/cla/

Summary

• add parser about grant privilege on database.table
• add GrantObject in the grant plan
• sanity check on interpreting the grant privilege plan
• test cases on the sanity check

maybe in another PR:

• grant user privilege on database & tables logic in the user manager

Changelog

• Improvement

Related Issues

Fixes #2894

Test Plan

Unit Tests

Stateless Tests

[databend-bot]

Thanks for the contribution!
I have applied any labels matching special text in your PR Changelog.

Please review the labels and make any necessary changes.

[codecov-commenter]

Codecov Report

Merging #2901 (a232378) into main (9565a41) will increase coverage by 0%.
The diff coverage is 73%.

@@          Coverage Diff           @@
##            main   #2901    +/-   ##
======================================
  Coverage     68%     68%            
======================================
  Files        635     636     +1     
  Lines      33599   33680    +81     
======================================
+ Hits       22885   23006   +121     
+ Misses     10714   10674    -40     

Impacted Files	Coverage Δ
...ry/src/interpreters/interpreter_grant_privilege.rs	64% <33%> (-16%)	⬇️
common/meta/types/src/grant_object.rs	40% <40%> (ø)
query/src/sql/statements/statement_grant.rs	75% <66%> (-17%)	⬇️
query/src/sql/sql_parser_test.rs	79% <81%> (+<1%)	⬆️
query/src/sql/sql_parser.rs	84% <95%> (+<1%)	⬆️
common/planners/src/plan_grant_privilege.rs	88% <100%> (+1%)	⬆️
metasrv/src/meta_service/network.rs	78% <0%> (+1%)	⬆️
query/src/catalogs/catalog.rs	36% <0%> (+4%)	⬆️
common/base/src/http_shutdown_handlers.rs	49% <0%> (+40%)	⬆️
metasrv/src/api/http_service.rs	72% <0%> (+62%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9565a41...a232378. Read the comment docs.

[BohuTANG]

How these codes is shown in this patch, I rember that it's in another patch

[flaneur2020]

in the earlier days there's only exists_database but no exists_table yet, there's another PR working on this?

if it's true i'd avoid adding exists_table func in this PR to avoid conflicting q.q

[flaneur2020]

I've reverted the changes on the catalog trait, plz help review again

[BohuTANG]

There is a suggesstion and a question:

Suggesstion:
It would be nice to do add an exists_table method to the Catalog trait (failed on code reusing on meeting an warning about in another patch not this one.

Question:
From my understand, the privileges is grant to the role not the user, in this patch it still grant to user, we will do it in another patch(like the ... create role... patch) in future?

[flaneur2020]

From my understand, the privileges is grant to the role not the user, in this patch it still grant to user,

the privileges is both granted to the user and role? 🤔 in mysql the privileges one user finally gets is the privileges she directly get granted add the user's roles' privileges

we will do it in another patch(like the ... create role... patch) in future?

yes, we'd also add the logic about grant the privileges to roles in the future pull requests

[BohuTANG]

From my understand, the privileges is grant to the role not the user, in this patch it still grant to user,

the privileges is both granted to the user and role? thinking in mysql the privileges one user finally gets is the privileges she directly get granted add the user's roles' privileges

Privileges are granted to roles, and roles are granted to users.

the privileges is both granted to the user and role? -- This is for forward compatibility, they had no role before.

we will do it in another patch(like the ... create role... patch) in future?

yes, we'd also add the logic about grant the privileges to roles in the future pull requests

[BohuTANG]

in mysql the privileges one user finally gets is the privileges she directly get granted add the user's roles' privileges

Not true.
Thinking a case:
if a role is dropped, the user role is drop and his pivileges has gone also, not revoke the privileges from the user.

Updated:
I misunderstood it, sorry

[flaneur2020]

in mysql the privileges one user finally gets is the privileges she directly get granted add the user's roles' privileges

Not true. Thinking a case: if a role is dropped, the user role is drop and his pivileges has gone also, not revoke the privileges from the user.

it's right, when a role is dropped, the user stil has his own privileges left:

consider a scenary like a user has got a role with CREATE ON db1 privilege, and SELECT ON db2 which directly granted to the user.

after dropping the role, she stil remains the SELECT privilege on db2

[BohuTANG]

in mysql the privileges one user finally gets is the privileges she directly get granted add the user's roles' privileges
Not true. Thinking a case: if a role is dropped, the user role is drop and his pivileges has gone also, not revoke the privileges from the user.

it's right, when a role is dropped, the user stil has his own privileges left:

consider a scenary like a user has got a role with CREATE ON db1 privilege, and SELECT ON db2 which directly granted to the user.

If the CREATE ON db1 privilege is role1, SELECT ON db2 is role2, a user can only grant one of them at a time.

after dropping the role, she stil remains the SELECT privilege on db2

[BohuTANG]

The follow model is more simple for us(ClickHouse did them too, see):
Privileges are granted to roles, and roles are granted to users.

CREATE USER bohu@'%';
CREATE ROLE systemadmin;
GRANT SELECT ON system.* TO systemadmin;
GRANT systemadmin TO bohu;

[flaneur2020]

the privileges is both granted to the user and role? -- This is for forward compatibility, they had no role before.

the user privilege + role privileges is commonly used in the popular DBMS? 🤔

it's also available in clickhouse: https://clickhouse.com/docs/en/sql-reference/statements/grant/

GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] ON {db.table|db.*|*.*|table|*} TO {user | role | CURRENT_USER} [,...] [WITH GRANT OPTION] [WITH REPLACE OPTION]

a GRANT statement can works to user or role. it seems postgres is also the same: https://tableplus.com/blog/2018/04/postgresql-how-to-grant-access-to-users.html

imo RBAC is powerful but it has a bit higher bar than the user privileges, it has its own scenary 🤔

[BohuTANG]

For many DBMS, user and role is called object, and the privileges can grant to object, I guess they keep it, but it's more complex.
We can follow the easy way, make it work, make it right :D

[flaneur2020]

For many DBMS, user and role is called object, and the privileges can grant to object, I guess they keep it, but it's more complex. We can follow the easy way, make it work, make it right :D

in the current code base, adding GRANT to role needs some works in a sequence of PRs, in my previous thought, we can follow these steps:

1. we already has a code base about grant an user some privilege
2. add fine grained privileges on users
3. the checking privilege logics
4. allow grant privilege to roles, and grant roles to user
5. allow grant roles to role

user privilege + rbac has more complexity than the RBAC only solution at last, but RBAC has more complexity than the user privilege upfront 🤔

[BohuTANG]

case by case match is more complex, but not quite sure if there is a regular check for the pattern?

[BohuTANG]

Or we can first to check database_pattern and then table_pattern

[flaneur2020]

it seems we can seperate the grant object (global, database, or table) in the parsing phase

[flaneur2020]

how about adding a GrantObject enum on this?

it'd has three hands:

• Global
• Database(String)
• Table(Option, String) // if the database is not specified, taking the current db in session

[flaneur2020]

@BohuTANG I've refactored out an GrantObject enum, and checked *.table as invalid syntax in the parsing phase

please help review again when you get time 🤝

[BohuTANG]

/lgtm

[databend-bot]

Wait for another reviewer approval

[BohuTANG]

I saw some sub-tasks in #2894, it would be better to create a sub-task issue of the main issue #2894 for each PR, the PR will close the sub-task when it closed

I re-open the issue #2894