Merged
1 change: 1 addition & 0 deletions modules/ROOT/content-nav.adoc
Expand Up @@ -47,6 +47,7 @@
** xref:clauses/load-csv.adoc[]
** xref:clauses/listing-functions.adoc[]
** xref:clauses/listing-procedures.adoc[]
** xref:clauses/listing-settings.adoc[]
** xref:clauses/transaction-clauses.adoc#query-listing-transactions[SHOW TRANSACTIONS]
** xref:clauses/transaction-clauses.adoc#query-terminate-transactions[TERMINATE TRANSACTIONS]
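Review bot: the new nav entry `xref:clauses/listing-settings.adoc[]` points at a page that does not appear among the files changed in this view; confirm `modules/ROOT/pages/clauses/listing-settings.adoc` is part of this PR, otherwise the xref will not resolve at build time. Placement is fine: it keeps the alphabetical order of the neighbouring `listing-functions` and `listing-procedures` entries.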

Binary file removed modules/ROOT/images/privileges_hierarchy.png
Binary file removed modules/ROOT/images/privileges_hierarchy_dbms.png
15 changes: 1 addition & 14 deletions modules/ROOT/images/privileges_hierarchy_dbms.svg
Binary file removed modules/ROOT/images/privileges_on_graph_syntax.png
177 changes: 134 additions & 43 deletions modules/ROOT/pages/access-control/dbms-administration.adoc
Expand Up @@ -55,6 +55,8 @@ CREATE ROLE globbing4 IF NOT EXISTS;
CREATE ROLE globbing5 IF NOT EXISTS;
CREATE ROLE globbing6 IF NOT EXISTS;
CREATE ROLE dbmsManager IF NOT EXISTS;
CREATE ROLE configurationViewer IF NOT EXISTS;
CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
----
////

Expand Down Expand Up @@ -1953,82 +1955,88 @@ a|Rows: 2
|===
======

[[access-control-name-globbing]]
=== Procedure and user-defined function name-globbing

The name-globbing for procedure and user defined function names is a simplified version of globbing for filename expansions.
It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single character matches.
In this case, `+*+` means 0 or more characters and `?` matches exactly one character.
[[access-control-dbms-administration-setting]]
== The DBMS `SETTING` privileges

The ability to show configuration settings can be granted via the `SHOW SETTING` privilege.
A role with this privilege is allowed to query the configuration settings matched by the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing].


[NOTE]
====
The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers],
with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.

Each part of the name-globbing separated by dots may be individually escaped, for example, `++mine.`procedureWith%`++` but not `++mine.procedure`With%`++`.
It is also good to keep in mind that wildcard characters behave as wildcards even when escaped.
As an example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
The syntax descriptions use xref:access-control/index.adoc#access-control-syntax[the style] from access control.
====

The examples below only use procedures, but the same rules apply to user defined function names:

* `mine.public.exampleProcedure`
* `mine.public.exampleProcedure1`
* `mine.public.exampleProcedure2`
* `mine.public.with#Special§Characters`
* `mine.private.exampleProcedure`
* `mine.private.exampleProcedure1`
* `mine.private.exampleProcedure2`
* `mine.private.with#Special§Characters`
* `your.exampleProcedure`
.Setting privileges command syntax
[options="header", width="100%", cols="3a,2"]
|===
| Command
| Description

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1
----
| [source, syntax, role=noheader]
GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
ON DBMS
TO role[, ...]
| Enables the specified roles to query given configuration settings.
|===

Users with the role `globbing1` can thus run all the procedures.
The following query shows an example of how to grant this privilege:

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2
GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer
----

Users with the role `globbing2` can thus run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others.
Users with the role `configurationViewer` can then query any setting in the `server.bolt` namespace.

The updated role `configurationViewer` has privileges that only allow querying settings in the `server.bolt` namespace.
List all privileges for the role `configurationViewer` as commands by using the following query:

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3
SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS
----

Users with the role `globbing3` can thus run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1` and `mine.private.exampleProcedure2`, but none of the others.
.Result
[options="header,footer", width="100%", cols="m"]
|===
|command
|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"
a|Rows: 1
|===

To deny a specific setting from a role, first grant `SHOW SETTINGS *`, and then deny the unwanted setting.
For example, the following queries allow the querying of all settings, except those starting with `dbms.security`:

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4
GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer
----

Users with the role `globbing4` can thus run procedures `your.exampleProcedure`, `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5
DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer
----

Users with the role `globbing5` can thus run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but none of the others.
The resulting role has privileges that allow querying all settings except those starting with `dbms.security`.
List all privileges for the role `deniedConfigurationViewer` as commands by using the following query:

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6
SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS
----

Users with the role `globbing6` can thus run procedures `mine.public.with#Special§Characters` and `mine.private.with#Special§Characters`, but none of the others.
.Result
[options="header,footer", width="100%", cols="m"]
|===
|command
|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"
|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"
a|Rows: 2
|===

[NOTE]
====
The name-globbing may be fully or partially escaped.
Both `+*+` and `+?+` are interpreted as wildcards either way.
====
As the query result shows, access to any setting starting with `dbms.security` are blocked, but the rest can still be queried.


[[access-control-dbms-administration-all]]
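Review bot: the closing sentence of the new `SETTING` section, "access to any setting starting with `dbms.security` are blocked", needs "is blocked" (singular subject). Two wording points in the same region: "first grant `SHOW SETTINGS *`, and then deny the unwanted setting" reads as if the order of the two commands determines the outcome, so consider "grant `SHOW SETTINGS *` and deny the unwanted setting"; and "Users with the role `configurationViewer` can then query any setting in the `server.bolt` namespace" is immediately followed by "The updated role `configurationViewer` has privileges that only allow querying settings in the `server.bolt` namespace", which says the same thing twice, so one of the two can go.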
Expand All @@ -2043,6 +2051,7 @@ The right to perform the following privileges can be achieved with a single comm
* Show, assign, and remove privileges.
* Execute all procedures with elevated privileges.
* Execute all user defined functions with elevated privileges.
* Show all configuration settings.

[NOTE]
====
Expand Down Expand Up @@ -2077,3 +2086,85 @@ SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS
|"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`"
a|Rows: 1
|===

[[access-control-name-globbing]]
== Name-globbing for procedures, user-defined functions, and settings

The name-globbing for procedure, user defined function, and setting names is a simplified version of globbing for filename expansions.
It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single character matches.
In this case, `+*+` means 0 or more characters and `?` matches exactly one character.

[NOTE]
====
The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers],
with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.

Each part of the name-globbing separated by dots may be individually escaped.
For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`.
Also, note that wildcard characters behave as wildcards even when escaped.
For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
====

Given the following list of procedures:

* `mine.public.exampleProcedure`
* `mine.public.exampleProcedure1`
* `mine.public.exampleProcedure2`
* `mine.public.with#Special§Characters`
* `mine.private.exampleProcedure`
* `mine.private.exampleProcedure1`
* `mine.private.exampleProcedure2`
* `mine.private.with#Special§Characters`
* `your.exampleProcedure`

Collaborator


Is there something missing here to explain going from name-globbing examples to the queries?

Contributor Author


I just updated the first sentence, but not sure if that's the best way - open to suggestions :)

Comment on lines +2118 to +2119
Collaborator


Suggested change
* `your.exampleProcedure`
* `your.exampleProcedure`
The following examples demonstrate how procedures with valid name-globbing patterns can be used in queries.
Note that the same rules apply to user-defined functions and settings.

Collaborator


What about switching them? Have this first, then the comment on given these procedures (and then maybe an additional comment to clarify where the examples start?). As the procedure list is more set-up to the examples, it feels like we should have clarified why we only look at procedures before it.

Contributor Author

@ali-ince ali-ince Feb 28, 2023


I think I find Jens' approach a bit more clear, but suggest we slightly change the last block:

The following examples demonstrate how name-globbing patterns can be used in queries.
Note that the same rules apply to user-defined functions and settings.

Collaborator


I don't see any difference between your block and his?

Contributor Author


Sorry, copy-paste error. Fixed it now.

Collaborator


I still want to mention something about the examples only using procedures?

The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures.
Note that the same rules apply to user-defined functions and settings.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1
----

Users with the role `globbing1` can run all the procedures.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2
----

Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3
----

Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4
----

Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5
----

Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures.

[source, cypher, role=noplay]
----
GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6
----

Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures.

[NOTE]
====
The name-globbing may be fully or partially escaped.
Both `+*+` and `+?+` are interpreted as wildcards in both cases.
====
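Review bot: two of the match lists in the moved name-globbing section do not agree with the procedure list given just above the examples. `mine.*.exampleProcedure?` also matches `mine.public.exampleProcedure2`, which is in the list but missing from the `globbing3` sentence; and the `globbing5` sentence names `mine.public.exampleProcedure42`, which is not in the list (the list has `mine.public.exampleProcedure2`), so either the list or the sentence should change. Smaller points: the `globbing6` sentence has a stray comma before "and" in a two-item list, and the closing note's "interpreted as wildcards in both cases" reads better as "either way", as the text it replaces had it.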

12 changes: 11 additions & 1 deletion modules/ROOT/pages/clauses/index.adoc
Expand Up @@ -32,6 +32,17 @@ m| xref::constraints/syntax.adoc[CREATE \| DROP CONSTRAINT]

|===

[[configuration-commands]]
== Configuration Commands

[options="header"]
|===
| Clause | Description

m| xref:clauses/listing-settings.adoc[SHOW SETTINGS]
| List configuration settings.

|===

[[importing-clauses]]
== Importing data
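Review bot: the new heading `== Configuration Commands` uses title case while the neighbouring headings on this page use sentence case (`== Importing data`, `== Writing clauses`); suggest `== Configuration commands`. The `[[configuration-commands]]` anchor and the clause/description table follow the existing pattern on the page.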
Expand Down Expand Up @@ -247,7 +258,6 @@ m| xref:clauses/transaction-clauses.adoc#query-terminate-transactions[TERMINATE

|===


[[writing-clauses]]
== Writing clauses
