Add check access database for system tables #2856
Conversation
|
I don't know how to check |
zhang2014
force-pushed
the
feature/add_check_access_database_for_system_tables
branch
from
01660c6
to
2611769
Compare
zhang2014
force-pushed
the
feature/add_check_access_database_for_system_tables
branch
from
2611769
to
59b2581
Compare
|
I think system database should be generally available for all the users - as it contain system.number, system.one and other very handy tables. Only few tables can be considered as potentially unsafe: system.query_log, system.zookeeper. System.processes can be limited to current user only for users with limited access. |
dbms/src/Interpreters/Context.cpp
Outdated
| @@ -618,6 +618,13 @@ void Context::checkDatabaseAccessRights(const std::string & database_name) const | |||
| checkDatabaseAccessRightsImpl(database_name); | |||
| } | |||
|
|
|||
| bool Context::isDatabaseAccessRights(const String & database_name) const | |||
There was a problem hiding this comment.
isDatabaseAccessRights -> hasDatabaseAccessRights
|
@filimonov This pull request just filters content of system tables, that contain information about another tables. All system tables remain available, but only with information about tables that the user is allowed to see. |
|
@zhang2014 We can't filter system.processes, system.query_log, because they don't contain information about database. Even more, the query can use multiple databases. Lets just leave it as is. |
|
@zhang2014 The only missing part is integration test. |
zhang2014
force-pushed
the
feature/add_check_access_database_for_system_tables
branch
from
430b42c
to
e51264c
Compare
I'm not sure it's necessary. It helps, though, to shield messy data from multiple user scenarios.
I hereby agree to the terms of the CLA available at: https://yandex.ru/legal/cla/?lang=en