fix(query): db owner role can access all tables under this db

databendlabs · May 24, 2024 · 4594d1b · 4594d1b
1 parent 0604f10
commit 4594d1b
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 3 deletions.
diff --git a/src/query/service/src/interpreters/access/privilege_access.rs b/src/query/service/src/interpreters/access/privilege_access.rs
@@ -339,13 +339,27 @@ impl PrivilegeAccess {
                 ErrorCode::UNKNOWN_DATABASE
                 | ErrorCode::UNKNOWN_TABLE
                 | ErrorCode::UNKNOWN_CATALOG => Ok(None),
-                _ => Err(e.add_message("error on validating access")),
+                _ => Err(e.add_message("error on check has_ownership")),
             })?;
         if let Some(object) = &owner_object {
-            if let Ok(ok) = session.has_ownership(object).await {
-                if ok {
+            if let OwnershipObject::Table {
+                catalog_name,
+                db_id,
+                ..
+            } = object
+            {
+                let database_owner = OwnershipObject::Database {
+                    catalog_name: catalog_name.to_string(),
+                    db_id: *db_id,
+                };
+                // If Table ownership check fails, check for Database ownership
+                if session.has_ownership(object).await?
+                    || session.has_ownership(&database_owner).await?
+                {
                     return Ok(true);
                 }
+            } else if session.has_ownership(object).await? {
+                return Ok(true);
             }
         }
         Ok(false)

diff --git a/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.result b/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.result
@@ -49,3 +49,12 @@ OWNERSHIP a  ROLE drop_role1 GRANT OWNERSHIP ON 'default'.'a'.* TO ROLE `drop_ro
 OWNERSHIP default.a.t  ROLE drop_role1 GRANT OWNERSHIP ON 'default'.'a'.'t' TO ROLE `drop_role1`
 == test create database privilege and drop object ===
 Error: APIError: ResponseError with 1003: Unknown database 'c'
+=== test db owner can access all table under this db ===
+Error: APIError: ResponseError with 1063: Permission denied: User 'u1'@'%' does not have the required privileges for database 'default'
+t1
+t2
+1
+2
+Error: APIError: ResponseError with 1063: Permission denied: privilege [Select] is required on 'default'.'db1'.'t1' for user 'u2'@'%' with roles [public,role2]
+2
+OWNERSHIP default.db1.t2  ROLE role2 GRANT OWNERSHIP ON 'default'.'db1'.'t2' TO ROLE `role2`
diff --git a/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh b/tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh
@@ -169,3 +169,42 @@ echo "drop database c" | $USER_A_CONNECT
 echo "show tables from c" | $USER_A_CONNECT
 echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
 echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT
+
+echo "=== test db owner can access all table under this db ==="
+echo "drop database if exists db1"| $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role1"| $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role2"| $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists u1"| $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists u2"| $BENDSQL_CLIENT_CONNECT
+
+echo "create database db1"| $BENDSQL_CLIENT_CONNECT
+echo "create role role1"| $BENDSQL_CLIENT_CONNECT
+echo "create role role2"| $BENDSQL_CLIENT_CONNECT
+echo "create table db1.t1(id int)"| $BENDSQL_CLIENT_CONNECT
+echo "create table db1.t2(id int)"| $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on db1.* to role role1;"| $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on db1.t2 to role role2;"| $BENDSQL_CLIENT_CONNECT
+echo "create user u1 identified by '123' with default_role ='role1'" | $BENDSQL_CLIENT_CONNECT
+echo "create user u2 identified by '123' with default_role ='role2'" | $BENDSQL_CLIENT_CONNECT
+echo "grant role role1 to u1" | $BENDSQL_CLIENT_CONNECT
+echo "grant role role2 to u2" | $BENDSQL_CLIENT_CONNECT
+
+echo "set role role1;show tables from default;" | $USER_U1_CONNECT
+echo "set role role1;show tables from db1;" | $USER_U1_CONNECT
+echo "set role role1;insert into db1.t1 values(1);" | $USER_U1_CONNECT
+echo "set role role1;insert into db1.t2 values(2);" | $USER_U1_CONNECT
+echo "set role role1;select * from db1.t1;" | $USER_U1_CONNECT
+echo "set role role1;select * from db1.t2;" | $USER_U1_CONNECT
+export USER_U2_CONNECT="bendsql --user=u2 --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
+echo "set role role2;select * from db1.t1;" | $USER_U2_CONNECT
+echo "set role role2;select * from db1.t2;" | $USER_U2_CONNECT
+
+echo "show grants for role role2;" | $BENDSQL_CLIENT_CONNECT | awk -F ' ' '{$3=""; print $0}'
+echo "set role role1;drop table db1.t2;" | $USER_U1_CONNECT
+echo "show grants for role role2;" | $BENDSQL_CLIENT_CONNECT
+
+echo "drop database if exists db1"| $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role1"| $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role2"| $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists u1"| $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists u2"| $BENDSQL_CLIENT_CONNECT