fix(query): db owner role can access all tables under this db #15634

Merged
merged 1 commit into from
May 29, 2024
20 changes: 17 additions & 3 deletions src/query/service/src/interpreters/access/privilege_access.rs
@@ -339,13 +339,27 @@ impl PrivilegeAccess {
ErrorCode::UNKNOWN_DATABASE
| ErrorCode::UNKNOWN_TABLE
| ErrorCode::UNKNOWN_CATALOG => Ok(None),
_ => Err(e.add_message("error on validating access")),
_ => Err(e.add_message("error on check has_ownership")),
})?;
if let Some(object) = &owner_object {
if let Ok(ok) = session.has_ownership(object).await {
if ok {
if let OwnershipObject::Table {
catalog_name,
db_id,
..
} = object
{
let database_owner = OwnershipObject::Database {
catalog_name: catalog_name.to_string(),
db_id: *db_id,
};
// If Table ownership check fails, check for Database ownership
if session.has_ownership(object).await?
|| session.has_ownership(&database_owner).await?
{
return Ok(true);
}
} else if session.has_ownership(object).await? {
return Ok(true);
}
}
Ok(false)
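Review bot: The comment `// If Table ownership check fails, check for Database ownership` is misleading about the `?` on the line below it: an `Err` from the table lookup returns at once and the database check never runs, and only `Ok(false)` falls through to it. The replaced `if let Ok(ok) = session.has_ownership(object).await` appears to have ignored such errors and ended in `Ok(false)`, so a failed ownership lookup now surfaces as an error to the caller; that is fail-closed and reasonable for an authorization path, but it deserves a sentence in the commit description. I would reword the comment to state the rule being enforced, `// Not the table owner: the owner of the enclosing database implicitly owns every table in it, including tables whose ownership was granted to another role.` The enclosing function starts and ends outside the hunk, so how callers handle the new `Err` cannot be checked from here.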
@@ -49,3 +49,12 @@ OWNERSHIP a ROLE drop_role1 GRANT OWNERSHIP ON 'default'.'a'.* TO ROLE `drop_ro
OWNERSHIP default.a.t ROLE drop_role1 GRANT OWNERSHIP ON 'default'.'a'.'t' TO ROLE `drop_role1`
== test create database privilege and drop object ===
Error: APIError: ResponseError with 1003: Unknown database 'c'
=== test db owner can access all table under this db ===
Error: APIError: ResponseError with 1063: Permission denied: User 'u1'@'%' does not have the required privileges for database 'default'
t1
t2
1
2
Error: APIError: ResponseError with 1063: Permission denied: privilege [Select] is required on 'default'.'db1'.'t1' for user 'u2'@'%' with roles [public,role2]
2
OWNERSHIP default.db1.t2 ROLE role2 GRANT OWNERSHIP ON 'default'.'db1'.'t2' TO ROLE `role2`
39 changes: 39 additions & 0 deletions tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh
@@ -169,3 +169,42 @@ echo "drop database c" | $USER_A_CONNECT
echo "show tables from c" | $USER_A_CONNECT
echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT

echo "=== test db owner can access all table under this db ==="
echo "drop database if exists db1"| $BENDSQL_CLIENT_CONNECT
echo "drop role if exists role1"| $BENDSQL_CLIENT_CONNECT
echo "drop role if exists role2"| $BENDSQL_CLIENT_CONNECT
echo "drop user if exists u1"| $BENDSQL_CLIENT_CONNECT
echo "drop user if exists u2"| $BENDSQL_CLIENT_CONNECT

echo "create database db1"| $BENDSQL_CLIENT_CONNECT
echo "create role role1"| $BENDSQL_CLIENT_CONNECT
echo "create role role2"| $BENDSQL_CLIENT_CONNECT
echo "create table db1.t1(id int)"| $BENDSQL_CLIENT_CONNECT
echo "create table db1.t2(id int)"| $BENDSQL_CLIENT_CONNECT
echo "grant ownership on db1.* to role role1;"| $BENDSQL_CLIENT_CONNECT
echo "grant ownership on db1.t2 to role role2;"| $BENDSQL_CLIENT_CONNECT
echo "create user u1 identified by '123' with default_role ='role1'" | $BENDSQL_CLIENT_CONNECT
echo "create user u2 identified by '123' with default_role ='role2'" | $BENDSQL_CLIENT_CONNECT
echo "grant role role1 to u1" | $BENDSQL_CLIENT_CONNECT
echo "grant role role2 to u2" | $BENDSQL_CLIENT_CONNECT

echo "set role role1;show tables from default;" | $USER_U1_CONNECT
echo "set role role1;show tables from db1;" | $USER_U1_CONNECT
echo "set role role1;insert into db1.t1 values(1);" | $USER_U1_CONNECT
echo "set role role1;insert into db1.t2 values(2);" | $USER_U1_CONNECT
echo "set role role1;select * from db1.t1;" | $USER_U1_CONNECT
echo "set role role1;select * from db1.t2;" | $USER_U1_CONNECT
export USER_U2_CONNECT="bendsql --user=u2 --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
echo "set role role2;select * from db1.t1;" | $USER_U2_CONNECT
echo "set role role2;select * from db1.t2;" | $USER_U2_CONNECT

echo "show grants for role role2;" | $BENDSQL_CLIENT_CONNECT | awk -F ' ' '{$3=""; print $0}'
echo "set role role1;drop table db1.t2;" | $USER_U1_CONNECT
echo "show grants for role role2;" | $BENDSQL_CLIENT_CONNECT

echo "drop database if exists db1"| $BENDSQL_CLIENT_CONNECT
echo "drop role if exists role1"| $BENDSQL_CLIENT_CONNECT
echo "drop role if exists role2"| $BENDSQL_CLIENT_CONNECT
echo "drop user if exists u1"| $BENDSQL_CLIENT_CONNECT
echo "drop user if exists u2"| $BENDSQL_CLIENT_CONNECT
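Review bot: The new case never checks that the inherited table access disappears once database ownership is transferred away, which is the boundary an ownership fallback is most likely to get wrong. After the `drop table db1.t2` step I would add `echo "grant ownership on db1.* to role role2;" | $BENDSQL_CLIENT_CONNECT` followed by `echo "set role role1;select * from db1.t1;" | $USER_U1_CONNECT`, which should then produce a permission-denied line in the result file. `USER_U2_CONNECT` is also exported in the middle of the statements that use it; `USER_U1_CONNECT` is not defined in this hunk, so it is presumably set earlier in the script, and the new export would read better next to that definition.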