Skip to content

Commit 0f8d3a0

Browse files
TCeasonTCeason
committed
fix test
1 parent a628997 commit 0f8d3a0

File tree

3 files changed

+13
-30
lines changed

3 files changed

+13
-30
lines changed

tests/suites/0_stateless/18_rbac/18_0012_temp_table.result

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
>>>> create or replace database test
66
>>>> grant role role1 to owner
77
mysql: [Warning] Using a password on the command line interface can be insecure.
8-
ERROR 1105 (HY000) at line 1: PermissionDenied. Code: 1063, Text = Permission denied: privilege [Create] is required on 'default'.'test'.* for user 'owner'@'%' with roles [role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection..
8+
ERROR 1105 (HY000) at line 1: PermissionDenied. Code: 1063, Text = Permission denied: privilege [Create] is required on 'default'.'test'.* for user 'owner'@'%' with roles [role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
99
mysql: [Warning] Using a password on the command line interface can be insecure.
1010
2
1111
1

tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.result

Lines changed: 6 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,6 @@ c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key
66
c1 azblob endpoint_url=******com
77
c2 s3 access_key_id=******min endpoint_url=******00/ region=******uto secret_access_key=******min
88
c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key=c3
9-
toronto s3 access_key_id=******id> secret_access_key=******ey>
109
=== NEW LOGIC: user has super privileges can operator all connections with enable_experimental_connection_privilege_check=1 ===
1110
=== TEST USER A WITH SUPER PRIVILEGES ===
1211
--- CREATE 3 CONNECTIONS WILL SUCCESS ---
@@ -44,38 +43,23 @@ c2 s3 access_key_id=******min endpoint_url=******00/ region=******uto secret_acc
4443
c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key=c3
4544
--- user b can not drop connection c2 ---
4645
Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c2 for user 'b'@'%' with roles [public,role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
47-
Error: APIError: QueryFailed: [4000]invalid input parameter (fail to get connection_name c2: PermissionDenied. Code: 1063, Text = Permission denied: privilege AccessConnection is required on connection c2 for user 'b'@'%'.
48-
49-
50-
)
46+
1
5147
Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c2 for user b
5248
--- revoke access connection from c , thne user c can not drop/use connection c1,3 ---
53-
Error: APIError: QueryFailed: [4000]invalid input parameter (fail to get connection_name c1: PermissionDenied. Code: 1063, Text = Permission denied: privilege AccessConnection is required on connection c1 for user 'c'@'%'.
54-
55-
56-
)
57-
Error: APIError: QueryFailed: [4000]invalid input parameter (fail to get connection_name c3: PermissionDenied. Code: 1063, Text = Permission denied: privilege AccessConnection is required on connection c3 for user 'c'@'%'.
58-
59-
60-
)
49+
1
50+
1
6151
Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c1 for user c
6252
Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c3 for user c
6353
Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c1 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
6454
Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c3 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
6555
--- user b can drop/use connection c1,3 ---
66-
Error: APIError: QueryFailed: [4000]invalid input parameter (fail to get connection_name c1: PermissionDenied. Code: 1063, Text = Permission denied: privilege AccessConnection is required on connection c1 for user 'c'@'%'.
67-
68-
69-
)
70-
Error: APIError: QueryFailed: [4000]invalid input parameter (fail to get connection_name c3: PermissionDenied. Code: 1063, Text = Permission denied: privilege AccessConnection is required on connection c3 for user 'c'@'%'.
71-
72-
73-
)
56+
invalid input parameter (protocol from connection_name=c1 (azblob) not match with uri protocol (s3).)
57+
Permission denied: privilege [Super] is required on *.* for user 'b'@'%' with roles [role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
7458
OWNERSHIP c1 NULL ROLE role1
7559
OWNERSHIP c3 NULL ROLE role1
7660
CREATE CONNECTION *.* NULL ROLE role1 GRANT CREATE CONNECTION ON *.* TO ROLE `role1`
7761
OWNERSHIP c3 NULL ROLE role1 GRANT OWNERSHIP ON CONNECTION c3 TO ROLE `role1`
7862
--- user c can drop/use connection c2 ---
79-
Error: APIError: QueryFailed: [1063]Permission denied: privilege [Super] is required on *.* for user 'c'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
63+
Permission denied: privilege [Super] is required on *.* for user 'c'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
8064
OWNERSHIP c2 NULL ROLE role2 GRANT OWNERSHIP ON CONNECTION c2 TO ROLE `role2`
8165
OWNERSHIP c2 NULL ROLE role2

tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.sh

Lines changed: 6 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,6 @@ export USER_A_CONNECT="bendsql --user=a --password=123 --host=${QUERY_MYSQL_HAND
88
export USER_B_CONNECT="bendsql --user=b --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
99
export USER_C_CONNECT="bendsql --user=c --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
1010

11-
1211
echo "=== OLD LOGIC: user has super privileges can operator all connections with enable_experimental_connection_privilege_check=0 ==="
1312
echo "=== TEST USER A WITH SUPER PRIVILEGES ==="
1413
echo "set global enable_experimental_connection_privilege_check=0;" | $BENDSQL_CLIENT_CONNECT
@@ -98,30 +97,30 @@ echo "show connections;" | $USER_C_CONNECT
9897

9998
echo "--- user b can not drop connection c2 ---"
10099
echo "drop connection if exists c2;" | $USER_B_CONNECT
101-
echo "CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2');" | $USER_B_CONNECT
100+
curl -s -u "b:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
102101
echo "show grants on connection c2;" | $USER_B_CONNECT
103102

104103
echo "--- revoke access connection from c , thne user c can not drop/use connection c1,3 ---"
105104
echo "revoke access connection on connection c1 from c;" | $BENDSQL_CLIENT_CONNECT
106105
echo "revoke access connection on connection c3 from c;" | $BENDSQL_CLIENT_CONNECT
107-
echo "CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');" | $USER_C_CONNECT
108-
echo "CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3');" | $USER_C_CONNECT
106+
curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
107+
curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
109108
echo "show grants on connection c1;" | $USER_C_CONNECT
110109
echo "show grants on connection c3;" | $USER_C_CONNECT
111110
echo "drop connection if exists c1;" | $USER_C_CONNECT
112111
echo "drop connection if exists c3;" | $USER_C_CONNECT
113112

114113
echo "--- user b can drop/use connection c1,3 ---"
115-
echo "CREATE STAGE c1 URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');" | $USER_C_CONNECT
116-
echo "CREATE STAGE c3 URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3');" | $USER_C_CONNECT
114+
curl -s -u "b:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');\"}" | jq -r '.error.message'
115+
curl -s -u "b:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3')\"}" | jq -r '.error.message'
117116
echo "show grants on connection c1;" | $USER_B_CONNECT
118117
echo "show grants on connection c3;" | $USER_B_CONNECT
119118
echo "drop connection if exists c1;" | $USER_B_CONNECT
120119
echo "show grants for role role1;" | $USER_B_CONNECT
121120
echo "drop connection if exists c3;" | $USER_B_CONNECT
122121

123122
echo "--- user c can drop/use connection c2 ---"
124-
echo "CREATE STAGE c2 URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2');" | $USER_C_CONNECT
123+
curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2')\"}" | jq -r '.error.message'
125124
echo "show grants for role role2;" | $USER_C_CONNECT
126125
echo "show grants on connection c2;" | $USER_C_CONNECT
127126
echo "drop connection if exists c2;" | $USER_C_CONNECT

0 commit comments

Comments
 (0)