Skip to content

Commit 837b9e7

Browse files
BohuTANGBohuTANG
committed
chore(query): Move privilege check to access check
1 parent fa1fba8 commit 837b9e7

File tree

3 files changed

+143
-1
lines changed

3 files changed

+143
-1
lines changed

src/query/service/src/interpreters/access/accessor.rs

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ use std::sync::Arc;
1818
use common_exception::Result;
1919
use common_legacy_planners::PlanNode;
2020

21+
use crate::interpreters::access::PrivilegeAccess;
2122
use crate::interpreters::ManagementModeAccess;
2223
use crate::sessions::QueryContext;
2324
use crate::sql::plans::Plan;
@@ -39,7 +40,11 @@ pub struct Accessor {
3940
impl Accessor {
4041
pub fn create(ctx: Arc<QueryContext>) -> Self {
4142
let mut accessors: HashMap<String, Box<dyn AccessChecker>> = Default::default();
42-
accessors.insert("management".to_string(), ManagementModeAccess::create(ctx));
43+
accessors.insert(
44+
"management".to_string(),
45+
ManagementModeAccess::create(ctx.clone()),
46+
);
47+
accessors.insert("privilege".to_string(), PrivilegeAccess::create(ctx));
4348
Accessor { accessors }
4449
}
4550

src/query/service/src/interpreters/access/mod.rs

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,9 @@
1414

1515
mod accessor;
1616
mod management_mode_access;
17+
mod privilege_access;
1718

1819
pub use accessor::AccessChecker;
1920
pub use accessor::Accessor;
2021
pub use management_mode_access::ManagementModeAccess;
22+
pub use privilege_access::PrivilegeAccess;

src/query/service/src/interpreters/access/privilege_access.rs

Lines changed: 135 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,135 @@
1+
// Copyright 2022 Datafuse Labs.
2+
//
3+
// Licensed under the Apache License, Version 2.0 (the "License");
4+
// you may not use this file except in compliance with the License.
5+
// You may obtain a copy of the License at
6+
//
7+
// http://www.apache.org/licenses/LICENSE-2.0
8+
//
9+
// Unless required by applicable law or agreed to in writing, software
10+
// distributed under the License is distributed on an "AS IS" BASIS,
11+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12+
// See the License for the specific language governing permissions and
13+
// limitations under the License.
14+
15+
use std::sync::Arc;
16+
17+
use common_exception::Result;
18+
use common_legacy_planners::PlanNode;
19+
use common_meta_types::GrantObject;
20+
use common_meta_types::UserPrivilegeType;
21+
22+
use crate::interpreters::access::AccessChecker;
23+
use crate::sessions::QueryContext;
24+
use crate::sql::plans::Plan;
25+
26+
pub struct PrivilegeAccess {
27+
ctx: Arc<QueryContext>,
28+
}
29+
30+
impl PrivilegeAccess {
31+
pub fn create(ctx: Arc<QueryContext>) -> Box<dyn AccessChecker> {
32+
Box::new(PrivilegeAccess { ctx })
33+
}
34+
}
35+
36+
#[async_trait::async_trait]
37+
impl AccessChecker for PrivilegeAccess {
38+
async fn check(&self, plan: &PlanNode) -> Result<()> {
39+
match plan {
40+
PlanNode::Empty(_) => {}
41+
PlanNode::Stage(_) => {}
42+
PlanNode::Broadcast(_) => {}
43+
PlanNode::Remote(_) => {}
44+
PlanNode::Projection(_) => {}
45+
PlanNode::Expression(_) => {}
46+
PlanNode::AggregatorPartial(_) => {}
47+
PlanNode::AggregatorFinal(_) => {}
48+
PlanNode::Filter(_) => {}
49+
PlanNode::Having(_) => {}
50+
PlanNode::WindowFunc(_) => {}
51+
PlanNode::Sort(_) => {}
52+
PlanNode::Limit(_) => {}
53+
PlanNode::LimitBy(_) => {}
54+
PlanNode::ReadSource(_) => {}
55+
PlanNode::SubQueryExpression(_) => {}
56+
PlanNode::Sink(_) => {}
57+
PlanNode::Explain(_) => {}
58+
PlanNode::Select(_) => {}
59+
PlanNode::Insert(_) => {}
60+
PlanNode::Delete(_) => {}
61+
}
62+
Ok(())
63+
}
64+
65+
async fn check_new(&self, plan: &Plan) -> Result<()> {
66+
match plan {
67+
Plan::Query { .. } => {}
68+
Plan::Explain { .. } => {}
69+
Plan::Copy(_) => {}
70+
Plan::Call(_) => {}
71+
Plan::ShowCreateDatabase(_) => {}
72+
Plan::CreateDatabase(_) => {}
73+
Plan::DropDatabase(_) => {}
74+
Plan::UndropDatabase(_) => {}
75+
Plan::RenameDatabase(_) => {}
76+
Plan::UseDatabase(_) => {}
77+
Plan::ShowCreateTable(_) => {}
78+
Plan::DescribeTable(_) => {}
79+
Plan::CreateTable(_) => {}
80+
Plan::DropTable(_) => {}
81+
Plan::UndropTable(_) => {}
82+
Plan::RenameTable(_) => {}
83+
Plan::AlterTableClusterKey(_) => {}
84+
Plan::DropTableClusterKey(_) => {}
85+
Plan::ReclusterTable(_) => {}
86+
Plan::TruncateTable(_) => {}
87+
Plan::OptimizeTable(_) => {}
88+
Plan::ExistsTable(_) => {}
89+
Plan::Insert(_) => {}
90+
Plan::Delete(_) => {}
91+
Plan::CreateView(_) => {}
92+
Plan::AlterView(_) => {}
93+
Plan::DropView(plan) => {
94+
self.ctx
95+
.get_current_session()
96+
.validate_privilege(
97+
&GrantObject::Database(plan.catalog.clone(), plan.database.clone()),
98+
UserPrivilegeType::Drop,
99+
)
100+
.await?;
101+
}
102+
Plan::AlterUser(_) => {}
103+
Plan::CreateUser(_) => {}
104+
Plan::DropUser(_) => {}
105+
Plan::CreateUDF(_) => {}
106+
Plan::AlterUDF(_) => {}
107+
Plan::DropUDF(_) => {}
108+
Plan::CreateRole(_) => {}
109+
Plan::DropRole(_) => {}
110+
Plan::GrantRole(_) => {}
111+
Plan::GrantPriv(_) => {}
112+
Plan::ShowGrants(_) => {}
113+
Plan::RevokePriv(_) => {}
114+
Plan::RevokeRole(_) => {}
115+
Plan::ListStage(_) => {}
116+
Plan::CreateStage(_) => {}
117+
Plan::DropStage(_) => {}
118+
Plan::RemoveStage(_) => {}
119+
Plan::Presign(_) => {}
120+
Plan::SetVariable(_) => {}
121+
Plan::Kill(_) => {}
122+
Plan::CreateShare(_) => {}
123+
Plan::DropShare(_) => {}
124+
Plan::GrantShareObject(_) => {}
125+
Plan::RevokeShareObject(_) => {}
126+
Plan::AlterShareTenants(_) => {}
127+
Plan::DescShare(_) => {}
128+
Plan::ShowShares(_) => {}
129+
Plan::ShowObjectGrantPrivileges(_) => {}
130+
Plan::ShowGrantTenantsOfShare(_) => {}
131+
}
132+
133+
Ok(())
134+
}
135+
}

0 commit comments

Comments
 (0)