
Commit a0e5a75

forbiden grant privileges on connection to USER
1 parent 0f8d3a0 commit a0e5a75

5 files changed

+29
-42
lines changed


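--- a/src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
+++ b/src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
@@ -36,33 +36,15 @@ use crate::common;
 //
 
 #[test]
-<<<<<<< HEAD:src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
 fn test_decode_v137_grant_object() -> anyhow::Result<()> {
 let role_info_v137 = vec![
-10, 2, 114, 49, 18, 214, 1, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6, 24, 16, 128, 128,
+10, 2, 114, 49, 18, 86, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6, 24, 16, 128, 128,
 128, 2, 160, 6, 137, 1, 168, 6, 24, 10, 27, 10, 13, 74, 4, 10, 2, 99, 49, 160, 6, 137, 1,
-168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 137, 1, 168, 6, 24, 10, 33, 10, 22, 18, 13, 10,
-7, 100, 101, 102, 97, 117, 108, 116, 18, 2, 100, 98, 160, 6, 137, 1, 168, 6, 24, 16, 2,
-160, 6, 137, 1, 168, 6, 24, 10, 37, 10, 26, 26, 17, 10, 7, 100, 101, 102, 97, 117, 108,
-116, 18, 2, 100, 98, 26, 2, 116, 98, 160, 6, 137, 1, 168, 6, 24, 16, 2, 160, 6, 137, 1,
-168, 6, 24, 10, 24, 10, 13, 34, 4, 10, 2, 102, 49, 160, 6, 137, 1, 168, 6, 24, 16, 1, 160,
-6, 137, 1, 168, 6, 24, 10, 26, 10, 13, 42, 4, 10, 2, 115, 49, 160, 6, 137, 1, 168, 6, 24,
-16, 128, 128, 32, 160, 6, 137, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6,
-24, 16, 254, 255, 191, 7, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1, 168, 6, 24, 26, 23,
-49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48, 32, 85, 84, 67,
-34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48, 32, 85,
-84, 67, 160, 6, 137, 1, 168, 6, 24,
-=======
-fn test_decode_v136_grant_connection_object() -> anyhow::Result<()> {
-let role_info_v136 = vec![
-10, 2, 114, 49, 18, 86, 10, 23, 10, 9, 10, 0, 160, 6, 136, 1, 168, 6, 24, 16, 128, 128,
-128, 2, 160, 6, 136, 1, 168, 6, 24, 10, 27, 10, 13, 74, 4, 10, 2, 99, 49, 160, 6, 136, 1,
-168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 136, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6,
-136, 1, 168, 6, 24, 16, 254, 255, 191, 7, 160, 6, 136, 1, 168, 6, 24, 160, 6, 136, 1, 168,
+168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 137, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6,
+137, 1, 168, 6, 24, 16, 254, 255, 191, 7, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1, 168,
 6, 24, 26, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48,
 32, 85, 84, 67, 34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58,
-48, 48, 32, 85, 84, 67, 160, 6, 136, 1, 168, 6, 24,
->>>>>>> ffc4e86d5b (fix conversation):src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs
+48, 48, 32, 85, 84, 67, 160, 6, 137, 1, 168, 6, 24,
 ];
 let want = || mt::principal::RoleInfo {
 name: "r1".to_string(),
@@ -95,15 +77,9 @@ fn test_decode_v136_grant_connection_object() -> anyhow::Result<()> {
 }
 
 #[test]
-<<<<<<< HEAD:src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
 fn test_decode_v137_ownership() -> anyhow::Result<()> {
 let ownership_info_v137 = vec![
 10, 2, 114, 49, 18, 13, 50, 4, 10, 2, 99, 49, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1,
-=======
-fn test_decode_v136_connection_ownership() -> anyhow::Result<()> {
-let ownership_info_v136 = vec![
-10, 2, 114, 49, 18, 13, 50, 4, 10, 2, 99, 49, 160, 6, 136, 1, 168, 6, 24, 160, 6, 136, 1,
->>>>>>> ffc4e86d5b (fix conversation):src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs
 168, 6, 24,
 ];
 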
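--- a/src/query/users/src/user_mgr.rs
+++ b/src/query/users/src/user_mgr.rs
@@ -201,9 +201,13 @@ impl UserApiProvider {
 user.username
 )));
 }
-if let GrantObject::Warehouse(_) = object {
+
+if matches!(
+object,
+GrantObject::Warehouse(_) | GrantObject::Connection(_)
+) {
 return Err(ErrorCode::IllegalUser(format!(
-"Cannot grant warehouse privileges to user `{}`",
+"Cannot grant warehouse|connection privileges to user `{}`",
 user.username
 )));
 }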
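Review bot: The guard at new lines 205-208 carries no comment saying why a Warehouse or Connection object may not be granted to a user directly, and the message on new line 210 now reports both kinds for either case. A short comment above `if matches!(` keeps the rule discoverable, e.g. `// Warehouse and connection privileges are granted to roles only; a user obtains them by being granted the role.` — this mirrors the grant-to-role flow in the accompanying tests, so confirm it is the intended policy before wording it that way. Consider also having the message name the object kind that actually matched rather than the literal `warehouse|connection`. Any such privileges that were granted directly to users before this check existed are not affected by it; whether the revoke path still accepts them is outside this hunk. The enclosing method starts and ends outside the hunk.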

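--- a/tests/sqllogictests/suites/base/05_ddl/05_0017_ddl_grant_role.test
+++ b/tests/sqllogictests/suites/base/05_ddl/05_0017_ddl_grant_role.test
@@ -256,6 +256,9 @@ create user u1 identified by '123';
 statement error 2218
 grant usage on warehouse a to u1;
 
+statement error 2218
+grant access connection on connection c1 to u1;
+
 statement ok
 GRANT create warehouse on *.* to role 'role1';
 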
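--- a/tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.result
+++ b/tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.result
@@ -33,9 +33,9 @@ c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key
 --- only return one row c2 ---
 c2 s3 access_key_id=******min endpoint_url=******00/ region=******uto secret_access_key=******min
 c2 s3 access_key_id=******min endpoint_url=******00/ region=******uto secret_access_key=******min
---- grant access connection c1 to user c ---
+--- grant access connection c1 to role3 ---
 c1 azblob endpoint_url=******com
---- grant access connection c1 to user c ---
+--- grant access connection c3 to role3 ---
 c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key=c3
 --- return three rows c1,2,3 ---
 c1 azblob endpoint_url=******com
@@ -45,13 +45,13 @@ c3 s3 access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key
 Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c2 for user 'b'@'%' with roles [public,role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
 1
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c2 for user b
---- revoke access connection from c , thne user c can not drop/use connection c1,3 ---
+--- revoke access connection from role3 , thne user c can not drop/use connection c1,3 ---
 1
 1
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c1 for user c
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c3 for user c
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c1 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c3 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c1 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c3 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
 --- user b can drop/use connection c1,3 ---
 invalid input parameter (protocol from connection_name=c1 (azblob) not match with uri protocol (s3).)
 Permission denied: privilege [Super] is required on *.* for user 'b'@'%' with roles [role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.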

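--- a/tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.sh
+++ b/tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.sh
@@ -56,9 +56,11 @@ echo "=== TEST USER B, C WITH OWNERSHIP OR CREATE/ACCESS PRIVILEGES PRIVILEGES =
 
 echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
 echo "drop role if exists role2;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role3;" | $BENDSQL_CLIENT_CONNECT
 echo "create user b identified by '123';" | $BENDSQL_CLIENT_CONNECT
 echo "create role role1;" | $BENDSQL_CLIENT_CONNECT
 echo "create role role2;" | $BENDSQL_CLIENT_CONNECT
+echo "create role role3;" | $BENDSQL_CLIENT_CONNECT
 echo "grant create connection on *.* to role role1;" | $BENDSQL_CLIENT_CONNECT
 echo "grant role role1 to b;" | $BENDSQL_CLIENT_CONNECT
 echo "--- USER b failed to create conn c1 because current role is public, can not create ---"
@@ -86,11 +88,12 @@ echo "grant role role2 to c;" | $BENDSQL_CLIENT_CONNECT
 echo "--- only return one row c2 ---"
 echo "DESC CONNECTION c2;" | $USER_C_CONNECT
 echo "show connections;" | $USER_C_CONNECT
-echo "--- grant access connection c1 to user c ---"
-echo "grant access connection on connection c1 to c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- grant access connection c1 to role3 ---"
+echo "grant access connection on connection c1 to role role3;" | $BENDSQL_CLIENT_CONNECT
+echo "grant role role3 to c;" | $BENDSQL_CLIENT_CONNECT
 echo "DESC CONNECTION c1;" | $USER_C_CONNECT
-echo "--- grant access connection c1 to user c ---"
-echo "grant access connection on connection c3 to c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- grant access connection c3 to role3 ---"
+echo "grant access connection on connection c3 to role role3;" | $BENDSQL_CLIENT_CONNECT
 echo "DESC CONNECTION c3;" | $USER_C_CONNECT
 echo "--- return three rows c1,2,3 ---"
 echo "show connections;" | $USER_C_CONNECT
@@ -100,9 +103,9 @@ echo "drop connection if exists c2;" | $USER_B_CONNECT
 curl -s -u "b:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 echo "show grants on connection c2;" | $USER_B_CONNECT
 
-echo "--- revoke access connection from c , thne user c can not drop/use connection c1,3 ---"
-echo "revoke access connection on connection c1 from c;" | $BENDSQL_CLIENT_CONNECT
-echo "revoke access connection on connection c3 from c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- revoke access connection from role3 , thne user c can not drop/use connection c1,3 ---"
+echo "revoke access connection on connection c1 from role role3;" | $BENDSQL_CLIENT_CONNECT
+echo "revoke access connection on connection c3 from role role3;" | $BENDSQL_CLIENT_CONNECT
 curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 echo "show grants on connection c1;" | $USER_C_CONNECT
@@ -136,4 +139,5 @@ echo "drop stage if exists c3;" | $BENDSQL_CLIENT_CONNECT
 
 echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
 echo "drop role if exists role2;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role3;" | $BENDSQL_CLIENT_CONNECT
 echo "unset global enable_experimental_connection_privilege_check;" | $BENDSQL_CLIENT_CONNECT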
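Review bot: The rewritten echo at new line 106 in the third hunk keeps the typo `thne`, and the expected output in 18_0015_connection_rbac.result (its new line 48) was updated to match it, so the test now asserts the misspelling. Fixing it means changing both files in lockstep: `echo "--- revoke access connection from role3 , then user c can not drop/use connection c1,3 ---"` here, and the matching `--- revoke access connection from role3 , then user c can not drop/use connection c1,3 ---` line in the .result file. The new `create role role3` in the first hunk is paired with a `drop role if exists role3` in the setup and the final teardown, so the role does not leak between runs.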
