forbiden grant privileges on connection to USER

Author: TCeason

src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs

@@ -36,33 +36,15 @@ use crate::common;
 //
 
 #[test]
-<<<<<<< HEAD:src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
 fn test_decode_v137_grant_object() -> anyhow::Result<()> {
     let role_info_v137 = vec![
-        10, 2, 114, 49, 18, 214, 1, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6, 24, 16, 128, 128,
+        10, 2, 114, 49, 18, 86, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6, 24, 16, 128, 128,
         128, 2, 160, 6, 137, 1, 168, 6, 24, 10, 27, 10, 13, 74, 4, 10, 2, 99, 49, 160, 6, 137, 1,
-        168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 137, 1, 168, 6, 24, 10, 33, 10, 22, 18, 13, 10,
-        7, 100, 101, 102, 97, 117, 108, 116, 18, 2, 100, 98, 160, 6, 137, 1, 168, 6, 24, 16, 2,
-        160, 6, 137, 1, 168, 6, 24, 10, 37, 10, 26, 26, 17, 10, 7, 100, 101, 102, 97, 117, 108,
-        116, 18, 2, 100, 98, 26, 2, 116, 98, 160, 6, 137, 1, 168, 6, 24, 16, 2, 160, 6, 137, 1,
-        168, 6, 24, 10, 24, 10, 13, 34, 4, 10, 2, 102, 49, 160, 6, 137, 1, 168, 6, 24, 16, 1, 160,
-        6, 137, 1, 168, 6, 24, 10, 26, 10, 13, 42, 4, 10, 2, 115, 49, 160, 6, 137, 1, 168, 6, 24,
-        16, 128, 128, 32, 160, 6, 137, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6, 137, 1, 168, 6,
-        24, 16, 254, 255, 191, 7, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1, 168, 6, 24, 26, 23,
-        49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48, 32, 85, 84, 67,
-        34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48, 32, 85,
-        84, 67, 160, 6, 137, 1, 168, 6, 24,
-=======
-fn test_decode_v136_grant_connection_object() -> anyhow::Result<()> {
-    let role_info_v136 = vec![
-        10, 2, 114, 49, 18, 86, 10, 23, 10, 9, 10, 0, 160, 6, 136, 1, 168, 6, 24, 16, 128, 128,
-        128, 2, 160, 6, 136, 1, 168, 6, 24, 10, 27, 10, 13, 74, 4, 10, 2, 99, 49, 160, 6, 136, 1,
-        168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 136, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6,
-        136, 1, 168, 6, 24, 16, 254, 255, 191, 7, 160, 6, 136, 1, 168, 6, 24, 160, 6, 136, 1, 168,
+        168, 6, 24, 16, 128, 128, 128, 4, 160, 6, 137, 1, 168, 6, 24, 10, 23, 10, 9, 10, 0, 160, 6,
+        137, 1, 168, 6, 24, 16, 254, 255, 191, 7, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1, 168,
         6, 24, 26, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48, 48,
         32, 85, 84, 67, 34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58,
-        48, 48, 32, 85, 84, 67, 160, 6, 136, 1, 168, 6, 24,
->>>>>>> ffc4e86d5b (fix conversation):src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs
+        48, 48, 32, 85, 84, 67, 160, 6, 137, 1, 168, 6, 24,
     ];
     let want = || mt::principal::RoleInfo {
         name: "r1".to_string(),
@@ -95,15 +77,9 @@ fn test_decode_v136_grant_connection_object() -> anyhow::Result<()> {
 }
 
 #[test]
-<<<<<<< HEAD:src/meta/proto-conv/tests/it/v137_add_grant_object_connection.rs
 fn test_decode_v137_ownership() -> anyhow::Result<()> {
     let ownership_info_v137 = vec![
         10, 2, 114, 49, 18, 13, 50, 4, 10, 2, 99, 49, 160, 6, 137, 1, 168, 6, 24, 160, 6, 137, 1,
-=======
-fn test_decode_v136_connection_ownership() -> anyhow::Result<()> {
-    let ownership_info_v136 = vec![
-        10, 2, 114, 49, 18, 13, 50, 4, 10, 2, 99, 49, 160, 6, 136, 1, 168, 6, 24, 160, 6, 136, 1,
->>>>>>> ffc4e86d5b (fix conversation):src/meta/proto-conv/tests/it/v136_add_grant_object_connection.rs
         168, 6, 24,
     ];
 

src/query/users/src/user_mgr.rs

@@ -201,9 +201,13 @@ impl UserApiProvider {
                 user.username
             )));
         }
-        if let GrantObject::Warehouse(_) = object {
+
+        if matches!(
+            object,
+            GrantObject::Warehouse(_) | GrantObject::Connection(_)
+        ) {
             return Err(ErrorCode::IllegalUser(format!(
-                "Cannot grant warehouse privileges to user `{}`",
+                "Cannot grant warehouse|connection privileges to user `{}`",
                 user.username
             )));
         }

tests/sqllogictests/suites/base/05_ddl/05_0017_ddl_grant_role.test

@@ -256,6 +256,9 @@ create user u1 identified by '123';
 statement error 2218
 grant usage on warehouse a to u1;
 
+statement error 2218
+grant access connection on connection c1 to u1;
+
 statement ok
 GRANT create warehouse on *.* to role 'role1';
 

tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.result

@@ -33,9 +33,9 @@ c3	s3	access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key
 --- only return one row c2 ---
 c2	s3	access_key_id=******min endpoint_url=******00/ region=******uto secret_access_key=******min
 c2	s3	access_key_id=******min endpoint_url=******00/ region=******uto secret_access_key=******min
---- grant access connection c1 to user c ---
+--- grant access connection c1 to role3 ---
 c1	azblob	endpoint_url=******com
---- grant access connection c1 to user c ---
+--- grant access connection c3 to role3 ---
 c3	s3	access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key=c3
 --- return three rows c1,2,3 ---
 c1	azblob	endpoint_url=******com
@@ -45,13 +45,13 @@ c3	s3	access_key_id=c3 endpoint_url=******00/ region=******uto secret_access_key
 Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c2 for user 'b'@'%' with roles [public,role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
 1
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c2 for user b
---- revoke access connection from c , thne user c can not drop/use connection c1,3 ---
+--- revoke access connection from role3 , thne user c can not drop/use connection c1,3 ---
 1
 1
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c1 for user c
 Error: APIError: QueryFailed: [1063]Permission denied: privilege ACCESS CONNECTION is required on connection c3 for user c
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c1 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c3 for user 'c'@'%' with roles [public,role2]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c1 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [AccessConnection] is required on CONNECTION c3 for user 'c'@'%' with roles [public,role2,role3]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.
 --- user b can drop/use connection c1,3 ---
 invalid input parameter (protocol from connection_name=c1 (azblob) not match with uri protocol (s3).)
 Permission denied: privilege [Super] is required on *.* for user 'b'@'%' with roles [role1]. Note: Please ensure that your current role have the appropriate permissions to create a new Warehouse|Database|Table|UDF|Stage|Connection.

tests/suites/0_stateless/18_rbac/18_0015_connection_rbac.sh

@@ -56,9 +56,11 @@ echo "=== TEST USER B, C WITH OWNERSHIP OR CREATE/ACCESS PRIVILEGES PRIVILEGES =
 
 echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
 echo "drop role if exists role2;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role3;" | $BENDSQL_CLIENT_CONNECT
 echo "create user b identified by '123';" | $BENDSQL_CLIENT_CONNECT
 echo "create role role1;" | $BENDSQL_CLIENT_CONNECT
 echo "create role role2;" | $BENDSQL_CLIENT_CONNECT
+echo "create role role3;" | $BENDSQL_CLIENT_CONNECT
 echo "grant create connection on *.* to role role1;" | $BENDSQL_CLIENT_CONNECT
 echo "grant role role1 to b;" | $BENDSQL_CLIENT_CONNECT
 echo "--- USER b failed to create conn c1 because current role is public, can not create ---"
@@ -86,11 +88,12 @@ echo "grant role role2 to c;" | $BENDSQL_CLIENT_CONNECT
 echo "--- only return one row c2 ---"
 echo "DESC CONNECTION c2;" | $USER_C_CONNECT
 echo "show connections;" | $USER_C_CONNECT
-echo "--- grant access connection c1 to user c ---"
-echo "grant access connection on connection c1 to c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- grant access connection c1 to role3 ---"
+echo "grant access connection on connection c1 to role role3;" | $BENDSQL_CLIENT_CONNECT
+echo "grant role role3 to c;" | $BENDSQL_CLIENT_CONNECT
 echo "DESC CONNECTION c1;" | $USER_C_CONNECT
-echo "--- grant access connection c1 to user c ---"
-echo "grant access connection on connection c3 to c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- grant access connection c3 to role3 ---"
+echo "grant access connection on connection c3 to role role3;" | $BENDSQL_CLIENT_CONNECT
 echo "DESC CONNECTION c3;" | $USER_C_CONNECT
 echo "--- return three rows c1,2,3 ---"
 echo "show connections;" | $USER_C_CONNECT
@@ -100,9 +103,9 @@ echo "drop connection if exists c2;" | $USER_B_CONNECT
 curl -s -u "b:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c2')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 echo "show grants on connection c2;" | $USER_B_CONNECT
 
-echo "--- revoke access connection from c , thne user c can not drop/use connection c1,3 ---"
-echo "revoke access connection on connection c1 from c;" | $BENDSQL_CLIENT_CONNECT
-echo "revoke access connection on connection c3 from c;" | $BENDSQL_CLIENT_CONNECT
+echo "--- revoke access connection from role3 , thne user c can not drop/use connection c1,3 ---"
+echo "revoke access connection on connection c1 from role role3;" | $BENDSQL_CLIENT_CONNECT
+echo "revoke access connection on connection c3 from role role3;" | $BENDSQL_CLIENT_CONNECT
 curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c1');\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 curl -s -u "c:123" -XPOST "http://$QUERY_MYSQL_HANDLER_HOST:$QUERY_HTTP_HANDLER_PORT/v1/query" -H 'Content-Type: application/json' -d "{\"sql\": \"CREATE STAGE my_s3_stage URL = 's3://databend-toronto' CONNECTION = (CONNECTION_NAME = 'c3')\"}" | jq -r '.error.message' |grep 'Permission denied: privilege AccessConnection' |wc -l
 echo "show grants on connection c1;" | $USER_C_CONNECT
@@ -136,4 +139,5 @@ echo "drop stage if exists c3;" | $BENDSQL_CLIENT_CONNECT
 
 echo "drop role if exists role1;" | $BENDSQL_CLIENT_CONNECT
 echo "drop role if exists role2;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists role3;" | $BENDSQL_CLIENT_CONNECT
 echo "unset global enable_experimental_connection_privilege_check;" | $BENDSQL_CLIENT_CONNECT