Merge pull request ClickHouse#88976 from ClickHouse/backport/25.8/88968

clickhouse-gh[bot] · web-flow · commit 1d505022617e · 2025-10-25T03:15:14.000Z
Backport ClickHouse#88968 to 25.8: Fix SET DEFINER access check for ephemeral users
diff --git a/src/Interpreters/InterpreterCreateQuery.cpp b/src/Interpreters/InterpreterCreateQuery.cpp
@@ -2498,8 +2498,10 @@ void InterpreterCreateQuery::processSQLSecurityOption(ContextMutablePtr context_
     if (sql_security.definer && !skip_check_permissions)
     {
         auto definer_name = sql_security.definer->toString();
-        auto & access_control = context_->getAccessControl();
+        if (definer_name != current_user_name)
+            context_->checkAccess(AccessType::SET_DEFINER, definer_name);
 
+        auto & access_control = context_->getAccessControl();
         const auto user = access_control.read<User>(definer_name);
         if (access_control.isEphemeral(access_control.getID<User>(definer_name)))
         {
@@ -2511,9 +2513,6 @@ void InterpreterCreateQuery::processSQLSecurityOption(ContextMutablePtr context_
             new_user->authentication_methods.emplace_back(AuthenticationType::NO_AUTHENTICATION);
             access_control.insertOrReplace(new_user);
         }
-
-        if (definer_name != current_user_name)
-            context_->checkAccess(AccessType::SET_DEFINER, definer_name);
     }
 
     if (sql_security.type == SQLSecurityType::NONE && !skip_check_permissions)
diff --git a/tests/queries/0_stateless/03701_check_ephemeral_set_definer_access.reference b/tests/queries/0_stateless/03701_check_ephemeral_set_definer_access.reference
diff --git a/tests/queries/0_stateless/03701_check_ephemeral_set_definer_access.sh b/tests/queries/0_stateless/03701_check_ephemeral_set_definer_access.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Tags: no-replicated-database, no-async-insert, no-fasttest
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+user="user03701_${CLICKHOUSE_DATABASE}_$RANDOM"
+db=${CLICKHOUSE_DATABASE}
+
+${CLICKHOUSE_CLIENT} <<EOF
+-- Cleanup
+DROP USER IF EXISTS $user;
+CREATE USER $user IN memory;
+GRANT ALL ON *.* TO $user;
+REVOKE SET DEFINER ON * FROM $user;
+
+CREATE TABLE $db.source (x Int64) ENGINE = MergeTree() ORDER BY x;
+EOF
+
+${CLICKHOUSE_CLIENT} --user $user <<EOF
+CREATE MATERIALIZED VIEW $db.test_view
+(
+    x Int64
+)
+ENGINE = MergeTree() ORDER BY x
+DEFINER = CURRENT_USER SQL SECURITY DEFINER
+AS SELECT x FROM $db.source;
+EOF
+
+${CLICKHOUSE_CLIENT} <<EOF
+DROP USER IF EXISTS $user;
+EOF

Original file line number	Diff line number	Diff line change
`@@ -2498,8 +2498,10 @@ void InterpreterCreateQuery::processSQLSecurityOption(ContextMutablePtr context_`
`2498`	`2498`	`if (sql_security.definer && !skip_check_permissions)`
`2499`	`2499`	`{`
`2500`	`2500`	`auto definer_name = sql_security.definer->toString();`
`2501`		`- auto & access_control = context_->getAccessControl();`
	`2501`	`+ if (definer_name != current_user_name)`
	`2502`	`+ context_->checkAccess(AccessType::SET_DEFINER, definer_name);`
`2502`	`2503`
	`2504`	`+ auto & access_control = context_->getAccessControl();`
`2503`	`2505`	`const auto user = access_control.read<User>(definer_name);`
`2504`	`2506`	`if (access_control.isEphemeral(access_control.getID<User>(definer_name)))`
`2505`	`2507`	`{`
`@@ -2511,9 +2513,6 @@ void InterpreterCreateQuery::processSQLSecurityOption(ContextMutablePtr context_`
`2511`	`2513`	`new_user->authentication_methods.emplace_back(AuthenticationType::NO_AUTHENTICATION);`
`2512`	`2514`	`access_control.insertOrReplace(new_user);`
`2513`	`2515`	`}`
`2514`		`-`
`2515`		`- if (definer_name != current_user_name)`
`2516`		`- context_->checkAccess(AccessType::SET_DEFINER, definer_name);`
`2517`	`2516`	`}`
`2518`	`2517`
`2519`	`2518`	`if (sql_security.type == SQLSecurityType::NONE && !skip_check_permissions)`