Merge pull request ClickHouse#91765 from ClickHouse/backport/25.8/90928

Backport ClickHouse#90928 to 25.8: Fix handling global grants with wildcard revokes

Author: pufit

src/Access/AccessRights.cpp

@@ -239,8 +239,8 @@ namespace
         {
             case GLOBAL_LEVEL: return AccessFlags::allFlagsGrantableOnGlobalLevel();
             case DATABASE_LEVEL: return AccessFlags::allFlagsGrantableOnDatabaseLevel() | AccessFlags::allFlagsGrantableOnGlobalWithParameterLevel();
-            case TABLE_LEVEL: return AccessFlags::allFlagsGrantableOnTableLevel() | AccessFlags::allSourceFlags();
-            case COLUMN_LEVEL: return AccessFlags::allFlagsGrantableOnColumnLevel();
+            case TABLE_LEVEL: return AccessFlags::allFlagsGrantableOnTableLevel() | AccessFlags::allSourceFlags() | AccessFlags::allFlagsGrantableOnGlobalWithParameterLevel();
+            case COLUMN_LEVEL: return AccessFlags::allFlagsGrantableOnColumnLevel() | AccessFlags::allFlagsGrantableOnGlobalWithParameterLevel();
         }
         chassert(false);
     }

src/Access/tests/gtest_access_rights_ops.cpp

@@ -547,6 +547,21 @@ TEST(AccessRights, Filter)
     ASSERT_EQ(res.size(), 0);
 }
 
+TEST(AccessRights, RevokeWithParameters)
+{
+    AccessRights root;
+    root.grantWithGrantOption(AccessType::SELECT);
+    root.grantWithGrantOption(AccessType::CREATE_USER);
+    root.revokeWildcard(AccessType::SELECT, "default", "zoo");
+    ASSERT_EQ(root.toString(), "GRANT SELECT ON *.* WITH GRANT OPTION, GRANT CREATE USER ON * WITH GRANT OPTION, REVOKE SELECT ON default.zoo*");
+
+    root = {};
+    root.grantWithGrantOption(AccessType::SELECT);
+    root.grantWithGrantOption(AccessType::CREATE_USER);
+    root.revokeWildcard(AccessType::SELECT, "default", "foo", "bar");
+    ASSERT_EQ(root.toString(), "GRANT SELECT ON *.* WITH GRANT OPTION, GRANT CREATE USER ON * WITH GRANT OPTION, REVOKE SELECT(bar*) ON default.foo");
+}
+
 TEST(AccessRights, ParialRevokeWithGrantOption)
 {
     AccessRights root;