Merge pull request ClickHouse#80026 from ClickHouse/pufit/another-25.4-release-fix

`enable_user_name_access_type` must not affect `DEFINER` access type

Author: nikitamikhaylov

src/Access/Common/AccessFlags.cpp

@@ -103,6 +103,7 @@ namespace
         const Flags & getDictionaryFlags() const { return all_flags_for_target[DICTIONARY]; }
         const Flags & getTableEngineFlags() const { return all_flags_for_target[TABLE_ENGINE]; }
         const Flags & getUserNameFlags() const { return all_flags_for_target[USER_NAME]; }
+        const Flags & getDefinerFlags() const { return all_flags_for_target[DEFINER]; }
         const Flags & getNamedCollectionFlags() const { return all_flags_for_target[NAMED_COLLECTION]; }
         const Flags & getAllFlagsGrantableOnGlobalLevel() const { return getAllFlags(); }
         const Flags & getAllFlagsGrantableOnGlobalWithParameterLevel() const { return getGlobalWithParameterFlags(); }
@@ -124,6 +125,7 @@ namespace
             NAMED_COLLECTION = 5,
             USER_NAME = 6,
             TABLE_ENGINE = 7,
+            DEFINER = 8,
         };
 
         struct Node;
@@ -302,7 +304,7 @@ namespace
                 collectAllFlags(child.get());
 
             all_flags_grantable_on_table_level = all_flags_for_target[TABLE] | all_flags_for_target[DICTIONARY] | all_flags_for_target[COLUMN];
-            all_flags_grantable_on_global_with_parameter_level = all_flags_for_target[NAMED_COLLECTION] | all_flags_for_target[USER_NAME] | all_flags_for_target[TABLE_ENGINE];
+            all_flags_grantable_on_global_with_parameter_level = all_flags_for_target[NAMED_COLLECTION] | all_flags_for_target[USER_NAME] | all_flags_for_target[TABLE_ENGINE] | all_flags_for_target[DEFINER];
             all_flags_grantable_on_database_level = all_flags_for_target[DATABASE] | all_flags_grantable_on_table_level;
         }
 
@@ -353,7 +355,7 @@ namespace
         std::unordered_map<std::string_view, Flags> keyword_to_flags_map;
         std::vector<Flags> access_type_to_flags_mapping;
         Flags all_flags;
-        Flags all_flags_for_target[static_cast<size_t>(TABLE_ENGINE) + 1];
+        Flags all_flags_for_target[static_cast<size_t>(DEFINER) + 1];
         Flags all_flags_grantable_on_database_level;
         Flags all_flags_grantable_on_table_level;
         Flags all_flags_grantable_on_global_with_parameter_level;
@@ -377,11 +379,15 @@ std::unordered_map<AccessFlags::ParameterType, AccessFlags> AccessFlags::splitIn
     if (user_flags)
         result.emplace(ParameterType::USER_NAME, user_flags);
 
+    auto definer_flags = AccessFlags::allDefinerFlags() & *this;
+    if (definer_flags)
+        result.emplace(ParameterType::DEFINER, definer_flags);
+
     auto table_engine_flags = AccessFlags::allTableEngineFlags() & *this;
     if (table_engine_flags)
         result.emplace(ParameterType::TABLE_ENGINE, table_engine_flags);
 
-    auto other_flags = (~named_collection_flags & ~user_flags & ~table_engine_flags) & *this;
+    auto other_flags = (~named_collection_flags & ~user_flags & ~definer_flags & ~table_engine_flags) & *this;
     if (other_flags)
         result.emplace(ParameterType::NONE, other_flags);
 
@@ -400,6 +406,9 @@ AccessFlags::ParameterType AccessFlags::getParameterType() const
     if (AccessFlags::allUserNameFlags().contains(*this))
         return AccessFlags::USER_NAME;
 
+    if (AccessFlags::allDefinerFlags().contains(*this))
+        return AccessFlags::DEFINER;
+
     /// All flags refer to TABLE ENGINE access type.
     if (AccessFlags::allTableEngineFlags().contains(*this))
         return AccessFlags::TABLE_ENGINE;
@@ -423,6 +432,7 @@ AccessFlags AccessFlags::allColumnFlags() { return Helper::instance().getColumnF
 AccessFlags AccessFlags::allDictionaryFlags() { return Helper::instance().getDictionaryFlags(); }
 AccessFlags AccessFlags::allNamedCollectionFlags() { return Helper::instance().getNamedCollectionFlags(); }
 AccessFlags AccessFlags::allUserNameFlags() { return Helper::instance().getUserNameFlags(); }
+AccessFlags AccessFlags::allDefinerFlags() { return Helper::instance().getDefinerFlags(); }
 AccessFlags AccessFlags::allTableEngineFlags() { return Helper::instance().getTableEngineFlags(); }
 AccessFlags AccessFlags::allFlagsGrantableOnGlobalLevel() { return Helper::instance().getAllFlagsGrantableOnGlobalLevel(); }
 AccessFlags AccessFlags::allFlagsGrantableOnGlobalWithParameterLevel() { return Helper::instance().getAllFlagsGrantableOnGlobalWithParameterLevel(); }

src/Access/Common/AccessFlags.h

@@ -59,6 +59,7 @@ class AccessFlags
         TABLE_ENGINE,
         NAMED_COLLECTION,
         USER_NAME,
+        DEFINER,
     };
     ParameterType getParameterType() const;
     std::unordered_map<ParameterType, AccessFlags> splitIntoParameterTypes() const;
@@ -108,6 +109,9 @@ class AccessFlags
     /// Returns all the flags related to a user.
     static AccessFlags allUserNameFlags();
 
+    /// Returns all the flags related to a definer.
+    static AccessFlags allDefinerFlags();
+
     /// Returns all the flags related to a table engine.
     static AccessFlags allTableEngineFlags();
 

src/Access/Common/AccessType.h

@@ -159,7 +159,7 @@ enum class AccessType : uint8_t
     M(SHOW_NAMED_COLLECTIONS_SECRETS, "SHOW NAMED COLLECTIONS SECRETS", NAMED_COLLECTION, NAMED_COLLECTION_ADMIN) \
     M(NAMED_COLLECTION, "NAMED COLLECTION USAGE, USE NAMED COLLECTION", NAMED_COLLECTION, NAMED_COLLECTION_ADMIN) \
     M(NAMED_COLLECTION_ADMIN, "NAMED COLLECTION CONTROL", NAMED_COLLECTION, ALL) \
-    M(SET_DEFINER, "", USER_NAME, ALL) \
+    M(SET_DEFINER, "", DEFINER, ALL) \
     \
     M(TABLE_ENGINE, "TABLE ENGINE", TABLE_ENGINE, ALL) \
     \

src/Access/tests/gtest_access_rights_ops.cpp

@@ -288,7 +288,8 @@ TEST(AccessRights, Union)
               "SYSTEM DROP REPLICA, SYSTEM SYNC REPLICA, SYSTEM RESTART REPLICA, "
               "SYSTEM RESTORE REPLICA, SYSTEM WAIT LOADING PARTS, SYSTEM SYNC DATABASE REPLICA, SYSTEM FLUSH DISTRIBUTED, "
               "SYSTEM LOAD PRIMARY KEY, SYSTEM UNLOAD PRIMARY KEY, dictGet ON db1.*, GRANT TABLE ENGINE ON db1, "
-              "GRANT CREATE USER, ALTER USER, DROP USER, CREATE ROLE, ALTER ROLE, DROP ROLE, SET DEFINER ON db1, "
+              "GRANT SET DEFINER ON db1, "
+              "GRANT CREATE USER, ALTER USER, DROP USER, CREATE ROLE, ALTER ROLE, DROP ROLE ON db1, "
               "GRANT NAMED COLLECTION ADMIN ON db1");
 
     lhs = {};

src/Storages/System/StorageSystemPrivileges.cpp

@@ -31,6 +31,7 @@ namespace
         NAMED_COLLECTION,
         USER_NAME,
         TABLE_ENGINE,
+        DEFINER,
     };
 
     DataTypeEnum8::Values getLevelEnumValues()
@@ -45,6 +46,7 @@ namespace
         enum_values.emplace_back("NAMED_COLLECTION", static_cast<Int8>(NAMED_COLLECTION));
         enum_values.emplace_back("USER_NAME", static_cast<Int8>(USER_NAME));
         enum_values.emplace_back("TABLE_ENGINE", static_cast<Int8>(TABLE_ENGINE));
+        enum_values.emplace_back("DEFINER", static_cast<Int8>(DEFINER));
         return enum_values;
     }
 }

tests/integration/test_enable_user_name_access_type/test.py

@@ -1,7 +1,7 @@
 from helpers.cluster import ClickHouseCluster
 
 
-def test_startup_scripts():
+def test_enable_username_access_type():
     cluster = ClickHouseCluster(__file__)
 
     node = cluster.add_instance(
@@ -17,11 +17,12 @@ def test_startup_scripts():
         cluster.start()
         node.query("CREATE USER foobar")
         node.query("GRANT CREATE USER ON * TO foobar")
+        node.query("GRANT SET DEFINER ON * TO foobar")
         assert (
-                node.query(
+                sorted(node.query(
                     "SHOW GRANTS FOR foobar"
-                )
-                == "GRANT CREATE USER ON *.* TO foobar\n"
+                ).strip().split('\n'))
+                == ["GRANT CREATE USER ON *.* TO foobar", "GRANT SET DEFINER ON * TO foobar"]
         )
         node.query("DROP USER foobar")
     finally:

tests/queries/0_stateless/01271_show_privileges.reference

@@ -110,7 +110,7 @@ SHOW NAMED COLLECTIONS	['SHOW NAMED COLLECTIONS']	NAMED_COLLECTION	NAMED COLLECT
 SHOW NAMED COLLECTIONS SECRETS	['SHOW NAMED COLLECTIONS SECRETS']	NAMED_COLLECTION	NAMED COLLECTION ADMIN
 NAMED COLLECTION	['NAMED COLLECTION USAGE','USE NAMED COLLECTION']	NAMED_COLLECTION	NAMED COLLECTION ADMIN
 NAMED COLLECTION ADMIN	['NAMED COLLECTION CONTROL']	NAMED_COLLECTION	ALL
-SET DEFINER	[]	USER_NAME	ALL
+SET DEFINER	[]	DEFINER	ALL
 TABLE ENGINE	['TABLE ENGINE']	TABLE_ENGINE	ALL
 SYSTEM SHUTDOWN	['SYSTEM KILL','SHUTDOWN']	GLOBAL	SYSTEM
 SYSTEM DROP DNS CACHE	['SYSTEM DROP DNS','DROP DNS CACHE','DROP DNS']	GLOBAL	SYSTEM DROP CACHE