Use SET_NON_GRANTED_ROLE error code instead of ACCESS_DENIED

Author: slvrtrn

src/Server/HTTPHandler.cpp

@@ -119,7 +119,7 @@ namespace ErrorCodes
     extern const int WRONG_PASSWORD;
     extern const int REQUIRED_PASSWORD;
     extern const int AUTHENTICATION_FAILED;
-    extern const int ACCESS_DENIED;
+    extern const int SET_NON_GRANTED_ROLE;
 
     extern const int INVALID_SESSION_TIMEOUT;
     extern const int HTTP_LENGTH_REQUIRED;
@@ -198,7 +198,7 @@ static Poco::Net::HTTPResponse::HTTPStatus exceptionCodeToHTTPStatus(int excepti
     else if (exception_code == ErrorCodes::UNKNOWN_USER ||
              exception_code == ErrorCodes::WRONG_PASSWORD ||
              exception_code == ErrorCodes::AUTHENTICATION_FAILED ||
-             exception_code == ErrorCodes::ACCESS_DENIED)
+             exception_code == ErrorCodes::SET_NON_GRANTED_ROLE)
     {
         return HTTPResponse::HTTP_FORBIDDEN;
     }
@@ -748,7 +748,7 @@ void HTTPHandler::processQuery(
                 if (user->granted_roles.isGranted(role_id))
                     roles_ids.push_back(role_id);
                 else
-                    throw Exception(ErrorCodes::ACCESS_DENIED, "Role {} is not granted to the current user", role_params_it->second);
+                    throw Exception(ErrorCodes::SET_NON_GRANTED_ROLE, "Role {} should be granted to set as a current", role_params_it->second);
             }
         }
         context->setCurrentRoles(roles_ids);

tests/queries/0_stateless/03096_http_interface_role_query_param.reference

@@ -25,15 +25,15 @@ max_result_rows	42
 03096_role_query_param_role1
 03096_role_query_param_role2
 max_result_rows	42
-### Cannot set a role that is not granted to the user (single parameter)
-Code: 497
-ACCESS_DENIED
-### Cannot set a role that is not granted to the user (multiple parameters)
-Code: 497
-ACCESS_DENIED
 ### Cannot set a role that does not exist (single parameter)
 Code: 511
 UNKNOWN_ROLE
 ### Cannot set a role that does not exist (multiple parameters)
 Code: 511
 UNKNOWN_ROLE
+### Cannot set a role that is not granted to the user (single parameter)
+Code: 512
+SET_NON_GRANTED_ROLE
+### Cannot set a role that is not granted to the user (multiple parameters)
+Code: 512
+SET_NON_GRANTED_ROLE

tests/queries/0_stateless/03096_http_interface_role_query_param.sh

@@ -73,16 +73,6 @@ echo "### Sets multiple roles when there are other parameters in the query"
 $CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE2" --data-binary "$SHOW_CURRENT_ROLES_QUERY"
 $CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&$CHANGED_SETTING_NAME=$CHANGED_SETTING_VALUE&role=$TEST_ROLE2" --data-binary "$SHOW_CHANGED_SETTINGS_QUERY"
 
-echo "### Cannot set a role that is not granted to the user (single parameter)"
-OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY")
-echo -ne $OUT | grep -o "Code: 497"     || echo "expected code 497, got: $OUT"
-echo -ne $OUT | grep -o "ACCESS_DENIED" || echo "expected ACCESS_DENIED error, got: $OUT"
-
-echo "### Cannot set a role that is not granted to the user (multiple parameters)"
-OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY")
-echo -ne $OUT | grep -o "Code: 497"     || echo "expected code 497, got: $OUT"
-echo -ne $OUT | grep -o "ACCESS_DENIED" || echo "expected ACCESS_DENIED error, got: $OUT"
-
 echo "### Cannot set a role that does not exist (single parameter)"
 OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=aaaaaaaaaaa" --data-binary "$SHOW_CURRENT_ROLES_QUERY")
 echo -ne $OUT | grep -o "Code: 511"     || echo "expected code 511, got: $OUT"
@@ -93,6 +83,16 @@ OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&
 echo -ne $OUT | grep -o "Code: 511"     || echo "expected code 511, got: $OUT"
 echo -ne $OUT | grep -o "UNKNOWN_ROLE"  || echo "expected UNKNOWN_ROLE error, got: $OUT"
 
+echo "### Cannot set a role that is not granted to the user (single parameter)"
+OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY")
+echo -ne $OUT | grep -o "Code: 512"            || echo "expected code 512, got: $OUT"
+echo -ne $OUT | grep -o "SET_NON_GRANTED_ROLE" || echo "expected SET_NON_GRANTED_ROLE error, got: $OUT"
+
+echo "### Cannot set a role that is not granted to the user (multiple parameters)"
+OUT=$($CLICKHOUSE_CURL -u $TEST_USER_AUTH -sS "$CLICKHOUSE_URL&role=$TEST_ROLE1&role=$TEST_ROLE_NOT_GRANTED" --data-binary "$SHOW_CURRENT_ROLES_QUERY")
+echo -ne $OUT | grep -o "Code: 512"            || echo "expected code 512, got: $OUT"
+echo -ne $OUT | grep -o "SET_NON_GRANTED_ROLE" || echo "expected SET_NON_GRANTED_ROLE error, got: $OUT"
+
 $CLICKHOUSE_CLIENT -n --query "
 DROP USER $TEST_USER;
 DROP ROLE $TEST_ROLE1;