fix(query): only account_admin role can modify setting network_policy (#18456)

Author: TCeason

src/query/service/src/interpreters/access/privilege_access.rs

@@ -1359,13 +1359,28 @@ impl AccessChecker for PrivilegeAccess {
             Plan::Set(plan) => {
                 use databend_common_ast::ast::SetType;
                 if let SetType::SettingsGlobal = plan.set_type {
+                    plan.idents.iter()
+                        .try_for_each(|setting| {
+                            if setting.eq_ignore_ascii_case("network_policy") && !self.ctx.get_current_user()?.is_account_admin() {
+                                return Err(ErrorCode::PermissionDenied("Permission Denied: Setting of network_policy is restricted to account_admin role".to_string()));
+                            }
+                            Ok(())
+                        })?;
                     self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
                         .await?;
                 }
             }
             Plan::Unset(plan) => {
                 use databend_common_ast::ast::SetType;
                 if let SetType::SettingsGlobal = plan.unset_type {
+                    plan.vars.iter()
+                        .try_for_each(|setting| {
+                            if setting.eq_ignore_ascii_case("network_policy") && !self.ctx.get_current_user()?.is_account_admin() {
+                                    return Err(ErrorCode::PermissionDenied("Permission Denied: Setting of network_policy is restricted to account_admin role".to_string()));
+                            }
+                            Ok(())
+                            }
+                        )?;
                     self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
                         .await?;
                 }

tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result

@@ -36,6 +36,9 @@ test -- insert overwrite
 test -- optimize table
 Error: APIError: QueryFailed: [1063]Permission denied: privilege [Super] is required on 'default'.'default'.'t20_0012' for user 'test-user'@'%' with roles [public,test-role1,test-role2]
 true
+=== NETWORK_POLICY SETTING ===
+Error: APIError: QueryFailed: [1063]Permission Denied: Setting of network_policy is restricted to account_admin role
+Error: APIError: QueryFailed: [1063]Permission Denied: Setting of network_policy is restricted to account_admin role
 test -- select
 1
 1

tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh

@@ -92,6 +92,13 @@ echo "set data_retention_time_in_days=0; optimize table t20_0012 all" | $TEST_US
 ## verify
 echo "select count(*)>=1 from fuse_snapshot('default', 't20_0012')" | $TEST_USER_CONNECT
 
+echo "=== NETWORK_POLICY SETTING ==="
+echo "drop network policy if exists test_user_without_account_admin"  | $TEST_USER_CONNECT
+echo "create network policy test_user_without_account_admin allowed_ip_list=('127.0.0.0/24')"  | $TEST_USER_CONNECT
+echo "set global network_policy='test_user_without_account_admin'"  | $TEST_USER_CONNECT
+echo "unset global network_policy"  | $TEST_USER_CONNECT
+echo "drop network policy if exists test_user_without_account_admin"  | $TEST_USER_CONNECT
+
 ## select data
 echo "select 'test -- select'" | $TEST_USER_CONNECT
 ## Init tables