fix(rbac): create or replace ownership_object should delete the old ownership key (#18667)

Author: TCeason

src/meta/api/src/database_api.rs

@@ -108,6 +108,8 @@ where
         }
 
         let mut trials = txn_backoff(None, func_name!());
+        let mut old_db_id = None;
+
         loop {
             trials.next().unwrap()?.await;
 
@@ -118,6 +120,7 @@ where
             let mut txn = TxnRequest::default();
 
             if let Some(ref curr_seq_db_id) = curr_seq_db_id {
+                old_db_id = Some(curr_seq_db_id.data.into_inner());
                 match req.create_option {
                     CreateOption::Create => {
                         return Err(KVAppError::AppError(AppError::DatabaseAlreadyExists(
@@ -130,6 +133,7 @@ where
                     CreateOption::CreateIfNotExists => {
                         return Ok(CreateDatabaseReply {
                             db_id: curr_seq_db_id.data.into_inner(),
+                            old_db_id: None,
                         });
                     }
                     CreateOption::CreateOrReplace => {
@@ -187,7 +191,10 @@ where
                 );
 
                 if succ {
-                    return Ok(CreateDatabaseReply { db_id: id_key });
+                    return Ok(CreateDatabaseReply {
+                        db_id: id_key,
+                        old_db_id,
+                    });
                 }
             }
         }

src/meta/api/src/schema_api_test_suite.rs

@@ -4841,6 +4841,7 @@ impl SchemaApiTestSuite {
                 new_table: true,
                 orphan_table_name: None,
                 spec_vec: None,
+                old_table_id: None,
             };
             let cur_db = util.get_database().await?;
             assert!(old_db.meta.seq < cur_db.meta.seq);

src/meta/api/src/table_api.rs

@@ -272,6 +272,8 @@ where
         }
 
         let mut trials = txn_backoff(None, func_name!());
+        let mut old_table_id = None;
+
         loop {
             trials.next().unwrap()?.await;
 
@@ -322,6 +324,7 @@ where
                                 spec_vec: None,
                                 prev_table_id: None,
                                 orphan_table_name: None,
+                                old_table_id: None,
                             });
                         }
                         CreateOption::CreateOrReplace => {
@@ -333,6 +336,7 @@ where
 
                                 SeqV::new(id.seq, *id.data)
                             } else {
+                                old_table_id = Some(*id.data);
                                 let (seq, id) = construct_drop_table_txn_operations(
                                     self,
                                     req.name_ident.table_name.clone(),
@@ -470,6 +474,7 @@ where
                         spec_vec: None,
                         prev_table_id,
                         orphan_table_name,
+                        old_table_id,
                     });
                 } else {
                     // re-run txn with re-fetched data

src/meta/app/src/schema/database.rs

@@ -217,6 +217,7 @@ impl Display for CreateDatabaseReq {
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct CreateDatabaseReply {
     pub db_id: DatabaseId,
+    pub old_db_id: Option<DatabaseId>,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq)]

src/meta/app/src/schema/table.rs

@@ -659,6 +659,7 @@ pub struct CreateTableReply {
     pub spec_vec: Option<(u64, u64)>,
     pub prev_table_id: Option<u64>,
     pub orphan_table_name: Option<String>,
+    pub old_table_id: Option<u64>,
 }
 
 /// Drop table by id.

src/query/service/src/catalogs/default/mutable_catalog.rs

@@ -333,7 +333,10 @@ impl Catalog for MutableCatalog {
         });
         let database = self.build_db_instance(&db_info)?;
         database.init_database(req.name_ident.tenant_name()).await?;
-        Ok(CreateDatabaseReply { db_id: res.db_id })
+        Ok(CreateDatabaseReply {
+            db_id: res.db_id,
+            old_db_id: res.old_db_id,
+        })
     }
 
     #[async_backtrace::framed]

src/query/service/src/interpreters/interpreter_database_create.rs

@@ -88,6 +88,16 @@ impl Interpreter for CreateDatabaseInterpreter {
                         &current_role.name,
                     )
                     .await?;
+
+                // if old_db_id is some means create or replace is success, we should delete the old db id's ownership key
+                if let Some(old_db_id) = reply.old_db_id {
+                    role_api
+                        .revoke_ownership(&OwnershipObject::Database {
+                            catalog_name: self.plan.catalog.clone(),
+                            db_id: *old_db_id,
+                        })
+                        .await?;
+                }
                 RoleCacheManager::instance().invalidate_cache(&tenant);
             }
         }

src/query/service/src/interpreters/interpreter_table_create.rs

@@ -33,6 +33,7 @@ use databend_common_management::RoleApi;
 use databend_common_meta_app::principal::OwnershipObject;
 use databend_common_meta_app::schema::CommitTableMetaReq;
 use databend_common_meta_app::schema::CreateOption;
+use databend_common_meta_app::schema::CreateTableReply;
 use databend_common_meta_app::schema::CreateTableReq;
 use databend_common_meta_app::schema::TableIdent;
 use databend_common_meta_app::schema::TableIndexType;
@@ -41,6 +42,7 @@ use databend_common_meta_app::schema::TableMeta;
 use databend_common_meta_app::schema::TableNameIdent;
 use databend_common_meta_app::schema::TablePartition;
 use databend_common_meta_app::schema::TableStatistics;
+use databend_common_meta_app::tenant::Tenant;
 use databend_common_meta_types::MatchSeq;
 use databend_common_pipeline_core::always_callback;
 use databend_common_pipeline_core::ExecutionInfo;
@@ -228,22 +230,7 @@ impl CreateTableInterpreter {
         let db_id = reply.db_id;
 
         if !req.table_meta.options.contains_key(OPT_KEY_TEMP_PREFIX) {
-            // grant the ownership of the table to the current role.
-            let current_role = self.ctx.get_current_role();
-            if let Some(current_role) = current_role {
-                let role_api = UserApiProvider::instance().role_api(&tenant);
-                role_api
-                    .grant_ownership(
-                        &OwnershipObject::Table {
-                            catalog_name: self.plan.catalog.clone(),
-                            db_id,
-                            table_id,
-                        },
-                        &current_role.name,
-                    )
-                    .await?;
-                RoleCacheManager::instance().invalidate_cache(&tenant);
-            }
+            self.process_ownership(&tenant, reply).await?;
         }
 
         // If the table creation query contains column definitions, like 'CREATE TABLE t1(a int) AS SELECT * from t2',
@@ -336,6 +323,42 @@ impl CreateTableInterpreter {
         Ok(pipeline)
     }
 
+    async fn process_ownership(&self, tenant: &Tenant, reply: CreateTableReply) -> Result<()> {
+        // grant the ownership of the table to the current role.
+        let mut invalid_cache = false;
+        let current_role = self.ctx.get_current_role();
+        let role_api = UserApiProvider::instance().role_api(tenant);
+        if let Some(current_role) = current_role {
+            role_api
+                .grant_ownership(
+                    &OwnershipObject::Table {
+                        catalog_name: self.plan.catalog.clone(),
+                        db_id: reply.db_id,
+                        table_id: reply.table_id,
+                    },
+                    &current_role.name,
+                )
+                .await?;
+            invalid_cache = true;
+        }
+
+        // if old_table_id is some means create or replace is success, we should delete the old table id's ownership key
+        if let Some(old_table_id) = reply.old_table_id {
+            role_api
+                .revoke_ownership(&OwnershipObject::Table {
+                    catalog_name: self.plan.catalog.clone(),
+                    db_id: reply.db_id,
+                    table_id: old_table_id,
+                })
+                .await?;
+            invalid_cache = true;
+        }
+        if invalid_cache {
+            RoleCacheManager::instance().invalidate_cache(tenant);
+        }
+        Ok(())
+    }
+
     #[async_backtrace::framed]
     async fn create_table(&self) -> Result<PipelineBuildResult> {
         let catalog = self.ctx.get_catalog(self.plan.catalog.as_str()).await?;
@@ -390,27 +413,10 @@ impl CreateTableInterpreter {
             self.register_temp_table(prefix).await?;
         }
 
+        // iceberg table do not need to generate ownership.
         if !req.table_meta.options.contains_key(OPT_KEY_TEMP_PREFIX) && !catalog.is_external() {
-            // iceberg table do not need to generate ownership.
-            // grant the ownership of the table to the current role, the above req.table_meta.owner could be removed in the future.
-            if let Some(current_role) = self.ctx.get_current_role() {
-                let tenant = self.ctx.get_tenant();
-                let db = catalog.get_database(&tenant, &self.plan.database).await?;
-                let db_id = db.get_db_info().database_id.db_id;
-
-                let role_api = UserApiProvider::instance().role_api(&tenant);
-                role_api
-                    .grant_ownership(
-                        &OwnershipObject::Table {
-                            catalog_name: self.plan.catalog.clone(),
-                            db_id,
-                            table_id: reply.table_id,
-                        },
-                        &current_role.name,
-                    )
-                    .await?;
-                RoleCacheManager::instance().invalidate_cache(&tenant);
-            }
+            let tenant = self.ctx.get_tenant();
+            self.process_ownership(&tenant, reply).await?;
         }
 
         Ok(PipelineBuildResult::create())

src/query/service/src/test_kits/fixture.rs

@@ -128,8 +128,8 @@ pub trait Setup {
     async fn setup(&self) -> Result<InnerConfig>;
 }
 
-struct OSSSetup {
-    config: InnerConfig,
+pub struct OSSSetup {
+    pub config: InnerConfig,
 }
 
 #[async_trait::async_trait]