refactor: only set global settings need to check super privilege (#17255)

TCeason · web-flow · commit e6cf9d1599d1 · 2025-01-13T07:19:15.000Z
query setting, session setting, set variable will not check privileges
diff --git a/src/query/service/src/interpreters/access/privilege_access.rs b/src/query/service/src/interpreters/access/privilege_access.rs
@@ -1151,7 +1151,21 @@ impl AccessChecker for PrivilegeAccess {
                 self.validate_access(&GrantObject::Global, UserPrivilegeType::Grant,false, false)
                     .await?;
             }
-            Plan::Set(_) | Plan::Unset(_) | Plan::Kill(_) | Plan::SetPriority(_) | Plan::System(_) => {
+            Plan::Set(plan) => {
+                use databend_common_ast::ast::SetType;
+                if let SetType::SettingsGlobal = plan.set_type {
+                    self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
+                        .await?;
+                }
+            }
+            Plan::Unset(plan) => {
+                use databend_common_ast::ast::SetType;
+                if let SetType::SettingsGlobal = plan.unset_type {
+                    self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
+                        .await?;
+                }
+            }
+            Plan::Kill(_) | Plan::SetPriority(_) | Plan::System(_) => {
                 self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
                     .await?;
             }
diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result
@@ -142,3 +142,9 @@ OWNERSHIP default.default.t2  USER b GRANT OWNERSHIP ON 'default'.'default'.'t2'
 1
 2
 3
+=== set privilege check ===
+100
+100
+1
+1
+=== set privilege check succ ===
diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh
@@ -302,3 +302,23 @@ echo "drop table if exists t1" | $BENDSQL_CLIENT_CONNECT
 echo "drop table if exists t2" | $BENDSQL_CLIENT_CONNECT
 echo "drop stage if exists s3;" | $BENDSQL_CLIENT_CONNECT
 echo "drop database if exists db01" | $BENDSQL_CLIENT_CONNECT
+
+echo "=== set privilege check ==="
+echo "drop user if exists c" | $BENDSQL_CLIENT_CONNECT
+echo "create user c identified by '123'" | $BENDSQL_CLIENT_CONNECT
+export USER_C_CONNECT="bendsql --user=c --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
+echo "set session max_threads=1000" | $BENDSQL_CLIENT_CONNECT
+echo "unset session max_threads" | $BENDSQL_CLIENT_CONNECT
+echo "settings (ddl_column_type_nullable=0) select 100" | $BENDSQL_CLIENT_CONNECT
+echo "SET variable a = 'a';" | $BENDSQL_CLIENT_CONNECT
+echo "set global max_threads=1000" | $BENDSQL_CLIENT_CONNECT
+echo "unset global max_threads" | $BENDSQL_CLIENT_CONNECT
+
+echo "set session max_threads=1000" | $USER_C_CONNECT
+echo "unset session max_threads" | $USER_C_CONNECT
+echo "settings (ddl_column_type_nullable=0) select 100" | $USER_C_CONNECT
+echo "SET variable a = 'a';" | $USER_C_CONNECT
+echo "set global max_threads=1000;" | $USER_C_CONNECT 2>&1  | grep "Super" | wc -l
+echo "unset global max_threads;" | $USER_C_CONNECT 2>&1  | grep "Super" | wc -l
+echo "drop user if exists c" | $BENDSQL_CLIENT_CONNECT
+echo "=== set privilege check succ ==="

Original file line number	Diff line number	Diff line change
`@@ -142,3 +142,9 @@ OWNERSHIP default.default.t2 USER b GRANT OWNERSHIP ON 'default'.'default'.'t2'`
`142`	`142`	`1`
`143`	`143`	`2`
`144`	`144`	`3`
	`145`	`+=== set privilege check ===`
	`146`	`+100`
	`147`	`+100`
	`148`	`+1`
	`149`	`+1`
	`150`	`+=== set privilege check succ ===`