Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(catalog): UserInfo and GrantPrivilege upon catalog #2643

Closed
yezizp2012 opened this issue May 18, 2022 · 1 comment
Closed

feat(catalog): UserInfo and GrantPrivilege upon catalog #2643

yezizp2012 opened this issue May 18, 2022 · 1 comment
Assignees
@yezizp2012
Labels
component/frontend Protocol, parsing, binder. component/meta Meta related issue. type/feature type/tracking Tracking issue.

Comments

@yezizp2012
Copy link
Member

yezizp2012 commented May 18, 2022
edited
Loading

Data type definition and associated RPC service in Meta:

/// AuthInfo is the information required to login to a server.
message AuthInfo {
  enum EncryptionType {
    UNSPECIFIED = 0;
    UNKNOWN = 1;
    PLAINTEXT = 2;
    SHA256 = 3;
    MD5 = 4;
  }
  EncryptionType encryption_type = 1;
  bytes encrypted_value = 2;
}

// User defines a user in the system.
message UserInfo {
  uint32 id = 1;
  string name = 2;
  bool is_super = 3;
  bool can_create_db = 4;
  bool can_create_user = 5;
  bool can_login = 6;
  AuthInfo auth_info = 7;

  /// Granted privileges will be only updated through the command of GRANT/REVOKE.
  repeated GrantPrivilege grant_privileges = 8;
}

// GrantPrivilege defines a privilege granted to a user.
message GrantPrivilege {
  enum Action {
    UNSPECIFIED = 0;
    UNKNOWN = 1;
    SELECT = 2;
    INSERT = 3;
    UPDATE = 4;
    DELETE = 5;
    CREATE = 6;
    CONNECT = 7;
  }

  message ActionWithGrantOption {
    Action action = 1;
    bool with_grant_option = 2;
    uint32 granted_by = 3;
  }

  oneof object {
    uint32 database_id = 1;
    uint32 schema_id = 2;
    uint32 table_id = 3;
    uint32 source_id = 4;
    uint32 all_tables_schema_id = 5;
    uint32 all_sources_schema_id = 6;
  }
  repeated ActionWithGrantOption action_with_opts = 7;
}

message CreateUserRequest {
  UserInfo user = 1;
}

message CreateUserResponse {
  common.Status status = 1;
  uint64 version = 2;
}

message DropUserRequest {
  uint32 user_id = 1;
}

message DropUserResponse {
  common.Status status = 1;
  uint64 version = 2;
}

message UpdateUserRequest {
  enum UpdateField {
    UNKNOWN = 0;
    SUPER = 1;
    LOGIN = 2;
    CREATE_DB = 3;
    AUTH_INFO = 4;
    RENAME = 5;
    CREATE_USER = 6;
  }
  UserInfo user = 1;
  repeated UpdateField update_fields = 2;
}

message UpdateUserResponse {
  common.Status status = 1;
  uint64 version = 2;
}

message GrantPrivilegeRequest {
  repeated uint32 user_ids = 1;
  repeated GrantPrivilege privileges = 2;
  bool with_grant_option = 3;
  uint32 granted_by = 4;
}

message GrantPrivilegeResponse {
  common.Status status = 1;
  uint64 version = 2;
}

message RevokePrivilegeRequest {
  repeated uint32 user_ids = 1;
  repeated GrantPrivilege privileges = 2;
  uint32 granted_by = 3;
  uint32 revoke_by = 4;
  bool revoke_grant_option = 5;
  bool cascade = 6;
}

message RevokePrivilegeResponse {
  common.Status status = 1;
  uint64 version = 2;
}

service UserService {
  rpc CreateUser(CreateUserRequest) returns (CreateUserResponse);
  rpc DropUser(DropUserRequest) returns (DropUserResponse);
  rpc UpdateUser(UpdateUserRequest) returns (UpdateUserResponse);

  // GrantPrivilege grants a privilege to a user.
  rpc GrantPrivilege(GrantPrivilegeRequest) returns (GrantPrivilegeResponse);
  // RevokePrivilege revokes a privilege from a user.
  rpc RevokePrivilege(RevokePrivilegeRequest) returns (RevokePrivilegeResponse);
}

Unlike the standard PostgreSQL syntax, to simply our design, we don't have a role definition in current stage and only support part of options for user and privilege. Here are the syntaxes we plan to support:

SQL Syntax

CREATE USER, refer: CREATE USER

CREATE USER name [ [ WITH ] option [ ... ] ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | LOGIN | NOLOGIN
    | CREATEUSER | NOCREATEUSER
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL

Some options like INHERIT/REPLICATION/BYPASSRLS/CONNECTION LIMIT are not supported in current design. This could be easy to expand in the future.

ALTER USER, refer: ALTER USER

ALTER USER user_specification [ WITH ] option [ ... ]

where option can be:

      SUPERUSER | NOSUPERUSER
    | CREATEDB | NOCREATEDB
    | LOGIN | NOLOGIN
    | CREATEUSER | NOCREATEUSER
    | [ ENCRYPTED ] PASSWORD 'password' | PASSWORD NULL

ALTER USER name RENAME TO new_name

DROP USER, refer: DROP USER

DROP USER [ IF EXISTS ] name [, ...]

GRANT, refer: GRANT

We only support grants privileges on a database object(database, schema, table). The possible privileges are: SELECT, INSERT, UPDATE, DELETE, CREATE, CONNECT, ALL. GRANT and REVOKE can also be done by a user that is not super user, but is a member that holds privileges WITH GRANT OPTION on the object.

If WITH GRANT OPTION is specified, the recipient of the privilege can in turn grant it to others.
If GRANTED BY is specified, the specified grantor must be the current user. This clause is currently present in this form only for SQL compatibility.

GRANT { { CREATE | CONNECT } [, ...] | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    TO user_specification [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY user_specification ]

GRANT { { CREATE } [, ...] | ALL [ PRIVILEGES ] }
    ON SCHEMA schema_name [, ...]
    TO user_specification [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY user_specification ]

GRANT { { SELECT | INSERT | UPDATE | DELETE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ SOURCE ] source_name [, ...]
         | ALL SOURCES IN SCHEMA schema_name [, ...] }
    TO user_specification [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY user_specification ]

GRANT { { SELECT | INSERT | UPDATE | DELETE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ MATERIALIZED VIEW ] mview_name [, ...]
         | ALL MATERIALIZED VIEWS IN SCHEMA schema_name [, ...] }
    TO user_specification [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY user_specification ]

REVOKE, refer: REVOKE

REVOKE [ GRANT OPTION FOR ]
    { { CREATE | CONNECT } [, ...] | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    FROM user_specification [, ...]
    [ GRANTED BY user_specification ]

REVOKE [ GRANT OPTION FOR ]
    { { CREATE } [, ...] | ALL [ PRIVILEGES ] }
    ON SCHEMA schema_name [, ...]
    FROM user_specification [, ...]
    [ GRANTED BY user_specification ]

REVOKE [ GRANT OPTION FOR ]
    { { SELECT | INSERT | UPDATE | DELETE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ SOURCE ] source_name [, ...]
         | ALL SOURCES IN SCHEMA schema_name [, ...] }
    FROM user_specification [, ...]
    [ GRANTED BY user_specification ]

REVOKE [ GRANT OPTION FOR ]
    { { SELECT | INSERT | UPDATE | DELETE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ MATERIALIZED VIEW ] mview_name [, ...]
         | ALL MATERIALIZED VIEWS IN SCHEMA schema_name [, ...] }
    FROM user_specification [, ...]
    [ GRANTED BY user_specification ]
@yezizp2012 yezizp2012 added the type/enhancement Improvements to existing implementation. label May 18, 2022
@yezizp2012
Copy link
Member Author

Cc @fuyufjh @TennyZhuang @neverchanje

@yezizp2012 yezizp2012 self-assigned this May 18, 2022
@yezizp2012 yezizp2012 added component/frontend Protocol, parsing, binder. and removed type/enhancement Improvements to existing implementation. labels May 18, 2022
This was referenced May 18, 2022
Merged
Merged
This was referenced Jun 6, 2022
Merged
Merged
@cnissnzg cnissnzg mentioned this issue Jun 21, 2022
Merged
3 tasks
@cnissnzg cnissnzg mentioned this issue Jul 28, 2022
Merged
3 tasks
@yezizp2012 yezizp2012 added the type/tracking Tracking issue. label Jul 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yezizp2012 yezizp2012

Labels
component/frontend Protocol, parsing, binder. component/meta Meta related issue. type/feature type/tracking Tracking issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@yezizp2012