
feat: support grant/revoke privilege in frontend #3004

Merged
merged 11 commits into from
Jun 7, 2022
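--- a/e2e_test/ddl/privilege.slt
+++ b/e2e_test/ddl/privilege.slt
@@ -0,0 +1,79 @@
+# Create a super user.
+statement ok
+CREATE USER user WITH SUPERUSER PASSWORD 'password';
+
+# Create a user.
+statement ok
+CREATE USER user1 WITH PASSWORD 'password1';
+
+# Create a database.
+statement ok
+CREATE DATABASE db1;
+
+# Create a schema.
+statement ok
+CREATE SCHEMA db1.schema1;
+
+# Grant privilege for user1.
+statement ok
+GRANT ALL ON DATABASE db1 TO user1 WITH GRANT OPTION GRANTED BY user;
+
+# Grant invalid privilege on database for user1.
+statement error
+GRANT INSERT ON DATABASE db1 TO user1 WITH GRANT OPTION GRANTED BY user;
+
+# Grant privilege on invalid database for user1.
+statement error
+GRANT ALL ON DATABASE db_invalid TO user1 WITH GRANT OPTION GRANTED BY user;
+
+# Grant privilege on database for invalid user.
+statement error
+GRANT ALL ON DATABASE db_invalid TO user_invalid WITH GRANT OPTION GRANTED BY user;
+
+# Grant privilege on schema for user1.
+statement ok
+GRANT CREATE ON SCHEMA db1.schema1 TO user1 WITH GRANT OPTION GRANTED BY user;
+
+# Grant privilege on all sources in schema for user1.
+statement ok
+GRANT ALL PRIVILEGES ON ALL SOURCES IN SCHEMA db1.schema1 TO user1 GRANTED BY user;
+
+# Grant privilege on all mviews in schema for user1.
+statement ok
+GRANT ALL PRIVILEGES ON ALL MATERIALIZED VIEWS IN SCHEMA db1.schema1 TO user1 GRANTED BY user;
+
+# Revoke privilege on all mviews in schema for user1.
+statement ok
+REVOKE ALL PRIVILEGES ON ALL MATERIALIZED VIEWS IN SCHEMA db1.schema1 FROM user1;
+
+# Revoke privilege on all sources in schema for user1.
+statement ok
+REVOKE ALL PRIVILEGES ON ALL SOURCES IN SCHEMA db1.schema1 FROM user1;
+
+# Revoke privilege on schema for user1.
+statement ok
+REVOKE CREATE ON SCHEMA db1.schema1 FROM user1;
+
+# Revoke GRANT OPTION FOR from database for user1.
+statement ok
+REVOKE GRANT OPTION FOR ALL ON DATABASE db1 from user1 GRANTED BY user;
+
+# Revoke privilege on database for user1.
+statement ok
+REVOKE ALL ON DATABASE db1 FROM user1;
+
+# Drop schema
+statement ok
+DROP SCHEMA db1.schema1;
+
+# Drop database
+statement ok
+DROP DATABASE db1;
+
+# Drop user1
+statement ok
+DROP USER user1;
+
+# Drop user
+statement ok
+DROP USER user;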
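Review bot: The "invalid user" case (`GRANT ALL ON DATABASE db_invalid TO user_invalid ...`) also names a non-existent database, so the expected error may be produced by the database lookup and the unknown-grantee path is never actually exercised; it should target the real database, `GRANT ALL ON DATABASE db1 TO user_invalid WITH GRANT OPTION GRANTED BY user;`. For the same reason the three `statement error` cases would be stronger with an expected error pattern after `statement error`, if the test runner in use supports one, so a different failure cannot satisfy them. The file also never checks that a revoke took effect: after `REVOKE GRANT OPTION FOR ALL ON DATABASE db1 from user1 GRANTED BY user;` a `statement error` attempting a grant `GRANTED BY user1` would pin the authorization check that the grant-option machinery exists for.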
58 changes: 13 additions & 45 deletions proto/user.proto
Expand Up @@ -32,39 +32,7 @@ message UserInfo {

/// GrantPrivilege defines a privilege granted to a user.
message GrantPrivilege {
message GrantDatabase {
uint32 database_id = 1;
}

message GrantSchema {
uint32 database_id = 1;
uint32 schema_id = 2;
}

message GrantTable {
uint32 database_id = 1;
uint32 schema_id = 2;
uint32 table_id = 3;
}

message GrantSource {
uint32 database_id = 1;
uint32 schema_id = 2;
uint32 source_id = 3;
}

/// To support grant privilege on ALL TABLES IN SCHEMA schema_name.
message GrantAllTables {
uint32 database_id = 1;
uint32 schema_id = 2;
}

message GrantAllSources {
uint32 database_id = 1;
uint32 schema_id = 2;
}

enum Privilege {
enum Action {
UNKNOWN = 0;
SELECT = 1;
INSERT = 2;
Expand All @@ -74,20 +42,20 @@ message GrantPrivilege {
CONNECT = 6;
}

message PrivilegeWithGrantOption {
Privilege privilege = 1;
message ActionWithGrantOption {
Action action = 1;
bool with_grant_option = 2;
}

oneof target {
GrantDatabase grant_database = 1;
GrantSchema grant_schema = 2;
GrantTable grant_table = 3;
GrantSource grant_source = 4;
GrantAllTables grant_all_tables = 5;
GrantAllSources grant_all_sources = 6;
oneof object {
uint32 database_id = 1;
uint32 schema_id = 2;
uint32 table_id = 3;
uint32 source_id = 4;
uint32 all_tables_schema_id = 5;
uint32 all_sources_schema_id = 6;
}
repeated PrivilegeWithGrantOption privilege_with_opts = 7;
repeated ActionWithGrantOption action_with_opts = 7;
}

message CreateUserRequest {
Expand All @@ -109,7 +77,7 @@ message DropUserResponse {
}

message GrantPrivilegeRequest {
string user_name = 1;
repeated string users = 1;
repeated GrantPrivilege privileges = 2;
bool with_grant_option = 3;
}
Expand All @@ -120,7 +88,7 @@ message GrantPrivilegeResponse {
}

message RevokePrivilegeRequest {
string user_name = 1;
repeated string users = 1;
repeated GrantPrivilege privileges = 2;
bool revoke_grant_option = 3;
}
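Review bot: `GrantPrivilegeRequest` and `RevokePrivilegeRequest` carry the grantees (`repeated string users`) and the privileges, but no field identifying the user performing the grant, even though the SQL side of this change accepts `GRANTED BY`; as written the receiving service cannot check from the message alone whether the grantor holds the privilege with grant option, and presumably has to trust the frontend for that decision. A grantor field (for example a `string granted_by` next to `users`) plus a comment stating which side enforces the check would make that contract explicit. In `GrantPrivilege`, `with_grant_option` now appears both per action in `ActionWithGrantOption` and once more on the request (`bool with_grant_option = 3`), so a comment on the request field saying which one is authoritative when they disagree is warranted. The flattened `oneof object` also drops the database/schema ids the removed nested messages carried; if table, source and schema ids are not globally unique, the object can no longer be resolved from the message, which should be confirmed.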
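--- a/src/frontend/src/handler/create_user.rs
+++ b/src/frontend/src/handler/create_user.rs
@@ -24,10 +24,7 @@ use crate::catalog::CatalogError;
 use crate::session::OptimizerContext;
 use crate::user::{encrypt_default, try_extract};
 
-pub(crate) fn make_prost_user_info(
-name: ObjectName,
-options: &CreateUserWithOptions,
-) -> Result<UserInfo> {
+fn make_prost_user_info(name: ObjectName, options: &CreateUserWithOptions) -> Result<UserInfo> {
 let mut user_info = UserInfo {
 name: Binder::resolve_user_name(name)?,
 // the LOGIN option is implied if it is not explicitly specified.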