Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: grant default CONNECT action for new created user #7716

Merged
merged 5 commits into from
Feb 6, 2023
Merged

fix: grant default CONNECT action for new created user #7716

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e65b4b2
fix: grant default conn action for new created user
yezizp2012 Feb 6, 2023
ef8c303
remove unnecessary check
yezizp2012 Feb 6, 2023
e6a09e7
fix ut
yezizp2012 Feb 6, 2023
08bbc18
Merge branch 'main' into zp/fix-conn-for-user
yezizp2012 Feb 6, 2023
d9eb72c
Merge branch 'main' into zp/fix-conn-for-user
mergify[bot] Feb 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 24 additions & 3 deletions src/frontend/src/handler/create_user.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,19 +15,21 @@
use pgwire::pg_response::{PgResponse, StatementType};
use risingwave_common::error::ErrorCode::PermissionDenied;
use risingwave_common::error::Result;
use risingwave_pb::user::UserInfo;
use risingwave_pb::user::grant_privilege::{Action, ActionWithGrantOption, Object};
use risingwave_pb::user::{GrantPrivilege, UserInfo};
use risingwave_sqlparser::ast::{CreateUserStatement, UserOption, UserOptions};

use super::RwPgResponse;
use crate::binder::Binder;
use crate::catalog::CatalogError;
use crate::catalog::{CatalogError, DatabaseId};
use crate::handler::HandlerArgs;
use crate::user::user_authentication::encrypted_password;

fn make_prost_user_info(
user_name: String,
options: &UserOptions,
session_user: &UserInfo,
database_id: DatabaseId,
) -> Result<UserInfo> {
if !session_user.is_super {
let require_super = options
Expand All @@ -45,10 +47,22 @@ fn make_prost_user_info(
}
}

// Since we don't have concept of PUBLIC group yet, here we simply grant new user with CONNECT
// action of session database.
let grant_privileges = vec![GrantPrivilege {
action_with_opts: vec![ActionWithGrantOption {
action: Action::Connect as i32,
with_grant_option: true,
granted_by: session_user.id,
}],
object: Some(Object::DatabaseId(database_id)),
}];

let mut user_info = UserInfo {
name: user_name,
// the LOGIN option is implied if it is not explicitly specified.
can_login: true,
grant_privileges,
..Default::default()
};

Expand Down Expand Up @@ -85,6 +99,13 @@ pub async fn handle_create_user(
stmt: CreateUserStatement,
) -> Result<RwPgResponse> {
let session = handler_args.session;
let database_id = {
let catalog_reader = session.env().catalog_reader().read_guard();
catalog_reader
.get_database_by_name(session.database())
.expect("session database should exist")
.id()
};
let user_info = {
let user_name = Binder::resolve_user_name(stmt.user_name)?;
let user_reader = session.env().user_info_reader().read_guard();
Expand All @@ -96,7 +117,7 @@ pub async fn handle_create_user(
.get_user_by_name(session.user_name())
.ok_or_else(|| CatalogError::NotFound("user", session.user_name().to_string()))?;

make_prost_user_info(user_name, &stmt.with_options, session_user)?
make_prost_user_info(user_name, &stmt.with_options, session_user, database_id)?
};

let user_info_writer = session.env().user_info_writer();
Expand Down
60 changes: 44 additions & 16 deletions src/frontend/src/handler/handle_privilege.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,10 +241,16 @@ mod tests {
.await
.unwrap();

let database_id = {
let (session_database_id, database_id) = {
let catalog_reader = session.env().catalog_reader();
let reader = catalog_reader.read_guard();
reader.get_database_by_name("db1").unwrap().id()
(
reader
.get_database_by_name(session.database())
.unwrap()
.id(),
reader.get_database_by_name("db1").unwrap().id(),
)
};

{
Expand All @@ -253,21 +259,31 @@ mod tests {
let user_info = reader.get_user_by_name("user1").unwrap();
assert_eq!(
user_info.grant_privileges,
vec![ProstPrivilege {
action_with_opts: vec![
ActionWithGrantOption {
vec![
ProstPrivilege {
action_with_opts: vec![ActionWithGrantOption {
action: Action::Connect as i32,
with_grant_option: true,
granted_by: DEFAULT_SUPER_USER_ID,
},
ActionWithGrantOption {
action: Action::Create as i32,
with_grant_option: true,
granted_by: DEFAULT_SUPER_USER_ID,
}
],
object: Some(ProstObject::DatabaseId(database_id)),
}]
granted_by: session.user_id(),
}],
object: Some(ProstObject::DatabaseId(session_database_id)),
},
ProstPrivilege {
action_with_opts: vec![
ActionWithGrantOption {
action: Action::Connect as i32,
with_grant_option: true,
granted_by: DEFAULT_SUPER_USER_ID,
},
ActionWithGrantOption {
action: Action::Create as i32,
with_grant_option: true,
granted_by: DEFAULT_SUPER_USER_ID,
}
],
object: Some(ProstObject::DatabaseId(database_id)),
}
]
);
}

Expand All @@ -282,6 +298,7 @@ mod tests {
assert!(user_info
.grant_privileges
.iter()
.filter(|gp| gp.object == Some(ProstObject::DatabaseId(database_id)))
.all(|p| p.action_with_opts.iter().all(|ao| !ao.with_grant_option)));
}

Expand All @@ -293,7 +310,18 @@ mod tests {
let user_reader = session.env().user_info_reader();
let reader = user_reader.read_guard();
let user_info = reader.get_user_by_name("user1").unwrap();
assert!(user_info.grant_privileges.is_empty());
assert_eq!(
user_info.grant_privileges,
vec![ProstPrivilege {
action_with_opts: vec![ActionWithGrantOption {
action: Action::Connect as i32,
with_grant_option: true,
granted_by: session.user_id(),
}],
object: Some(ProstObject::DatabaseId(session_database_id)),
}]
);
}
frontend.run_sql("DROP USER user1").await.unwrap();
}
}
6 changes: 0 additions & 6 deletions src/meta/src/manager/catalog/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1614,12 +1614,6 @@ where
user.name
)));
}
if !user.grant_privileges.is_empty() {
return Err(MetaError::permission_denied(format!(
"Cannot drop user {} with privileges",
id
)));
}
if user_core
.user_grant_relation
.get(&id)
Expand Down
2 changes: 0 additions & 2 deletions src/meta/src/rpc/service/user_service.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,6 @@ use crate::manager::{CatalogManagerRef, IdCategory, MetaSrvEnv};
use crate::storage::MetaStore;
use crate::MetaResult;

// TODO: Change user manager as a part of the catalog manager, to ensure that operations on Catalog
// and User are transactional.
pub struct UserServiceImpl<S: MetaStore> {
env: MetaSrvEnv<S>,

Expand Down