From 936face65ce7c68746a23f06b473e70e7ac966fb Mon Sep 17 00:00:00 2001
From: TCeason
Date: Mon, 13 Jan 2025 10:42:31 +0800
Subject: [PATCH] refactor: only set global settings need to check super privilege query setting, session setting, set variable will not check privileges
---
 .../interpreters/access/privilege_access.rs | 16 ++++++++++++++-
 .../18_rbac/18_0007_privilege_access.result | 6 ++++++
 .../18_rbac/18_0007_privilege_access.sh | 20 +++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/src/query/service/src/interpreters/access/privilege_access.rs b/src/query/service/src/interpreters/access/privilege_access.rs
index 4c5df38fb8068..6c15c2369f58c 100644
--- a/src/query/service/src/interpreters/access/privilege_access.rs
+++ b/src/query/service/src/interpreters/access/privilege_access.rs
@@ -1151,7 +1151,21 @@ impl AccessChecker for PrivilegeAccess {
 self.validate_access(&GrantObject::Global, UserPrivilegeType::Grant,false, false)
 .await?;
 }
- Plan::Set(_) | Plan::Unset(_) | Plan::Kill(_) | Plan::SetPriority(_) | Plan::System(_) => {
+ Plan::Set(plan) => {
+ use databend_common_ast::ast::SetType;
+ if let SetType::SettingsGlobal = plan.set_type {
+ self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
+ .await?;
+ }
+ }
+ Plan::Unset(plan) => {
+ use databend_common_ast::ast::SetType;
+ if let SetType::SettingsGlobal = plan.unset_type {
+ self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
+ .await?;
+ }
+ }
+ Plan::Kill(_) | Plan::SetPriority(_) | Plan::System(_) => {
 self.validate_access(&GrantObject::Global, UserPrivilegeType::Super, false, false)
 .await?;
 }
diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result
index fd9a369f184f9..1bb4bd20095b0 100644
--- a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result
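Review bot: The new `Plan::Set` and `Plan::Unset` arms are allow-by-default: `if let SetType::SettingsGlobal = plan.set_type` (and the same test on `plan.unset_type`) asks for Super on that one variant only, so any `SetType` variant added later would run with no privilege check and no compiler diagnostic. An exhaustive `match` on `plan.set_type` / `plan.unset_type` that names the unchecked variants explicitly (the commit message lists query, session and variable) would turn a new variant into a compile error until its privilege is decided. A short comment on the unchecked arm, for example `// non-global settings and variables are scoped to the caller, so no privilege is required` if that is the reasoning, would record why the check was dropped. The two arms also repeat `use databend_common_ast::ast::SetType;`; a single import at the top of the file would do, provided it is not already there. The enclosing match and function start and end outside this hunk.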
+++ b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result
@@ -142,3 +142,9 @@ OWNERSHIP default.default.t2 USER b GRANT OWNERSHIP ON 'default'.'default'.'t2'
 1
 2
 3
+=== set privilege check ===
+100
+100
+1
+1
+=== set privilege check succ ===
diff --git a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh
index ebbc772282056..0c663d9db0df7 100755
--- a/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh
+++ b/tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh
@@ -302,3 +302,23 @@ echo "drop table if exists t1" | $BENDSQL_CLIENT_CONNECT
 echo "drop table if exists t2" | $BENDSQL_CLIENT_CONNECT
 echo "drop stage if exists s3;" | $BENDSQL_CLIENT_CONNECT
 echo "drop database if exists db01" | $BENDSQL_CLIENT_CONNECT
+
+echo "=== set privilege check ==="
+echo "drop user if exists c" | $BENDSQL_CLIENT_CONNECT
+echo "create user c identified by '123'" | $BENDSQL_CLIENT_CONNECT
+export USER_C_CONNECT="bendsql --user=c --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
+echo "set session max_threads=1000" | $BENDSQL_CLIENT_CONNECT
+echo "unset session max_threads" | $BENDSQL_CLIENT_CONNECT
+echo "settings (ddl_column_type_nullable=0) select 100" | $BENDSQL_CLIENT_CONNECT
+echo "SET variable a = 'a';" | $BENDSQL_CLIENT_CONNECT
+echo "set global max_threads=1000" | $BENDSQL_CLIENT_CONNECT
+echo "unset global max_threads" | $BENDSQL_CLIENT_CONNECT
+
+echo "set session max_threads=1000" | $USER_C_CONNECT
+echo "unset session max_threads" | $USER_C_CONNECT
+echo "settings (ddl_column_type_nullable=0) select 100" | $USER_C_CONNECT
+echo "SET variable a = 'a';" | $USER_C_CONNECT
+echo "set global max_threads=1000;" | $USER_C_CONNECT 2>&1 | grep "Super" | wc -l
+echo "unset global max_threads;" | $USER_C_CONNECT 2>&1 | grep "Super" | wc -l
+echo "drop user if exists c" | $BENDSQL_CLIENT_CONNECT
+echo "=== set privilege check succ ==="
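Review bot: The statements user c is now expected to run without Super are mostly unasserted: of `set session`, `unset session`, `settings (...) select 100` and `SET variable`, only the select prints anything, so a denied `set session` would leave the .result file unchanged if the harness compares stdout only (an assumption, since the harness is not visible here). Redirecting stderr on those lines as the global cases already do, e.g. `echo "set session max_threads=1000" | $USER_C_CONNECT 2>&1`, would put any permission error into the compared output. The two denial checks pass on any error text containing "Super"; `grep -c "Super"` would do the same job as `grep "Super" | wc -l` in one process.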