fix test

Author: TCeason

src/meta/app/src/principal/user_privilege.rs

@@ -97,36 +97,6 @@ pub enum UserPrivilegeType {
     CreateDataMask = 1 << 16,
 }
 
-const ALL_PRIVILEGES: BitFlags<UserPrivilegeType> = make_bitflags!(
-    UserPrivilegeType::{
-        Create
-        | Select
-        | Insert
-        | Update
-        | Delete
-        | Drop
-        | Alter
-        | Super
-        | CreateUser
-        | DropUser
-        | CreateRole
-        | DropRole
-        | Grant
-        | CreateStage
-        | Set
-        | CreateDataMask
-        | CreateMaskingPolicy
-        | ApplyMaskingPolicy
-        | Ownership
-        | Read
-        | Write
-        | CreateDatabase
-        | CreateWarehouse
-        | CreateConnection
-        | AccessConnection
-    }
-);
-
 impl Display for UserPrivilegeType {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         write!(f, "{}", match self {
@@ -345,26 +315,13 @@ impl UserPrivilegeSet {
         }
     }
 
-    // TODO: remove this, as ALL has different meanings on different objects
-    pub fn all_privileges() -> Self {
-        ALL_PRIVILEGES.into()
-    }
-
     pub fn set_privilege(&mut self, privilege: UserPrivilegeType) {
         self.privileges |= privilege;
     }
 
     pub fn has_privilege(&self, privilege: UserPrivilegeType) -> bool {
         self.privileges.contains(privilege)
     }
-
-    pub fn set_all_privileges(&mut self) {
-        self.privileges |= ALL_PRIVILEGES;
-    }
-
-    pub fn is_all_privileges(&self) -> bool {
-        self.privileges == ALL_PRIVILEGES
-    }
 }
 
 impl Display for UserPrivilegeSet {

src/meta/app/tests/it/user_privilege.rs

@@ -26,7 +26,7 @@ fn test_user_privilege() -> Result<()> {
     let r = privileges.has_privilege(UserPrivilegeType::Insert);
     assert!(r);
 
-    privileges.set_all_privileges();
+    privileges |= UserPrivilegeSet::available_privileges_on_global();
     let r = privileges.has_privilege(UserPrivilegeType::Create);
     assert!(r);
 

src/query/service/src/interpreters/access/privilege_access.rs

@@ -1514,7 +1514,6 @@ impl AccessChecker for PrivilegeAccess {
                 }
             }
             Plan::CreateView(plan) => {
-                self.validate_db_access(&plan.catalog, &plan.database, UserPrivilegeType::Create, false).await?;
                 let mut planner = Planner::new(self.ctx.clone());
                 let (plan, _) = planner.plan_sql(&plan.subquery).await?;
                 self.check(ctx, &plan).await?

src/query/users/tests/it/role_mgr.rs

@@ -102,7 +102,7 @@ async fn test_role_manager() -> Result<()> {
                 &tenant,
                 &role_name,
                 GrantObject::Global,
-                UserPrivilegeSet::all_privileges(),
+                UserPrivilegeSet::available_privileges_on_global(),
             )
             .await?;
         let role = role_mgr.get_role(&tenant, role_name.clone()).await?;
@@ -118,7 +118,7 @@ async fn test_role_manager() -> Result<()> {
                 &tenant,
                 &role_name,
                 GrantObject::Global,
-                UserPrivilegeSet::all_privileges(),
+                UserPrivilegeSet::available_privileges_on_global(),
             )
             .await?;
 

src/query/users/tests/it/user_mgr.rs

@@ -162,7 +162,7 @@ async fn test_user_manager() -> Result<()> {
                 &tenant,
                 user_info.identity(),
                 GrantObject::Global,
-                UserPrivilegeSet::all_privileges(),
+                UserPrivilegeSet::available_privileges_on_global(),
             )
             .await?;
         let user_info = user_mgr.get_user(&tenant, user_info.identity()).await?;
@@ -173,7 +173,7 @@ async fn test_user_manager() -> Result<()> {
                 &tenant,
                 user_info.identity(),
                 GrantObject::Global,
-                UserPrivilegeSet::all_privileges(),
+                UserPrivilegeSet::available_privileges_on_global(),
             )
             .await?;
         let user_info = user_mgr.get_user(&tenant, user_info.identity()).await?;

tests/sqllogictests/suites/base/06_show/06_0007_show_roles.test

@@ -61,9 +61,6 @@ grant role b to role a;
 statement ok
 grant role a to a;
 
-statement ok
-grant create database on *.* to a;
-
 statement ok
 set enable_expand_roles=1;
 
@@ -87,7 +84,7 @@ select grants from show_grants('user', 'a') order by object_id;
 GRANT SELECT ON 'default'.'default'.'t' TO 'a'@'%'
 GRANT OWNERSHIP ON 'default'.'default'.'t' TO 'a'@'%'
 GRANT OWNERSHIP ON 'default'.'default'.'t1' TO 'a'@'%'
-GRANT SELECT,INSERT,CREATE DATABASE ON *.* TO 'a'@'%'
+GRANT SELECT,INSERT ON *.* TO 'a'@'%'
 
 statement ok
 set enable_expand_roles=0;
@@ -114,7 +111,6 @@ select grants from show_grants('user', 'a') order by object_id;
 GRANT ROLE a to 'a'@'%'
 GRANT ROLE b to 'a'@'%'
 GRANT ROLE public to 'a'@'%'
-GRANT CREATE DATABASE ON *.* TO 'a'@'%'
 
 statement ok
 unset enable_expand_roles;

tests/suites/0_stateless/18_rbac/18_0002_ownership_cover.sh

@@ -135,7 +135,7 @@ echo "create role drop_role;" | $BENDSQL_CLIENT_CONNECT
 echo "create role drop_role1;" | $BENDSQL_CLIENT_CONNECT
 echo "create user u1 identified by '123' with DEFAULT_ROLE='drop_role'" | $BENDSQL_CLIENT_CONNECT
 echo "grant role drop_role to u1;" | $BENDSQL_CLIENT_CONNECT
-echo "grant create database on *.* to u1;" | $BENDSQL_CLIENT_CONNECT
+echo "grant create database on *.* to role drop_role;" | $BENDSQL_CLIENT_CONNECT
 export USER_U1_CONNECT="bendsql --user=u1 --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
 
 echo "create database a" | $USER_U1_CONNECT

tests/suites/0_stateless/18_rbac/18_0004_view_privilege.result

@@ -16,14 +16,14 @@
 1
 >>>> revoke create on default.* from role role1
 need failed: with 1063
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1,role2]
 need failed: with 1063
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'owner'@'%' with roles [public,role1,role2]
 >>>> grant ownership on default.v_t_owner to role role1
 >>>> create view v_t as select * from t
 >>>> create view v_t_union as select * from t union all select * from t_owner
 'select * from v_t order by id' failed.
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1,role2]
 >>>> grant select on default.v_t to owner
 >>>> grant select on default.v_t_union to owner
 1
@@ -43,7 +43,7 @@ Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is req
 === create view as select view ===
 >>>> revoke select on default.v_t from owner
 >>>> grant select on default.t to owner
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'v_t' for user 'owner'@'%' with roles [public,role1,role2]
 >>>> grant select on default.v_t to owner
 >>>> grant select on default.t to owner
 >>>> grant select on default.v_t1 to owner

tests/suites/0_stateless/18_rbac/18_0004_view_privilege.sh

@@ -26,8 +26,15 @@ echo 'create table t_owner(c1 int)' | $TEST_USER_CONNECT
 echo 'insert into t_owner values(2)' | $TEST_USER_CONNECT
 stmt 'revoke create on default.* from role role1'
 
+echo 'drop role if exists role2' | $BENDSQL_CLIENT_CONNECT
+echo 'create role role2' | $BENDSQL_CLIENT_CONNECT
+echo 'grant create on default.* to role role2' | $BENDSQL_CLIENT_CONNECT
+echo 'grant role role2 to owner' | $BENDSQL_CLIENT_CONNECT
+echo 'alter user owner with default_role=role2' | $BENDSQL_CLIENT_CONNECT
+
 echo 'need failed: with 1063'
 echo 'create view v_t as select * from t' | $TEST_USER_CONNECT
+
 echo 'need failed: with 1063'
 echo 'create view v_t_union as select * from t union all select * from t_owner' | $TEST_USER_CONNECT
 echo 'create view v_t_owner as select * from t_owner' | $TEST_USER_CONNECT
@@ -67,3 +74,4 @@ stmt 'drop view if exists v_t_union'
 stmt 'drop view if exists v_t1'
 stmt 'drop user if exists owner'
 stmt 'drop role if exists role1'
+echo 'drop role if exists role2' | $BENDSQL_CLIENT_CONNECT

tests/suites/0_stateless/18_rbac/18_0007_privilege_access.result

@@ -113,28 +113,28 @@ Error: APIError: QueryFailed: [1063]Permission denied: No privilege on database
 Error: APIError: QueryFailed: [1063]Permission denied: No privilege on table root_table for user b.
 Error: APIError: QueryFailed: [1063]Permission denied: No privilege on table root_table for user b.
 1	1
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public]
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'b'@'%' with roles [public]
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
-Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public,role_test_b]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t' for user 'b'@'%' with roles [public,role_test_b]
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Read] is required on STAGE s3 for user 'b'@'%' with roles [public,role_test_b]. Note: Please ensure that your current role have the appropriate permissions to create a new Object
+Error: APIError: QueryFailed: [1063]Permission denied: privilege [Select] is required on 'default'.'default'.'t1' for user 'b'@'%' with roles [public,role_test_b]
 0
 1
 a b/data_UUID_0000_00000000.parquet	1	0	NULL	NULL
 === check db/table_id ===
 Read s3  USER b GRANT Read ON STAGE s3 TO 'b'@'%'
-CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT system  USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%'
+CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT,INSERT,DELETE default.default.t  USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%'
 SELECT default.default.t1  USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%'
 SELECT,INSERT default.c.t  USER b GRANT SELECT,INSERT ON 'default'.'c'.'t' TO 'b'@'%'
 OWNERSHIP default.default.t2  USER b GRANT OWNERSHIP ON 'default'.'default'.'t2' TO 'b'@'%'
 1
 1
 Read s3  USER b GRANT Read ON STAGE s3 TO 'b'@'%'
-CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT system  USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%'
+CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT,INSERT,DELETE default.default.t  USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%'
 SELECT default.default.t1  USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%'
 SELECT,INSERT default.c.t1  USER b GRANT SELECT,INSERT ON 'default'.'c'.'t1' TO 'b'@'%'
@@ -143,8 +143,8 @@ OWNERSHIP default.default.t2  USER b GRANT OWNERSHIP ON 'default'.'default'.'t2'
 1
 2
 Read s3  USER b GRANT Read ON STAGE s3 TO 'b'@'%'
-CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT system  USER b GRANT SELECT ON 'default'.'system'.* TO 'b'@'%'
+CREATE default  USER b GRANT CREATE ON 'default'.'default'.* TO 'b'@'%'
 SELECT,INSERT,DELETE default.default.t  USER b GRANT SELECT,INSERT,DELETE ON 'default'.'default'.'t' TO 'b'@'%'
 SELECT default.default.t1  USER b GRANT SELECT ON 'default'.'default'.'t1' TO 'b'@'%'
 SELECT,INSERT default.d.t1  USER b GRANT SELECT,INSERT ON 'default'.'d'.'t1' TO 'b'@'%'