def role_column_privileges(self, grant_columns, insert_columns_pass, data_fail, data_pass,
table_type, revoke_columns=None, insert_columns_fail=None, node=None):
"""Check that user with a role is able to insert on granted columns and unable
to insert on not granted or revoked columns.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"), role(node, "role0"):
with When("I grant insert privilege"):
node.query(f"GRANT INSERT({grant_columns}) ON merge_tree TO role0")
with And("I grant the role to a user"):
node.query("GRANT role0 TO user0")
if insert_columns_fail is not None:
with And("I insert into not granted column"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query(f"INSERT INTO merge_tree ({insert_columns_fail}) VALUES ({data_fail})",
settings=[("user","user0")], exitcode=exitcode, message=message)
with And("I insert into granted column"):
node.query(f"INSERT INTO merge_tree ({insert_columns_pass}) VALUES ({data_pass})",
settings=[("user","user0")])
with Then("I check the insert functioned"):
input_equals_output = input_output_equality_check(node, insert_columns_pass, data_pass)
assert input_equals_output, error()
if revoke_columns is not None:
with When("I revoke insert privilege from columns"):
node.query(f"REVOKE INSERT({revoke_columns}) ON merge_tree FROM role0")
with And("I insert into revoked columns"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query(f"INSERT INTO merge_tree ({insert_columns_pass}) VALUES ({data_pass})",
settings=[("user","user0")], exitcode=exitcode, message=message)
def role_column_privileges(self,
grant_columns,
select_columns_pass,
data_pass,
table_type,
revoke_columns=None,
select_columns_fail=None,
node=None):
"""Check that user is able to select from granted columns and unable
to select from not granted or revoked columns.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with Given("The table has some data on some columns"):
node.query(
f"INSERT INTO merge_tree ({select_columns_pass}) VALUES ({data_pass})"
)
with user(node, "user0"), role(node, "role0"):
with When("I grant select privilege"):
node.query(
f"GRANT SELECT({grant_columns}) ON merge_tree TO role0")
with And("I grant the role to a user"):
node.query("GRANT role0 TO user0")
if select_columns_fail is not None:
with And("I select from not granted column"):
exitcode, message = errors.not_enough_privileges(
name="user0")
node.query(
f"SELECT ({select_columns_fail}) FROM merge_tree",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
with Then("I verify SELECT command"):
user_select = node.query("SELECT d FROM merge_tree",
settings=[("user", "user0")])
default = node.query("SELECT d FROM merge_tree")
assert user_select.output == default.output, error()
if revoke_columns is not None:
with When("I revoke select privilege for columns from role"):
node.query(
f"REVOKE SELECT({revoke_columns}) ON merge_tree FROM role0"
)
with And("I select from revoked columns"):
exitcode, message = errors.not_enough_privileges(
name="user0")
node.query(
f"SELECT ({select_columns_pass}) FROM merge_tree",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
def role_with_privilege_from_role_with_grant_option(self,
table_type,
node=None):
"""Check that a user is able to insert on a table with a role that was granted privilege
by another role with grant option
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0,user1"), role(node, "role0,role1"):
with When("I grant privilege with grant option to role"):
node.query(
"GRANT INSERT(d) ON merge_tree TO role0 WITH GRANT OPTION")
with And("I grant the role to a user"):
node.query("GRANT role0 TO user0")
with And(
"I grant privilege on a column I dont have permission on"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("GRANT INSERT(b) ON merge_tree TO role1",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
with And("I grant privilege to another role via grant option"):
node.query("GRANT INSERT(d) ON merge_tree TO role1",
settings=[("user", "user0")])
with And("I grant the second role to another user"):
node.query("GRANT role1 TO user1")
with And("I insert into a table"):
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')",
settings=[("user", "user1")])
with Then("I check that I can read inserted data"):
output = node.query(
"SELECT d FROM merge_tree FORMAT JSONEachRow").output
assert output == '{"d":"2020-01-01"}', error()
def user_with_privilege_on_cluster(self, table_type, node=None):
"""Check that user is able to insert on a table with
privilege granted on a cluster.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
try:
with Given("I have a user on a cluster"):
node.query("CREATE USER OR REPLACE user0 ON CLUSTER sharded_cluster")
with When("I grant insert privilege on a cluster without the node with the table"):
node.query("GRANT ON CLUSTER cluster23 INSERT ON merge_tree TO user0")
with And("I insert into the table expecting a fail"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")],
exitcode=exitcode, message=message)
with And("I grant insert privilege on cluster including all nodes"):
node.query("GRANT ON CLUSTER sharded_cluster INSERT ON merge_tree TO user0")
with And("I revoke insert privilege on cluster without the table node"):
node.query("REVOKE ON CLUSTER cluster23 INSERT ON merge_tree FROM user0")
with And("I insert into the table"):
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")])
with Then("I check that I can read inserted data"):
output = node.query("SELECT d FROM merge_tree FORMAT JSONEachRow").output
assert output == '{"d":"2020-01-01"}', error()
finally:
with Finally("I drop the user"):
node.query("DROP USER user0 ON CLUSTER sharded_cluster")
def without_privilege(self, table_type, node=None):
"""Check that user without insert privilege on a table is not able to insert on that table.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"):
with When("I run INSERT without privilege"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings = [("user","user0")],
exitcode=exitcode, message=message)
def without_privilege(self, table_type, node=None):
"""Check that user without select privilege on a table is not able to select on that table.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"):
with When("I run SELECT without privilege"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("SELECT * FROM merge_tree",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
def revoke_privilege_from_role_via_user_with_grant_option(self, table_type, node=None):
"""Check that user is unable to revoke a column they dont have acces to from a role.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"), role(node, "role0"):
with When("I grant privilege with grant option to user"):
node.query("GRANT INSERT(d) ON merge_tree TO user0 WITH GRANT OPTION")
with Then("I revoke privilege on a column the user with grant option does not have access to"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("REVOKE INSERT(b) ON merge_tree FROM role0", settings=[("user","user0")],
exitcode=exitcode, message=message)
def user_with_revoked_privilege(self, table_type, node=None):
"""Check that user is unable to insert into a table after insert privilege on that table has been revoked from user.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"):
with When("I grant privilege"):
node.query("GRANT INSERT ON merge_tree TO user0")
with And("I revoke privilege"):
node.query("REVOKE INSERT ON merge_tree FROM user0")
with And("I use INSERT"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')",
settings=[("user","user0")], exitcode=exitcode, message=message)
def user_with_revoked_privilege(self, table_type, node=None):
"""Check that user is unable to select from a table after select privilege
on that table has been revoked from the user.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"):
with When("I grant privilege"):
node.query("GRANT SELECT ON merge_tree TO user0")
with And("I revoke privilege"):
node.query("REVOKE SELECT ON merge_tree FROM user0")
with And("I use SELECT, throws exception"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("SELECT * FROM merge_tree",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
def user_with_revoked_role(self, table_type, node=None):
"""Check that user with a role that has insert privilege on a table
is unable to insert into that table after the role with insert
privilege has been revoked from the user.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"), role(node, "role0"):
with When("I grant privilege to a role"):
node.query("GRANT INSERT ON merge_tree TO role0")
with And("I grant the role to a user"):
node.query("GRANT role0 TO user0")
with And("I revoke the role from the user"):
node.query("REVOKE role0 FROM user0")
with And("I insert into the table"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')",
settings=[("user","user0")], exitcode=exitcode, message=message)
def role_with_revoked_privilege(self, table_type, node=None):
"""Check that user with a role that has select privilege on a table is unable
to select from that table after select privilege has been revoked from the role.
"""
if node is None:
node = self.context.node
with table(node, "merge_tree", table_type):
with user(node, "user0"), role(node, "role0"):
with When("I grant privilege to a role"):
node.query("GRANT SELECT ON merge_tree TO role0")
with And("I grant the role to a user"):
node.query("GRANT role0 TO user0")
with And("I revoke privilege from the role"):
node.query("REVOKE SELECT ON merge_tree FROM role0")
with And("I select from the table"):
exitcode, message = errors.not_enough_privileges(name="user0")
node.query("SELECT * FROM merge_tree",
settings=[("user", "user0")],
exitcode=exitcode,
message=message)
