def role_column_privileges(self, grant_columns, insert_columns_pass, data_fail, data_pass, table_type, revoke_columns=None, insert_columns_fail=None, node=None): """Check that user with a role is able to insert on granted columns and unable to insert on not granted or revoked columns. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"), role(node, "role0"): with When("I grant insert privilege"): node.query(f"GRANT INSERT({grant_columns}) ON merge_tree TO role0") with And("I grant the role to a user"): node.query("GRANT role0 TO user0") if insert_columns_fail is not None: with And("I insert into not granted column"): exitcode, message = errors.not_enough_privileges(name="user0") node.query(f"INSERT INTO merge_tree ({insert_columns_fail}) VALUES ({data_fail})", settings=[("user","user0")], exitcode=exitcode, message=message) with And("I insert into granted column"): node.query(f"INSERT INTO merge_tree ({insert_columns_pass}) VALUES ({data_pass})", settings=[("user","user0")]) with Then("I check the insert functioned"): input_equals_output = input_output_equality_check(node, insert_columns_pass, data_pass) assert input_equals_output, error() if revoke_columns is not None: with When("I revoke insert privilege from columns"): node.query(f"REVOKE INSERT({revoke_columns}) ON merge_tree FROM role0") with And("I insert into revoked columns"): exitcode, message = errors.not_enough_privileges(name="user0") node.query(f"INSERT INTO merge_tree ({insert_columns_pass}) VALUES ({data_pass})", settings=[("user","user0")], exitcode=exitcode, message=message)
def role_column_privileges(self, grant_columns, select_columns_pass, data_pass, table_type, revoke_columns=None, select_columns_fail=None, node=None): """Check that user is able to select from granted columns and unable to select from not granted or revoked columns. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with Given("The table has some data on some columns"): node.query( f"INSERT INTO merge_tree ({select_columns_pass}) VALUES ({data_pass})" ) with user(node, "user0"), role(node, "role0"): with When("I grant select privilege"): node.query( f"GRANT SELECT({grant_columns}) ON merge_tree TO role0") with And("I grant the role to a user"): node.query("GRANT role0 TO user0") if select_columns_fail is not None: with And("I select from not granted column"): exitcode, message = errors.not_enough_privileges( name="user0") node.query( f"SELECT ({select_columns_fail}) FROM merge_tree", settings=[("user", "user0")], exitcode=exitcode, message=message) with Then("I verify SELECT command"): user_select = node.query("SELECT d FROM merge_tree", settings=[("user", "user0")]) default = node.query("SELECT d FROM merge_tree") assert user_select.output == default.output, error() if revoke_columns is not None: with When("I revoke select privilege for columns from role"): node.query( f"REVOKE SELECT({revoke_columns}) ON merge_tree FROM role0" ) with And("I select from revoked columns"): exitcode, message = errors.not_enough_privileges( name="user0") node.query( f"SELECT ({select_columns_pass}) FROM merge_tree", settings=[("user", "user0")], exitcode=exitcode, message=message)
def role_with_privilege_from_role_with_grant_option(self, table_type, node=None): """Check that a user is able to insert on a table with a role that was granted privilege by another role with grant option """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0,user1"), role(node, "role0,role1"): with When("I grant privilege with grant option to role"): node.query( "GRANT INSERT(d) ON merge_tree TO role0 WITH GRANT OPTION") with And("I grant the role to a user"): node.query("GRANT role0 TO user0") with And( "I grant privilege on a column I dont have permission on"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("GRANT INSERT(b) ON merge_tree TO role1", settings=[("user", "user0")], exitcode=exitcode, message=message) with And("I grant privilege to another role via grant option"): node.query("GRANT INSERT(d) ON merge_tree TO role1", settings=[("user", "user0")]) with And("I grant the second role to another user"): node.query("GRANT role1 TO user1") with And("I insert into a table"): node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user", "user1")]) with Then("I check that I can read inserted data"): output = node.query( "SELECT d FROM merge_tree FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error()
def user_with_privilege_on_cluster(self, table_type, node=None): """Check that user is able to insert on a table with privilege granted on a cluster. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): try: with Given("I have a user on a cluster"): node.query("CREATE USER OR REPLACE user0 ON CLUSTER sharded_cluster") with When("I grant insert privilege on a cluster without the node with the table"): node.query("GRANT ON CLUSTER cluster23 INSERT ON merge_tree TO user0") with And("I insert into the table expecting a fail"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")], exitcode=exitcode, message=message) with And("I grant insert privilege on cluster including all nodes"): node.query("GRANT ON CLUSTER sharded_cluster INSERT ON merge_tree TO user0") with And("I revoke insert privilege on cluster without the table node"): node.query("REVOKE ON CLUSTER cluster23 INSERT ON merge_tree FROM user0") with And("I insert into the table"): node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")]) with Then("I check that I can read inserted data"): output = node.query("SELECT d FROM merge_tree FORMAT JSONEachRow").output assert output == '{"d":"2020-01-01"}', error() finally: with Finally("I drop the user"): node.query("DROP USER user0 ON CLUSTER sharded_cluster")
def without_privilege(self, table_type, node=None): """Check that user without insert privilege on a table is not able to insert on that table. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"): with When("I run INSERT without privilege"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings = [("user","user0")], exitcode=exitcode, message=message)
def without_privilege(self, table_type, node=None): """Check that user without select privilege on a table is not able to select on that table. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"): with When("I run SELECT without privilege"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("SELECT * FROM merge_tree", settings=[("user", "user0")], exitcode=exitcode, message=message)
def revoke_privilege_from_role_via_user_with_grant_option(self, table_type, node=None): """Check that user is unable to revoke a column they dont have acces to from a role. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"), role(node, "role0"): with When("I grant privilege with grant option to user"): node.query("GRANT INSERT(d) ON merge_tree TO user0 WITH GRANT OPTION") with Then("I revoke privilege on a column the user with grant option does not have access to"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("REVOKE INSERT(b) ON merge_tree FROM role0", settings=[("user","user0")], exitcode=exitcode, message=message)
def user_with_revoked_privilege(self, table_type, node=None): """Check that user is unable to insert into a table after insert privilege on that table has been revoked from user. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"): with When("I grant privilege"): node.query("GRANT INSERT ON merge_tree TO user0") with And("I revoke privilege"): node.query("REVOKE INSERT ON merge_tree FROM user0") with And("I use INSERT"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")], exitcode=exitcode, message=message)
def user_with_revoked_privilege(self, table_type, node=None): """Check that user is unable to select from a table after select privilege on that table has been revoked from the user. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"): with When("I grant privilege"): node.query("GRANT SELECT ON merge_tree TO user0") with And("I revoke privilege"): node.query("REVOKE SELECT ON merge_tree FROM user0") with And("I use SELECT, throws exception"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("SELECT * FROM merge_tree", settings=[("user", "user0")], exitcode=exitcode, message=message)
def user_with_revoked_role(self, table_type, node=None): """Check that user with a role that has insert privilege on a table is unable to insert into that table after the role with insert privilege has been revoked from the user. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"), role(node, "role0"): with When("I grant privilege to a role"): node.query("GRANT INSERT ON merge_tree TO role0") with And("I grant the role to a user"): node.query("GRANT role0 TO user0") with And("I revoke the role from the user"): node.query("REVOKE role0 FROM user0") with And("I insert into the table"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("INSERT INTO merge_tree (d) VALUES ('2020-01-01')", settings=[("user","user0")], exitcode=exitcode, message=message)
def role_with_revoked_privilege(self, table_type, node=None): """Check that user with a role that has select privilege on a table is unable to select from that table after select privilege has been revoked from the role. """ if node is None: node = self.context.node with table(node, "merge_tree", table_type): with user(node, "user0"), role(node, "role0"): with When("I grant privilege to a role"): node.query("GRANT SELECT ON merge_tree TO role0") with And("I grant the role to a user"): node.query("GRANT role0 TO user0") with And("I revoke privilege from the role"): node.query("REVOKE SELECT ON merge_tree FROM role0") with And("I select from the table"): exitcode, message = errors.not_enough_privileges(name="user0") node.query("SELECT * FROM merge_tree", settings=[("user", "user0")], exitcode=exitcode, message=message)