cb58b407a983516d3cf03905779f2b8323629dd2


src/Access/AccessRights.h


1#pragma once
2
3#include <Core/Types.h>
4#include <Access/AccessRightsElement.h>
5#include <memory>
6#include <vector>
7
8
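namespace DB
{
/// Represents a set of access types granted on databases, tables, columns, etc.
/// For example, "GRANT SELECT, UPDATE ON db.*, GRANT INSERT ON db2.mytbl2" are access rights.
///
/// The class keeps two separate trees (see `root` and `root_with_grant_option` below):
/// isGranted() and hasGrantOption() are therefore two distinct questions, and callers
/// that authorize a GRANT statement presumably need hasGrantOption() rather than
/// isGranted() -- confirm against the call sites.
class AccessRights
{
public:
    AccessRights();

    /// NOTE(review): this constructor is not `explicit`, so an AccessFlags value converts
    /// implicitly to an AccessRights object. Presumably it grants `access` at the global
    /// level; confirm against the definition before relying on the implicit conversion.
    AccessRights(const AccessFlags & access);

    /// The destructor and the copy/move members are only declared here because `Node` is an
    /// incomplete type in this header; they have to be defined where `Node` is complete.
    ~AccessRights();
    AccessRights(const AccessRights & src);
    AccessRights & operator =(const AccessRights & src);

    /// NOTE(review): the move operations are not declared `noexcept`. Adding it requires the
    /// same change on the out-of-line definitions, which are not visible from this header.
    AccessRights(AccessRights && src);
    AccessRights & operator =(AccessRights && src);

    bool isEmpty() const;

    /// Revokes everything. It's the same as revoke(AccessType::ALL).
    void clear();

    /// Returns the information about all the access granted as a string.
    String toString() const;

    /// Returns the information about all the access granted.
    AccessRightsElementsWithOptions getElements() const;

    /// Grants access on a specified database/table/column.
    /// Does nothing if the specified access has been already granted.
    /// The overloads narrow the scope step by step: everything, one database, one table,
    /// one column or a list of columns, or a prebuilt element / list of elements.
    void grant(const AccessFlags & flags);
    void grant(const AccessFlags & flags, const std::string_view & database);
    void grant(const AccessFlags & flags, const std::string_view & database, const std::string_view & table);
    void grant(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column);
    void grant(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns);
    void grant(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns);
    void grant(const AccessRightsElement & element);
    void grant(const AccessRightsElements & elements);

    /// Same overload set as grant(). Presumably this also records the grant option, i.e. the
    /// right to pass the access on to others -- the definitions are not in this header.
    void grantWithGrantOption(const AccessFlags & flags);
    void grantWithGrantOption(const AccessFlags & flags, const std::string_view & database);
    void grantWithGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table);
    void grantWithGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column);
    void grantWithGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns);
    void grantWithGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns);
    void grantWithGrantOption(const AccessRightsElement & element);
    void grantWithGrantOption(const AccessRightsElements & elements);

    /// Revokes a specified access granted earlier on a specified database/table/column.
    /// For example, revoke(AccessType::ALL) revokes all grants, just like clear().
    void revoke(const AccessFlags & flags);
    void revoke(const AccessFlags & flags, const std::string_view & database);
    void revoke(const AccessFlags & flags, const std::string_view & database, const std::string_view & table);
    void revoke(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column);
    void revoke(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns);
    void revoke(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns);
    void revoke(const AccessRightsElement & element);
    void revoke(const AccessRightsElements & elements);

    /// Same overload set as revoke(). Presumably removes only the grant option and leaves the
    /// access itself in place -- TODO confirm against the definitions.
    void revokeGrantOption(const AccessFlags & flags);
    void revokeGrantOption(const AccessFlags & flags, const std::string_view & database);
    void revokeGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table);
    void revokeGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column);
    void revokeGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns);
    void revokeGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns);
    void revokeGrantOption(const AccessRightsElement & element);
    void revokeGrantOption(const AccessRightsElements & elements);

    /// Returns whether the specified access is granted.
    /// The result is an authorization decision, so it is marked [[nodiscard]]: a call whose
    /// result is thrown away checks nothing, and the compiler now reports it.
    [[nodiscard]] bool isGranted(const AccessFlags & flags) const;
    [[nodiscard]] bool isGranted(const AccessFlags & flags, const std::string_view & database) const;
    [[nodiscard]] bool isGranted(const AccessFlags & flags, const std::string_view & database, const std::string_view & table) const;
    [[nodiscard]] bool isGranted(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column) const;
    [[nodiscard]] bool isGranted(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns) const;
    [[nodiscard]] bool isGranted(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns) const;
    [[nodiscard]] bool isGranted(const AccessRightsElement & element) const;
    [[nodiscard]] bool isGranted(const AccessRightsElements & elements) const;

    /// Same overload set as isGranted(), asked about the grant option instead of the access.
    /// Marked [[nodiscard]] for the same reason as isGranted().
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags) const;
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags, const std::string_view & database) const;
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table) const;
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::string_view & column) const;
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const std::vector<std::string_view> & columns) const;
    [[nodiscard]] bool hasGrantOption(const AccessFlags & flags, const std::string_view & database, const std::string_view & table, const Strings & columns) const;
    [[nodiscard]] bool hasGrantOption(const AccessRightsElement & element) const;
    [[nodiscard]] bool hasGrantOption(const AccessRightsElements & elements) const;

    /// Merges two sets of access rights together.
    /// It's used to combine access rights from multiple roles.
    /// NOTE(review): presumably the result is the union of both sets; how grant options are
    /// combined is not visible from this header -- confirm against the definition.
    void merge(const AccessRights & other);

    friend bool operator ==(const AccessRights & left, const AccessRights & right);
    friend bool operator !=(const AccessRights & left, const AccessRights & right) { return !(left == right); }

    /// NOTE(review): presumably returns an object with every access type granted; whether the
    /// grant option is included is not visible here. Worth checking wherever this value is
    /// handed to a user or role.
    static AccessRights getFullAccess();

private:
    /// Shared implementations behind the public overloads. The bool template parameter
    /// selects between the plain variant and the grant-option variant of each operation.
    template <bool with_grant_option, typename... Args>
    void grantImpl(const AccessFlags & flags, const Args &... args);

    template <bool with_grant_options>
    void grantImpl(const AccessRightsElement & element);

    template <bool with_grant_options>
    void grantImpl(const AccessRightsElements & elements);

    template <bool grant_option, typename... Args>
    void revokeImpl(const AccessFlags & flags, const Args &... args);

    template <bool grant_option>
    void revokeImpl(const AccessRightsElement & element);

    template <bool grant_option>
    void revokeImpl(const AccessRightsElements & elements);

    template <bool grant_option, typename... Args>
    bool isGrantedImpl(const AccessFlags & flags, const Args &... args) const;

    template <bool grant_option>
    bool isGrantedImpl(const AccessRightsElement & element) const;

    template <bool grant_option>
    bool isGrantedImpl(const AccessRightsElements & elements) const;

    /// Presumably a debugging aid that logs the stored trees -- TODO confirm what it writes
    /// and at which log level.
    void logTree() const;

    /// Tree node type, declared here and defined in the implementation file.
    struct Node;

    /// Two separately owned trees: one for the access itself, one for the grant option.
    std::unique_ptr<Node> root;
    std::unique_ptr<Node> root_with_grant_option;
};

}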