Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add definers for views (Attempt 2) #60439

Merged
merged 67 commits into from
Feb 28, 2024
Merged

Add definers for views (Attempt 2) #60439

merged 67 commits into from
Feb 28, 2024

Conversation

pufit
Copy link
Member

@pufit pufit commented Feb 27, 2024

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Added new syntax which allows to specify definer user in View/Materialized View. This allows to execute selects/inserts from views without explicit grants for underlying tables.

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

Closes #19228
Original PR: #54901

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

pufit added 30 commits October 11, 2023 21:07
@pufit
SQL security for view/materialized view
bee2786
@pufit
style check fix
5cb002d
@pufit
docs (just to make CI run tests)
e84fde4
@pufit
fix default sql security type
4cf1b4c
@pufit
fix fastests
b1dce13
@pufit
fix tests
646568c
@pufit
fix tests
86df397
@pufit
Add DEFINER grant
63faf66
@pufit
Improve grants, format
a1cf4f8
@pufit
fix indent
be6a58f
@pufit
fix fast tests
cb30a4b
@pufit
fix fast tests
bcf319a
@pufit
format improve
55eecf8
@pufit
fix
303c16d
@pufit
fix
b87f0ef
@pufit
fix segfault
3d17363
@pufit
Alter, docs, tests
d855bc7
@pufit
Merge branch 'master' into pufit/views-sql-security
cc48bd5 
# Conflicts:
#	docs/en/operations/settings/settings.md
#	src/Core/Settings.h
@pufit
fix style
8cd3280
@pufit
fix build
4787c9e
@pufit
fix fast tests
cce5d08
@pufit
Merge branch 'master' into pufit/views-sql-security
382d228 
# Conflicts:
#	docs/en/operations/settings/settings.md
#	src/Core/Settings.h
#	src/Processors/Transforms/buildPushingToViewsChain.cpp
@pufit
Fix issues from the review
1f980c1
@pufit
fix seg fault
4edacbe
@pufit
Try to fix tests
abdca02
@pufit
Merge branch 'master' into pufit/views-sql-security
cba8f67 
# Conflicts:
#	src/Processors/Transforms/buildPushingToViewsChain.cpp
#	src/Storages/StorageMaterializedView.cpp
@pufit
Docs fix, tests fix
9561f07
@pufit
Merge branch 'master' into pufit/views-sql-security
290a119 
# Conflicts:
#	docs/en/sql-reference/statements/create/view.md
@pufit
Fix database set, grants docs
332bd85
@pufit
Merge branch 'master' into pufit/views-sql-security
97b96f6 
# Conflicts:
#	docs/en/operations/settings/settings.md
#	src/Core/Settings.h
#	src/Parsers/ASTAlterQuery.cpp
#	src/Processors/Transforms/buildPushingToViewsChain.cpp
@robot-ch-test-poll3 robot-ch-test-poll3 added the pr-feature Pull request with new product feature label Feb 27, 2024
@robot-ch-test-poll3
Copy link
Contributor

robot-ch-test-poll3 commented Feb 27, 2024
edited by robot-ch-test-poll4
Loading

This is an automated comment for commit e0891b9 with description of existing statuses. It's updated for the latest CI running

⏳ Click here to open a full report in a separate page

Successful checks
Check nameDescriptionStatus
A SyncThere's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS✅ success
Docs checkBuilds and tests the documentation✅ success
Fast testNormally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here✅ success
Mergeable CheckChecks if all other necessary checks are successful✅ success
Style checkRuns a set of checks to keep the code style clean. If some of tests failed, see the related log from the report✅ success
Check nameDescriptionStatus
CI runningA meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR⏳ pending

@vitlibar vitlibar self-assigned this Feb 27, 2024
@pufit
Merge branch 'master' into pufit/views-sql-security
e0891b9 
# Conflicts:
#	src/Core/SettingsChangesHistory.h
@pufit pufit merged commit 330a206 into master Feb 28, 2024
17 of 38 checks passed
@pufit pufit deleted the pufit/views-sql-security branch February 28, 2024 00:00
@robot-ch-test-poll robot-ch-test-poll added the pr-synced-to-cloud The PR is synced to the cloud repo label Feb 28, 2024
@tavplubix
Copy link
Member

@pufit, please pay attention to the CI status

tavplubix added a commit that referenced this pull request Feb 28, 2024
@tavplubix
Revert "Add definers for views (Attempt 2) (#60439)"
92f976f 
This reverts commit 330a206.
@tavplubix tavplubix mentioned this pull request Feb 28, 2024
Closed
Algunenano
Algunenano reviewed Mar 6, 2024
View reviewed changes
tests/queries/0_stateless/02884_create_view_with_sql_security_option.sh
user1="user02884_1_$RANDOM$RANDOM"
user2="user02884_2_$RANDOM$RANDOM"
user3="user02884_3_$RANDOM$RANDOM"
db="db02884_$RANDOM$RANDOM"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why isn't this using the database that's created for each test? CLICKHOUSE_DATABASE.

Having it's custom database makes things harder to track and clean up (specially since the test is slow and might be killed in local envs).

Copy link
Member

@vitlibar vitlibar Mar 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also we could use this idea even for objects which are not databases:

user2="user2_02884_${CLICKHOUSE_DATABASE}_$RANDOM"

@campi01 campi01 mentioned this pull request Mar 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vitlibar vitlibar vitlibar approved these changes

@Algunenano Algunenano Algunenano left review comments

Assignees

@vitlibar vitlibar

Labels
pr-feature Pull request with new product feature pr-synced-to-cloud The PR is synced to the cloud repo
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RBAC: Stored Object Access Control / DEFINER / SQL SECURITY
6 participants
@pufit @robot-ch-test-poll3 @tavplubix @Algunenano @vitlibar @robot-ch-test-poll