Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RBAC] Support grant role and revoke role #4451

Merged
merged 2 commits into from
Mar 15, 2022
Merged

[RBAC] Support grant role and revoke role #4451

merged 2 commits into from
Mar 15, 2022

Conversation

junnplus
Copy link
Contributor

@junnplus junnplus commented Mar 15, 2022
edited
Loading

Signed-off-by: Ye Sijun junnplus@gmail.com

I hereby agree to the terms of the CLA available at: https://databend.rs/dev/policies/cla/

Summary

This PR support grant role and revoke role statement for RBAC.

Changelog

  • New Feature

Related Issues

Fixes #4201 #2818

Test Plan

Unit Tests

Stateless Tests

@vercel
Copy link

vercel bot commented Mar 15, 2022
edited
Loading

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/databend/databend/2o5FtEohMGWwkB7M9toJ5emGgot3
✅ Preview: Canceled

[Deployment for 45f9a05 canceled]

@mergify
Copy link
Contributor

mergify bot commented Mar 15, 2022

Thanks for the contribution!
I have applied any labels matching special text in your PR Changelog.

Please review the labels and make any necessary changes.

@mergify mergify bot added the pr-feature this PR introduces a new feature to the codebase label Mar 15, 2022
@junnplus junnplus marked this pull request as ready for review March 15, 2022 09:32
@junnplus junnplus requested a review from BohuTANG as a code owner March 15, 2022 09:32
@flaneur2020
Copy link
Member

/lgtm

nice work! ❤️

@BohuTANG
Copy link
Member

Oops, conflicts

junnplus added 2 commits March 15, 2022 20:29
@junnplus
support grant role and revoke role
f18ca6a 
Signed-off-by: Ye Sijun <junnplus@gmail.com>
@junnplus
add steteless test
45f9a05 
Signed-off-by: Ye Sijun <junnplus@gmail.com>
youngsofun
youngsofun reviewed Mar 15, 2022
View reviewed changes
query/src/interpreters/interpreter_role_grant.rs
@@ -0,0 +1,78 @@
// Copyright 2021 Datafuse Labs.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2022

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can consider removing this time uniformly from license, should be in another PR.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok.
Hints:
The time is the file which year created not updated.

youngsofun
youngsofun reviewed Mar 15, 2022
View reviewed changes
query/src/interpreters/interpreter_role_drop.rs
@@ -52,7 +52,7 @@ impl Interpreter for DropRoleInterpreter {
let tenant = self.ctx.get_tenant();
let user_mgr = self.ctx.get_user_manager();
user_mgr
.drop_role(&tenant, &plan.role_identity, plan.if_exists)
.drop_role(&tenant, plan.role_identity, plan.if_exists)
Copy link
Member

@youngsofun youngsofun Mar 15, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to check the role is used(granted) to other user/role before delete?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can restrict removing roles that are in use, but I'm not sure if we want to do that.

Copy link
Member

@youngsofun youngsofun Mar 15, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if not restricted, the deleted role exists in other role`s info, which need cleaning up?
maybe we need store the list the role granted to?
we can either refuse delete or do clean up based on it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, it doesn't matter if there is no restriction, geting privileges will checks if the role exists.

we can either refuse delete or do clean up based on it.

SGTM.

@mergify mergify bot merged commit 908faae into databendlabs:main Mar 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@youngsofun youngsofun youngsofun approved these changes

@databend-bot databend-bot databend-bot approved these changes

@BohuTANG BohuTANG Awaiting requested review from BohuTANG

@flaneur2020 flaneur2020 Awaiting requested review from flaneur2020

Assignees
No one assigned
Labels
need-review pr-feature this PR introduces a new feature to the codebase
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[RBAC] Allow grant role to user/role
5 participants
@junnplus @flaneur2020 @BohuTANG @youngsofun @databend-bot