Add CHECK GRANT query

[Unalian]

Changelog category (leave one):

• New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Add CHECK GRANT query to check whether the current user/role has been granted the specific privilege and whether the corresponding table/column exists in the memory.

Documentation entry for user-facing changes

• Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

CI Settings (Only check the boxes if you know what you are doing):

• Allow: All Required Checks
• Allow: Stateless tests
• Allow: Stateful tests
• Allow: Integration Tests
• Allow: Performance tests
• Allow: All Builds
• Allow: batch 1, 2 for multi-batch jobs
• Allow: batch 3, 4, 5, 6 for multi-batch jobs

---

• Exclude: Style check
• Exclude: Fast test
• Exclude: All with ASAN
• Exclude: All with TSAN, MSAN, UBSAN, Coverage
• Exclude: All with aarch64, release, debug

---

• Run only fuzzers related jobs (libFuzzer fuzzers, AST fuzzers, etc.)
• Exclude: AST fuzzers

---

• Do not test
• Woolen Wolfdog
• Upload binaries for special builds
• Disable merge-commit
• Disable CI cache

[robot-ch-test-poll]

This is an automated comment for commit 1f7be09 with description of existing statuses. It's updated for the latest CI running

✅ Click here to open a full report in a separate page

Successful checks

Check name	Description	Status
Builds	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Docs check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success

[Unalian]

Please check the pr. The stateless test failure seems to be not related to my codes. @vitlibar @alexey-milovidov

[vitlibar]

@Unalian Why do you think CHECK GRANT should check that the corresponding table/column exists in the memory?

[Unalian]

@Unalian Why do you think CHECK GRANT should check that the corresponding table/column exists in the memory?

Depends on the describe of the issue.

[vitlibar]

For example, if a table doesn't exist then

DROP TABLE IF EXISTS db.mytable

still works, and that requires privilege GRANT DROP TABLE ON db.mytable.

But what is the point of checking the table's existence in CHECK GRANTS in this case?

CHECK GRANT DROP TABLE ON db.mytable

[vitlibar]

Perhaps we need either a setting to enable/disable checking existence in CHECK GRANT or just separate commands to check grants only or to check existence only. We already have the EXISTS TABLE command, so I think we can have EXISTS COLUMNS as well.

[Unalian]

For example, if a table doesn't exist then

DROP TABLE IF EXISTS db.mytable

still works, and that requires privilege GRANT DROP TABLE ON db.mytable.

But what is the point of checking

CHECK GRANT DROP TABLE ON db.mytable

in this case?

CHECK GRANT DROP TABLE ON db.mytable

will return if the user has privilege to DROP TABLE ON db.mytable and the db.mytable exists.

[vitlibar]

CHECK GRANT DROP TABLE ON db.mytable
will return if the user has privilege to DROP TABLE ON db.mytable and the db.mytable exists

Yes, but this is not what some users might expect from command CHECK GRANT DROP TABLE ON db.mytable in this case.

[Unalian]

Perhaps we need either a setting to enable/disable checking existence in CHECK GRANT or separate commands to check grants only or to check existence only. We already have the EXISTS TABLE command, so I think we can have EXISTS COLUMNS as well.

I got your point. Separating the commands to check grants only or to check existence only may be better. Actually, that is what I am thinking about during coding(#67772 (comment)). I will change the logic here (remove the existence check in check grant). Then, maybe add EXISTS COLUMNS just like EXISTS TABLE as well.

[vitlibar]

Calling executeQuery is a quite heavy way to just return 0 as a result.

It's much better to just build the result block here from scratch - in the same way how it's built in InterpreterExistsQuery:

    return QueryPipeline(std::make_shared<SourceFromSingleChunk>(Block{{
        ColumnUInt8::create(1, result),
        std::make_shared<DataTypeUInt8>(),
        "result" }}));

[Unalian]

Calling executeQuery is a quite heavy way to just return 0 as a result.

It's much better to just build the result block here from scratch - in the same way how it's built in InterpreterExistsQuery:

    return QueryPipeline(std::make_shared<SourceFromSingleChunk>(Block{{
        ColumnUInt8::create(1, result),
        std::make_shared<DataTypeUInt8>(),
        "result" }}));

Got it.

[vitlibar]

You can use user_is_granted right in the arguments of ColumnUInt8::create(), there is no need to repeat the same code again:

    BlockIO res;
    res.pipeline = QueryPipeline(
        std::make_shared<SourceFromSingleChunk>(Block{{ColumnUInt8::create(1, user_is_granted), std::make_shared<DataTypeUInt8>(), "result"}}));

[vitlibar]

These two lines can be replaced with just one:

Suggested change

	AccessRightsElements elements_to_check_grant;
	collectAccessRightsElementsToGrantOrRevoke(query, elements_to_check_grant);
	const AccessRightsElements & elements_to_check_grant = query.access_rights_elements;

and function collectAccessRightsElementsToGrantOrRevoke is not needed in this file.

[vitlibar]

Why can't you use

settings.ostr << access_rights_element.toString();

here instead of calling this function formatElementsWithoutOptions() which looks like a lot of copy-paste?

[Unalian]

Why can't you use

settings.ostr << access_rights_element.toString();

here instead of calling this function formatElementsWithoutOptions() which looks like a lot of copy-paste?

The function does some format works in formatFunction(). Suppose I use settings.ostr << access_rights_element.toString(); here, such query's format will be like (which is created by Parser):

:) check grant select(col,col2) on tb, alter on tb2

CHECK GRANT SELECT(col, col2) ON tb, GRANT ALTER TABLE, ALTER VIEW ON tb2

Query id: 5f3927b0-8d99-4db2-a702-67e53955476c

   ┌─result─┐
1. │      1 │
   └────────┘

1 row in set. Elapsed: 0.001 sec. 

However, the correct response should be just like GRANT keyword:

:) check grant select(col,col2) on tb, alter on tb2

CHECK GRANT SELECT(col, col2) ON tb, ALTER TABLE, ALTER VIEW ON tb2

Query id: b48aabc2-2b6e-45ed-a36a-7802a00e3852

   ┌─result─┐
1. │      1 │
   └────────┘

1 row in set. Elapsed: 0.001 sec. 

I will pollish the formatFunction here.

[vitlibar]

The main problem with your functions is that they look like a lot of copy-pasted code which isn't good. Perhaps you could get rid of at least formatColumnNames & formatONClause?

[vitlibar]

Please move common functions such as parseAccessFlags, parseColumnNames, parseAccessFlagsWithColumns, parseElements to some separate source file (src/Parser/Access/parseAccessRightsElements.h/cpp), where both ParserCheckGrantQuery.cpp and ParserGrantQuery.cpp could use it.

[Unalian]

Please move common functions such as parseAccessFlags, parseColumnNames, parseAccessFlagsWithColumns, parseElements to some separate source file (src/Parser/Access/parseAccessRightsElements.h/cpp), where both ParserCheckGrantQuery.cpp and ParserGrantQuery.cpp could use it.

Got it.

[vitlibar]

I decided to that by myself
#72103

[Unalian]

I decided to that by myself #72103

I decided to that by myself #72103

Amazing! I'm so sorry I haven't updated the code in time because I've been so busy lately :(. Thank you for your work.

[alexey-milovidov]

@Unalian @vitlibar, a bug exists #74414