docs(query): add access control doc about privilege

docs/doc/04-security/00-access-control/10-access-control-privileges.md

@@ -0,0 +1,78 @@
+---
+title: Access Control Privileges
+sidebar_label: Privileges
+description:
+  Databend Access Control Privileges
+---
+
+This topic describes the privileges that are available in the Databend access control model.
+
+## All Privileges
+
+| Privilege | Object Type | Description |
+| :--                 | :--                  | :--                  |
+| ALL   |  All    | Grants all the privileges for the specified object type. |
+| Alter   |    Database, Table, View   | Privilege to alter databases or tables. |
+| Create   |     Database, Table    | Privilege to create databases or tables. |
+| Delete   |  Table   | Privilege to delete or truncate rows in a table. |
+| Drop       |    Database, Table, View    | Privilege to drop databases or tables or views and undrop databases or tables. |
+| Insert       |   Table       | Privilege to insert rows into tables. |
+| Select       |    Table      | Privilege to select rows from tables . |
+| Update       |      Table    | Privilege to update rows in a table |
+| Grant       |     Global    | Privilege to Grant/Revoke privileges to users or roles |
+| Super       |      Global   | Privilege to Kill query, Set global configs, OptimizeTable. |
+| Usage       |    Global     | UsagePrivilege is a synonym for “no privileges” |
+| Create Role   |      Global    | Not used |
+| Create Stage   |    Not used     | Not used |
+| Create User   |     Global     | Not used |
+
+## Global Privileges
+
+| Privilege | Usage |
+| :--                 | :--                  |
+| ALL   |  Grants all the privileges for the specified object type. |
+| Grant   |    Add/Drop table Column, Alter table cluster key, Re-cluster table |
+| CreateRole   |     Create table    |
+| CreateUser   |  Delete rows in a table, Truncate table |
+| Super       |    Kill query, Set configs |
+| Usage       |   Only can connect to databend query, but no privileges |
+
+
+## Table Privileges
+
+| Privilege | Usage |
+| :--                 | :--                  |
+| ALL   |  Grants all the privileges for the specified object type. |
+| Alter   |    Add/Drop table Column, Alter table cluster key, Re-cluster table |
+| Create   |     Create table    |
+| Delete   |  Delete rows in a table, Truncate table |
+| Drop       |    Drop table, Undrop table(restores the recent version of a dropped table) |
+| Insert       |   Insert rows into table |
+| Select       |    Select rows from tables |
+| Update       |      Update rows in a table |
+| Super       |    Optimize table need super privilege |
+
+## View Privileges
+
+| Privilege | Usage |
+| :--                 | :--                  |
+| ALL   |  Grants all the privileges for the specified object type |
+| Alter   |    Create/Drop view, Alter the existing view by using another `QUERY` |
+| Drop       |    Drop view |
+
+## Database Privileges
+
+| Privilege | Usage |
+| :--                 | :--                  |
+| Alter   |    Rename database |
+| Create   |     Create database    |
+| Drop       |    Drop database, Undrop database((restores the recent version of a dropped database)) |
+
+
+## Session Policy Privileges
+
+
+| Privilege | Usage |
+| :--                 | :--                  |
+| Super       |    Kill query, Set configs |
+| ALL   |  Grants all the privileges for the specified object type. |

docs/doc/04-security/00-access-control/_category_.json

@@ -0,0 +1,7 @@
+{
+  "label": "Access Control",
+  "link": {
+    "type": "generated-index",
+    "slug": "/operations/access"
+  }
+}

docs/doc/04-security/_category_.json

@@ -0,0 +1,7 @@
+{
+  "label": "Security",
+  "link": {
+    "type": "generated-index",
+    "slug": "/security"
+  }
+}

src/meta/app/src/principal/user_privilege.rs

@@ -46,7 +46,7 @@ pub enum UserPrivilegeType {
     Create = 1 << 1,
     // Privilege to drop databases or tables.
     Drop = 1 << 7,
-    // Privilege to delete rows in a table
+    // Privilege to alter databases or tables.
     Alter = 1 << 8,
     // Privilege to Kill query, Set global configs, etc.
     Super = 1 << 9,

src/query/ast/src/parser/statement.rs

@@ -1359,14 +1359,14 @@ pub fn priv_type(i: Input) -> IResult<UserPrivilegeType> {
         value(UserPrivilegeType::Insert, rule! { INSERT }),
         value(UserPrivilegeType::Update, rule! { UPDATE }),
         value(UserPrivilegeType::Delete, rule! { DELETE }),
-        value(UserPrivilegeType::Create, rule! { CREATE }),
         value(UserPrivilegeType::Drop, rule! { DROP }),
         value(UserPrivilegeType::Alter, rule! { ALTER }),
         value(UserPrivilegeType::Super, rule! { SUPER }),
         value(UserPrivilegeType::CreateUser, rule! { CREATE ~ USER }),
         value(UserPrivilegeType::CreateRole, rule! { CREATE ~ ROLE }),
         value(UserPrivilegeType::Grant, rule! { GRANT }),
         value(UserPrivilegeType::CreateStage, rule! { CREATE ~ STAGE }),
+        value(UserPrivilegeType::Create, rule! { CREATE }),
         value(UserPrivilegeType::Set, rule! { SET }),
     ))(i)
 }

src/query/ast/tests/it/parser.rs

@@ -167,6 +167,7 @@ fn test_statement() {
         r#"ALTER DATABASE c RENAME TO a;"#,
         r#"ALTER DATABASE ctl.c RENAME TO a;"#,
         r#"CREATE TABLE t (a INT COMMENT 'col comment') COMMENT='table comment';"#,
+        r#"GRANT CREATE, CREATE USER ON * TO 'test-grant'@'localhost';"#,
         r#"GRANT SELECT, CREATE ON * TO 'test-grant'@'localhost';"#,
         r#"GRANT SELECT, CREATE ON *.* TO 'test-grant'@'localhost';"#,
         r#"GRANT SELECT, CREATE ON * TO USER 'test-grant'@'localhost';"#,
@@ -593,3 +594,4 @@ fn test_expr_error() {
         run_parser!(file, expr, case);
     }
 }
+

src/query/ast/tests/it/testdata/statement-error.txt

@@ -233,7 +233,7 @@ error:
   --> SQL:1:15
   |
 1 | GRANT SELECT, ALL PRIVILEGES, CREATE ON * TO 'test-grant'@'localhost';
-  | ----- ------  ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `CREATE`, or 5 more ...
+  | ----- ------  ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `DROP`, or 5 more ...
   | |     |        
   | |     while parsing <privileges> ON <privileges_level>
   | while parsing `GRANT { ROLE <role_name> | schemaObjectPrivileges | ALL [ PRIVILEGES ] ON <privileges_level> } TO { [ROLE <role_name>] | [USER] <user> }`
@@ -268,7 +268,7 @@ error:
   --> SQL:1:24
   |
 1 | REVOKE SELECT, CREATE, ALL PRIVILEGES ON * FROM 'test-grant'@'localhost';
-  | ------ ------          ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `CREATE`, or 5 more ...
+  | ------ ------          ^^^ expected `USAGE`, `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `DROP`, or 5 more ...
   | |      |                
   | |      while parsing <privileges> ON <privileges_level>
   | while parsing `REVOKE { ROLE <role_name> | schemaObjectPrivileges | ALL [ PRIVILEGES ] ON <privileges_level> } FROM { [ROLE <role_name>] | [USER] <user> }`

src/query/ast/tests/it/testdata/statement.txt

@@ -6166,6 +6166,32 @@ CreateTable(
 )
 
 
+---------- Input ----------
+GRANT CREATE, CREATE USER ON * TO 'test-grant'@'localhost';
+---------- Output ---------
+GRANT CREATE, CREATE USER ON * TO USER 'test-grant'@'localhost'
+---------- AST ------------
+Grant(
+    GrantStmt {
+        source: Privs {
+            privileges: [
+                Create,
+                CreateUser,
+            ],
+            level: Database(
+                None,
+            ),
+        },
+        principal: User(
+            UserIdentity {
+                username: "test-grant",
+                hostname: "localhost",
+            },
+        ),
+    },
+)
+
+
 ---------- Input ----------
 GRANT SELECT, CREATE ON * TO 'test-grant'@'localhost';
 ---------- Output ---------