fix: system.tables table visibility (#17202)

```sql create user a identified by '123' with default_role='a'; create role a; create database a; grant ownership on a.* to role a; grant role a to a; create table a.b(id int); create role b; grant ownership on a.b to role b; -- login with user a -- this query should return right result select name, owner from system.tables where database = 'a'and name = 'b' ```
databendlabs · Jan 8, 2025 · 963e27a · 963e27a
1 parent 64c53b2
commit 963e27a
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/src/query/storages/system/src/tables_table.rs b/src/query/storages/system/src/tables_table.rs
@@ -328,6 +328,7 @@ where TablesTable<WITH_HISTORY, WITHOUT_VIEW>: HistoryAware
             }
         }
 
+        let visibility_checker = ctx.get_visibility_checker(false).await?;
         // from system.tables where database = 'db' and name = 'name'
         // from system.tables where database = 'db' and table_id = 123
         if db_name.len() == 1
@@ -336,7 +337,6 @@ where TablesTable<WITH_HISTORY, WITHOUT_VIEW>: HistoryAware
             && !invalid_tables_ids
             && !WITH_HISTORY
         {
-            let visibility_checker = ctx.get_visibility_checker(true).await?;
             for (ctl_name, ctl) in ctls.iter() {
                 for db in &db_name {
                     match ctl.get_database(&tenant, db.as_str()).await {
@@ -415,7 +415,6 @@ where TablesTable<WITH_HISTORY, WITHOUT_VIEW>: HistoryAware
                 }
             }
         } else {
-            let visibility_checker = ctx.get_visibility_checker(false).await?;
             let catalog_dbs = visibility_checker.get_visibility_database();
 
             for (ctl_name, ctl) in ctls.iter() {

diff --git a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result
@@ -66,3 +66,5 @@ system
 2
 3
 4
+=== test system.tables ===
+b	b
diff --git a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh
@@ -92,3 +92,25 @@ echo "select * from db1.t1" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db2.t2" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db_u3.t3" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db_root.t1" | $BENDSQL_CLIENT_CONNECT
+
+echo "=== test system.tables ==="
+echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop database if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "create user a identified by '123' with default_role='a'" | $BENDSQL_CLIENT_CONNECT
+echo "create role a" | $BENDSQL_CLIENT_CONNECT
+echo "create database a" | $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on a.* to role a" | $BENDSQL_CLIENT_CONNECT
+echo "grant role a to a" | $BENDSQL_CLIENT_CONNECT
+echo "create table a.b(id int)" | $BENDSQL_CLIENT_CONNECT
+echo "create role b" | $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on a.b to role b" | $BENDSQL_CLIENT_CONNECT
+export TEST_A_CONNECT="bendsql --user=a --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
+echo "select name, owner from system.tables where database = 'a'and name = 'b'" | $TEST_A_CONNECT
+echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop database if exists a;" | $BENDSQL_CLIENT_CONNECT
Original file line number	Diff line number	Diff line change
Expand Up		@@ -66,3 +66,5 @@ system
		2
		3
		4
		=== test system.tables ===
		b b