From 963e27a5c65f004f6fa4d0965c86cd3debf96d8b Mon Sep 17 00:00:00 2001 From: TCeason <33082201+TCeason@users.noreply.github.com> Date: Wed, 8 Jan 2025 13:17:07 +0800 Subject: [PATCH] fix: system.tables table visibility (#17202) ```sql create user a identified by '123' with default_role='a'; create role a; create database a; grant ownership on a.* to role a; grant role a to a; create table a.b(id int); create role b; grant ownership on a.b to role b; -- login with user a -- this query should return right result select name, owner from system.tables where database = 'a'and name = 'b' ``` --- src/query/storages/system/src/tables_table.rs | 3 +-- .../18_rbac/18_0003_db_visibility.result | 2 ++ .../18_rbac/18_0003_db_visibility.sh | 22 +++++++++++++++++++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/src/query/storages/system/src/tables_table.rs b/src/query/storages/system/src/tables_table.rs index 1b86800be5f41..28c9f6c951cfb 100644 --- a/src/query/storages/system/src/tables_table.rs +++ b/src/query/storages/system/src/tables_table.rs @@ -328,6 +328,7 @@ where TablesTable: HistoryAware } } + let visibility_checker = ctx.get_visibility_checker(false).await?; // from system.tables where database = 'db' and name = 'name' // from system.tables where database = 'db' and table_id = 123 if db_name.len() == 1 @@ -336,7 +337,6 @@ where TablesTable: HistoryAware && !invalid_tables_ids && !WITH_HISTORY { - let visibility_checker = ctx.get_visibility_checker(true).await?; for (ctl_name, ctl) in ctls.iter() { for db in &db_name { match ctl.get_database(&tenant, db.as_str()).await { @@ -415,7 +415,6 @@ where TablesTable: HistoryAware } } } else { - let visibility_checker = ctx.get_visibility_checker(false).await?; let catalog_dbs = visibility_checker.get_visibility_database(); for (ctl_name, ctl) in ctls.iter() { 
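Review bot: The hoisted `ctx.get_visibility_checker(false)` in the first hunk of tables_table.rs passes a bare boolean at an authorization decision, and nothing in the hunk says what the flag selects or why the point-lookup branch must no longer use `true`. Judging from the commit message, the flag appears to control whether ownership grants are taken into account, so a comment above the `let` would keep a later optimisation from reintroducing the `true` variant, for example `// Ownership must be included here: a database owner has to see tables owned by other roles (#17202).` The second and third hunks only remove the per-branch calls, so both branches now share this one checker. If the `true` variant existed to keep the `database = ... and name = ...` lookup cheap, that trade-off is worth stating in the same comment. The enclosing function begins and ends outside the hunks.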
diff --git a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result
index 942844017e8fc..8cbc87bc1aa56 100644
--- a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result
+++ b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.result
@@ -66,3 +66,5 @@ system
 2
 3
 4
+=== test system.tables ===
+b b
diff --git a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh
index 9d0869d9fd996..7af3b33e2aa0b 100755
--- a/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh
+++ b/tests/suites/0_stateless/18_rbac/18_0003_db_visibility.sh
@@ -92,3 +92,25 @@ echo "select * from db1.t1" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db2.t2" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db_u3.t3" | $BENDSQL_CLIENT_CONNECT
 echo "select * from db_root.t1" | $BENDSQL_CLIENT_CONNECT
+
+echo "=== test system.tables ==="
+echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop database if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "create user a identified by '123' with default_role='a'" | $BENDSQL_CLIENT_CONNECT
+echo "create role a" | $BENDSQL_CLIENT_CONNECT
+echo "create database a" | $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on a.* to role a" | $BENDSQL_CLIENT_CONNECT
+echo "grant role a to a" | $BENDSQL_CLIENT_CONNECT
+echo "create table a.b(id int)" | $BENDSQL_CLIENT_CONNECT
+echo "create role b" | $BENDSQL_CLIENT_CONNECT
+echo "grant ownership on a.b to role b" | $BENDSQL_CLIENT_CONNECT
+export TEST_A_CONNECT="bendsql --user=a --password=123 --host=${QUERY_MYSQL_HANDLER_HOST} --port ${QUERY_HTTP_HANDLER_PORT}"
+echo "select name, owner from system.tables where database = 'a'and name = 'b'" | $TEST_A_CONNECT
+echo "drop user if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop user if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists b;" | $BENDSQL_CLIENT_CONNECT
+echo "drop role if exists a;" | $BENDSQL_CLIENT_CONNECT
+echo "drop database if exists a;" | $BENDSQL_CLIENT_CONNECT
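Review bot: The new block checks only that user `a` can see `a.b`; it has no case asserting that a user without any grant on database `a` gets an empty result from the same `database = 'a' and name = 'b'` lookup. Since the change widens what the point-lookup branch of system.tables treats as visible, a negative case would guard against the filter becoming too permissive. For instance, create a grant-less user (name constructed here) with `echo "create user c identified by '123'" | $BENDSQL_CLIENT_CONNECT`, run the same select through a `--user=c` connection, and expect no row for it in the .result file. The comment in tables_table.rs also names a `table_id = ...` form of this lookup, which the test does not exercise.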