Improving SQL DEFINERS for MV #63777

Closed
melvynator opened this issue May 14, 2024 · 1 comment · Fixed by #64079
Labels
analyzer Issues and pull-requests related to new analyzer bug Confirmed user-visible misbehaviour in official release unexpected behaviour

Comments

@melvynator
Member

Currently, if you have the following tables:

DROP TABLE IF EXISTS events_mv;
DROP TABLE IF EXISTS materialized_events;
DROP TABLE IF EXISTS session_events;

CREATE TABLE session_events(
    clientId UUID,
    sessionId UUID,
    pageId UUID,
    timestamp DateTime,
    type String
) ORDER BY (timestamp);

CREATE MATERIALIZED VIEW events_mv
TO materialized_events
AS SELECT
    clientId,
    sessionId,
    pageId,
    timestamp,
    type
FROM session_events;

CREATE TABLE materialized_events(
    clientId UUID,
    sessionId UUID,
    pageId UUID,
    timestamp DateTime,
    type String
) ORDER BY (timestamp);

The minimum set of permissions you currently need for a user to insert into the table:

DROP USER IF EXISTS user_1;
CREATE USER user_1 IDENTIFIED WITH sha256_password BY 'My_password123@';
GRANT INSERT ON default.session_events TO user_1;
GRANT SELECT ON default.session_events TO user_1;

If you don't specify

GRANT SELECT ON default.session_events TO user_1;

The insert will fail because of a missing permission.

The permission should be covered by the definer. Ideally the only grant that should be needed would be:

GRANT INSERT ON default.session_events TO user_1;

@pufit
Member

pufit commented May 14, 2024

INSERT INTO source
SELECT *
FROM generateRandom()
LIMIT 100
SETTINGS allow_experimental_analyzer = 0

Query id: 1a621b9c-9a91-4731-b630-98e1ca8b6bc3

Ok.

0 rows in set. Elapsed: 0.010 sec.

SQL security doesn't work correctly with the analyzer

@pufit pufit added bug Confirmed user-visible misbehaviour in official release analyzer Issues and pull-requests related to new analyzer labels May 14, 2024
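
An added sketch of the least-privilege setup this issue asks for, written as a check to run under both analyzer settings (it is not code from the issue or from the project). It assumes the `session_events` and `materialized_events` tables created above; the `mv_definer` account, the placeholder passwords, the sample row values and the definer's exact grant set are assumptions.

```sql
-- Added example. Run this first part as an administrator who may set a definer.
-- mv_definer is a hypothetical service account; passwords are placeholders.
DROP TABLE IF EXISTS events_mv;
DROP USER IF EXISTS mv_definer;
DROP USER IF EXISTS user_1;

CREATE USER mv_definer IDENTIFIED WITH sha256_password BY '<placeholder-definer-password>';
CREATE USER user_1 IDENTIFIED WITH sha256_password BY '<placeholder-user-password>';

-- The definer carries what the view itself needs (assumed sufficient):
-- read the source table, write the target table.
GRANT SELECT ON default.session_events TO mv_definer;
GRANT INSERT ON default.materialized_events TO mv_definer;

-- Name the definer explicitly instead of relying on the server default.
CREATE MATERIALIZED VIEW events_mv
TO materialized_events
DEFINER = mv_definer SQL SECURITY DEFINER
AS SELECT clientId, sessionId, pageId, timestamp, type
FROM session_events;

-- The writer gets INSERT on the source table only, with no SELECT grant.
GRANT INSERT ON default.session_events TO user_1;

-- Audit: the stored definition should show the definer clause,
-- and user_1's grants should list INSERT on session_events only.
SHOW CREATE TABLE events_mv;
SHOW GRANTS FOR user_1;

-- Run this part in a session logged in as user_1, once per analyzer setting.
-- Row values are constructed sample data.
SET allow_experimental_analyzer = 1;
INSERT INTO session_events VALUES
    ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002',
     '00000000-0000-0000-0000-000000000003', '2024-05-14 00:00:00', 'analyzer_on');

SET allow_experimental_analyzer = 0;
INSERT INTO session_events VALUES
    ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002',
     '00000000-0000-0000-0000-000000000003', '2024-05-14 00:00:01', 'analyzer_off');

-- Back as the administrator: see which inserts reached the target table.
SELECT type, count() FROM materialized_events GROUP BY type ORDER BY type;
```

An insert that is rejected for a missing SELECT grant under one analyzer setting but accepted under the other reproduces the behaviour reported here.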