Initial user's roles are used now to find row policies #31262

Merged
vitlibar merged 2 commits into ClickHouse:master from vitlibar:initial-user-role-row-policy
Nov 12, 2021
@vitlibar vitlibar commented Nov 10, 2021

Changelog category:

  • Improvement

Changelog entry:
Initial user's roles are used now to find row policies, see #31080

Details:

There are two modes: 1. when the interserver secret is not defined in the cluster's definition and 2. when it's defined.

  1. When the interserver secret is not defined then while we're executing a distributed query on a shard we use row policies from both the initial user and the current user (the current user is defined in cluster's definition). And the row policy can be assigned to a user itself or to one of its roles.

     | | row policy assigned to user | row policy assigned to user's role |
     |---|---|---|
     | current user | filter applied | filter applied |
     | initial user | filter applied | filter not applied (before this PR) / applied (after this PR) |

  2. When the interserver secret is defined the initial user is used instead of the current user, and the current user is not used at all.

     | | row policy assigned to user | row policy assigned to user's role |
     |---|---|---|
     | initial user | filter applied | filter applied |
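
A way to check the role case from the tables above on a test cluster, as an added example that is not part of this PR or of ClickHouse's own tests: the row policy is attached to a role, the role is granted to the initial user, and the query goes through a Distributed table. The cluster, database, table, user, role and policy names and the sample rows are assumptions made for the example.

```sql
-- Run as an administrator with SQL-driven access management enabled.
-- Assumed names: cluster test_cluster, database demo, user alice,
-- role emea_analyst, policy emea_only. ON CLUSTER creates each entity
-- on every node, so the shards know the initial user and its role.
CREATE DATABASE IF NOT EXISTS demo ON CLUSTER test_cluster;

CREATE TABLE demo.orders_local ON CLUSTER test_cluster
(
    id     UInt64,
    region String,
    amount UInt32
)
ENGINE = MergeTree
ORDER BY id;

CREATE TABLE demo.orders ON CLUSTER test_cluster AS demo.orders_local
ENGINE = Distributed(test_cluster, demo, orders_local, id);

-- Constructed sample rows, spread over the shards by the sharding key.
INSERT INTO demo.orders VALUES
    (1, 'EMEA', 10), (2, 'APAC', 20), (3, 'EMEA', 30), (4, 'AMER', 40);
SYSTEM FLUSH DISTRIBUTED demo.orders;

CREATE USER alice ON CLUSTER test_cluster
    IDENTIFIED WITH sha256_password BY '<placeholder-password>';
CREATE ROLE emea_analyst ON CLUSTER test_cluster;
GRANT ON CLUSTER test_cluster SELECT ON demo.* TO emea_analyst;
GRANT ON CLUSTER test_cluster emea_analyst TO alice;

-- The policy targets the role, not alice directly. This is the
-- "row policy assigned to user's role" column of the tables above.
CREATE ROW POLICY emea_only ON CLUSTER test_cluster ON demo.orders_local
    FOR SELECT USING region = 'EMEA'
    TO emea_analyst;

-- Run as alice on the initiator node. alice is the initial user of the
-- remote queries sent to the shards.
-- 0 means the role's filter was applied on every shard; a non-zero count
-- means rows outside the policy were returned ("filter not applied").
SELECT count() FROM demo.orders WHERE region != 'EMEA';
```

Run the final query once against a cluster definition without an interserver secret and once with one, since the two modes resolve the user differently on the shards.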

@robot-clickhouse robot-clickhouse added the pr-improvement Pull request with some product improvements label Nov 10, 2021
@KochetovNicolai KochetovNicolai self-assigned this Nov 11, 2021
@KochetovNicolai
Member

Looks like it's backward incompatibility.

Also, changelog entry is not very good. Please, add more context (that it's a remote query which has initial user and interserver user, they may have different row policy, and now we try to take the one for initial user, but not interserver).

If we don't have initial user on remote query, will we use row policy for interserver user, or there will not be any row policy at all?

@vitlibar
Member Author

vitlibar commented Nov 12, 2021

> Also, changelog entry is not very good. Please, add more context (that it's a remote query which has initial user and interserver user, they may have different row policy, and now we try to take the one for initial user, but not interserver).

I've added more detailed description.

> Looks like it's backward incompatibility.

Yes, it's kind of backward incompatibility but I can't imagine somebody who would rely on the fact that the row policy assigned to initial user's role is not applied.

@vitlibar vitlibar merged commit 79a93c8 into ClickHouse:master Nov 12, 2021
@vitlibar vitlibar deleted the initial-user-role-row-policy branch November 12, 2021 10:51