Skip to content

Commit

Permalink
Merge a7615cd into d3a36a5
Browse files Browse the repository at this point in the history
  • Loading branch information
@nikvas0
nikvas0 authored Dec 2, 2024
2 parents d3a36a5 + a7615cd commit a8b5c57
Showing 1 changed file with 148 additions and 0 deletions.
148 changes: 148 additions & 0 deletions ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,154 @@ Y_UNIT_TEST_SUITE(KqpAcl) {

driver.Stop(true);
}

Y_UNIT_TEST_TWIN(AclForOltpAndOlap, isOlap) {
const TString query = Sprintf(R"(
CREATE TABLE `/Root/test_acl` (
id Int64 NOT NULL,
name String,
primary key (id)
) WITH (STORE=%s);
)", isOlap ? "COLUMN" : "ROW");

TKikimrRunner kikimr;

{
auto driverConfig = TDriverConfig()
.SetEndpoint(kikimr.GetEndpoint())
.SetAuthToken("root@builtin");
auto driver = TDriver(driverConfig);
auto client = NYdb::NQuery::TQueryClient(driver);

AssertSuccessResult(client.ExecuteQuery(query, NYdb::NQuery::TTxControl::NoTx()).ExtractValueSync());

driver.Stop(true);
}

{
auto schemeClient = kikimr.GetSchemeClient();
NYdb::NScheme::TPermissions permissions("user0@builtin", {});
AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
).ExtractValueSync()
);
}

{
auto driverConfig = TDriverConfig()
.SetEndpoint(kikimr.GetEndpoint())
.SetAuthToken("user0@builtin");
auto driver = TDriver(driverConfig);
auto client = NYdb::NQuery::TQueryClient(driver);

auto result = client.ExecuteQuery(R"(
SELECT * FROM `/Root/test_acl`;
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToString());
const auto expectedIssueMessage = "Cannot find table 'db.[/Root/test_acl]' because it does not exist or you do not have access permissions.";
UNIT_ASSERT_C(result.GetIssues().ToString().Contains(expectedIssueMessage), result.GetIssues().ToString());

auto resultWrite = client.ExecuteQuery(R"(
REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());

driver.Stop(true);
}

{
auto schemeClient = kikimr.GetSchemeClient();
NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.describe_schema"});
AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
).ExtractValueSync()
);
}

{
auto driverConfig = TDriverConfig()
.SetEndpoint(kikimr.GetEndpoint())
.SetAuthToken("user0@builtin");
auto driver = TDriver(driverConfig);
auto client = NYdb::NQuery::TQueryClient(driver);

auto result = client.ExecuteQuery(R"(
SELECT * FROM `/Root/test_acl`;
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToString());
const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
UNIT_ASSERT_C(result.GetIssues().ToString().Contains(expectedIssueMessage), result.GetIssues().ToString());

auto resultWrite = client.ExecuteQuery(R"(
REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());

driver.Stop(true);
}

{
auto schemeClient = kikimr.GetSchemeClient();
NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.describe_schema", "ydb.deprecated.select_row"});
AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
).ExtractValueSync()
);
}

{
auto driverConfig = TDriverConfig()
.SetEndpoint(kikimr.GetEndpoint())
.SetAuthToken("user0@builtin");
auto driver = TDriver(driverConfig);
auto client = NYdb::NQuery::TQueryClient(driver);

auto result = client.ExecuteQuery(R"(
SELECT * FROM `/Root/test_acl`;
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());

auto resultWrite = client.ExecuteQuery(R"(
REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());

driver.Stop(true);
}

{
auto schemeClient = kikimr.GetSchemeClient();
NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.update_row"});
AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
).ExtractValueSync()
);
}

{
auto driverConfig = TDriverConfig()
.SetEndpoint(kikimr.GetEndpoint())
.SetAuthToken("user0@builtin");
auto driver = TDriver(driverConfig);
auto client = NYdb::NQuery::TQueryClient(driver);

auto result = client.ExecuteQuery(R"(
SELECT * FROM `/Root/test_acl`;
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());

auto resultWrite = client.ExecuteQuery(R"(
REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
)", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());

driver.Stop(true);
}
}
}

} // namespace NKqp
Expand Down

0 comments on commit a8b5c57

Please sign in to comment.