1#pragma once
2
3#include <Access/IAccessEntity.h>
4
5
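namespace DB
{
class Context;


/** Represents a row level security policy for a table.
  *
  * A policy is identified by three parts (database, table name, policy name) and carries
  * one SQL condition per operation kind (see ConditionIndex), a permissive/restrictive flag,
  * and the list of roles it is attached to.
  *
  * Security-relevant defaults visible in this header: every condition starts out empty
  * (an empty condition means no filtering is applied) and `restrictive` starts out false,
  * so a freshly constructed policy is permissive and filters nothing until it is filled in.
  */
struct RowPolicy : public IAccessEntity
{
    /// Setters for the individual parts of the policy's name. They are defined out of line;
    /// how they keep the stored parts consistent with each other is not visible in this header.
    void setDatabase(const String & database_);
    void setTableName(const String & table_name_);
    void setName(const String & policy_name_) override;
    void setFullName(const String & database_, const String & table_name_, const String & policy_name_);

    /// Accessors return copies of the stored name parts.
    String getDatabase() const { return database; }
    String getTableName() const { return table_name; }
    String getName() const override { return policy_name; }

    /// The three parts that identify a policy, kept together so they can be passed around
    /// and rendered as one full name. Both getFullName() overloads are defined out of line.
    struct FullNameParts
    {
        String database;
        String table_name;
        String policy_name;
        String getFullName() const;
        String getFullName(const Context & context) const;
    };

    /// Filter is a SQL conditional expression used to figure out which rows should be visible
    /// for user or available for modification. If the expression returns NULL or false for some rows
    /// those rows are silently suppressed.
    /// Check is a SQL condition expression used to check whether a row can be written into
    /// the table. If the expression returns NULL or false an exception is thrown.
    /// If a conditional expression here is empty it means no filtering is applied.
    enum ConditionIndex
    {
        SELECT_FILTER,
        INSERT_CHECK,
        UPDATE_FILTER,
        UPDATE_CHECK,
        DELETE_FILTER,
    };
    static constexpr size_t MAX_CONDITION_INDEX = 5;

    /// `conditions` is sized by MAX_CONDITION_INDEX, which is written out by hand rather than derived
    /// from the enum. Fail the build if a new ConditionIndex value is added without bumping it,
    /// instead of leaving an index that points past the end of the array.
    static_assert(
        static_cast<size_t>(DELETE_FILTER) + 1 == MAX_CONDITION_INDEX,
        "MAX_CONDITION_INDEX must be one more than the last ConditionIndex value");

    static const char * conditionIndexToString(ConditionIndex index);
    static const char * conditionIndexToColumnName(ConditionIndex index);

    /// One SQL condition per ConditionIndex value. An empty element means that no filter or check
    /// is applied for that operation, so leaving an element unset is the "allow" case, not the "deny" case.
    String conditions[MAX_CONDITION_INDEX];

    /// Sets that the policy is permissive.
    /// A row is only accessible if at least one of the permissive policies passes,
    /// in addition to all the restrictive policies.
    void setPermissive(bool permissive_ = true) { setRestrictive(!permissive_); }
    bool isPermissive() const { return !isRestrictive(); }

    /// Sets that the policy is restrictive.
    /// A row is only accessible if at least one of the permissive policies passes,
    /// in addition to all the restrictive policies.
    void setRestrictive(bool restrictive_ = true) { restrictive = restrictive_; }
    bool isRestrictive() const { return restrictive; }

    bool equal(const IAccessEntity & other) const override;
    std::shared_ptr<IAccessEntity> clone() const override { return cloneImpl<RowPolicy>(); }

    /// Which roles or users this row policy applies to.
    /// NOTE(review): presumably `all_roles` selects every role and `except_roles` lists the exclusions;
    /// the code that evaluates these fields is not in this header, so confirm there what an empty
    /// `roles` with `all_roles == false` means.
    Strings roles;
    bool all_roles = false;
    Strings except_roles;

private:
    String database;
    String table_name;
    String policy_name;

    /// False by default, i.e. a policy is permissive unless setRestrictive() is called.
    bool restrictive = false;
};

/// Shared pointer to an immutable policy.
using RowPolicyPtr = std::shared_ptr<const RowPolicy>;
}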
82