| 1 | #pragma once |
|---|---|
| 2 | |
| 3 | #include <Access/IAccessEntity.h> |
| 4 | |
| 5 | |
| 6 | namespace DB |
| 7 | { |
| 8 | class Context; |
| 9 | |
| 10 | |
| 11 | /** Represents a row level security policy for a table. |
| 12 | */ |
| 13 | struct RowPolicy : public IAccessEntity |
| 14 | { |
| 15 | void setDatabase(const String & database_); |
| 16 | void setTableName(const String & table_name_); |
| 17 | void setName(const String & policy_name_) override; |
| 18 | void setFullName(const String & database_, const String & table_name_, const String & policy_name_); |
| 19 | |
| 20 | String getDatabase() const { return database; } |
| 21 | String getTableName() const { return table_name; } |
| 22 | String getName() const override { return policy_name; } |
| 23 | |
| 24 | struct FullNameParts |
| 25 | { |
| 26 | String database; |
| 27 | String table_name; |
| 28 | String policy_name; |
| 29 | String getFullName() const; |
| 30 | String getFullName(const Context & context) const; |
| 31 | }; |
| 32 | |
| 33 | /// Filter is a SQL conditional expression used to figure out which rows should be visible |
| 34 | /// for user or available for modification. If the expression returns NULL or false for some rows |
| 35 | /// those rows are silently suppressed. |
| 36 | /// Check is a SQL condition expression used to check whether a row can be written into |
| 37 | /// the table. If the expression returns NULL or false an exception is thrown. |
| 38 | /// If a conditional expression here is empty it means no filtering is applied. |
| 39 | enum ConditionIndex |
| 40 | { |
| 41 | SELECT_FILTER, |
| 42 | INSERT_CHECK, |
| 43 | UPDATE_FILTER, |
| 44 | UPDATE_CHECK, |
| 45 | DELETE_FILTER, |
| 46 | }; |
| 47 | static constexpr size_t MAX_CONDITION_INDEX = 5; |
| 48 | static const char * conditionIndexToString(ConditionIndex index); |
| 49 | static const char * conditionIndexToColumnName(ConditionIndex index); |
| 50 | |
| 51 | String conditions[MAX_CONDITION_INDEX]; |
| 52 | |
| 53 | /// Sets that the policy is permissive. |
| 54 | /// A row is only accessible if at least one of the permissive policies passes, |
| 55 | /// in addition to all the restrictive policies. |
| 56 | void setPermissive(bool permissive_ = true) { setRestrictive(!permissive_); } |
| 57 | bool isPermissive() const { return !isRestrictive(); } |
| 58 | |
| 59 | /// Sets that the policy is restrictive. |
| 60 | /// A row is only accessible if at least one of the permissive policies passes, |
| 61 | /// in addition to all the restrictive policies. |
| 62 | void setRestrictive(bool restrictive_ = true) { restrictive = restrictive_; } |
| 63 | bool isRestrictive() const { return restrictive; } |
| 64 | |
| 65 | bool equal(const IAccessEntity & other) const override; |
| 66 | std::shared_ptr<IAccessEntity> clone() const override { return cloneImpl<RowPolicy>(); } |
| 67 | |
| 68 | /// Which roles or users should use this quota. |
| 69 | Strings roles; |
| 70 | bool all_roles = false; |
| 71 | Strings except_roles; |
| 72 | |
| 73 | private: |
| 74 | String database; |
| 75 | String table_name; |
| 76 | String policy_name; |
| 77 | bool restrictive = false; |
| 78 | }; |
| 79 | |
| 80 | using RowPolicyPtr = std::shared_ptr<const RowPolicy>; |
| 81 | } |
| 82 |
Generated while processing ClickHouse/dbms/src/Access/AccessControlManager.cpp
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.