1 | #pragma once |
2 | |
3 | #include <Access/IAccessEntity.h> |
4 | |
5 | |
6 | namespace DB |
7 | { |
8 | class Context; |
9 | |
10 | |
11 | /** Represents a row level security policy for a table. |
12 | */ |
13 | struct RowPolicy : public IAccessEntity |
14 | { |
15 | void setDatabase(const String & database_); |
16 | void setTableName(const String & table_name_); |
17 | void setName(const String & policy_name_) override; |
18 | void setFullName(const String & database_, const String & table_name_, const String & policy_name_); |
19 | |
20 | String getDatabase() const { return database; } |
21 | String getTableName() const { return table_name; } |
22 | String getName() const override { return policy_name; } |
23 | |
24 | struct FullNameParts |
25 | { |
26 | String database; |
27 | String table_name; |
28 | String policy_name; |
29 | String getFullName() const; |
30 | String getFullName(const Context & context) const; |
31 | }; |
32 | |
33 | /// Filter is a SQL conditional expression used to figure out which rows should be visible |
34 | /// for user or available for modification. If the expression returns NULL or false for some rows |
35 | /// those rows are silently suppressed. |
36 | /// Check is a SQL condition expression used to check whether a row can be written into |
37 | /// the table. If the expression returns NULL or false an exception is thrown. |
38 | /// If a conditional expression here is empty it means no filtering is applied. |
39 | enum ConditionIndex |
40 | { |
41 | SELECT_FILTER, |
42 | INSERT_CHECK, |
43 | UPDATE_FILTER, |
44 | UPDATE_CHECK, |
45 | DELETE_FILTER, |
46 | }; |
47 | static constexpr size_t MAX_CONDITION_INDEX = 5; |
48 | static const char * conditionIndexToString(ConditionIndex index); |
49 | static const char * conditionIndexToColumnName(ConditionIndex index); |
50 | |
51 | String conditions[MAX_CONDITION_INDEX]; |
52 | |
53 | /// Sets that the policy is permissive. |
54 | /// A row is only accessible if at least one of the permissive policies passes, |
55 | /// in addition to all the restrictive policies. |
56 | void setPermissive(bool permissive_ = true) { setRestrictive(!permissive_); } |
57 | bool isPermissive() const { return !isRestrictive(); } |
58 | |
59 | /// Sets that the policy is restrictive. |
60 | /// A row is only accessible if at least one of the permissive policies passes, |
61 | /// in addition to all the restrictive policies. |
62 | void setRestrictive(bool restrictive_ = true) { restrictive = restrictive_; } |
63 | bool isRestrictive() const { return restrictive; } |
64 | |
65 | bool equal(const IAccessEntity & other) const override; |
66 | std::shared_ptr<IAccessEntity> clone() const override { return cloneImpl<RowPolicy>(); } |
67 | |
68 | /// Which roles or users should use this quota. |
69 | Strings roles; |
70 | bool all_roles = false; |
71 | Strings except_roles; |
72 | |
73 | private: |
74 | String database; |
75 | String table_name; |
76 | String policy_name; |
77 | bool restrictive = false; |
78 | }; |
79 | |
80 | using RowPolicyPtr = std::shared_ptr<const RowPolicy>; |
81 | } |
82 | |