Add missing SELECT grant check in mergeTreeProjection table function #95480

Merged: alexey-milovidov merged 1 commit into master from fix-mergetree-projection-grants on Jan 29, 2026

@alexey-milovidov
Member

The mergeTreeProjection table function was missing an access check, allowing users without SELECT permission on a table to read data from its projections. This fix adds the same access check that mergeTreeIndex and mergeTreeAnalyzeIndexes already have.

Also adds tests for grant checking on all MergeTree introspection functions: mergeTreeAnalyzeIndexes, mergeTreeAnalyzeIndexesUUID, mergeTreeIndex, and mergeTreeProjection.

Changelog category (leave one):

  • Critical Bug Fix (crash, data loss, RBAC) or LOGICAL_ERROR

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

The mergeTreeProjection table function was missing an access check, allowing users without SELECT permission on a table (but with permissions for table functions) to read data from its projections. This fix adds the same access check that mergeTreeIndex and mergeTreeAnalyzeIndexes already have.

The `mergeTreeProjection` table function was missing an access check,
allowing users without SELECT permission on a table to read data from
its projections. This fix adds the same access check that
`mergeTreeIndex` and `mergeTreeAnalyzeIndexes` already have.

Also adds tests for grant checking on all MergeTree introspection
functions: `mergeTreeAnalyzeIndexes`, `mergeTreeAnalyzeIndexesUUID`,
`mergeTreeIndex`, and `mergeTreeProjection`.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@alexey-milovidov alexey-milovidov added the blocker This issue / pr blocks a new release label Jan 29, 2026
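
The bug class described above, as an added example that is not part of the original PR and is not ClickHouse source: a toy C++ model in which one introspection entry point omits the SELECT check its siblings perform, plus a regression audit that exercises every entry point as a user with no grants. All type and function names (`Context`, `checkSelect`, `projectionUnchecked`, `projectionChecked`, `indexChecked`, `leakyFunctions`) are hypothetical.

```cpp
#include <functional>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Toy model (hypothetical names, not ClickHouse source): a user holds a set of
// tables it may SELECT from; each table function reads from a source table.
struct Context {
    std::set<std::string> select_grants;
    void checkSelect(const std::string & table) const {
        if (!select_grants.count(table))
            throw std::runtime_error("ACCESS_DENIED: SELECT on " + table);
    }
};

using Rows = std::vector<std::string>;
using TableFunction = std::function<Rows(const Context &, const std::string &)>;

// Before the fix: the source table is read with no grant check at all.
Rows projectionUnchecked(const Context &, const std::string & table) {
    return {"projection rows of " + table};
}

// After the fix: the same check the sibling introspection functions perform.
Rows projectionChecked(const Context & ctx, const std::string & table) {
    ctx.checkSelect(table);
    return {"projection rows of " + table};
}

Rows indexChecked(const Context & ctx, const std::string & table) {
    ctx.checkSelect(table);
    return {"index rows of " + table};
}

// Regression audit: call every introspection function as a user with no
// SELECT grant and return the names of those that still hand back rows.
std::vector<std::string> leakyFunctions(
    const std::map<std::string, TableFunction> & fns, const std::string & table) {
    Context no_grants;  // constructed user without any SELECT grant
    std::vector<std::string> leaks;
    for (const auto & entry : fns) {
        try { entry.second(no_grants, table); leaks.push_back(entry.first); }
        catch (const std::runtime_error &) { /* denied, as expected */ }
    }
    return leaks;
}
```

Registering every function that reads from a source table in one audit map is what lets a newly added entry point without a check show up as a test failure instead of a later report.
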
@clickhouse-gh
Contributor

clickhouse-gh bot commented Jan 29, 2026

Workflow [PR], commit [fa3cf80]

Summary:

| job_name | test_name | status | info | comment |
|---|---|---|---|---|
| AST fuzzer (amd_ubsan) | | failure | | |
| | Logical error: Block structure mismatch in A stream: different number of columns: (STID: 0993-38e6) | FAIL | cidb, issue | |

@clickhouse-gh clickhouse-gh bot added pr-critical-bugfix pr-must-backport Pull request should be backported intentionally. Use this label with great care! labels Jan 29, 2026
@pufit pufit self-assigned this Jan 29, 2026
@pufit
Member

pufit commented Jan 29, 2026

Looks good. Clean one-liner fix following the same pattern as mergeTreeIndex and mergeTreeAnalyzeIndexes. Tests are thorough — appreciate the coverage for all introspection functions, not just the one being fixed.

The CI failure (AST fuzzer) appears to be the known issue #83614, unrelated to this change.


This review was drafted by an AI assistant (Claude) on behalf of @pufit.

Member

@pufit pufit left a comment

Dead Internet Theory
Looks good to me, but I would remove some of the AI comments - they are good to get initial thoughts when you are reviewing AI suggestions, but afterwards they might become overwhelming for other contributors. Some obvious ones, like # Grant SELECT permission above grant queries, are unnecessary. But this is my opinion only.

@alexey-milovidov
Member Author

These comments are in tests, I see it as okay.

@alexey-milovidov alexey-milovidov merged commit 153305b into master Jan 29, 2026
131 of 134 checks passed
@alexey-milovidov alexey-milovidov deleted the fix-mergetree-projection-grants branch January 29, 2026 05:39
@robot-clickhouse-ci-1 robot-clickhouse-ci-1 added the pr-synced-to-cloud The PR is synced to the cloud repo label Jan 29, 2026
@robot-ch-test-poll robot-ch-test-poll added the pr-must-backport-synced The `*-must-backport` labels are synced into the cloud Sync PR label Jan 29, 2026
robot-clickhouse added a commit that referenced this pull request Jan 29, 2026
clickhouse-gh bot added a commit that referenced this pull request Jan 29, 2026
Backport #95480 to 26.1: Add missing SELECT grant check in `mergeTreeProjection` table function
@robot-ch-test-poll4 robot-ch-test-poll4 added the pr-backports-created Backport PRs are successfully created, it won't be processed by CI script anymore label Feb 3, 2026
clickhouse-gh bot added a commit that referenced this pull request Feb 19, 2026
Backport #95480 to 25.11: Add missing SELECT grant check in `mergeTreeProjection` table function
pufit added a commit that referenced this pull request Feb 23, 2026
Backport #95480 to 25.12: Add missing SELECT grant check in `mergeTreeProjection` table function
pufit added a commit that referenced this pull request Feb 23, 2026
Backport #95480 to 25.8: Add missing SELECT grant check in `mergeTreeProjection` table function