Allow restrictive row policies without permissive #34596

Merged: vitlibar merged 4 commits into ClickHouse:master from vitlibar:allow-restrictive-without-permissive on Feb 19, 2022

vitlibar commented Feb 15, 2022

Changelog category:

  • Improvement

Changelog entry:
This PR changes restrictive row policies a bit to make them an easier alternative to permissive policies in easy cases.
If for a particular table only restrictive policies exist (without permissive policies), users will be able to see some rows.
Also, SHOW CREATE ROW POLICY will always show AS permissive or AS restrictive in the row policy's definition.

For example, if we have three users John, Lucy, and Alex and the following policies:

CREATE POLICY r1 ON mydb.mytable FOR SELECT USING a=1 AS restrictive TO John;
CREATE POLICY r2 ON mydb.mytable FOR SELECT USING a=2 AS restrictive TO Lucy;

then with the changes of this PR John will see rows with a=1, Lucy will see rows with a=2 and Alex will see any rows.

Before this PR permissive policies were always required to see anything, so in the above example anybody would see nothing.
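
Added example, not part of the pull request or ClickHouse's code: a small Python model of the filter mixing described above, comparing how many rows each user can read before and after the change. It assumes permissive conditions are OR-ed and restrictive ones AND-ed, and that "without permissive" is judged per user; `Policy`, `visible` and `access_diff` are hypothetical names and the rows are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                       # "permissive" or "restrictive"
    to: frozenset                   # users listed in the TO clause
    using: Callable[[dict], bool]   # the USING condition as a predicate

def visible(rows, policies, user, after_pr):
    """Rows of one table that `user` can SELECT under the given policies."""
    if not policies:                # no row policy on the table: no filtering
        return list(rows)
    mine = [p for p in policies if user in p.to]
    permissive = [p.using for p in mine if p.kind == "permissive"]
    restrictive = [p.using for p in mine if p.kind == "restrictive"]
    # Assumption: "without permissive" is judged per user, not per table.
    # Before the PR a permissive match was always required (empty OR = false).
    need_permissive = bool(permissive) or not after_pr
    return [r for r in rows
            if all(f(r) for f in restrictive)
            and (not need_permissive or any(f(r) for f in permissive))]

def access_diff(rows, policies, users):
    """Per user: (row count before the PR, row count after it)."""
    return {u: (len(visible(rows, policies, u, False)),
                len(visible(rows, policies, u, True))) for u in users}

# Constructed sample data; the policies mirror r1 and r2 from the PR text.
ROWS = [{"a": 1}, {"a": 1}, {"a": 2}, {"a": 3}]
POLICIES = [
    Policy("r1", "restrictive", frozenset({"John"}), lambda r: r["a"] == 1),
    Policy("r2", "restrictive", frozenset({"Lucy"}), lambda r: r["a"] == 2),
]

if __name__ == "__main__":
    diff = access_diff(ROWS, POLICIES, ["John", "Lucy", "Alex"])
    for user, (before, after) in diff.items():
        print(f"{user}: {before} rows before, {after} rows after")
```

A user with no policy on the table (Alex here) goes from zero rows to every row, so tables that carry only restrictive policies are worth reviewing when upgrading across this change.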

robot-clickhouse added the pr-improvement (Pull request with some product improvements) label Feb 15, 2022
vitlibar force-pushed the allow-restrictive-without-permissive branch 2 times, most recently from 5fb3f9d to 4419776, February 16, 2022 20:01
vitlibar force-pushed the allow-restrictive-without-permissive branch from 4419776 to a4ef274, February 17, 2022 07:19
vitlibar merged commit 874b2c8 into ClickHouse:master Feb 19, 2022
vitlibar deleted the allow-restrictive-without-permissive branch February 19, 2022 14:45
vitlibar commented Feb 19, 2022

Stateless tests flaky check: The test 01295_create_row_policy was flaky because it creates a row policy, and if two instances of the test are running at the same time, the row policy can already exist for another instance.

vitlibar restored the allow-restrictive-without-permissive branch February 21, 2022 03:55
vitlibar pushed a commit to vitlibar/ClickHouse that referenced this pull request Feb 24, 2022
…equired' which enables

the change in mixing row policies' filters implemented in ClickHouse#34596