databendlabs / databend

𝗗𝗮𝘁𝗮, 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 & 𝗔𝗜. Modern alternative to Snowflake. Cost-effective and simple for massive-scale analytics. https://databend.com
https://docs.databend.com

bug: show columns from clusters from system return err #16430

Open TCeason opened 2 months ago

TCeason commented 2 months ago

Summary

root@localhost:8001/default> show grants;

SHOW GRANTS

-[ RECORD 1 ]-----------------------------------
 privileges: ALL
object_name: *.*
  object_id: NULL
   grant_to: USER
       name: root
     grants: GRANT ALL ON *.* TO 'root'@'%'

1 row read in 0.023 sec. Processed 1 row, 133B (43.34 rows/s, 5.63 KiB/s)

root@localhost:8001/default> show columns from clusters from system;
error: APIError: ResponseError with 1063: Permission denied: User 'root'@'%' does not have the required privileges for table 'system.clusters'

dosubot[bot] commented 2 months ago

Hey there, @TCeason! 👋 I'm here to help you with any bugs, questions, or contributions you have. I'm like a bot with a heart! 😄

The "show columns from clusters from system" SQL command returns a "Permission denied" error for the 'root' user because the user does not have the required privileges for the 'system' database. Even though the 'root' user is granted all available privileges on a global level, specific operations within the 'system' database may still require additional privileges [1].

To resolve this, you can explicitly grant the necessary privileges to the 'root' user for the 'system' database. Here is a code snippet to do that:

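use databend_common_meta_app::principal::{GrantObject, UserGrantSet, UserInfo, UserPrivilegeType};
use enumflags2::make_bitflags;

// Build the 'root'@'%' user with no authentication configured and an empty grant set.
let mut user = UserInfo::new_no_auth("root", "%");
let mut grants = UserGrantSet::empty();

// Grant SELECT, INSERT, UPDATE and DELETE on the `system` database.
grants.grant_privileges(
    &GrantObject::Database("system".to_string()),
    make_bitflags!(UserPrivilegeType::{Select | Insert | Update | Delete}).into(),
);

// Attach the grants to the user and authenticate the session as that user.
// `session` is assumed to be an existing session handle already in scope.
user.grants = grants;
session.set_authed_user(user, None).await.unwrap();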

This code grants the 'root' user the necessary privileges to access the 'system' database [2][3].
