ACL test for olap (#13270)

nikvas0 · web-flow · commit 814e8853dc20 · 2025-01-10T13:49:48.000+03:00
diff --git a/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp b/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp
@@ -353,6 +353,149 @@ Y_UNIT_TEST_SUITE(KqpAcl) {
             )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
             UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
 
+            auto resultDelete = client.ExecuteQuery(R"(
+                DELETE FROM `/Root/test_acl` WHERE 1=1;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(!resultDelete.IsSuccess(), resultDelete.GetIssues().ToString());
+            const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
+            UNIT_ASSERT_C(resultDelete.GetIssues().ToString().Contains(expectedIssueMessage), resultDelete.GetIssues().ToString());
+
+            driver.Stop(true);
+        }
+
+        {
+            auto schemeClient = kikimr.GetSchemeClient();
+            NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.erase_row"});
+            NYdb::NScheme::TPermissions revokePermissions("user0@builtin", {"ydb.deprecated.update_row"});
+            AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+                    NYdb::NScheme::TModifyPermissionsSettings()
+                        .AddGrantPermissions(permissions)
+                        .AddRevokePermissions(revokePermissions)
+                ).ExtractValueSync()
+            );
+        }
+
+        {
+            auto driverConfig = TDriverConfig()
+                .SetEndpoint(kikimr.GetEndpoint())
+                .SetAuthToken("user0@builtin");
+            auto driver = TDriver(driverConfig);
+            auto client = NYdb::NQuery::TQueryClient(driver);
+
+            auto result = client.ExecuteQuery(R"(
+                SELECT * FROM `/Root/test_acl`;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+            auto resultWrite = client.ExecuteQuery(R"(
+                REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+            const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
+            UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());
+
+            auto resultDelete = client.ExecuteQuery(R"(
+                DELETE FROM `/Root/test_acl` WHERE 1=1;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultDelete.IsSuccess(), resultDelete.GetIssues().ToString());
+
+            driver.Stop(true);
+        }
+
+        {
+            auto schemeClient = kikimr.GetSchemeClient();
+            NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.erase_row", "ydb.deprecated.update_row"});
+            AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+                    NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+                ).ExtractValueSync()
+            );
+        }
+
+        {
+            auto driverConfig = TDriverConfig()
+                .SetEndpoint(kikimr.GetEndpoint())
+                .SetAuthToken("user0@builtin");
+            auto driver = TDriver(driverConfig);
+            auto client = NYdb::NQuery::TQueryClient(driver);
+
+            auto result = client.ExecuteQuery(R"(
+                SELECT * FROM `/Root/test_acl`;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+            auto resultWrite = client.ExecuteQuery(R"(
+                REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+
+            auto resultDelete = client.ExecuteQuery(R"(
+                DELETE FROM `/Root/test_acl` WHERE 1=1;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultDelete.IsSuccess(), resultDelete.GetIssues().ToString());
+
+            driver.Stop(true);
+        }
+
+        {
+            auto schemeClient = kikimr.GetSchemeClient();
+            NYdb::NScheme::TPermissions revokePermissions("user0@builtin", {"ydb.deprecated.select_row"});
+            AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+                    NYdb::NScheme::TModifyPermissionsSettings()
+                        .AddRevokePermissions(revokePermissions)
+                ).ExtractValueSync()
+            );
+        }
+
+        {
+            auto driverConfig = TDriverConfig()
+                .SetEndpoint(kikimr.GetEndpoint())
+                .SetAuthToken("user0@builtin");
+            auto driver = TDriver(driverConfig);
+            auto client = NYdb::NQuery::TQueryClient(driver);
+
+            auto result = client.ExecuteQuery(R"(
+                SELECT * FROM `/Root/test_acl`;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToString());
+            const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
+            UNIT_ASSERT_C(result.GetIssues().ToString().Contains(expectedIssueMessage), result.GetIssues().ToString());
+
+            auto resultWrite = client.ExecuteQuery(R"(
+                REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+
+            auto resultDelete = client.ExecuteQuery(R"(
+                DELETE FROM `/Root/test_acl` WHERE 1=1;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(!resultDelete.IsSuccess(), resultDelete.GetIssues().ToString());
+            UNIT_ASSERT_C(resultDelete.GetIssues().ToString().Contains(expectedIssueMessage), resultDelete.GetIssues().ToString());
+
+            driver.Stop(true);
+        }
+
+        {
+            auto driverConfig = TDriverConfig()
+                .SetEndpoint(kikimr.GetEndpoint())
+                .SetAuthToken("user0@builtin");
+            auto driver = TDriver(driverConfig);
+            auto client = NYdb::NQuery::TQueryClient(driver);
+
+            auto result = client.ExecuteQuery(R"(
+                INSERT INTO `/Root/test_acl` (id, name) VALUES (100, 'test');
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+            auto resultWrite = client.ExecuteQuery(R"(
+                UPDATE `/Root/test_acl` ON SELECT 100 AS id, 'new test' AS name;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+
+            auto resultDelete = client.ExecuteQuery(R"(
+                DELETE FROM `/Root/test_acl` ON SELECT 100 AS id;
+            )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(resultDelete.IsSuccess(), resultDelete.GetIssues().ToString());
+
             driver.Stop(true);
         }
     }
