Add SHOW GRANTS [FOR xxx] statement #3366

Merged
merged 15 commits into from
Dec 14, 2021

@flaneur2020 flaneur2020 commented Dec 10, 2021

I hereby agree to the terms of the CLA available at: https://databend.rs/policies/cla/

Summary

  • rename UserPrivilege to UserPrivilegeSet
  • add UserIdentity struct which includes username and hostname
  • add Display for UserPrivilegeType, UserPrivilegeSet, GrantObject, GrantEntry
  • add parser and interpreter for SHOW GRANTS [FOR xxx] statement

Changelog

  • New Feature

Related Issues

Fixes #3262

Test Plan

Unit Tests
Stateless Tests

@databend-bot databend-bot added the pr-feature this PR introduces a new feature to the codebase label Dec 10, 2021
@databend-bot
Member

Thanks for the contribution!
I have applied any labels matching special text in your PR Changelog.

Please review the labels and make any necessary changes.

@codecov-commenter

codecov-commenter commented Dec 10, 2021

Codecov Report

Merging #3366 (8537e88) into main (1f29cfc) will decrease coverage by 0%.
The diff coverage is 30%.

@@          Coverage Diff          @@
##            main   #3366   +/-   ##
=====================================
- Coverage     61%     61%   -1%     
=====================================
  Files        610     615    +5     
  Lines      34185   34256   +71     
=====================================
+ Hits       20992   21007   +15     
- Misses     13193   13249   +56     
Impacted Files Coverage Δ
common/meta/types/src/user_grant.rs 50% <ø> (ø)
common/meta/types/src/user_privilege.rs 33% <ø> (ø)
common/planners/src/plan_node.rs 45% <0%> (-1%) ⬇️
common/planners/src/plan_rewriter.rs 45% <0%> (-1%) ⬇️
common/planners/src/plan_show_grants.rs 0% <0%> (ø)
query/src/interpreters/interpreter_factory.rs 33% <0%> (-2%) ⬇️
query/src/interpreters/interpreter_show_grants.rs 0% <0%> (ø)
query/src/sql/sql_statement.rs 34% <0%> (-1%) ⬇️
query/src/sql/statements/analyzer_statement.rs 90% <0%> (-1%) ⬇️
query/src/sql/statements/statement_grant.rs 39% <0%> (ø)
... and 12 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@mergify
Contributor

mergify bot commented Dec 10, 2021

This pull request has merge conflicts that must be resolved before it can be merged. @flaneur2020 please rebase it 🙏

@mergify
Contributor

mergify bot commented Dec 12, 2021

This pull request has merge conflicts that must be resolved before it can be merged. @flaneur2020 please rebase it 🙏

@flaneur2020
Member Author

some test in mysql:

mysql> GRANT SELECT ON db01.tb1 TO 'test-grant'@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql>
mysql> show grants for 'test-grant'@'localhost';
+-------------------------------------------------------------+
| Grants for test-grant@localhost                             |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test-grant'@'localhost'              |
| GRANT SELECT ON `db01`.* TO 'test-grant'@'localhost'        |
| GRANT SELECT ON `dbnotexists`.* TO 'test-grant'@'localhost' |
| GRANT SELECT ON `db01`.`tb1` TO 'test-grant'@'localhost'    |
+-------------------------------------------------------------+
4 rows in set (0.00 sec)

mysql> drop database db01;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GRANTS FOR 'test-grant'@'localhost';
+--------------------------------------------------------------+
| Grants for test-grant@localhost                              |
+--------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test-grant'@'localhost'               |
| GRANT ALL PRIVILEGES ON `db01`.* TO 'test-grant'@'localhost' |
| GRANT SELECT ON `dbnotexists`.* TO 'test-grant'@'localhost'  |
+--------------------------------------------------------------+
3 rows in set (0.00 sec)

It seems MySQL would not clean up the orphan grants after deleting the database.

@flaneur2020 flaneur2020 marked this pull request as ready for review December 14, 2021 02:33
@flaneur2020 flaneur2020 changed the title WIP: Add show grants Add SHOW GRANTS [FOR xxx] statement Dec 14, 2021
@@ -15,6 +15,8 @@ GRANT SELECT ON `db01`.'tb1' TO 'test-grant'@'localhost';
GRANT SELECT ON db01.tbnotexists TO 'test-grant'@'localhost'; -- {ErrorCode 25}
GRANT SELECT ON dbnotexists.* TO 'test-grant'@'localhost'; -- {ErrorCode 3}

SHOW GRANTS FOR 'test-grant'@'localhost';

REVOKE SELECT ON db01.* FROM 'test-grant'@'localhost';
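Review bot: the SHOW GRANTS FOR 'test-grant'@'localhost' line runs right after two GRANT statements annotated as failing (ErrorCode 25 for db01.tbnotexists, ErrorCode 3 for dbnotexists.*), so its expected output is where this test can prove that a rejected GRANT leaves no entry behind; check that the result file lists neither object. The hunk header's context line also writes the table as `db01`.'tb1', mixing backticks and single quotes, which deserves a comment in the test if the mixed quoting is intentional parser coverage.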
Member

It would be better to check the privileges again after REVOKE:
SHOW GRANTS FOR 'test-grant'@'localhost';

Member Author

Thank you, I've added two show grant statements after each revoke statement.

Member

After REVOKE SELECT ON db01.* FROM 'test-grant'@'localhost';
Seems like the grants result is not correct?

Member Author

After REVOKE SELECT ON db01.* FROM 'test-grant'@'localhost', the remaining grants are:

GRANT CREATE,SELECT,INSERT,SET ON 'default'.* TO 'test-grant'@'localhost'
GRANT SELECT ON 'db01'.'tb1' TO 'test-grant'@'localhost'

The privilege on 'db01'.'tb1' is not revoked by the statement REVOKE .. ON 'db01'.'*'. The behaviour is counter-intuitive, but the same as MySQL:

╰─$ mysql -uroot --port 3306 -hlocalhost --protocol=TCP                                                                     
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.35 Homebrew

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE IF NOT EXISTS `db01`;
Query OK, 1 row affected, 1 warning (0.01 sec)

mysql> CREATE TABLE IF NOT EXISTS `db01`.`tb1` (`id` NOT NULL);
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> CREATE USER 'test-grant'@'localhost' IDENTIFIED BY 'password';

mysql> GRANT SELECT ON db01.* TO 'test-grant'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON db01.tb1 TO 'test-grant'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'test-grant'@'localhost';
+-------------------------------------------------------------+
| Grants for test-grant@localhost                             |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test-grant'@'localhost'              |
| GRANT SELECT ON `dbnotexists`.* TO 'test-grant'@'localhost' |
| GRANT SELECT ON `db01`.* TO 'test-grant'@'localhost'        |
| GRANT SELECT ON `db01`.`tb1` TO 'test-grant'@'localhost'    |
+-------------------------------------------------------------+
4 rows in set (0.00 sec)

mysql> REVOKE SELECT ON db01.* FROM 'test-grant'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'test-grant'@'localhost';
+-------------------------------------------------------------+
| Grants for test-grant@localhost                             |
+-------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test-grant'@'localhost'              |
| GRANT SELECT ON `dbnotexists`.* TO 'test-grant'@'localhost' |
| GRANT SELECT ON `db01`.`tb1` TO 'test-grant'@'localhost'    |
+-------------------------------------------------------------+
3 rows in set (0.00 sec)

It seems the grant & revoke statements match the grant objects key by key, without taking the relationship between the grant objects into account (db01.* does include db01.tb1, but revoking privileges on db01.* does not revoke db01.tb1).
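The key-by-key behaviour described in the comment above, as an added example that is not part of the original thread and is not Databend's code: a constructed grant store where REVOKE removes only the exact object key, plus an audit helper that lists narrower entries a database-level revoke leaves behind. `Object`, `Grants`, `covers`, `allows` and `residual` are hypothetical names, and the access check (any covering entry allows) is an assumption of this model.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed model for illustration; not Databend's GrantObject/GrantEntry.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Object {
    Database(String),      // db.*
    Table(String, String), // db.tb
}

impl Object {
    // True when `self` is `other` or a database-level scope containing it.
    fn covers(&self, other: &Object) -> bool {
        matches!((self, other), (Object::Database(a), Object::Table(b, _)) if a == b) || self == other
    }
}

struct Grants(BTreeMap<Object, BTreeSet<&'static str>>);

impl Grants {
    fn grant(&mut self, obj: &Object, privilege: &'static str) {
        self.0.entry(obj.clone()).or_default().insert(privilege);
    }
    // Key-by-key revoke: only the entry stored under exactly `obj` changes.
    fn revoke(&mut self, obj: &Object, privilege: &str) {
        let emptied = self.0.get_mut(obj).map_or(false, |s| s.remove(privilege) && s.is_empty());
        if emptied { self.0.remove(obj); }
    }
    // Access check: any entry whose object covers the target allows it.
    fn allows(&self, target: &Object, privilege: &str) -> bool {
        self.0.iter().any(|(o, p)| o.covers(target) && p.contains(privilege))
    }
    // Audit: narrower entries under `obj` that still carry `privilege`.
    fn residual(&self, obj: &Object, privilege: &str) -> Vec<Object> {
        self.0.iter()
            .filter(|(o, p)| *o != obj && obj.covers(o) && p.contains(privilege))
            .map(|(o, _)| o.clone())
            .collect()
    }
}

// Replays the thread's GRANT, GRANT, REVOKE sequence on db01.* and db01.tb1.
fn replay() -> (bool, Vec<Object>) {
    let (db, tb) = (Object::Database("db01".into()), Object::Table("db01".into(), "tb1".into()));
    let mut g = Grants(BTreeMap::new());
    for o in [&db, &tb] { g.grant(o, "SELECT"); }
    g.revoke(&db, "SELECT");
    (g.allows(&tb, "SELECT"), g.residual(&db, "SELECT"))
}

fn main() { println!("{:?}", replay()); }
```

Running `residual` right after a database-level revoke gives an access review the list of table-level grants that still need an explicit REVOKE.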

@BohuTANG
Member

/lgtm

@BohuTANG BohuTANG merged commit e145aad into databendlabs:main Dec 14, 2021
@flaneur2020 flaneur2020 deleted the add-show-grants branch December 14, 2021 06:28
Labels
need-review pr-feature this PR introduces a new feature to the codebase