From 3d3fdb741117671bef13d8a7262eff52178b8d9b Mon Sep 17 00:00:00 2001
From: jeeminso <jeeminso@gmail.com>
Date: Thu, 3 Apr 2025 13:39:03 -0400
Subject: [PATCH] privileges and views

---
 tests/bwc/test_rolling_upgrade.py | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/tests/bwc/test_rolling_upgrade.py b/tests/bwc/test_rolling_upgrade.py
index c12509e5..d1fcc31b 100644
--- a/tests/bwc/test_rolling_upgrade.py
+++ b/tests/bwc/test_rolling_upgrade.py
@@ -1,5 +1,7 @@
 import unittest
 from crate.client import connect
+from crate.client.exceptions import ProgrammingError
+
 from crate.qa.tests import NodeProvider, insert_data, wait_for_active_shards, UpgradePath
 
 ROLLING_UPGRADES_V4 = (
@@ -103,6 +105,7 @@ def _test_rolling_upgrade(self, path, nodes):
                 ) CLUSTERED INTO {shards} SHARDS
                 WITH (number_of_replicas={replicas})
             ''')
+            c.execute("deny dql on table doc.t1 to arthur")
             c.execute("CREATE VIEW doc.v1 AS SELECT type, title, value FROM doc.t1")
             insert_data(conn, 'doc', 't1', 1000)
 
@@ -148,8 +151,14 @@ def _test_rolling_upgrade(self, path, nodes):
             # Run a query as a user created on an older version (ensure user is read correctly from cluster state, auth works, etc)
             with connect(cluster.node().http_url, username='arthur', password='secret', error_trace=True) as custom_user_conn:
                 c = custom_user_conn.cursor()
-                wait_for_active_shards(c, expected_active_shards)
+                # 'arthur' can only see 'parted' shards, 6 shards are for 't1'
+                wait_for_active_shards(c, expected_active_shards - 6)
                 c.execute("SELECT 1")
+                # has no privilege
+                with self.assertRaisesRegex(ProgrammingError, "RelationUnknown.*"):
+                    c.execute("EXPLAIN SELECT * FROM doc.t1")
+                # has privilege
+                c.execute("EXPLAIN SELECT * FROM doc.v1")
 
             cluster[idx] = new_node
             with connect(new_node.http_url, error_trace=True) as conn:
@@ -159,8 +168,11 @@ def _test_rolling_upgrade(self, path, nodes):
                 c.execute("select name from sys.users order by 1")
                 self.assertEqual(c.fetchall(), [["arthur"], ["crate"]])
 
-                c.execute("select * from sys.privileges")
-                self.assertEqual(c.fetchall(), [["CLUSTER", "arthur", "crate", None, "GRANT", "DQL"]])
+                c.execute("select * from sys.privileges order by ident")
+                self.assertEqual(
+                    c.fetchall(),
+                    [['TABLE', 'arthur', 'crate', 'doc.t1', 'DENY', 'DQL'],
+                     ['CLUSTER', 'arthur', 'crate', None, 'GRANT', 'DQL']])
 
                 c.execute('''
                     SELECT type, AVG(value)
@@ -239,3 +251,14 @@ def _test_rolling_upgrade(self, path, nodes):
             ''')
             res = c.fetchone()
             self.assertEqual(res[0], nodes + 1)
+
+            # Ensure Arthur can be dropped and re-added
+            c.execute("drop user arthur")
+            c.execute("select * from sys.privileges")
+            self.assertEqual(c.fetchall(), [])
+
+            # Ensure view 'v' can be dropped and re-added
+            c.execute("DROP VIEW doc.v1")
+            c.execute("CREATE VIEW doc.v1 AS SELECT 11")
+            c.execute("SELECT * FROM doc.v1")
+            self.assertEqual(c.fetchall(), [[11]])