risingwave_common/acl/
mod.rs

1// Copyright 2025 RisingWave Labs
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! `Acl` defines all grantable privileges.
16
17use std::fmt::Formatter;
18use std::sync::LazyLock;
19
20use enumflags2::{BitFlags, bitflags, make_bitflags};
21use parse_display::Display;
22use risingwave_pb::user::grant_privilege::PbAction;
23
24#[bitflags]
25#[repr(u64)]
26#[derive(Clone, Copy, Debug, Display, Eq, PartialEq)]
27pub enum AclMode {
28    #[display("a")]
29    Insert = 1 << 0, // formerly known as "append".
30    #[display("r")]
31    Select = 1 << 1, // formerly known as "read".
32    #[display("w")]
33    Update = 1 << 2, // formerly known as "write".
34    #[display("d")]
35    Delete = 1 << 3,
36    #[display("D")]
37    Truncate = 1 << 4, // super-delete, as it were
38    #[display("x")]
39    References = 1 << 5,
40    #[display("t")]
41    Trigger = 1 << 6,
42    #[display("X")]
43    Execute = 1 << 7, // For functions
44    #[display("U")]
45    Usage = 1 << 8, // For various object types
46    #[display("C")]
47    Create = 1 << 9, // For namespaces and databases
48    #[display("T")]
49    CreateTemp = 1 << 10, // For databases
50    #[display("c")]
51    Connect = 1 << 11, // For databases
52    #[display("s")]
53    Set = 1 << 12, // For configuration parameters
54    #[display("A")]
55    AlterSystem = 1 << 13, // For configuration parameters
56    #[display("m")]
57    Maintain = 1 << 14, // For relations
58}
59
60impl From<PbAction> for AclMode {
61    fn from(action: PbAction) -> Self {
62        match action {
63            PbAction::Unspecified => unreachable!(),
64            PbAction::Select => AclMode::Select,
65            PbAction::Insert => AclMode::Insert,
66            PbAction::Update => AclMode::Update,
67            PbAction::Delete => AclMode::Delete,
68            PbAction::Create => AclMode::Create,
69            PbAction::Connect => AclMode::Connect,
70            PbAction::Usage => AclMode::Usage,
71            PbAction::Execute => AclMode::Execute,
72        }
73    }
74}
75
76impl From<AclMode> for PbAction {
77    fn from(val: AclMode) -> Self {
78        match val {
79            AclMode::Select => PbAction::Select,
80            AclMode::Insert => PbAction::Insert,
81            AclMode::Update => PbAction::Update,
82            AclMode::Delete => PbAction::Delete,
83            AclMode::Create => PbAction::Create,
84            AclMode::Connect => PbAction::Connect,
85            AclMode::Usage => PbAction::Usage,
86            AclMode::Execute => PbAction::Execute,
87            _ => unreachable!(),
88        }
89    }
90}
91
92/// `AclModeSet` defines a set of `AclMode`s.
93#[derive(Clone, Debug)]
94pub struct AclModeSet {
95    pub modes: BitFlags<AclMode>,
96}
97
98macro_rules! lazy_acl_modes {
99    ($name:ident, { $($mode:tt)* }) => {
100        pub static $name: LazyLock<AclModeSet> = LazyLock::new(||
101            make_bitflags!(AclMode::{ $($mode)* }).into()
102        );
103    };
104    ($name:ident, readonly) => {
105        pub static $name: LazyLock<AclModeSet> = LazyLock::new(AclModeSet::readonly);
106    };
107}
108
109lazy_acl_modes!(ALL_AVAILABLE_DATABASE_MODES, { Create | Connect });
110lazy_acl_modes!(ALL_AVAILABLE_SCHEMA_MODES, { Create | Usage });
111lazy_acl_modes!(ALL_AVAILABLE_TABLE_MODES, {
112    Select | Insert | Update | Delete
113});
114lazy_acl_modes!(ALL_AVAILABLE_VIEW_MODES, {
115    Select | Insert | Update | Delete
116});
117lazy_acl_modes!(ALL_AVAILABLE_SOURCE_MODES, readonly);
118lazy_acl_modes!(ALL_AVAILABLE_MVIEW_MODES, readonly);
119lazy_acl_modes!(ALL_AVAILABLE_SINK_MODES, readonly);
120lazy_acl_modes!(ALL_AVAILABLE_SUBSCRIPTION_MODES, readonly);
121lazy_acl_modes!(ALL_AVAILABLE_FUNCTION_MODES, { Execute });
122lazy_acl_modes!(ALL_AVAILABLE_CONNECTION_MODES, { Usage });
123lazy_acl_modes!(ALL_AVAILABLE_SECRET_MODES, { Usage });
124
125impl AclModeSet {
126    #[allow(dead_code)]
127    pub fn empty() -> Self {
128        Self {
129            modes: BitFlags::empty(),
130        }
131    }
132
133    pub fn readonly() -> Self {
134        Self {
135            modes: BitFlags::from(AclMode::Select),
136        }
137    }
138
139    pub fn has_mode(&self, mode: AclMode) -> bool {
140        self.modes.contains(mode)
141    }
142
143    pub fn iter(&self) -> impl Iterator<Item = AclMode> + '_ {
144        self.modes.iter()
145    }
146}
147
148impl From<BitFlags<AclMode>> for AclModeSet {
149    fn from(modes: BitFlags<AclMode>) -> Self {
150        Self { modes }
151    }
152}
153
154impl std::fmt::Display for AclModeSet {
155    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
156        write!(f, "{}", self.modes)
157    }
158}
risingwave_common/acl/mod.rs

risingwave_common/acl/
mod.rs
