feat: object warehouse support rbac (#17262)

* feat: object warehouse support rbac

* add WAREHOUSE as ident

note: only support_forward_warehouse_request will apply warehouse rbac. Now only support SystemResourcesManagement

* add new privilege type forward test

* add new ident parse func: grant_ident

* 1. Normalize the code

2. grant ownership on warehouse object only supported for warehouses managed by the system

* fix warehouse uid modify to id

* add CreateWarehouse in available_privileges_on_global

Author: TCeason

Diff for: src/meta/app/src/principal/ownership_object.rs

@@ -52,6 +52,10 @@ pub enum OwnershipObject {
     UDF {
         name: String,
     },
+
+    Warehouse {
+        id: String,
+    },
 }
 
 impl OwnershipObject {
@@ -80,6 +84,7 @@ impl fmt::Display for OwnershipObject {
             }
             OwnershipObject::UDF { name } => write!(f, "UDF {name}"),
             OwnershipObject::Stage { name } => write!(f, "STAGE {name}"),
+            OwnershipObject::Warehouse { id } => write!(f, "Warehouse {id}"),
         }
     }
 }
@@ -119,6 +124,7 @@ impl KeyCodec for OwnershipObject {
             }
             OwnershipObject::Stage { name } => b.push_raw("stage-by-name").push_str(name),
             OwnershipObject::UDF { name } => b.push_raw("udf-by-name").push_str(name),
+            OwnershipObject::Warehouse { id } => b.push_raw("warehouse-by-id").push_str(id),
         }
     }
 
@@ -165,9 +171,13 @@ impl KeyCodec for OwnershipObject {
                 let name = p.next_str()?;
                 Ok(OwnershipObject::UDF { name })
             }
+            "warehouse-by-id" => {
+                let id = p.next_str()?;
+                Ok(OwnershipObject::Warehouse { id })
+            }
             _ => Err(kvapi::KeyError::InvalidSegment {
                 i: p.index(),
-                expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name"
+                expect: "database-by-id|database-by-catalog-id|table-by-id|table-by-catalog-id|stage-by-name|udf-by-name|warehouse-by-id"
                     .to_string(),
                 got: q.to_string(),
             }),

Diff for: src/meta/app/src/principal/tenant_ownership_object_ident.rs

@@ -254,6 +254,22 @@ mod tests {
             let parsed = TenantOwnershipObjectIdent::from_str_key(&key).unwrap();
             assert_eq!(role_grantee, parsed);
         }
+
+        // warehouse
+        {
+            let role_grantee = TenantOwnershipObjectIdent::new_unchecked(
+                Tenant::new_literal("test"),
+                OwnershipObject::Warehouse {
+                    id: "n87s".to_string(),
+                },
+            );
+
+            let key = role_grantee.to_string_key();
+            assert_eq!("__fd_object_owners/test/warehouse-by-id/n87s", key);
+
+            let parsed = TenantOwnershipObjectIdent::from_str_key(&key).unwrap();
+            assert_eq!(role_grantee, parsed);
+        }
     }
 
     #[test]

Diff for: src/meta/app/src/principal/user_grant.rs

@@ -111,7 +111,9 @@ impl GrantObject {
             GrantObject::Stage(_) => {
                 UserPrivilegeSet::available_privileges_on_stage(available_ownership)
             }
-            GrantObject::Warehouse(_) => UserPrivilegeSet::available_privileges_on_warehouse(),
+            GrantObject::Warehouse(_) => {
+                UserPrivilegeSet::available_privileges_on_warehouse(available_ownership)
+            }
         }
     }
 

Diff for: src/meta/app/src/principal/user_privilege.rs

@@ -76,6 +76,8 @@ pub enum UserPrivilegeType {
     Write = 1 << 19,
     // Privilege to Create database
     CreateDatabase = 1 << 20,
+    // Privilege to Create warehouse
+    CreateWarehouse = 1 << 21,
     // Discard Privilege Type
     Set = 1 << 4,
 }
@@ -102,6 +104,7 @@ const ALL_PRIVILEGES: BitFlags<UserPrivilegeType> = make_bitflags!(
         | Read
         | Write
         | CreateDatabase
+        | CreateWarehouse
     }
 );
 
@@ -129,6 +132,7 @@ impl Display for UserPrivilegeType {
             UserPrivilegeType::Read => "Read",
             UserPrivilegeType::Write => "Write",
             UserPrivilegeType::CreateDatabase => "CREATE DATABASE",
+            UserPrivilegeType::CreateWarehouse => "CREATE WAREHOUSE",
         })
     }
 }
@@ -166,6 +170,9 @@ impl From<databend_common_ast::ast::UserPrivilegeType> for UserPrivilegeType {
             databend_common_ast::ast::UserPrivilegeType::CreateDatabase => {
                 UserPrivilegeType::CreateDatabase
             }
+            databend_common_ast::ast::UserPrivilegeType::CreateWarehouse => {
+                UserPrivilegeType::CreateWarehouse
+            }
             databend_common_ast::ast::UserPrivilegeType::Set => UserPrivilegeType::Set,
         }
     }
@@ -199,8 +206,8 @@ impl UserPrivilegeSet {
         let database_privs = Self::available_privileges_on_database(false);
         let stage_privs_without_ownership = Self::available_privileges_on_stage(false);
         let udf_privs_without_ownership = Self::available_privileges_on_udf(false);
-        let wh_privs_without_ownership = Self::available_privileges_on_warehouse();
-        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask });
+        let wh_privs_without_ownership = Self::available_privileges_on_warehouse(false);
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse });
         (database_privs.privileges
             | privs
             | stage_privs_without_ownership.privileges
@@ -234,8 +241,12 @@ impl UserPrivilegeSet {
         }
     }
 
-    pub fn available_privileges_on_warehouse() -> Self {
-        make_bitflags!(UserPrivilegeType::{  Usage }).into()
+    pub fn available_privileges_on_warehouse(available_ownership: bool) -> Self {
+        if available_ownership {
+            make_bitflags!(UserPrivilegeType::{  Usage | Ownership }).into()
+        } else {
+            make_bitflags!(UserPrivilegeType::{  Usage }).into()
+        }
     }
 
     pub fn available_privileges_on_udf(available_ownership: bool) -> Self {

Diff for: src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs

@@ -88,6 +88,9 @@ impl FromToProto for mt::principal::OwnershipObject {
             pb::ownership_object::Object::Stage(pb::ownership_object::OwnershipStageObject {
                 stage,
             }) => Ok(mt::principal::OwnershipObject::Stage { name: stage }),
+            pb::ownership_object::Object::Warehouse(
+                pb::ownership_object::OwnershipWarehouseObject { id },
+            ) => Ok(mt::principal::OwnershipObject::Warehouse { id }),
         }
     }
 
@@ -123,6 +126,11 @@ impl FromToProto for mt::principal::OwnershipObject {
                     stage: name.clone(),
                 }),
             ),
+            mt::principal::OwnershipObject::Warehouse { id } => {
+                Some(pb::ownership_object::Object::Warehouse(
+                    pb::ownership_object::OwnershipWarehouseObject { id: id.clone() },
+                ))
+            }
         };
         Ok(pb::OwnershipObject {
             ver: VER,

Diff for: src/meta/proto-conv/src/util.rs

@@ -149,6 +149,7 @@ const META_CHANGE_LOG: &[(u64, &str)] = &[
     (117, "2025-01-21: Add: config.proto: add disable_list_batch in WebhdfsConfig"),
     (118, "2025-01-22: Add: config.proto: add user_name in WebhdfsConfig"),
     (119, "2025-01-25: Add: virtual_column add alias_names and auto_generated field"),
+    (120, "2025-02-11: Add: Add new UserPrivilege CreateWarehouse and new OwnershipObject::Warehouse"),
     // Dear developer:
     //      If you're gonna add a new metadata version, you'll have to add a test for it.
     //      You could just copy an existing test file(e.g., `../tests/it/v024_table_meta.rs`)

Diff for: src/meta/proto-conv/tests/it/main.rs

@@ -117,3 +117,4 @@ mod v116_marked_deleted_index_meta;
 mod v117_webhdfs_add_disable_list_batch;
 mod v118_webhdfs_add_user_name;
 mod v119_virtual_column;
+mod v120_warehouse_ownershipobject;

Diff for: src/meta/proto-conv/tests/it/v120_warehouse_ownershipobject.rs

@@ -0,0 +1,116 @@
+// Copyright 2023 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use std::collections::HashSet;
+
+use chrono::DateTime;
+use chrono::Utc;
+use databend_common_meta_app as mt;
+use databend_common_meta_app::principal::OwnershipObject;
+use databend_common_meta_app::principal::UserGrantSet;
+use databend_common_meta_app::principal::UserPrivilegeType;
+use enumflags2::make_bitflags;
+use fastrace::func_name;
+
+use crate::common;
+
+// These bytes are built when a new version in introduced,
+// and are kept for backward compatibility test.
+//
+// *************************************************************
+// * These messages should never be updated,                   *
+// * only be added when a new version is added,                *
+// * or be removed when an old version is no longer supported. *
+// *************************************************************
+//
+
+#[test]
+fn test_decode_v120_grant_object() -> anyhow::Result<()> {
+    let role_info_v120 = vec![
+        10, 2, 114, 49, 18, 172, 1, 10, 21, 10, 8, 10, 0, 160, 6, 120, 168, 6, 24, 16, 128, 128,
+        128, 1, 160, 6, 120, 168, 6, 24, 10, 31, 10, 21, 18, 13, 10, 7, 100, 101, 102, 97, 117,
+        108, 116, 18, 2, 100, 98, 160, 6, 120, 168, 6, 24, 16, 2, 160, 6, 120, 168, 6, 24, 10, 35,
+        10, 25, 26, 17, 10, 7, 100, 101, 102, 97, 117, 108, 116, 18, 2, 100, 98, 26, 2, 116, 98,
+        160, 6, 120, 168, 6, 24, 16, 2, 160, 6, 120, 168, 6, 24, 10, 22, 10, 12, 34, 4, 10, 2, 102,
+        49, 160, 6, 120, 168, 6, 24, 16, 1, 160, 6, 120, 168, 6, 24, 10, 24, 10, 12, 42, 4, 10, 2,
+        115, 49, 160, 6, 120, 168, 6, 24, 16, 128, 128, 32, 160, 6, 120, 168, 6, 24, 10, 21, 10, 8,
+        10, 0, 160, 6, 120, 168, 6, 24, 16, 254, 255, 191, 1, 160, 6, 120, 168, 6, 24, 160, 6, 120,
+        168, 6, 24, 26, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48, 58, 48,
+        48, 32, 85, 84, 67, 34, 23, 49, 57, 55, 48, 45, 48, 49, 45, 48, 49, 32, 48, 48, 58, 48, 48,
+        58, 48, 48, 32, 85, 84, 67, 160, 6, 120, 168, 6, 24,
+    ];
+    let want = || mt::principal::RoleInfo {
+        name: "r1".to_string(),
+        grants: UserGrantSet::new(
+            vec![
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Global,
+                    make_bitflags!(UserPrivilegeType::{CreateWarehouse}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Database("default".to_string(), "db".to_string()),
+                    make_bitflags!(UserPrivilegeType::{Create}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Table(
+                        "default".to_string(),
+                        "db".to_string(),
+                        "tb".to_string(),
+                    ),
+                    make_bitflags!(UserPrivilegeType::{Create}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::UDF("f1".to_string()),
+                    make_bitflags!(UserPrivilegeType::{Usage}),
+                ),
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Stage("s1".to_string()),
+                    make_bitflags!(UserPrivilegeType::{Write}),
+                ),
+                // test new global privilege CreateWarehouse
+                mt::principal::GrantEntry::new(
+                    mt::principal::GrantObject::Global,
+                    make_bitflags!(UserPrivilegeType::{Create | Select | Insert | Update | Delete | Drop | Alter | Super | CreateUser | DropUser | CreateRole | DropRole | Grant | CreateStage | Set | CreateDataMask | Ownership | Read | Write | CreateWarehouse }),
+                ),
+            ],
+            HashSet::new(),
+        ),
+        created_on: DateTime::<Utc>::default(),
+        update_on: DateTime::<Utc>::default(),
+    };
+
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), role_info_v120.as_slice(), 120, want())?;
+
+    Ok(())
+}
+
+#[test]
+fn test_decode_v120_ownership() -> anyhow::Result<()> {
+    let ownership_info_v120 = vec![
+        10, 2, 114, 49, 18, 19, 42, 11, 10, 9, 97, 117, 110, 105, 113, 117, 101, 105, 100, 160, 6,
+        120, 168, 6, 24, 160, 6, 120, 168, 6, 24,
+    ];
+
+    let want = || mt::principal::OwnershipInfo {
+        role: "r1".to_string(),
+        object: OwnershipObject::Warehouse {
+            id: "auniqueid".to_string(),
+        },
+    };
+    common::test_pb_from_to(func_name!(), want())?;
+    common::test_load_old(func_name!(), ownership_info_v120.as_slice(), 120, want())?;
+
+    Ok(())
+}

Diff for: src/meta/protos/proto/ownership.proto

@@ -46,10 +46,15 @@ message OwnershipObject {
     string stage = 1;
   }
 
+  message OwnershipWarehouseObject {
+    string id = 1;
+  }
+
   oneof object {
     OwnershipDatabaseObject database = 1;
     OwnershipTableObject table = 2;
     OwnershipUdfObject udf = 3;
     OwnershipStageObject stage = 4;
+    OwnershipWarehouseObject warehouse = 5;
   }
 }

Diff for: src/query/ast/src/ast/statements/principal.rs

@@ -150,6 +150,8 @@ pub enum UserPrivilegeType {
     Write,
     // Privilege to Create database
     CreateDatabase,
+    // Privilege to Create warehouse
+    CreateWarehouse,
     // Discard Privilege Type
     Set,
 }
@@ -178,6 +180,7 @@ impl Display for UserPrivilegeType {
             UserPrivilegeType::Read => "Read",
             UserPrivilegeType::Write => "Write",
             UserPrivilegeType::CreateDatabase => "CREATE DATABASE",
+            UserPrivilegeType::CreateWarehouse => "CREATE WAREHOUSE",
         })
     }
 }

Diff for: src/query/ast/src/ast/statements/user.rs

@@ -147,6 +147,7 @@ pub enum GrantObjectName {
     Table(Option<String>, String),
     UDF(String),
     Stage(String),
+    Warehouse(String),
 }
 
 impl Display for GrantObjectName {
@@ -164,6 +165,7 @@ impl Display for GrantObjectName {
             }
             GrantObjectName::UDF(udf) => write!(f, " UDF {udf}"),
             GrantObjectName::Stage(stage) => write!(f, " STAGE {stage}"),
+            GrantObjectName::Warehouse(w) => write!(f, " WAREHOUSE {w}"),
         }
     }
 }

Diff for: src/query/ast/src/parser/common.rs

@@ -88,6 +88,10 @@ pub fn ident(i: Input) -> IResult<Identifier> {
     non_reserved_identifier(|token| token.is_reserved_ident(false))(i)
 }
 
+pub fn grant_ident(i: Input) -> IResult<Identifier> {
+    non_reserved_identifier(|token| token.is_grant_reserved_ident(false, true))(i)
+}
+
 pub fn plain_ident(i: Input) -> IResult<Identifier> {
     plain_identifier(|token| token.is_reserved_ident(false))(i)
 }

Diff for: src/query/ast/src/parser/stage.rs

@@ -30,6 +30,19 @@ use crate::parser::input::Input;
 use crate::parser::token::*;
 use crate::parser::ErrorKind;
 
+pub fn parameter_to_grant_string(i: Input) -> IResult<String> {
+    let ident_to_string = |i| map_res(grant_ident, |ident| Ok(ident.name))(i);
+    let u64_to_string = |i| map(literal_u64, |v| v.to_string())(i);
+    let boolean_to_string = |i| map(literal_bool, |v| v.to_string())(i);
+
+    rule!(
+        #literal_string
+        | #ident_to_string
+        | #u64_to_string
+        | #boolean_to_string
+    )(i)
+}
+
 pub fn parameter_to_string(i: Input) -> IResult<String> {
     let ident_to_string = |i| map_res(ident, |ident| Ok(ident.name))(i);
     let u64_to_string = |i| map(literal_u64, |v| v.to_string())(i);