1. Normalize the code

2. grant ownership on warehouse object only supported for warehouses managed by the system

Author: TCeason

src/meta/app/src/principal/ownership_object.rs

@@ -54,7 +54,7 @@ pub enum OwnershipObject {
     },
 
     Warehouse {
-        uid: String,
+        id: String,
     },
 }
 
@@ -84,7 +84,7 @@ impl fmt::Display for OwnershipObject {
             }
             OwnershipObject::UDF { name } => write!(f, "UDF {name}"),
             OwnershipObject::Stage { name } => write!(f, "STAGE {name}"),
-            OwnershipObject::Warehouse { uid } => write!(f, "Warehouse {uid}"),
+            OwnershipObject::Warehouse { id: uid } => write!(f, "Warehouse {uid}"),
         }
     }
 }
@@ -124,7 +124,7 @@ impl KeyCodec for OwnershipObject {
             }
             OwnershipObject::Stage { name } => b.push_raw("stage-by-name").push_str(name),
             OwnershipObject::UDF { name } => b.push_raw("udf-by-name").push_str(name),
-            OwnershipObject::Warehouse { uid } => b.push_raw("warehouse-by-uid").push_str(uid),
+            OwnershipObject::Warehouse { id: uid } => b.push_raw("warehouse-by-uid").push_str(uid),
         }
     }
 
@@ -173,7 +173,7 @@ impl KeyCodec for OwnershipObject {
             }
             "warehouse-by-uid" => {
                 let uid = p.next_str()?;
-                Ok(OwnershipObject::Warehouse { uid })
+                Ok(OwnershipObject::Warehouse { id: uid })
             }
             _ => Err(kvapi::KeyError::InvalidSegment {
                 i: p.index(),

src/meta/app/src/principal/tenant_ownership_object_ident.rs

@@ -260,7 +260,7 @@ mod tests {
             let role_grantee = TenantOwnershipObjectIdent::new_unchecked(
                 Tenant::new_literal("test"),
                 OwnershipObject::Warehouse {
-                    uid: "n87s".to_string(),
+                    id: "n87s".to_string(),
                 },
             );
 

src/meta/app/src/principal/user_privilege.rs

@@ -207,7 +207,9 @@ impl UserPrivilegeSet {
         let stage_privs_without_ownership = Self::available_privileges_on_stage(false);
         let udf_privs_without_ownership = Self::available_privileges_on_udf(false);
         let wh_privs_without_ownership = Self::available_privileges_on_warehouse(false);
-        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask | CreateWarehouse });
+        // TODO : The warehouse functionality is not yet fully integrated. Therefore, the CreateWarehouse permission must be granted separately
+        // If self-created user or configured user wants to create warehouse in system-manage cluster must execute: grant create warehouse on *.* to <user_name>;
+        let privs = make_bitflags!(UserPrivilegeType::{ Usage | Super | CreateUser | DropUser | CreateRole | DropRole | CreateDatabase | Grant | CreateDataMask });
         (database_privs.privileges
             | privs
             | stage_privs_without_ownership.privileges

src/meta/proto-conv/src/ownership_from_to_protobuf_impl.rs

@@ -90,7 +90,7 @@ impl FromToProto for mt::principal::OwnershipObject {
             }) => Ok(mt::principal::OwnershipObject::Stage { name: stage }),
             pb::ownership_object::Object::Warehouse(
                 pb::ownership_object::OwnershipWarehouseObject { uid },
-            ) => Ok(mt::principal::OwnershipObject::Warehouse { uid }),
+            ) => Ok(mt::principal::OwnershipObject::Warehouse { id: uid }),
         }
     }
 
@@ -126,7 +126,7 @@ impl FromToProto for mt::principal::OwnershipObject {
                     stage: name.clone(),
                 }),
             ),
-            mt::principal::OwnershipObject::Warehouse { uid } => {
+            mt::principal::OwnershipObject::Warehouse { id: uid } => {
                 Some(pb::ownership_object::Object::Warehouse(
                     pb::ownership_object::OwnershipWarehouseObject { uid: uid.clone() },
                 ))

src/meta/proto-conv/tests/it/v120_warehouse_ownershipobject.rs

@@ -106,7 +106,7 @@ fn test_decode_v120_ownership() -> anyhow::Result<()> {
     let want = || mt::principal::OwnershipInfo {
         role: "r1".to_string(),
         object: OwnershipObject::Warehouse {
-            uid: "auniqueid".to_string(),
+            id: "auniqueid".to_string(),
         },
     };
     common::test_pb_from_to(func_name!(), want())?;

src/query/management/src/role/role_mgr.rs

@@ -504,7 +504,7 @@ fn convert_to_grant_obj(owner_obj: &OwnershipObject) -> GrantObject {
         } => GrantObject::TableById(catalog_name.to_string(), *db_id, *table_id),
         OwnershipObject::Stage { name } => GrantObject::Stage(name.to_string()),
         OwnershipObject::UDF { name } => GrantObject::UDF(name.to_string()),
-        OwnershipObject::Warehouse { uid } => GrantObject::Warehouse(uid.to_string()),
+        OwnershipObject::Warehouse { id: uid } => GrantObject::Warehouse(uid.to_string()),
     }
 }
 

src/query/service/src/interpreters/access/privilege_access.rs

@@ -155,7 +155,7 @@ impl PrivilegeAccess {
                 name: name.to_string(),
             },
             GrantObject::Warehouse(uid) => OwnershipObject::Warehouse {
-                uid: uid.to_string(),
+                id: uid.to_string(),
             },
             GrantObject::Global => return Ok(None),
         };

src/query/service/src/interpreters/interpreter_create_warehouses.rs

@@ -87,7 +87,7 @@ impl Interpreter for CreateWarehouseInterpreter {
                 if let Some(current_role) = self.ctx.get_current_role() {
                     role_api
                         .grant_ownership(
-                            &OwnershipObject::Warehouse { uid: sw.role_id },
+                            &OwnershipObject::Warehouse { id: sw.role_id },
                             &current_role.name,
                         )
                         .await?;
@@ -118,7 +118,7 @@ impl Interpreter for CreateWarehouseInterpreter {
             if let Some(current_role) = self.ctx.get_current_role() {
                 role_api
                     .grant_ownership(
-                        &OwnershipObject::Warehouse { uid: sw.role_id },
+                        &OwnershipObject::Warehouse { id: sw.role_id },
                         &current_role.name,
                     )
                     .await?;

src/query/service/src/interpreters/interpreter_drop_warehouses.rs

@@ -76,7 +76,7 @@ impl Interpreter for DropWarehouseInterpreter {
             if let Some(current_role) = self.ctx.get_current_role() {
                 role_api
                     .grant_ownership(
-                        &OwnershipObject::Warehouse { uid: sw.role_id },
+                        &OwnershipObject::Warehouse { id: sw.role_id },
                         &current_role.name,
                     )
                     .await?;

src/query/service/src/interpreters/interpreter_privilege_grant.rs

@@ -14,6 +14,7 @@
 
 use std::sync::Arc;
 
+use databend_common_base::base::GlobalInstance;
 use databend_common_exception::ErrorCode;
 use databend_common_exception::Result;
 use databend_common_meta_app::principal::GrantObject;
@@ -25,6 +26,7 @@ use databend_common_meta_app::tenant::Tenant;
 use databend_common_sql::plans::GrantPrivilegePlan;
 use databend_common_users::RoleCacheManager;
 use databend_common_users::UserApiProvider;
+use databend_enterprise_resources_management::ResourcesManagement;
 use log::debug;
 use log::error;
 use log::info;
@@ -102,7 +104,7 @@ impl GrantPrivilegeInterpreter {
                 name: name.to_string(),
             }),
             GrantObject::Warehouse(uid) => Ok(OwnershipObject::Warehouse {
-                uid: uid.to_string(),
+                id: uid.to_string(),
             }),
             GrantObject::Global => Err(ErrorCode::IllegalGrant(
                 "Illegal GRANT/REVOKE command; please consult the manual to see which privileges can be used",
@@ -203,6 +205,17 @@ impl Interpreter for GrantPrivilegeInterpreter {
                         .convert_to_ownerobject(&tenant, &plan.on, plan.on.catalog())
                         .await?;
                     if self.ctx.get_current_role().is_some() {
+                        if let OwnershipObject::Warehouse { .. } = owner_object {
+                            let warehouse_mgr =
+                                GlobalInstance::get::<Arc<dyn ResourcesManagement>>();
+
+                            // Only support grant ownership when support_forward_warehouse_request is true
+                            if !warehouse_mgr.support_forward_warehouse_request() {
+                                return Err(ErrorCode::IllegalGrant(
+                                    "Illegal GRANT/REVOKE command; only supported for warehouses managed by the system",
+                                ));
+                            }
+                        }
                         self.grant_ownership(&self.ctx, &tenant, &owner_object, &role)
                             .await?;
                     } else {

src/query/service/src/table_functions/show_grants/show_grants_table.rs

@@ -516,7 +516,7 @@ async fn show_account_grants(
                         privileges.push("OWNERSHIP".to_string());
                         grant_list.push(format!("GRANT OWNERSHIP ON UDF {} TO {}", name, identity));
                     }
-                    OwnershipObject::Warehouse { uid } => {
+                    OwnershipObject::Warehouse { id: uid } => {
                         if let Some(sw) = warehouses
                             .iter()
                             .filter_map(|w| {
@@ -739,27 +739,25 @@ async fn show_object_grant(
                 return Err(ErrorCode::InvalidArgument("The 'SHOW GRANTS ON <warehouse_name>' only supported for warehouses managed by the system. Please verify that you are using a system-managed warehouse".to_string()));
             }
             let warehouses = warehouse_mgr.list_warehouses().await?;
-            let mut uid = String::new();
+            let mut id = String::new();
             for w in warehouses {
                 if let WarehouseInfo::SystemManaged(rw) = w {
                     if rw.id == name {
-                        uid = rw.role_id.to_string();
+                        id = rw.role_id.to_string();
                         break;
                     }
                 }
             }
-            if !visibility_checker.check_warehouse_visibility(&uid) {
+            if !visibility_checker.check_warehouse_visibility(&id) {
                 return Err(ErrorCode::PermissionDenied(format!(
                     "Permission denied: No privilege on warehouse {} for user {}.",
                     name, current_user
                 )));
             }
             (
-                GrantObject::Warehouse(uid.to_string()),
-                OwnershipObject::Warehouse {
-                    uid: uid.to_string(),
-                },
-                Some(uid),
+                GrantObject::Warehouse(id.to_string()),
+                OwnershipObject::Warehouse { id: id.to_string() },
+                Some(id),
                 name,
             )
         }

src/query/users/src/user_mgr.rs

@@ -233,7 +233,7 @@ impl UserApiProvider {
         }
         if let GrantObject::Warehouse(_) = object {
             return Err(ErrorCode::IllegalUser(format!(
-                "Cannot grant warehouse privileges to user `{}`",
+                "Cannot revoke warehouse privileges to user `{}`",
                 user.username
             )));
         }

src/query/users/src/visibility_checker.rs

@@ -200,7 +200,7 @@ impl GrantObjectVisibilityChecker {
                 OwnershipObject::UDF { name } => {
                     granted_udfs.insert(name.to_string());
                 }
-                OwnershipObject::Warehouse { uid } => {
+                OwnershipObject::Warehouse { id: uid } => {
                     granted_ws.insert(uid.to_string());
                 }
             }

tests/sqllogictests/suites/base/05_ddl/05_0017_ddl_grant_role.test

@@ -264,3 +264,6 @@ drop role if exists role1;
 
 statement ok
 drop role if exists role2;
+
+statement error 1061
+GRANT ownership on warehouse w1 to role 'role1';