Conversation


@kailixu kailixu commented Dec 5, 2025

Description

Please briefly describe the code changes in this pull request.

<Close/close/Fix/fix/Resolve/resolve>:

Checklist

Please check the items in the checklist if applicable.

  • Is the user manual updated?
  • Are the test cases passed and automated?
  • Is there no significant decrease in test coverage?

@gemini-code-assist

Summary of Changes

Hello @kailixu, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the database's security infrastructure by integrating a robust Role-Based Access Control (RBAC) system. This enhancement provides administrators with fine-grained control over user and role permissions, allowing for precise definition of access rights across various database objects and data levels. The new system facilitates more efficient and secure management of who can perform what actions on which resources, laying a foundation for advanced security policies.

Highlights

  • Role-Based Access Control (RBAC) Implementation: Introduced a comprehensive RBAC system, enabling granular management of user and role privileges. This includes new system tables, message types, and command nodes for creating, dropping, and altering roles.
  • New System Tables for Roles: Added dedicated system tables (e.g., 'ins_roles', 'ins_role_privileges', 'ins_role_column_privileges') to store role definitions and their associated privileges, enhancing the persistence and management of access control data.
  • Enhanced Privilege System: Overhauled the privilege system with new data structures (e.g., 'EPrivType', 'SPrivSet', 'SPrivTblPolicy') to support detailed control over system, object, and table-level privileges, including row-level and column-level access restrictions.
  • Updated User and Grant/Revoke Structures: Modified the 'SUserObj' structure to incorporate new privilege hash objects, replacing older, less granular privilege fields. The 'GRANT' and 'REVOKE' statements were updated to align with the new privilege system and role management capabilities.
  • Ownership Tracking for Database Objects: Added an 'owner' field to various database object metadata structures (e.g., 'STableMeta', 'SViewMeta', 'SDbObj'), allowing for explicit tracking of object ownership.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a comprehensive Role-Based Access Control (RBAC) system, including new data structures and functionalities for managing roles and granular privileges. Key changes involve adding new system tables and message types for roles, defining detailed privilege types (system, object, legacy) with support for row-level, column-level, and tag-based table privileges, and updating user authentication responses to reflect this new privilege model. New commands for creating, dropping, and altering roles are added, along with corresponding AST nodes and serialization/deserialization logic. The privilege system now uses SPrivSet instead of simple int64_t bitmasks, and user/role objects are updated to store these new privilege sets and associated hash objects for fine-grained control. Additionally, ownership fields are introduced to various metadata structures (tables, views, databases, indexes, mounts, topics, streams). Review comments highlight an incomplete implementation for retrieving column privileges in mndRetrieveColPrivileges, suggest removing a duplicate error code TSDB_CODE_ROLE_SUBROLE_EXCEEDED, and point out a typo in the macro TSDB_PRIVILEDGE_COLS_LEN.

Comment on lines +3511 to +3515
// typedef struct SColNameFlag {
// col_id_t colId;
// char colName[TSDB_COL_NAME_LEN];
// int8_t flag;
// } SColNameFlag;

medium

This commented-out block appears to be a duplicate or old definition of SColNameFlag. To improve code clarity and maintainability, this dead code should be removed.

#define TSDB_PRIV_MAX_KEY_LEN (TSDB_OBJ_FNAME_LEN + TSDB_TABLE_NAME_LEN + TSDB_NAME_DELIMITER_LEN + 10)
#define TSDB_PRIV_MAX_TBL_POLICY 32
#define TSDB_PRIV_MAX_INPUT_ARGS 256
#define TSDB_PRIVILEDGE_COLS_LEN 12 * 1024
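Review bot: the last line of this block defines TSDB_PRIVILEDGE_COLS_LEN as the unparenthesized expression `12 * 1024`, so a use like `n / TSDB_PRIVILEDGE_COLS_LEN` expands to `n / 12 * 1024` and silently computes the wrong size. The macro two lines above, TSDB_PRIV_MAX_KEY_LEN, already wraps its expression in parentheses; the new constant should follow the same convention, e.g. `#define TSDB_PRIVILEGE_COLS_LEN (12 * 1024)` (also fixing the spelling of "privilege"). Since this value sizes the buffer that holds column-privilege lists, an ambiguous expansion here is a length-calculation risk, not just a style point.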

medium

There is a typo in the macro name TSDB_PRIVILEDGE_COLS_LEN. It should be TSDB_PRIVILEGE_COLS_LEN to be consistent with the spelling of "privilege" used elsewhere in the codebase.

Suggested change
#define TSDB_PRIVILEDGE_COLS_LEN 12 * 1024
#define TSDB_PRIVILEGE_COLS_LEN 12 * 1024


kailixu commented Dec 6, 2025

Found that test cases failed; will reopen when the feature is done.

@kailixu kailixu closed this Dec 6, 2025