fix role mapping

zvonand · zvonand · commit 1c2489d8da06 · 2025-09-04T12:57:46.000+02:00
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
@@ -20,13 +20,15 @@ namespace ErrorCodes
 
 TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessControl & access_control_, const Poco::Util::AbstractConfiguration & config_, const String & prefix_)
         : IAccessStorage(storage_name_), access_control(access_control_), config(config_), prefix(prefix_),
-          roles_filter(config.getString(prefix.empty() ? "" : prefix + "." + "roles_filter", "")),
         memory_storage(storage_name_, access_control.getChangesNotifier(), false)
 {
     std::lock_guard lock(mutex);
 
     const String prefix_str = (prefix.empty() ? "" : prefix + ".");
 
+    if (config.has(prefix_str + "roles_filter"))
+        roles_filter.emplace(config.getString(prefix_str + "roles_filter"));
+
     provider_name = config.getString(prefix_str + "processor");
     if (provider_name.empty())
         throw Exception(ErrorCodes::BAD_ARGUMENTS, "'processor' must be specified for Token user directory");
@@ -369,21 +371,22 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
         throwAddressNotAllowed(address);
 
     std::set<String> external_roles;
-    if (!roles_filter.ok())
-    {
-        external_roles = token_credentials.getGroups();
-        LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
-    }
-    else
+    if (roles_filter.has_value() && roles_filter.value().ok())
     {
+        LOG_TRACE(getLogger(), "{}: External role filter found, applying only matching groups", getStorageName());
         for (const auto & group: token_credentials.getGroups()) {
-            if (RE2::FullMatch(group, roles_filter))
+            if (RE2::FullMatch(group, roles_filter.value()))
             {
                 external_roles.insert(group);
                 LOG_TRACE(getLogger(), "{}: Granted role (group) {} to user", getStorageName(), user->getName());
             }
         }
     }
+    else
+    {
+        LOG_TRACE(getLogger(), "{}: No external role filtering set, applying all available groups", getStorageName());
+        external_roles = token_credentials.getGroups();
+    }
 
     if (new_user)
     {
diff --git a/src/Access/TokenAccessStorage.h b/src/Access/TokenAccessStorage.h
@@ -48,7 +48,7 @@ class TokenAccessStorage : public IAccessStorage
     const String & prefix;
 
     String provider_name;
-    re2::RE2 roles_filter;
+    std::optional<re2::RE2> roles_filter = std::nullopt;
 
     std::set<String> common_role_names;                         // role name that should be granted to all users at all times
     mutable std::map<String, std::size_t> external_role_hashes;
