
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 26a7f86b66 [improvement](auth)only GRANT_PRIV and USAGE_PRIV can GRANT 
for RESOURCE (#19547)
26a7f86b66 is described below

commit 26a7f86b6663dcda151b0aa5afa766885faa27b7
Author: zhangdong <[email protected]>
AuthorDate: Fri May 12 15:47:04 2023 +0800

    [improvement](auth)only GRANT_PRIV and USAGE_PRIV can GRANT for RESOURCE 
(#19547)
    
    only GRANT_PRIV and USAGE_PRIV can GRANT for RESOURCE
---
 .../main/java/org/apache/doris/analysis/GrantStmt.java    | 15 ++++++---------
 .../java/org/apache/doris/mysql/privilege/Privilege.java  | 11 +++++++++++
 .../java/org/apache/doris/mysql/privilege/AuthTest.java   | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index 328f8b5279..482656e93c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -110,7 +110,7 @@ public class GrantStmt extends DdlStmt {
     }
 
     @Override
-    public void analyze(Analyzer analyzer) throws AnalysisException, 
UserException {
+    public void analyze(Analyzer analyzer) throws UserException {
         super.analyze(analyzer);
         if (userIdent != null) {
             userIdent.analyze(analyzer.getClusterName());
@@ -214,14 +214,11 @@ public class GrantStmt extends DdlStmt {
 
     public static void checkResourcePrivileges(List<Privilege> privileges, 
String role,
             ResourcePattern resourcePattern) throws AnalysisException {
-        // Rule 1
-        if (privileges.contains(Privilege.NODE_PRIV)) {
-            throw new AnalysisException("Can not grant/revoke NODE_PRIV 
to/from any other users or roles");
-        }
-
-        // Rule 2
-        if (resourcePattern.getPrivLevel() != PrivLevel.GLOBAL && 
privileges.contains(Privilege.ADMIN_PRIV)) {
-            throw new AnalysisException("ADMIN_PRIV privilege can only be 
granted/revoked on/from resource *");
+        for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; 
i++) {
+            if 
(privileges.contains(Privilege.notBelongToResourcePrivileges[i])) {
+                throw new AnalysisException(String.format("Can not 
grant/revoke %s to/from any other users or roles",
+                        Privilege.notBelongToResourcePrivileges[i]));
+            }
         }
 
         if (role != null) {
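Review bot: The new loop is a denylist, so any value added to the `Privilege` enum later is silently grantable on a RESOURCE until someone also remembers to append it to `notBelongToResourcePrivileges`; the commit title states the intent as "only GRANT_PRIV and USAGE_PRIV", which an allowlist expresses directly and fails closed. Iterating the requested privileges and rejecting anything other than those two keeps the same error message and removes the hand-maintained array from this check. The error text still says "any other users or roles" for every rejected privilege, which was accurate for NODE_PRIV but is misleading for, say, SELECT_PRIV, which is simply not applicable to resources; consider "Can not grant/revoke %s on resource". `checkResourcePrivileges` continues past the end of this hunk.
```java
    public static void checkResourcePrivileges(List<Privilege> privileges, String role,
            ResourcePattern resourcePattern) throws AnalysisException {
        // Fail closed: a RESOURCE only carries GRANT_PRIV and USAGE_PRIV, so any
        // other privilege (including ones added to the enum later) is rejected.
        for (Privilege priv : privileges) {
            if (priv != Privilege.GRANT_PRIV && priv != Privilege.USAGE_PRIV) {
                throw new AnalysisException(String.format(
                        "Can not grant/revoke %s to/from any other users or roles", priv));
            }
        }
        // … unchanged: role check and the rest of the method …
```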
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
index 412fd0aa56..82bb9c911f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
@@ -44,6 +44,17 @@ public enum Privilege {
             USAGE_PRIV
     };
 
+    // only GRANT_PRIV and USAGE_PRIV can grant on resource
+    public static Privilege[] notBelongToResourcePrivileges = {
+            NODE_PRIV,
+            ADMIN_PRIV,
+            SELECT_PRIV,
+            LOAD_PRIV,
+            ALTER_PRIV,
+            CREATE_PRIV,
+            DROP_PRIV
+    };
+
     public static Map<Privilege, String> privInDorisToMysql =
             ImmutableMap.<Privilege, String>builder() // No NODE_PRIV and 
ADMIN_PRIV in the mysql
                     .put(SELECT_PRIV, "SELECT")
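Review bot: `notBelongToResourcePrivileges` is a public, non-final, mutable array, so any code in the process can reassign the field or overwrite an element and thereby change which privileges `GrantStmt.checkResourcePrivileges` rejects; an authorization rule should not be writable at runtime. At minimum make it `public static final Privilege[] notBelongToResourcePrivileges = {`, and since the neighbouring `privInDorisToMysql` already uses an immutable map, holding this list in an immutable set would also close the element-mutation hole. The comment above it describes the opposite of what the array contains; something like `// Privileges that can NOT be granted/revoked on a RESOURCE (only GRANT_PRIV and USAGE_PRIV apply to resources); keep in sync with the enum values` reads correctly from the caller's side.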
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java 
b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
index c75fb797e1..8e26cac872 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -1580,7 +1580,19 @@ public class AuthTest {
         }
         Assert.assertFalse(accessManager.checkResourcePriv(userIdentity, 
resourceName, PrivPredicate.USAGE));
         Assert.assertFalse(accessManager.checkGlobalPriv(userIdentity, 
PrivPredicate.USAGE));
-
+        // 3.1 grant 'notBelongToResourcePrivileges' on resource 'spark0' to 
'testUser'@'%'
+        for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; 
i++) {
+            List<AccessPrivilege> notAllowedPrivileges = Lists
+                    
.newArrayList(AccessPrivilege.fromName(Privilege.notBelongToResourcePrivileges[i].getName()));
+            grantStmt = new GrantStmt(userIdentity, null, resourcePattern, 
notAllowedPrivileges);
+            try {
+                grantStmt.analyze(analyzer);
+                Assert.fail(String.format("Can not grant/revoke %s to/from any 
other users or roles",
+                        Privilege.notBelongToResourcePrivileges[i]));
+            } catch (UserException e) {
+                e.printStackTrace();
+            }
+        }
         // 4. drop user
         DropUserStmt dropUserStmt = new DropUserStmt(userIdentity);
         try {
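Review bot: The `catch (UserException e)` block accepts any `UserException` and only prints it, so a failure raised before the resource check is reached (or a different analysis error) also passes the test, and nothing confirms the privilege named in the message is the one rejected. Replace `e.printStackTrace();` with `Assert.assertTrue(e.getMessage(), e.getMessage().contains("Can not grant/revoke " + Privilege.notBelongToResourcePrivileges[i]));` so the assertion pins the rejection to that privilege. The `Assert.fail(...)` message reuses the expected exception's wording, which reads as though the check fired when it actually did not; a message such as "expected grant of %s on resource to be rejected" is clearer. The enclosing test method starts and ends outside this hunk.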

