This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new cae5a9d3cd [Fix](auth) fix revoke role operation cause fe down (#23852)
cae5a9d3cd is described below
commit cae5a9d3cda764fc28b51bd9320911eda81411f6
Author: Houliang Qi <[email protected]>
AuthorDate: Sun Sep 10 16:16:07 2023 +0800
[Fix](auth) fix revoke role operation cause fe down (#23852)
If there are 3 FE nodes or above,
the following operations will cause all FE nodes to go down.
DROP USER revoke_test_user
DROP ROLE revoke_test_role
DROP DATABASE IF EXISTS revoke_test_db
CREATE DATABASE revoke_test_db
CREATE ROLE revoke_test_role
CREATE USER revoke_test_user IDENTIFIED BY 'revoke_test_pwd'
GRANT SELECT_PRIV ON revoke_test_db.* TO ROLE 'revoke_test_role'
GRANT 'revoke_test_role' TO revoke_test_user
SHOW GRANTS FOR revoke_test_user
REVOKE 'revoke_test_role' from revoke_test_user
SHOW GRANTS FOR revoke_test_user
DROP USER revoke_test_user
DROP ROLE revoke_test_role
DROP DATABASE revoke_test_db
---
.../org/apache/doris/mysql/privilege/Auth.java | 2 +-
.../suites/account_p0/test_revoke_role.groovy | 49 ++++++++++++++++++++++
2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 636ac50f39..9ebf6075ae 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -711,7 +711,7 @@ public class Auth implements Writable {
revokeInternal(info.getUserIdent(), info.getRole(),
info.getWorkloadGroupPattern(), info.getPrivs(),
true /* err on non exist */, true /* is replay */);
} else {
- revokeInternal(info.getUserIdent(), info.getRoles(), false);
+ revokeInternal(info.getUserIdent(), info.getRoles(), true /* is replay */);
}
} catch (DdlException e) {
LOG.error("should not happened", e);
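Review bot: The replay flag is still a bare positional boolean in `revokeInternal(info.getUserIdent(), info.getRoles(), true /* is replay */)`, and the defect fixed here was a wrong literal in exactly that slot, so nothing but the inline comment guards against it recurring; a named constant or a dedicated replay entry point would make the intent checkable at the call site. Separately, the catch that follows only logs `"should not happened"`: if a replayed revoke ever throws, this node would presumably keep the role granted while the master has revoked it, which is an authorization divergence operators need to be able to spot. Assuming LOG accepts parameterized messages, something like `LOG.error("replay revoke failed, user={}, roles={}", info.getUserIdent(), info.getRoles(), e);` would give them that. The enclosing method starts and ends outside this hunk.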
diff --git a/regression-test/suites/account_p0/test_revoke_role.groovy b/regression-test/suites/account_p0/test_revoke_role.groovy
new file mode 100644
index 0000000000..50590bd176
--- /dev/null
+++ b/regression-test/suites/account_p0/test_revoke_role.groovy
@@ -0,0 +1,49 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_revoke_role", "account") {
+ def role= 'revoke_test_role'
+ def user = 'revoke_test_user'
+ def dbName = 'revoke_test_db'
+ def pwd = 'revoke_test_pwd'
+
+ try_sql("DROP ROLE ${role}")
+ try_sql("DROP USER ${user}")
+ try_sql("DROP ROLE ${role}")
+ sql """DROP DATABASE IF EXISTS ${dbName}"""
+ sql """CREATE DATABASE ${dbName}"""
+
+ sql """CREATE ROLE ${role}"""
+ sql """CREATE USER ${user} IDENTIFIED BY '${pwd}'"""
+
+ sql """GRANT SELECT_PRIV ON ${dbName}.* TO ROLE '${role}'"""
+ sql """GRANT '${role}' TO ${user}"""
+
+ def result = sql """ SHOW GRANTS FOR ${user} """
+ assertEquals(result.size(), 1)
+ assertTrue(result[0][5].contains("internal.default_cluster:${dbName}: Select_priv"))
+
+ sql """REVOKE '${role}' from ${user}"""
+ result = sql """ SHOW GRANTS FOR ${user} """
+ assertEquals(result.size(), 1)
+ assertFalse(result[0][5].contains("internal.default_cluster:${dbName}: Select_priv"))
+
+ sql """DROP USER ${user}"""
+ sql """DROP ROLE ${role}"""
+ sql """DROP DATABASE ${dbName}"""
+}
+
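Review bot: The cleanup at the end of the suite (`DROP USER`, `DROP ROLE`, `DROP DATABASE`) only runs when every assertion passes, so a failed run leaves `revoke_test_user` behind with its fixed password and, if the failure is before the REVOKE, with the role still granted. Moving the teardown into a `finally` block using the `try_sql` helper already used at the top would keep a shared test cluster free of stale accounts. The opening `try_sql("DROP ROLE ${role}")` is also issued twice, before and after the `DROP USER`, and one of them can go. Note too that the commit message says the crash needs three or more FE nodes, so on a single-FE run this suite likely checks the grant and revoke result but not the replay path that was fixed.

```groovy
    try {
        // … unchanged: create database/role/user, grant, revoke and the SHOW GRANTS assertions …
    } finally {
        try_sql("DROP USER ${user}")
        try_sql("DROP ROLE ${role}")
        try_sql("DROP DATABASE IF EXISTS ${dbName}")
    }
```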