This is an automated email from the ASF dual-hosted git repository. kxiao pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push: new bacf7ea268a [fix](refresh) fix priv issue of refresh database and table operation #26793 (#26794) bacf7ea268a is described below commit bacf7ea268ae7ee65fea18dc1c3c82479d24023d Author: Mingyu Chen <morning...@163.com> AuthorDate: Sat Nov 11 15:47:07 2023 +0800 [fix](refresh) fix priv issue of refresh database and table operation #26793 (#26794) --- .../org/apache/doris/analysis/RefreshDbStmt.java | 6 ++-- .../apache/doris/analysis/RefreshTableStmt.java | 6 ++-- .../org/apache/doris/catalog/RefreshDbTest.java | 40 ++++++++++++++++++++++ .../org/apache/doris/catalog/RefreshTableTest.java | 40 ++++++++++++++++++++++ 4 files changed, 88 insertions(+), 4 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java index cd8fef0c31e..18124a08206 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java @@ -85,11 +85,13 @@ public class RefreshDbStmt extends DdlStmt { ErrorCode.ERR_DBACCESS_DENIED_ERROR, analyzer.getQualifiedUser(), dbName); } // check access - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, PrivPredicate.DROP)) { + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName, + dbName, PrivPredicate.DROP)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName); } - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, PrivPredicate.CREATE)) { + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName, + dbName, PrivPredicate.CREATE)) { ErrorReport.reportAnalysisException( ErrorCode.ERR_DBACCESS_DENIED_ERROR, analyzer.getQualifiedUser(), dbName); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java index b0eff7ed864..65bf35f3059 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java @@ -58,12 +58,14 @@ public class RefreshTableStmt extends DdlStmt { tableName.analyze(analyzer); // check access - if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), tableName.getDb(), + if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), + tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.DROP)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP"); } - if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), tableName.getDb(), + if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), + tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.CREATE)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE"); } diff --git a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java index 23def21689c..6ddc5b206ef 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java @@ -18,16 +18,23 @@ package org.apache.doris.catalog; import org.apache.doris.analysis.CreateCatalogStmt; +import org.apache.doris.analysis.CreateUserStmt; import org.apache.doris.analysis.DropCatalogStmt; +import org.apache.doris.analysis.GrantStmt; import org.apache.doris.analysis.RefreshDbStmt; +import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.external.ExternalDatabase; import org.apache.doris.catalog.external.TestExternalDatabase; import org.apache.doris.catalog.external.TestExternalTable; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ExceptionChecker; import org.apache.doris.common.FeConstants; import org.apache.doris.datasource.CatalogIf; import org.apache.doris.datasource.test.TestExternalCatalog; +import org.apache.doris.mysql.privilege.Auth; import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.DdlExecutor; +import org.apache.doris.system.SystemInfoService; import org.apache.doris.utframe.TestWithFeService; import com.google.common.collect.Lists; @@ -105,6 +112,39 @@ public class RefreshDbTest extends TestWithFeService { } } + @Test + public void testRefreshPriv() throws Exception { + Auth auth = Env.getCurrentEnv().getAuth(); + // create user1 + auth.createUser((CreateUserStmt) parseAndAnalyzeStmt( + "create user 'user1'@'%' identified by 'pwd1';", rootCtx)); + // grant only create_priv to user1 on test1.db1.tbl11 + GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt( + "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx); + auth.grant(grantStmt); + + // mock login user1 + UserIdentity user1 = new UserIdentity("user1", "%"); + user1.analyze(SystemInfoService.DEFAULT_CLUSTER); + ConnectContext user1Ctx = createCtx(user1, "127.0.0.1"); + ExceptionChecker.expectThrowsWithMsg(AnalysisException.class, + "Access denied for user 'default_cluster:user1' to database 'default_cluster:db1'", + () -> parseAndAnalyzeStmt("refresh database test1.db1", user1Ctx)); + ConnectContext.remove(); + + // add drop priv to user1 + rootCtx.setThreadLocalInfo(); + grantStmt = (GrantStmt) parseAndAnalyzeStmt( + "grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx); + auth.grant(grantStmt); + ConnectContext.remove(); + + // user1 can do refresh table + user1Ctx.setThreadLocalInfo(); + ExceptionChecker.expectThrowsNoException( + () -> parseAndAnalyzeStmt("refresh database test1.db1", user1Ctx)); + } + public static class RefreshTableProvider implements TestExternalCatalog.TestCatalogProvider { public static final Map<String, Map<String, List<Column>>> MOCKED_META; diff --git a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java index a37f1ca98f4..feeec75a7b4 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java @@ -18,15 +18,22 @@ package org.apache.doris.catalog; import org.apache.doris.analysis.CreateCatalogStmt; +import org.apache.doris.analysis.CreateUserStmt; import org.apache.doris.analysis.DropCatalogStmt; +import org.apache.doris.analysis.GrantStmt; import org.apache.doris.analysis.RefreshTableStmt; import org.apache.doris.analysis.TableName; +import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.external.TestExternalTable; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ExceptionChecker; import org.apache.doris.common.FeConstants; import org.apache.doris.datasource.CatalogIf; import org.apache.doris.datasource.test.TestExternalCatalog; +import org.apache.doris.mysql.privilege.Auth; import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.DdlExecutor; +import org.apache.doris.system.SystemInfoService; import org.apache.doris.utframe.TestWithFeService; import com.google.common.collect.Lists; @@ -93,6 +100,39 @@ public class RefreshTableTest extends TestWithFeService { Assertions.assertTrue(l5 == l4); } + @Test + public void testRefreshPriv() throws Exception { + Auth auth = Env.getCurrentEnv().getAuth(); + // create user1 + auth.createUser((CreateUserStmt) parseAndAnalyzeStmt( + "create user 'user1'@'%' identified by 'pwd1';", rootCtx)); + // grant only create_priv to user1 on test1.db1.tbl11 + GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt( + "grant create_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx); + auth.grant(grantStmt); + + // mock login user1 + UserIdentity user1 = new UserIdentity("user1", "%"); + user1.analyze(SystemInfoService.DEFAULT_CLUSTER); + ConnectContext user1Ctx = createCtx(user1, "127.0.0.1"); + ExceptionChecker.expectThrowsWithMsg(AnalysisException.class, + "Access denied; you need (at least one of) the DROP privilege(s) for this operation", + () -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", user1Ctx)); + ConnectContext.remove(); + + // add drop priv to user1 + rootCtx.setThreadLocalInfo(); + grantStmt = (GrantStmt) parseAndAnalyzeStmt( + "grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx); + auth.grant(grantStmt); + ConnectContext.remove(); + + // user1 can do refresh table + user1Ctx.setThreadLocalInfo(); + ExceptionChecker.expectThrowsNoException( + () -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", user1Ctx)); + } + public static class RefreshTableProvider implements TestExternalCatalog.TestCatalogProvider { public static final Map<String, Map<String, List<Column>>> MOCKED_META; --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org