This is an automated email from the ASF dual-hosted git repository.

kxiao pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.0 by this push:
     new bacf7ea268a [fix](refresh) fix priv issue of refresh database and 
table operation #26793 (#26794)
bacf7ea268a is described below

commit bacf7ea268ae7ee65fea18dc1c3c82479d24023d
Author: Mingyu Chen <morning...@163.com>
AuthorDate: Sat Nov 11 15:47:07 2023 +0800

    [fix](refresh) fix priv issue of refresh database and table operation 
#26793 (#26794)
---
 .../org/apache/doris/analysis/RefreshDbStmt.java   |  6 ++--
 .../apache/doris/analysis/RefreshTableStmt.java    |  6 ++--
 .../org/apache/doris/catalog/RefreshDbTest.java    | 40 ++++++++++++++++++++++
 .../org/apache/doris/catalog/RefreshTableTest.java | 40 ++++++++++++++++++++++
 4 files changed, 88 insertions(+), 4 deletions(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
index cd8fef0c31e..18124a08206 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
@@ -85,11 +85,13 @@ public class RefreshDbStmt extends DdlStmt {
                     ErrorCode.ERR_DBACCESS_DENIED_ERROR, 
analyzer.getQualifiedUser(), dbName);
         }
         // check access
-        if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
dbName, PrivPredicate.DROP)) {
+        if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
catalogName,
+                dbName, PrivPredicate.DROP)) {
             
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
                     ConnectContext.get().getQualifiedUser(), dbName);
         }
-        if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
dbName, PrivPredicate.CREATE)) {
+        if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
catalogName,
+                dbName, PrivPredicate.CREATE)) {
             ErrorReport.reportAnalysisException(
                     ErrorCode.ERR_DBACCESS_DENIED_ERROR, 
analyzer.getQualifiedUser(), dbName);
         }
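Review bot: The two denial branches name the user from different sources: the DROP branch reports `ConnectContext.get().getQualifiedUser()`, while the CREATE branch still reports `analyzer.getQualifiedUser()`, although both checks are evaluated against `ConnectContext.get()`. An access-denied message should name the principal the check was actually made for, so the CREATE branch would read `ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName);`. The message also carries only `dbName`, so now that the check is scoped by `catalogName`, a denial on a same-named database in another catalog looks identical in logs. The enclosing method starts and ends outside this hunk, so how `catalogName` is resolved when the statement omits it cannot be confirmed from here.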
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
index b0eff7ed864..65bf35f3059 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
@@ -58,12 +58,14 @@ public class RefreshTableStmt extends DdlStmt {
         tableName.analyze(analyzer);
 
         // check access
-        if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), 
tableName.getDb(),
+        if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
+                tableName.getCtl(), tableName.getDb(),
                 tableName.getTbl(), PrivPredicate.DROP)) {
             
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"DROP");
         }
 
-        if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), 
tableName.getDb(),
+        if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
+                tableName.getCtl(), tableName.getDb(),
                 tableName.getTbl(), PrivPredicate.CREATE)) {
             
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"CREATE");
         }
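Review bot: The `// check access` comment above the two checks does not say that both privileges are required or which catalog they are evaluated in, which is the whole point of this fix. Suggest replacing it with `// REFRESH requires both DROP and CREATE on the table, checked in the table's own catalog (tableName.getCtl())`. This presumes `tableName.analyze(analyzer)` has populated the catalog before the checks run. That is not visible in the hunk, and the method continues outside it.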
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java 
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
index 23def21689c..6ddc5b206ef 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
@@ -18,16 +18,23 @@
 package org.apache.doris.catalog;
 
 import org.apache.doris.analysis.CreateCatalogStmt;
+import org.apache.doris.analysis.CreateUserStmt;
 import org.apache.doris.analysis.DropCatalogStmt;
+import org.apache.doris.analysis.GrantStmt;
 import org.apache.doris.analysis.RefreshDbStmt;
+import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.catalog.external.ExternalDatabase;
 import org.apache.doris.catalog.external.TestExternalDatabase;
 import org.apache.doris.catalog.external.TestExternalTable;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ExceptionChecker;
 import org.apache.doris.common.FeConstants;
 import org.apache.doris.datasource.CatalogIf;
 import org.apache.doris.datasource.test.TestExternalCatalog;
+import org.apache.doris.mysql.privilege.Auth;
 import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.DdlExecutor;
+import org.apache.doris.system.SystemInfoService;
 import org.apache.doris.utframe.TestWithFeService;
 
 import com.google.common.collect.Lists;
@@ -105,6 +112,39 @@ public class RefreshDbTest extends TestWithFeService {
         }
     }
 
+    @Test
+    public void testRefreshPriv() throws Exception {
+        Auth auth = Env.getCurrentEnv().getAuth();
+        // create user1
+        auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
+                "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
+        // grant only create_priv to user1 on test1.db1.tbl11
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+                "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx);
+        auth.grant(grantStmt);
+
+        // mock login user1
+        UserIdentity user1 = new UserIdentity("user1", "%");
+        user1.analyze(SystemInfoService.DEFAULT_CLUSTER);
+        ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
+        ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
+                "Access denied for user 'default_cluster:user1' to database 
'default_cluster:db1'",
+                () -> parseAndAnalyzeStmt("refresh database test1.db1", 
user1Ctx));
+        ConnectContext.remove();
+
+        // add drop priv to user1
+        rootCtx.setThreadLocalInfo();
+        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+                "grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx);
+        auth.grant(grantStmt);
+        ConnectContext.remove();
+
+        // user1 can do refresh table
+        user1Ctx.setThreadLocalInfo();
+        ExceptionChecker.expectThrowsNoException(
+                () -> parseAndAnalyzeStmt("refresh database test1.db1", 
user1Ctx));
+    }
+
     public static class RefreshTableProvider implements 
TestExternalCatalog.TestCatalogProvider {
         public static final Map<String, Map<String, List<Column>>> MOCKED_META;
 
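Review bot: `testRefreshPriv` only exercises grants made on `test1.db1` itself, so it does not pin the case where a user holding DROP and CREATE on a same-named database in a different catalog attempts the refresh and must be denied. Judging by the removed lines in RefreshDbStmt.java, that is the regression a catalog-less check would reintroduce. The test also ends with `user1Ctx` installed as the thread-local context and never drops `user1`, which may leak into later tests in the class; finishing with `rootCtx.setThreadLocalInfo();` would restore it. Two comments are stale: `// grant only create_priv to user1 on test1.db1.tbl11` sits above a grant on `test1.db1.*`, and `// user1 can do refresh table` sits above a `refresh database` statement. The first two points apply equally to `testRefreshPriv` in RefreshTableTest.java.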
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java 
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
index a37f1ca98f4..feeec75a7b4 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
@@ -18,15 +18,22 @@
 package org.apache.doris.catalog;
 
 import org.apache.doris.analysis.CreateCatalogStmt;
+import org.apache.doris.analysis.CreateUserStmt;
 import org.apache.doris.analysis.DropCatalogStmt;
+import org.apache.doris.analysis.GrantStmt;
 import org.apache.doris.analysis.RefreshTableStmt;
 import org.apache.doris.analysis.TableName;
+import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.catalog.external.TestExternalTable;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ExceptionChecker;
 import org.apache.doris.common.FeConstants;
 import org.apache.doris.datasource.CatalogIf;
 import org.apache.doris.datasource.test.TestExternalCatalog;
+import org.apache.doris.mysql.privilege.Auth;
 import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.DdlExecutor;
+import org.apache.doris.system.SystemInfoService;
 import org.apache.doris.utframe.TestWithFeService;
 
 import com.google.common.collect.Lists;
@@ -93,6 +100,39 @@ public class RefreshTableTest extends TestWithFeService {
         Assertions.assertTrue(l5 == l4);
     }
 
+    @Test
+    public void testRefreshPriv() throws Exception {
+        Auth auth = Env.getCurrentEnv().getAuth();
+        // create user1
+        auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
+                "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
+        // grant only create_priv to user1 on test1.db1.tbl11
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+                "grant create_priv on test1.db1.tbl11 to 'user1'@'%';", 
rootCtx);
+        auth.grant(grantStmt);
+
+        // mock login user1
+        UserIdentity user1 = new UserIdentity("user1", "%");
+        user1.analyze(SystemInfoService.DEFAULT_CLUSTER);
+        ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
+        ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
+                "Access denied; you need (at least one of) the DROP 
privilege(s) for this operation",
+                () -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", 
user1Ctx));
+        ConnectContext.remove();
+
+        // add drop priv to user1
+        rootCtx.setThreadLocalInfo();
+        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+                "grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
+        auth.grant(grantStmt);
+        ConnectContext.remove();
+
+        // user1 can do refresh table
+        user1Ctx.setThreadLocalInfo();
+        ExceptionChecker.expectThrowsNoException(
+                () -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", 
user1Ctx));
+    }
+
     public static class RefreshTableProvider implements 
TestExternalCatalog.TestCatalogProvider {
         public static final Map<String, Map<String, List<Column>>> MOCKED_META;
 

