This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push:
new 9450a5926d8 [fix](auth) fix overwrite logic of user with domain
(#27003)
9450a5926d8 is described below
commit 9450a5926d85e3dc048a8c698a2099a372a4e204
Author: Mingyu Chen <[email protected]>
AuthorDate: Wed Nov 15 13:46:56 2023 +0800
[fix](auth) fix overwrite logic of user with domain (#27003)
backport #27002
---
.../org/apache/doris/mysql/privilege/Auth.java | 2 +-
.../apache/doris/mysql/privilege/UserManager.java | 6 ++++
.../org/apache/doris/mysql/privilege/AuthTest.java | 32 ++++++++++++++++++++++
3 files changed, 39 insertions(+), 1 deletion(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index d07ba404c25..3d0c119f480 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -453,7 +453,7 @@ public class Auth implements Writable {
// create user
try {
- //we should not throw AnalysisException at here,so transfer it
+ // we should not throw AnalysisException at here,so transfer it
userManager.createUser(userIdent, password, null, false);
} catch (PatternMatcherException e) {
throw new DdlException("create user failed,", e);
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java
index 9a7b2a55ea0..dc7d6a6872b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserManager.java
@@ -183,6 +183,12 @@ public class UserManager implements Writable {
throws PatternMatcherException {
if (userIdentityExist(userIdent, true)) {
User userByUserIdentity = getUserByUserIdentity(userIdent);
+ if (!userByUserIdentity.isSetByDomainResolver() && setByResolver) {
+ // If the user is NOT created by domain resolver,
+ // and the current operation is done by DomainResolver,
+ // we should not override it, just return
+ return userByUserIdentity;
+ }
userByUserIdentity.setPassword(pwd);
userByUserIdentity.setSetByDomainResolver(setByResolver);
return userByUserIdentity;
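Review bot: The new early return under `if (!userByUserIdentity.isSetByDomainResolver() && setByResolver)` is silent, and its comment says what is skipped but not what would go wrong otherwise. From the two lines that follow, the resolver would replace the stored password of an explicitly created user@ip and mark the entry as resolver-owned. I would state that in the comment, e.g. `// An explicitly created user@ip takes precedence: the resolver must not replace its password or mark it as resolver-owned.` If this class has a logger (not visible in the hunk), a debug line naming `userIdent` on this branch would make the skipped overwrite traceable when auditing account changes. The method's signature and the rest of its body are outside the hunk.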
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
index 5ebfb97e0b1..10fa234607d 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -1470,6 +1470,38 @@ public class AuthTest {
e.printStackTrace();
Assert.fail();
}
+
+ // test domain override
+ // 1. create a domain user
+ new Expectations() {
+ {
+ ctx.getCurrentUserIdentity();
+ minTimes = 1;
+ result = UserIdentity.ROOT;
+ }
+ };
+ UserIdentity domainUser = new UserIdentity("test_domain_user",
"palo.domain1", true);
+ userDesc = new UserDesc(domainUser, "12345", true);
+ createUserStmt = new CreateUserStmt(false, userDesc, null);
+ createUserStmt.analyze(analyzer);
+ auth.createUser(createUserStmt);
+ // 2. create a normal user with same ip in domain
+ UserIdentity normalUser = new UserIdentity("test_domain_user",
"10.1.1.1");
+ userDesc = new UserDesc(normalUser, "12345", true);
+ createUserStmt = new CreateUserStmt(false, userDesc, null);
+ createUserStmt.analyze(analyzer);
+ auth.createUser(createUserStmt);
+ // 3. run resolve
+ resolver.runAfterCatalogReady();
+ // 4. user grant to test that normal user is not overwrite by domain
resolve
+ grantStmt = new GrantStmt(normalUser, null, new TablePattern("*", "*",
"*"), privileges);
+ try {
+ grantStmt.analyze(analyzer);
+ auth.grant(grantStmt);
+ } catch (UserException e) {
+ e.printStackTrace();
+ Assert.fail();
+ }
}
@Test
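Review bot: The added test cannot detect a password overwrite, because the domain user and the normal user are both created with `"12345"`; the resolver replacing the normal user's password would leave it unchanged. Step 4 only checks that `auth.grant(grantStmt)` does not throw, which presumably depends on grant rejecting resolver-owned entries, so the password half of the fix in UserManager is not exercised. I would give the normal user a distinct value, e.g. `userDesc = new UserDesc(normalUser, "54321", true);` (constructed sample). After `resolver.runAfterCatalogReady()`, assert that the stored credential for `normalUser` is still that one and that the entry is still not marked as set by the domain resolver. The test method begins outside the hunk.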