This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push:
new 97d6021c03d [opt](resource-tag) root and admin user can use any
resource tag by default #28088 (#28080)
97d6021c03d is described below
commit 97d6021c03d68aac837cc5f9979c9f8ccb9ee1e0
Author: Mingyu Chen <[email protected]>
AuthorDate: Wed Dec 6 23:40:53 2023 +0800
[opt](resource-tag) root and admin user can use any resource tag by default
#28088 (#28080)
bp #28088
---
docs/en/docs/admin-manual/multi-tenant.md | 4 ++--
docs/zh-CN/docs/admin-manual/multi-tenant.md | 4 ++--
.../apache/doris/mysql/privilege/CommonUserProperties.java | 4 ----
.../org/apache/doris/mysql/privilege/UserPropertyMgr.java | 11 ++++++++++-
.../test/java/org/apache/doris/catalog/UserPropertyTest.java | 3 +--
.../java/org/apache/doris/planner/ResourceTagQueryTest.java | 2 +-
6 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/docs/en/docs/admin-manual/multi-tenant.md
b/docs/en/docs/admin-manual/multi-tenant.md
index b5659a7897e..d4f207ceae7 100644
--- a/docs/en/docs/admin-manual/multi-tenant.md
+++ b/docs/en/docs/admin-manual/multi-tenant.md
@@ -138,7 +138,7 @@ Node resource division refers to setting tags for BE nodes
in a Doris cluster, a
After the setting is complete, when user1 initiates a query on the
UserTable table, it will only access the data copy on the nodes in the
`group_a` resource group, and the query will only use the node computing
resources in the `group_a` resource group. The query of user3 can use copies
and computing resources in any resource group.
- > Note: By default, the user's `resource_tags.location` attribute is
empty. In versions prior to 2.0.2 (inclusive), by default, users are not
restricted by tags and can use any resource group. After version 2.0.3, users
can only use the `default` resource group by default.
+ > Note: By default, the user's `resource_tags.location` attribute is
empty. In versions prior to 2.0.2 (inclusive), by default, users are not
restricted by tags and can use any resource group. After version 2.0.3, normal
users can only use the `default` resource group by default. Root and Admin user
can use any resource group.
In this way, we have achieved physical resource isolation for different
user queries by dividing nodes and restricting user resource usage.
Furthermore, we can create different users for different business departments
and restrict each user from using different resource groups. In order to avoid
the use of resource interference between different business parts. For example,
there is a business table in the cluster that needs to be shared by all 9
business departments, but it is hoped [...]
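Review bot: The added sentence "Root and Admin user can use any resource group" reads as if it covers any user holding an admin role, but the check in UserPropertyMgr.getResourceTags matches only the two account names `Auth.ROOT_USER` and `Auth.ADMIN_USER`. Say "the built-in `root` and `admin` accounts" so that operators do not assume a user who was granted admin privileges is also exempt. It would also help to state that these two accounts can still be pinned with `set property for 'root' 'resource_tags.location' = 'default';`, and to replace "After version 2.0.3" with wording that makes clear whether 2.0.3 itself is included, since the preceding sentence uses "prior to 2.0.2 (inclusive)".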
@@ -268,4 +268,4 @@ Through the above 4 steps, we can smoothly use the resource
division function af
The table creation statements for table2, table3, and table4 do not need to
specify `replication_allocation` again.
- Note: Changing the replica distribution policy of the database will not
affect existing tables.
\ No newline at end of file
+ Note: Changing the replica distribution policy of the database will not
affect existing tables.
diff --git a/docs/zh-CN/docs/admin-manual/multi-tenant.md
b/docs/zh-CN/docs/admin-manual/multi-tenant.md
index ec24a513825..7e346dbd8e5 100644
--- a/docs/zh-CN/docs/admin-manual/multi-tenant.md
+++ b/docs/zh-CN/docs/admin-manual/multi-tenant.md
@@ -138,7 +138,7 @@ FE 不参与用户数据的处理计算等工作,因此是一个资源消耗
设置完成后,user1 在发起对 UserTable 表的查询时,只会访问 `group_a` 资源组内节点上的数据副本,并且查询仅会使用
`group_a` 资源组内的节点计算资源。而 user3 的查询可以使用任意资源组内的副本和计算资源。
- > 注:默认情况下,用户的 `resource_tags.location` 属性为空,在2.0.2(含)之前的版本中,默认情况下,用户不受 tag
的限制,可以使用任意资源组。在 2.0.3 版本之后,默认情况下,用户只能使用 `default` 资源组。
+ > 注:默认情况下,用户的 `resource_tags.location` 属性为空,在2.0.2(含)之前的版本中,默认情况下,用户不受 tag
的限制,可以使用任意资源组。在 2.0.3 版本之后,默认情况下,普通用户只能使用 `default` 资源组。root 和 admin
用户可以使用任意资源组。
这样,我们通过对节点的划分,以及对用户的资源使用限制,实现了不同用户查询上的物理资源隔离。更进一步,我们可以给不同的业务部门创建不同的用户,并限制每个用户使用不同的资源组。以避免不同业务部分之间使用资源干扰。比如集群内有一张业务表需要共享给所有9个业务部门使用,但是希望能够尽量避免不同部门之间的资源抢占。则我们可以为这张表创建3个副本,分别存储在3个资源组中。接下来,我们为9个业务部门创建9个用户,每3个用户限制使用一个资源组。这样,资源的竞争程度就由9降低到了3。
@@ -266,4 +266,4 @@ FE 不参与用户数据的处理计算等工作,因此是一个资源消耗
table2,table3,table4的建表语句无需再指定`replication_allocation`。
- 注意事项:更改database的副本分布策略不会对已有的table产生影响。
\ No newline at end of file
+ 注意事项:更改database的副本分布策略不会对已有的table产生影响。
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CommonUserProperties.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CommonUserProperties.java
index 8fa28485ae5..cf36639c0a9 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CommonUserProperties.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CommonUserProperties.java
@@ -110,10 +110,6 @@ public class CommonUserProperties implements Writable {
}
public Set<Tag> getResourceTags() {
- // If resource tags in user properties is empty, use default backend
tag.
- if (resourceTags.isEmpty()) {
- return Sets.newHashSet(Tag.DEFAULT_BACKEND_TAG);
- }
return resourceTags;
}
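Review bot: With the fallback removed, `getResourceTags()` now returns the raw, possibly empty set, and the comment added in UserPropertyMgr says an empty set means "user can access all backends". The restriction for normal users therefore holds only on paths that go through `UserPropertyMgr.getResourceTags`. Please confirm that no other caller reads `getResourceTags()` or `getCopiedResourceTags()` directly and treats the result as the effective tag set, otherwise a normal user with no tag configured becomes unrestricted on that path. A short Javadoc on this getter stating that it returns the configured value, not the effective one, would prevent that mistake later. The hunk also drops the only visible use of `Sets` in this file without touching the imports, so check for a now-unused import.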
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPropertyMgr.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPropertyMgr.java
index 7232417a2e8..46f900f655a 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPropertyMgr.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPropertyMgr.java
@@ -29,6 +29,7 @@ import org.apache.doris.load.DppConfig;
import org.apache.doris.resource.Tag;
import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@@ -123,7 +124,15 @@ public class UserPropertyMgr implements Writable {
if (existProperty == null) {
return UserProperty.INVALID_RESOURCE_TAGS;
}
- return existProperty.getCopiedResourceTags();
+ Set<Tag> tags = existProperty.getCopiedResourceTags();
+ // only root and admin can return empty tag.
+ // empty tag means user can access all backends.
+ // for normal user, if tag is empty, use default tag.
+ if (tags.isEmpty() && !(qualifiedUser.equalsIgnoreCase(Auth.ROOT_USER)
+ || qualifiedUser.equalsIgnoreCase(Auth.ADMIN_USER))) {
+ tags = Sets.newHashSet(Tag.DEFAULT_BACKEND_TAG);
+ }
+ return tags;
}
public Pair<String, DppConfig> getLoadClusterInfo(String qualifiedUser,
String cluster) throws DdlException {
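Review bot: The exemption in the new `if` is decided by a case-insensitive string match of `qualifiedUser` against `Auth.ROOT_USER` and `Auth.ADMIN_USER`, not by a privilege check. If user names are compared case-sensitively anywhere else in the auth path, an account created as `Root` or `ADMIN` would receive the unrestricted empty tag set here, so use the same comparison the rest of Auth uses for these two accounts, or key the exemption on the privilege itself. Separately, the empty set now carries the meaning "all backends", which is a fail-open sentinel: any caller that forgets the convention or filters the set down to nothing grants full access. An explicit marker (a dedicated constant or a boolean on the result) would be safer, and the three inline comments belong in the method's Javadoc, since they define the contract of the return value.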
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/catalog/UserPropertyTest.java
b/fe/fe-core/src/test/java/org/apache/doris/catalog/UserPropertyTest.java
index 3142d75691a..2a3252caadc 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/UserPropertyTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/UserPropertyTest.java
@@ -24,7 +24,6 @@ import org.apache.doris.common.Pair;
import org.apache.doris.common.UserException;
import org.apache.doris.load.DppConfig;
import org.apache.doris.mysql.privilege.UserProperty;
-import org.apache.doris.resource.Tag;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
@@ -118,7 +117,7 @@ public class UserPropertyTest {
Assert.assertEquals(new String[]{"rule1", "rule2"},
userProperty.getSqlBlockRules());
Assert.assertEquals(2, userProperty.getCpuResourceLimit());
Assert.assertEquals(500, userProperty.getQueryTimeout());
- Assert.assertEquals(Sets.newHashSet(Tag.DEFAULT_BACKEND_TAG),
userProperty.getCopiedResourceTags());
+ Assert.assertEquals(Sets.newHashSet(),
userProperty.getCopiedResourceTags());
// fetch property
List<List<String>> rows = userProperty.fetchProperty();
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/planner/ResourceTagQueryTest.java
b/fe/fe-core/src/test/java/org/apache/doris/planner/ResourceTagQueryTest.java
index 9bbc7ab55eb..8bcd302a181 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/planner/ResourceTagQueryTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/planner/ResourceTagQueryTest.java
@@ -196,7 +196,7 @@ public class ResourceTagQueryTest {
OlapTable tbl = (OlapTable) db.getTableNullable("tbl1");
Set<Tag> userTags =
Env.getCurrentEnv().getAuth().getResourceTags(Auth.ROOT_USER);
- Assert.assertEquals(1, userTags.size());
+ Assert.assertEquals(0, userTags.size());
// set default tag for root
String setPropStr = "set property for 'root' 'resource_tags.location'
= 'default';";
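Review bot: Changing the expected size from 1 to 0 covers only `Auth.ROOT_USER`; nothing in the visible tests exercises the other two branches of the new condition. Please add assertions that `getResourceTags(Auth.ADMIN_USER)` is also empty and, more importantly, that a normal user with no `resource_tags.location` set still gets exactly `Tag.DEFAULT_BACKEND_TAG` from `getAuth().getResourceTags(...)`, because that is the isolation guarantee this change must not regress. A case with a mixed-case name would also pin down the intended behaviour of the `equalsIgnoreCase` comparison.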