This is an automated email from the ASF dual-hosted git repository.
huajianlan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new a169556e449 fix check column privilege failed by hidden column (#34849)
a169556e449 is described below
commit a169556e4496c1732d790817328ff7e3f2defd12
Author: 924060929 <[email protected]>
AuthorDate: Tue May 14 22:34:23 2024 +0800
fix check column privilege failed by hidden column (#34849)
Fix the column privilege check failing because of a hidden column: __DORIS_DELETE_SIGN__
---
.../nereids/rules/rewrite/CheckPrivileges.java | 6 ++
.../authorization/column_authorization.groovy | 65 ++++++++++++++++++++++
2 files changed, 71 insertions(+)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index 713a9404dc0..5c82dfac651 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -26,6 +26,7 @@ import org.apache.doris.nereids.exceptions.AnalysisException;
import org.apache.doris.nereids.jobs.JobContext;
import org.apache.doris.nereids.rules.analysis.UserAuthentication;
import org.apache.doris.nereids.trees.expressions.Slot;
+import org.apache.doris.nereids.trees.expressions.SlotReference;
import org.apache.doris.nereids.trees.plans.Plan;
import org.apache.doris.nereids.trees.plans.logical.LogicalCatalogRelation;
import org.apache.doris.nereids.trees.plans.logical.LogicalRelation;
@@ -81,6 +82,11 @@ public class CheckPrivileges extends ColumnPruning {
for (Slot requiredSlot : requiredSlots) {
Slot slot = idToSlot.get(requiredSlot.getExprId().asInt());
if (slot != null) {
+ // don't check privilege for hidden column, e.g.
__DORIS_DELETE_SIGN__
+ if (slot instanceof SlotReference && ((SlotReference)
slot).getColumn().isPresent()
+ && !((SlotReference)
slot).getColumn().get().isVisible()) {
+ continue;
+ }
usedColumns.add(slot.getName());
}
}
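Review bot: The new guard in the `requiredSlots` loop skips the privilege check for every slot whose column reports `isVisible()` as false, while the comment and the regression test cover only `__DORIS_DELETE_SIGN__`. The condition does not distinguish a hidden slot the planner injected from one the user named in the query, so a user with a grant on a single column can select any hidden column explicitly. That is harmless for a delete flag, but it would sidestep column-level authorization if a hidden column ever carries values derived from other columns, which is worth confirming for each hidden column the table models define. Consider narrowing the condition to the hidden columns known to be safe (for instance by comparing `slot.getName()` with the delete-sign name), or at minimum state the scope in the comment: `// skips ALL non-visible columns, not only __DORIS_DELETE_SIGN__; hidden columns must never expose user data`. The enclosing method starts outside this hunk, so how `usedColumns` is checked afterwards is not visible here.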
diff --git
a/regression-test/suites/nereids_p0/authorization/column_authorization.groovy
b/regression-test/suites/nereids_p0/authorization/column_authorization.groovy
new file mode 100644
index 00000000000..9bd1c512acc
--- /dev/null
+++
b/regression-test/suites/nereids_p0/authorization/column_authorization.groovy
@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("column_authorization") {
+ def db = context.config.getDbNameByFile(context.file)
+ def user1 = "test_unique_table_auth_user1"
+ def baseTable = "test_unique_table_auth_base_table"
+
+
+ sql "drop table if exists ${baseTable}"
+
+ sql """
+ CREATE TABLE ${baseTable} (id INT, name TEXT)
+ unique key(id)
+ DISTRIBUTED BY HASH(`id`)
+ PROPERTIES (
+ "replication_allocation" = "tag.location.default: 1"
+ );
+ """
+
+ sql "insert into ${baseTable} values(1, 'hello'), (2, 'world'), (3,
'doris');"
+
+ sql "drop user if exists ${user1}"
+ sql "create user ${user1}"
+ sql "grant SELECT_PRIV(id) on ${db}.${baseTable} to '${user1}'@'%';"
+
+ //cloud-mode
+ if (isCloudMode()) {
+ def clusters = sql " SHOW CLUSTERS; "
+ assertTrue(!clusters.isEmpty())
+ def validCluster = clusters[0][0]
+ sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user1}""";
+ }
+
+ sql 'sync'
+
+ def defaultDbUrl = context.config.jdbcUrl.substring(0,
context.config.jdbcUrl.lastIndexOf("/"))
+ logger.info("connect to ${defaultDbUrl}".toString())
+ connect(user = user1, password = null, url = defaultDbUrl) {
+ sql "set enable_fallback_to_original_planner=false"
+
+ // no privilege to name
+ test {
+ sql "select * from ${db}.${baseTable}"
+ exception "Permission denied"
+ }
+
+ // has privilege to id, __DORIS_DELETE_SIGN__
+ sql "select id, __DORIS_DELETE_SIGN__ from ${db}.${baseTable}"
+ }
+}
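Review bot: The suite asserts only the permissive side of the new exemption: `select id, __DORIS_DELETE_SIGN__` succeeds, and the sole denial case is `select *`. A case that names the ungranted column together with the hidden one would pin that the skip does not weaken the check for visible columns, e.g. `test { sql "select name, __DORIS_DELETE_SIGN__ from ${db}.${baseTable}"; exception "Permission denied" }`. The suite also leaves the password-less `${user1}` and its grant in place when it finishes; a trailing `sql "drop user if exists ${user1}"` would avoid that, if the regression framework does not already clean up users.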