This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new f63d5a4b2fe [fix](auth) Fix no auth,but can select count(*) (#35465)
f63d5a4b2fe is described below
commit f63d5a4b2fe7688c536400c89dd8669c188191ee
Author: zhangdong <[email protected]>
AuthorDate: Wed May 29 11:57:00 2024 +0800
[fix](auth) Fix no auth,but can select count(*) (#35465)
When the query is select count(*), cols is empty, so the table privilege should be checked.
---
.../nereids/rules/analysis/UserAuthentication.java | 18 ++++++++++++++++--
.../account_p0/test_nereids_authentication.groovy | 10 ++++++++++
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
index 360131f2c4f..df94a051afe 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
@@ -17,13 +17,19 @@
package org.apache.doris.nereids.rules.analysis;
+import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.DatabaseIf;
import org.apache.doris.catalog.TableIf;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.CatalogIf;
+import org.apache.doris.mysql.privilege.AccessControllerManager;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
+import org.apache.commons.collections.CollectionUtils;
+
import java.util.Set;
/**
@@ -52,7 +58,15 @@ public class UserAuthentication {
return;
}
String ctlName = catalog.getName();
- connectContext.getEnv().getAccessManager().checkColumnsPriv(
- connectContext.getCurrentUserIdentity(), ctlName, dbName,
tableName, columns, PrivPredicate.SELECT);
+ AccessControllerManager accessManager =
connectContext.getEnv().getAccessManager();
+ UserIdentity userIdentity = connectContext.getCurrentUserIdentity();
+ if (CollectionUtils.isEmpty(columns)) {
+ if (!accessManager.checkTblPriv(userIdentity, ctlName, dbName,
tableName, PrivPredicate.SELECT)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SELECT.getPrivs().toString(), tableName);
+ }
+ } else {
+ accessManager.checkColumnsPriv(userIdentity, ctlName, dbName,
tableName, columns, PrivPredicate.SELECT);
+ }
}
}
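Review bot: The new `CollectionUtils.isEmpty(columns)` branch has no comment explaining why an empty column set falls back to a table-level check, and that is the security-relevant invariant here: an empty set must never mean "nothing to authorize". I would add `// No referenced columns (e.g. count(*)): require table-level SELECT so an empty column set cannot skip authorization.` above the `if`. It is also worth confirming how `checkTblPriv` treats a user who holds only column-level SELECT grants; if it ignores them, such users would now be denied `count(*)`, and the regression test does not cover that case. The denial report passes only `tableName`, so qualifying it with `ctlName` and `dbName` would make the resulting error and audit trail unambiguous. The enclosing method begins outside the hunk.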
diff --git
a/regression-test/suites/account_p0/test_nereids_authentication.groovy
b/regression-test/suites/account_p0/test_nereids_authentication.groovy
index 2d30835f69a..a0d9c4b4514 100644
--- a/regression-test/suites/account_p0/test_nereids_authentication.groovy
+++ b/regression-test/suites/account_p0/test_nereids_authentication.groovy
@@ -66,6 +66,13 @@ suite("test_nereids_authentication", "query") {
}
}
+ connect(user=user, password='Doris_123456', url=url) {
+ test {
+ sql "SELECT count(*) FROM ${tableName2}"
+ exception "denied"
+ }
+ }
+
connect(user=user, password='Doris_123456', url=url) {
test {
sql "SELECT * FROM ${tableName1}, ${tableName2} WHERE
${tableName1}.`key` = ${tableName2}.`key`"
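Review bot: The added negative case matches only the substring `exception "denied"`, so it would also pass if the query were rejected by some other check than the new table-level branch. Matching a more specific fragment of the table-access-denied message would pin the test to the path this commit adds. The positive case in the next hunk (`SELECT count(*) FROM ${tableName2}` after the grant) only checks that nothing throws; asserting on the returned count would make it a stronger check.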
@@ -78,6 +85,9 @@ suite("test_nereids_authentication", "query") {
sql "SELECT * FROM ${tableName2}"
}
assertEquals(result.size(), 0)
+ connect(user=user, password='Doris_123456', url=url) {
+ sql "SELECT count(*) FROM ${tableName2}"
+ }
connect(user=user, password='Doris_123456', url=url) {
sql "SELECT * FROM ${tableName1}, ${tableName2} WHERE
${tableName1}.`key` = ${tableName2}.`key`"
}