This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new bd8df44d696 [opt](privilege) Grant check name (#39597)
bd8df44d696 is described below
commit bd8df44d696329fec0abbfa5650d0c53c302adcd
Author: zhangdong <[email protected]>
AuthorDate: Fri Aug 23 17:45:27 2024 +0800
[opt](privilege) Grant check name (#39597)
grant stmt check ctl/db/table if exist
---
.../org/apache/doris/mysql/privilege/Auth.java | 31 ++++++++++++++++++++++
.../apache/doris/datasource/CatalogMgrTest.java | 7 -----
.../suites/auth_p0/test_create_view_auth.groovy | 2 +-
.../suites/auth_p0/test_grant_auth.groovy | 2 +-
...uth.groovy => test_grant_nonexist_table.groovy} | 23 +++++++++++++---
.../ccr_mow_syncer_p0/test_get_binlog.groovy | 1 -
.../inverted_index/test_get_binlog.groovy | 1 -
7 files changed, 53 insertions(+), 14 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 2073e33cb4f..36070d20173 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -36,8 +36,10 @@ import org.apache.doris.analysis.SetUserPropertyStmt;
import org.apache.doris.analysis.TablePattern;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.analysis.WorkloadGroupPattern;
+import org.apache.doris.catalog.DatabaseIf;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.InfoSchemaDb;
+import org.apache.doris.catalog.TableIf;
import org.apache.doris.cloud.datasource.CloudInternalCatalog;
import org.apache.doris.cloud.proto.Cloud;
import org.apache.doris.cluster.ClusterNamespace;
@@ -54,6 +56,7 @@ import org.apache.doris.common.Pair;
import org.apache.doris.common.PatternMatcherException;
import org.apache.doris.common.UserException;
import org.apache.doris.common.io.Writable;
+import org.apache.doris.datasource.CatalogIf;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.MysqlPassword;
import org.apache.doris.mysql.authenticate.AuthenticateType;
@@ -86,6 +89,7 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
+import java.util.Objects;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;
@@ -677,6 +681,7 @@ public class Auth implements Writable {
throws DdlException {
writeLock();
try {
+ checkTablePatternExist(tblPattern);
if (role == null) {
if (!doesUserExist(userIdent)) {
throw new DdlException("user " + userIdent + " does not
exist");
@@ -695,6 +700,32 @@ public class Auth implements Writable {
}
}
+ private void checkTablePatternExist(TablePattern tablePattern) throws
DdlException {
+ Objects.requireNonNull(tablePattern, "tablePattern can not be null");
+ PrivLevel privLevel = tablePattern.getPrivLevel();
+ if (privLevel == PrivLevel.GLOBAL) {
+ return;
+ }
+ CatalogIf catalog =
Env.getCurrentEnv().getCatalogMgr().getCatalog(tablePattern.getQualifiedCtl());
+ if (catalog == null) {
+ throw new DdlException("catalog:" + tablePattern.getQualifiedCtl()
+ " does not exist");
+ }
+ if (privLevel == PrivLevel.CATALOG) {
+ return;
+ }
+ DatabaseIf db = catalog.getDbNullable(tablePattern.getQualifiedDb());
+ if (db == null) {
+ throw new DdlException("database:" + tablePattern.getQualifiedDb()
+ " does not exist");
+ }
+ if (privLevel == PrivLevel.DATABASE) {
+ return;
+ }
+ TableIf table = db.getTableNullable(tablePattern.getTbl());
+ if (table == null) {
+ throw new DdlException("table:" + tablePattern.getTbl() + " does
not exist");
+ }
+ }
+
// grant for ResourcePattern
private void grantInternal(UserIdentity userIdent, String role,
ResourcePattern resourcePattern, PrivBitSet privs,
boolean errOnNonExist, boolean isReplay) throws DdlException {
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/datasource/CatalogMgrTest.java
b/fe/fe-core/src/test/java/org/apache/doris/datasource/CatalogMgrTest.java
index e5e8a9d71a5..fa546cccec9 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/datasource/CatalogMgrTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/datasource/CatalogMgrTest.java
@@ -105,13 +105,6 @@ public class CatalogMgrTest extends TestWithFeService {
// grant with no catalog is switched, internal catalog works.
CreateRoleStmt createRole1 = (CreateRoleStmt)
parseAndAnalyzeStmt("create role role1;", rootCtx);
auth.createRole(createRole1);
- GrantStmt grantRole1 = (GrantStmt) parseAndAnalyzeStmt("grant
grant_priv on tpch.* to role 'role1';", rootCtx);
- auth.grant(grantRole1);
- // grant with ctl.db.tbl. grant can succeed even if the catalog does
not exist
- GrantStmt grantRole1WithCtl = (GrantStmt) parseAndAnalyzeStmt(
- "grant select_priv on testc.testdb.* to role 'role1';",
rootCtx);
- auth.grant(grantRole1WithCtl);
- // user1 can't switch to hive
auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
"create user 'user1'@'%' identified by 'pwd1' default role
'role1';", rootCtx));
user1 = new UserIdentity("user1", "%");
diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy
b/regression-test/suites/auth_p0/test_create_view_auth.groovy
index 124d3f96014..4e708c8e694 100644
--- a/regression-test/suites/auth_p0/test_create_view_auth.groovy
+++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy
@@ -47,7 +47,7 @@ suite("test_create_view_auth","p0,auth") {
assertTrue(e.getMessage().contains("Admin_priv,Create_priv"))
}
}
- sql """grant create_priv on ${dbName}.v1 to ${user}"""
+ sql """grant create_priv on ${dbName}.* to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "create view ${dbName}.v1 as select * from
${dbName}.${tableName};"
diff --git a/regression-test/suites/auth_p0/test_grant_auth.groovy
b/regression-test/suites/auth_p0/test_grant_auth.groovy
index fd3f51a4081..c026cfd91ed 100644
--- a/regression-test/suites/auth_p0/test_grant_auth.groovy
+++ b/regression-test/suites/auth_p0/test_grant_auth.groovy
@@ -22,7 +22,7 @@ suite("test_grant_auth","p0,auth") {
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
- sql """grant select_priv on `_internal_schema`.* to ${user}"""
+ sql """grant select_priv on `__internal_schema`.* to ${user}"""
try_sql("DROP USER ${user}")
}
diff --git a/regression-test/suites/auth_p0/test_grant_auth.groovy
b/regression-test/suites/auth_p0/test_grant_nonexist_table.groovy
similarity index 61%
copy from regression-test/suites/auth_p0/test_grant_auth.groovy
copy to regression-test/suites/auth_p0/test_grant_nonexist_table.groovy
index fd3f51a4081..36e75707be7 100644
--- a/regression-test/suites/auth_p0/test_grant_auth.groovy
+++ b/regression-test/suites/auth_p0/test_grant_nonexist_table.groovy
@@ -17,12 +17,29 @@
import org.junit.Assert;
-suite("test_grant_auth","p0,auth") {
- String user = 'test_grant_auth_user'
+suite("test_grant_nonexist_table","p0,auth") {
+ String suiteName = "test_grant_nonexist_table"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String user = "${suiteName}_user"
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
- sql """grant select_priv on `_internal_schema`.* to ${user}"""
+
+ test {
+ sql """grant select_priv on non_exist_catalog.*.* to ${user}"""
+ exception "catalog"
+ }
+
+ test {
+ sql """grant select_priv on internal.non_exist_db.* to ${user}"""
+ exception "database"
+ }
+
+ test {
+ sql """grant select_priv on internal.${dbName}.non_exist_table to
${user}"""
+ exception "table"
+ }
+
try_sql("DROP USER ${user}")
}
diff --git a/regression-test/suites/ccr_mow_syncer_p0/test_get_binlog.groovy
b/regression-test/suites/ccr_mow_syncer_p0/test_get_binlog.groovy
index 62ba97551f6..13fe4eeec33 100644
--- a/regression-test/suites/ccr_mow_syncer_p0/test_get_binlog.groovy
+++ b/regression-test/suites/ccr_mow_syncer_p0/test_get_binlog.groovy
@@ -133,7 +133,6 @@ suite("test_mow_get_binlog_case") {
sql """DROP USER IF EXISTS ${noPrivUser}"""
sql """CREATE USER ${noPrivUser} IDENTIFIED BY '123456'"""
sql """GRANT ALL ON ${context.config.defaultDb}.* TO ${noPrivUser}"""
- sql """GRANT ALL ON TEST_${context.dbName}.${emptyTable} TO
${noPrivUser}"""
syncer.context.user = "${noPrivUser}"
syncer.context.passwd = "123456"
assertTrue((syncer.getBinlog("${seqTableName}")) == false)
diff --git
a/regression-test/suites/ccr_syncer_p0/inverted_index/test_get_binlog.groovy
b/regression-test/suites/ccr_syncer_p0/inverted_index/test_get_binlog.groovy
index b837f799e58..1e3fed68923 100644
--- a/regression-test/suites/ccr_syncer_p0/inverted_index/test_get_binlog.groovy
+++ b/regression-test/suites/ccr_syncer_p0/inverted_index/test_get_binlog.groovy
@@ -226,7 +226,6 @@ suite("test_get_binlog_case_index") {
"""
sql """CREATE USER IF NOT EXISTS ${noPrivUser} IDENTIFIED BY '123456'"""
sql """GRANT ALL ON ${context.config.defaultDb}.* TO ${noPrivUser}"""
- sql """GRANT ALL ON TEST_${context.dbName}.${emptyTable} TO
${noPrivUser}"""
syncer.context.user = "${noPrivUser}"
syncer.context.passwd = "123456"
assertTrue((syncer.getBinlog("${tableName}")) == false)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
