morrysnow pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push:
new b88d4db6e70 [fix](auth)Fix use encryptkey should check auth (#41791)
(#42105)
b88d4db6e70 is described below
commit b88d4db6e701ff6efa1ae6650b8a5cfa5ad653bb
Author: zhangdong <[email protected]>
AuthorDate: Fri Oct 25 14:32:42 2024 +0800
[fix](auth)Fix use encryptkey should check auth (#41791) (#42105)
pick from master #41791
---
.../org/apache/doris/analysis/EncryptKeyRef.java | 11 ++++
.../expression/rules/FoldConstantRuleOnFE.java | 10 ++++
.../suites/auth_p0/test_use_encryptkey_auth.groovy | 59 ++++++++++++++++++++++
3 files changed, 80 insertions(+)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
index ad5b15014f7..01e6ffcc8ef 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
@@ -19,10 +19,14 @@ package org.apache.doris.analysis;
import org.apache.doris.catalog.Database;
import org.apache.doris.catalog.EncryptKey;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Type;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.thrift.TExprNode;
import com.google.common.base.Strings;
@@ -55,6 +59,13 @@ public class EncryptKeyRef extends Expr {
if ("".equals(dbName)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
} else {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME,
+ dbName, PrivPredicate.SHOW)) {
+ String message =
ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ throw new AnalysisException(message);
+ }
Database database =
analyzer.getEnv().getInternalCatalog().getDbOrAnalysisException(dbName);
EncryptKey encryptKey =
database.getEncryptKey(encryptKeyName.getKeyName());
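Review bot: The privilege check added at the top of the `else` branch takes the session from the thread-local `ConnectContext.get()` and the catalog from `Env.getCurrentEnv()`, while the lookup right below it goes through `analyzer.getEnv()`. If this expression is ever analyzed on a thread with no bound context, `checkDbPriv` would presumably receive null and fail with something other than the intended access-denied error. A guard before the call, such as `ConnectContext ctx = ConnectContext.get(); if (ctx == null) { throw new AnalysisException("no connection context for privilege check"); }`, makes the check fail closed with a clear message. The identical block added in FoldConstantRuleOnFE has the same dependency, and the two copies could share one helper so the required privilege cannot drift between the two planners. The enclosing method starts and ends outside this hunk.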
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
index 552e3fe5cfb..5a5eef482a6 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
@@ -20,7 +20,10 @@ package org.apache.doris.nereids.rules.expression.rules;
import org.apache.doris.catalog.EncryptKey;
import org.apache.doris.catalog.Env;
import org.apache.doris.cluster.ClusterNamespace;
+import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.util.DebugUtil;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.nereids.exceptions.AnalysisException;
import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule;
import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher;
@@ -216,6 +219,13 @@ public class FoldConstantRuleOnFE extends
AbstractExpressionRewriteRule
if ("".equals(dbName)) {
throw new AnalysisException("DB " + dbName + "not found");
}
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME,
+ dbName, PrivPredicate.SHOW)) {
+ String message =
ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ throw new AnalysisException(message);
+ }
org.apache.doris.catalog.Database database =
Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName);
if (database == null) {
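Review bot: The added `checkDbPriv` block carries no comment explaining the required privilege level or why it sits ahead of the `getDbNullable` lookup, and both are security-relevant choices that a later refactor could undo. I would add above the `if`: `// Using a key requires a database-level privilege matching PrivPredicate.SHOW; keep this check before the lookup so a denied user gets the same error whether or not the database exists.` It is also worth confirming that no path resolves an encrypt key reference without running this rule, since the hunk shows enforcement only inside constant folding. The enclosing method starts and ends outside the hunk.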
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
new file mode 100644
index 00000000000..8245486d66f
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@@ -0,0 +1,59 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_use_encryptkey_auth","p0,auth") {
+ multi_sql """
+ SET enable_nereids_planner=true;
+ SET enable_fallback_to_original_planner=false;
+ """
+ String suiteName = "test_version_info_mtmv"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String user = "${suiteName}_user"
+ String key = "${suiteName}_key"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ try_sql("DROP ENCRYPTKEY ${key}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ //cloud-mode
+ if (isCloudMode()) {
+ def clusters = sql " SHOW CLUSTERS; "
+ assertTrue(!clusters.isEmpty())
+ def validCluster = clusters[0][0]
+ sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+ }
+ sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
+
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ test {
+ sql """
+ SELECT HEX(AES_ENCRYPT("Doris is Great", KEY
${dbName}.${key}));
+ """
+ exception "denied"
+ }
+ }
+ sql """grant select_priv on ${dbName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ sql """
+ SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+ """
+ }
+ try_sql("DROP USER ${user}")
+ try_sql("DROP ENCRYPTKEY ${key}")
+}
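Review bot: `String suiteName = "test_version_info_mtmv"` looks copied from another suite, so the user and key created here are named `test_version_info_mtmv_user` and `test_version_info_mtmv_key`. If that other suite derives its names the same way, the two can drop or recreate each other's user when run together; `String suiteName = "test_use_encryptkey_auth"` avoids that. The suite also pins `enable_fallback_to_original_planner=false`, so only the FoldConstantRuleOnFE check is exercised and the matching check added to EncryptKeyRef has no negative test. A second pass with the Nereids planner disabled, asserting the same `exception "denied"`, would cover it.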