This is an automated email from the ASF dual-hosted git repository.

morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 2bfab8fd229 [fix](auth)fix some tvf not check auth (#45483)
2bfab8fd229 is described below

commit 2bfab8fd2297ed3d79feef83015a147f76c4f49b
Author: zhangdong <[email protected]>
AuthorDate: Mon Dec 23 19:20:31 2024 +0800

    [fix](auth)fix some tvf not check auth (#45483)
    
    ### What problem does this PR solve?
    
    Problem Summary:
    
    fix some tvf not check auth
    
    - backends() support check auth
    - frontends() support check auth
    - frontends_disks() support check auth
    
    ### Release note
    
    Change the privilege required for the TVFs backends, frontends and
    frontends_disks. Before, no privilege was required for them; from now on,
    ADMIN_PRIV or NODE_PRIV is required.
---
 .../tablefunction/BackendsTableValuedFunction.java | 10 ++++
 .../FrontendsDisksTableValuedFunction.java         | 10 ++++
 .../FrontendsTableValuedFunction.java              | 10 ++++
 .../suites/auth_p0/test_backends_auth.groovy       | 64 ++++++++++++++++++++++
 .../suites/auth_p0/test_frontends_auth.groovy      | 64 ++++++++++++++++++++++
 .../auth_p0/test_frontends_disks_auth.groovy       | 55 +++++++++++++++++++
 6 files changed, 213 insertions(+)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/BackendsTableValuedFunction.java
 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/BackendsTableValuedFunction.java
index 04ea7d01eae..817bfefafdf 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/BackendsTableValuedFunction.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/BackendsTableValuedFunction.java
@@ -18,9 +18,13 @@
 package org.apache.doris.tablefunction;
 
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.PrimitiveType;
 import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TBackendsMetadataParams;
 import org.apache.doris.thrift.TMetaScanRange;
 import org.apache.doris.thrift.TMetadataType;
@@ -83,6 +87,12 @@ public class BackendsTableValuedFunction extends 
MetadataTableValuedFunction {
         if (params.size() != 0) {
             throw new AnalysisException("backends table-valued-function does 
not support any params");
         }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.ADMIN_OR_NODE)) {
+            String message = 
ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.ADMIN_OR_NODE.getPrivs().toString());
+            throw new AnalysisException(message);
+        }
     }
 
     @Override
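Review bot: The new guard starting at `if (!Env.getCurrentEnv().getAccessManager()` passes `ConnectContext.get()` straight into `checkGlobalPriv`, and that thread-local context can be absent when analysis is not running on a client session thread; if `checkGlobalPriv` dereferences it, the unauthenticated path fails with a NullPointerException instead of a clean access-denied, so bind it first and fail closed: `ConnectContext ctx = ConnectContext.get();` then `if (ctx == null || !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ctx, PrivPredicate.ADMIN_OR_NODE)) {`. The same seven lines are pasted verbatim into FrontendsDisksTableValuedFunction.java and FrontendsTableValuedFunction.java; since all three classes extend MetadataTableValuedFunction, one protected helper there (say `checkAdminOrNodePriv()`) would keep the three checks from drifting and give a single place to document which privilege the metadata TVFs require. The enclosing method begins outside the hunk, so its name and whether every execution path of the TVF reaches this check cannot be confirmed from here.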
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsDisksTableValuedFunction.java
 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsDisksTableValuedFunction.java
index cc7ff82b8fb..2c898a57afe 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsDisksTableValuedFunction.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsDisksTableValuedFunction.java
@@ -18,8 +18,12 @@
 package org.apache.doris.tablefunction;
 
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TFrontendsMetadataParams;
 import org.apache.doris.thrift.TMetaScanRange;
 import org.apache.doris.thrift.TMetadataType;
@@ -67,6 +71,12 @@ public class FrontendsDisksTableValuedFunction extends 
MetadataTableValuedFuncti
         if (params.size() != 0) {
             throw new AnalysisException("frontends_disks table-valued-function 
does not support any params");
         }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.ADMIN_OR_NODE)) {
+            String message = 
ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.ADMIN_OR_NODE.getPrivs().toString());
+            throw new AnalysisException(message);
+        }
     }
 
     @Override
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsTableValuedFunction.java
 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsTableValuedFunction.java
index aded1076a83..a9f48b6d1ff 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsTableValuedFunction.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/FrontendsTableValuedFunction.java
@@ -18,8 +18,12 @@
 package org.apache.doris.tablefunction;
 
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TFrontendsMetadataParams;
 import org.apache.doris.thrift.TMetaScanRange;
 import org.apache.doris.thrift.TMetadataType;
@@ -76,6 +80,12 @@ public class FrontendsTableValuedFunction extends 
MetadataTableValuedFunction {
         if (params.size() != 0) {
             throw new AnalysisException("frontends table-valued-function does 
not support any params");
         }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.ADMIN_OR_NODE)) {
+            String message = 
ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.ADMIN_OR_NODE.getPrivs().toString());
+            throw new AnalysisException(message);
+        }
     }
 
     @Override
diff --git a/regression-test/suites/auth_p0/test_backends_auth.groovy 
b/regression-test/suites/auth_p0/test_backends_auth.groovy
new file mode 100644
index 00000000000..753ae837c77
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_backends_auth.groovy
@@ -0,0 +1,64 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_backends_auth","p0,auth") {
+    String suiteName = "test_backends_auth"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+
+    sql """grant select_priv on regression_test to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  show backends;
+              """
+              exception "denied"
+        }
+        test {
+              sql """
+                  select * from backends();
+              """
+              exception "denied"
+        }
+    }
+
+    sql """grant admin_priv on *.*.* to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+         sql """
+              show backends;
+          """
+         sql """
+             select * from backends();
+         """
+    }
+
+    try_sql("DROP USER ${user}")
+}
\ No newline at end of file
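Review bot: The release note states that either ADMIN_PRIV or NODE_PRIV is accepted, but the suite only exercises the ADMIN_PRIV branch (`grant admin_priv on *.*.* to ${user}` followed by the second `connect` block); a user holding only NODE_PRIV is never tried, so a regression that dropped NODE_PRIV from `PrivPredicate.ADMIN_OR_NODE` would still pass. A third `connect` block preceded by something like `revoke admin_priv on *.*.* from ${user}` and `grant node_priv on *.*.* to ${user}` would cover the other half of the disjunction. `import org.junit.Assert;` is not referenced anywhere in the file (`assertTrue` appears to come from the suite framework), so it can be dropped. The same two points apply to test_frontends_auth.groovy and test_frontends_disks_auth.groovy.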
diff --git a/regression-test/suites/auth_p0/test_frontends_auth.groovy 
b/regression-test/suites/auth_p0/test_frontends_auth.groovy
new file mode 100644
index 00000000000..21fff527518
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_frontends_auth.groovy
@@ -0,0 +1,64 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_frontends_auth","p0,auth") {
+    String suiteName = "test_frontends_auth"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+
+    sql """grant select_priv on regression_test to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  show frontends;
+              """
+              exception "denied"
+        }
+        test {
+              sql """
+                  select * from frontends();
+              """
+              exception "denied"
+        }
+    }
+
+    sql """grant admin_priv on *.*.* to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+         sql """
+              show frontends;
+          """
+         sql """
+             select * from frontends();
+         """
+    }
+
+    try_sql("DROP USER ${user}")
+}
\ No newline at end of file
diff --git a/regression-test/suites/auth_p0/test_frontends_disks_auth.groovy 
b/regression-test/suites/auth_p0/test_frontends_disks_auth.groovy
new file mode 100644
index 00000000000..3767fdde0a5
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_frontends_disks_auth.groovy
@@ -0,0 +1,55 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_frontends_disks_auth","p0,auth") {
+    String suiteName = "test_frontends_disks_auth"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+
+    sql """grant select_priv on regression_test to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  select * from frontends_disks();
+              """
+              exception "denied"
+        }
+    }
+
+    sql """grant admin_priv on *.*.* to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+         sql """
+             select * from frontends_disks();
+         """
+    }
+
+    try_sql("DROP USER ${user}")
+}
\ No newline at end of file

