This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.1 by this push:
new 4b6ed69bb8b branch-3.1: [Enhancement](Cloud) Check auth when alter
vault #51747 (#52490)
4b6ed69bb8b is described below
commit 4b6ed69bb8bf40f14ec615d3d29e97b640e10eb3
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Tue Jul 1 14:17:46 2025 +0800
branch-3.1: [Enhancement](Cloud) Check auth when alter vault #51747 (#52490)
Cherry-picked from #51747
Co-authored-by: Lijia Liu <[email protected]>
---
.../trees/plans/commands/AlterStorageVaultCommand.java | 16 ++++++++++++++++
.../suites/vault_p0/alter/test_alter_vault_type.groovy | 18 ++++++++++++++++++
.../suites/vault_p0/default/test_default_vault.groovy | 10 ++++++++++
3 files changed, 44 insertions(+)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterStorageVaultCommand.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterStorageVaultCommand.java
index 7b2d99814a2..f877ef0da14 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterStorageVaultCommand.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterStorageVaultCommand.java
@@ -21,7 +21,11 @@ import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.StorageVault;
import org.apache.doris.catalog.StorageVault.StorageVaultType;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeNameFormat;
+import org.apache.doris.common.Pair;
+import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.nereids.trees.plans.PlanType;
import org.apache.doris.nereids.trees.plans.visitor.PlanVisitor;
import org.apache.doris.qe.ConnectContext;
@@ -47,6 +51,10 @@ public class AlterStorageVaultCommand extends Command
implements ForwardWithSync
@Override
public void run(ConnectContext ctx, StmtExecutor executor) throws
Exception {
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
+ }
StorageVault.StorageVaultType vaultType =
StorageVaultType.fromString(properties.get(TYPE));
if (vaultType == StorageVault.StorageVaultType.UNKNOWN) {
throw new AnalysisException("Unsupported Storage Vault type: " +
type);
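Review bot: The new privilege check in `run` reads the session from `ConnectContext.get()` although the method already receives `ctx`; passing the parameter, `checkGlobalPriv(ctx, PrivPredicate.ADMIN)`, ties the check to the session the command runs for and does not depend on the thread-local being set. Whether the two can ever differ on the forwarded path is not visible in this diff, so this is a consistency fix rather than a confirmed bypass. The `// check auth` comment could state the actual requirement, e.g. `// ALTER STORAGE VAULT requires the global ADMIN privilege`. The body of `run` continues outside the hunk.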
@@ -54,6 +62,14 @@ public class AlterStorageVaultCommand extends Command
implements ForwardWithSync
FeNameFormat.checkStorageVaultName(name);
if (properties.containsKey(StorageVault.PropertyKey.VAULT_NAME)) {
+ String newVaultName =
properties.get(StorageVault.PropertyKey.VAULT_NAME);
+ Pair<String, String> info =
Env.getCurrentEnv().getStorageVaultMgr().getDefaultStorageVault();
+ if (info != null && name.equalsIgnoreCase(info.first)) {
+ throw new AnalysisException("Cannot rename default storage
vault. Before rename it, you should execute"
+ + " `UNSET DEFAULT STORAGE VAULT` sql to unset default
storage vault. After rename it, you can"
+ + " execute `SET " + newVaultName + " AS DEFAULT
STORAGE VAULT` sql to set it as default"
+ + " storage vault.");
+ }
String newName =
properties.get(StorageVault.PropertyKey.VAULT_NAME);
FeNameFormat.checkStorageVaultName(newName);
Preconditions.checkArgument(!name.equalsIgnoreCase(newName),
"Vault name has not been changed");
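Review bot: `newVaultName` is concatenated into the exception text before `FeNameFormat.checkStorageVaultName(newName)` has validated it, so the raw property value sent by the client is echoed inside a suggested SQL statement in the error message. It also duplicates `newName`, which reads the same property immediately after the new block. Move `String newName = properties.get(StorageVault.PropertyKey.VAULT_NAME);` and `FeNameFormat.checkStorageVaultName(newName);` above the default-vault check and use `newName` in the message. The default-vault lookup here and the rename that follows are presumably not atomic; whether the vault manager re-checks is outside this diff and worth confirming. The enclosing `if` block continues past the hunk.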
diff --git a/regression-test/suites/vault_p0/alter/test_alter_vault_type.groovy
b/regression-test/suites/vault_p0/alter/test_alter_vault_type.groovy
index 1a4c4c19193..a57207712e9 100644
--- a/regression-test/suites/vault_p0/alter/test_alter_vault_type.groovy
+++ b/regression-test/suites/vault_p0/alter/test_alter_vault_type.groovy
@@ -77,4 +77,22 @@ suite("test_alter_vault_type", "nonConcurrent") {
);
"""
}, "is not hdfs storage vault")
+
+ def test_user = "alter_vault_no_pri";
+ def test_pass = "12345"
+ sql """create user ${test_user} identified by '${test_pass}'"""
+
+ try {
+ def result = connect(test_user, test_pass, context.config.jdbcUrl) {
+ sql """
+ ALTER STORAGE VAULT ${s3VaultName}
+ PROPERTIES (
+ "type"="s3",
+ "VAULT_NAME" = "${s3VaultName}_rename"
+ );
+ """
+ }
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("Access denied for user"),
e.getMessage())
+ }
}
\ No newline at end of file
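Review bot: This negative test still passes when the unprivileged `ALTER STORAGE VAULT` succeeds, because nothing is asserted after `connect(...)` inside the `try` and only the `catch` branch checks anything, so a regression in the ADMIN check would go unnoticed. Wrap the call in the helper that test_default_vault.groovy uses in this same commit, `expectExceptionLike({ connect(test_user, test_pass, context.config.jdbcUrl) { sql """...""" } }, "Access denied for user")`, so that a missing exception fails the suite. The user is also created without a preceding `sql """drop user if exists ${test_user}"""` and is never dropped, so a rerun against the same cluster presumably fails at `create user` and the account stays behind. The suite body begins outside the hunk.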
diff --git a/regression-test/suites/vault_p0/default/test_default_vault.groovy
b/regression-test/suites/vault_p0/default/test_default_vault.groovy
index 0660b47cbf8..069c4b7daeb 100644
--- a/regression-test/suites/vault_p0/default/test_default_vault.groovy
+++ b/regression-test/suites/vault_p0/default/test_default_vault.groovy
@@ -185,6 +185,16 @@ suite("test_default_vault", "nonConcurrent") {
}
assertTrue(found)
+ expectExceptionLike({
+ sql """
+ ALTER STORAGE VAULT ${s3VaultName}
+ PROPERTIES (
+ "type"="s3",
+ "VAULT_NAME" = "${s3VaultName}_rename"
+ );
+ """
+ }, "Cannot rename default storage vault")
+
sql """
CREATE TABLE ${s3TableName}_2 (
C_CUSTKEY INTEGER NOT NULL,