starocean999 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 2e24bb40915 [enhance](auth)The permission requirement for Show
transaction changed from admin_priv to db's load_priv. (#52358)
2e24bb40915 is described below
commit 2e24bb4091548f497f6d8b6354ca28b120cb4682
Author: zhangdong <[email protected]>
AuthorDate: Thu Jul 24 17:00:44 2025 +0800
[enhance](auth)The permission requirement for Show transaction changed from
admin_priv to db's load_priv. (#52358)
The permission requirement for Show transaction changed from admin_priv
to db's load_priv.
doc pr: https://github.com/apache/doris-website/pull/2565
---
.../trees/plans/commands/ShowTransactionCommand.java | 14 +++++++-------
.../trees/plans/commands/ShowTransactionCommandTest.java | 2 +-
.../suites/auth_p0/test_show_transaction_auth.groovy | 11 ++++++++++-
3 files changed, 18 insertions(+), 9 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommand.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommand.java
index b7712e214c7..104644374d1 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommand.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommand.java
@@ -26,6 +26,7 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.proc.TransProcDir;
+import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.nereids.analyzer.UnboundSlot;
import org.apache.doris.nereids.trees.expressions.EqualTo;
@@ -105,19 +106,18 @@ public class ShowTransactionCommand extends ShowCommand {
* validate
*/
public void validate(ConnectContext ctx) throws AnalysisException {
- // check auth
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
- PrivPredicate.ADMIN.getPrivs().toString());
- }
-
if (Strings.isNullOrEmpty(dbName)) {
dbName = ctx.getDatabase();
if (Strings.isNullOrEmpty(dbName)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
}
}
-
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), dbName);
+ }
if (expr == null) {
throw new AnalysisException("Missing transaction id");
}
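Review bot: The new database-level check in `validate` reads the session from `ConnectContext.get()` while `dbName` is resolved from the `ctx` parameter just above it, so the identity being authorised and the database name can come from different contexts if a caller ever passes a `ctx` that is not the thread-local one; calling `checkDbPriv(ctx, InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.LOAD)` keeps the two tied together. Because authorisation now hinges on a caller-supplied `dbName`, the transaction lookup that follows (outside this hunk) has to be restricted to that same database, otherwise LOAD on one database would be enough to read a transaction that belongs to another; that is worth confirming and recording above the check, e.g. `// LOAD on dbName suffices only because the lookup below is scoped to dbName`. The catalog is also fixed to the internal one, so a `dbName` inherited from a session whose current catalog is external would be checked under the wrong catalog; this is inferred, since the catalog handling is not visible here. `validate` continues past the end of the hunk.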
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommandTest.java
b/fe/fe-core/src/test/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommandTest.java
index afd971a596b..97cc4f0d3bb 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommandTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/nereids/trees/plans/commands/ShowTransactionCommandTest.java
@@ -61,7 +61,7 @@ public class ShowTransactionCommandTest {
minTimes = 0;
result = true;
- accessControllerManager.checkGlobalPriv(connectContext,
PrivPredicate.ADMIN);
+ accessControllerManager.checkDbPriv(connectContext, anyString,
anyString, PrivPredicate.LOAD);
minTimes = 0;
result = true;
}
diff --git a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
index 9e6303a2a92..c8355f534cf 100644
--- a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
+++ b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
@@ -28,8 +28,17 @@ suite("test_show_transaction_auth","p0,auth") {
sql "SHOW TRANSACTION WHERE ID=4005;"
} catch (Exception e) {
log.info(e.getMessage())
- assertTrue(e.getMessage().contains("Admin_priv"))
+ assertTrue(e.getMessage().contains("denied"))
}
}
+ sql """grant load_priv on regression_test.* to ${user}"""
+ connect(user, "${pwd}", context.config.jdbcUrl) {
+ try {
+ sql "SHOW TRANSACTION WHERE ID=4005;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertFalse(e.getMessage().contains("denied"))
+ }
+ }
try_sql("DROP USER ${user}")
}
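Review bot: The denied-path case in the first `connect` block passes vacuously when `SHOW TRANSACTION` succeeds, because the only assertion sits inside `catch`; with the expected text loosened from `Admin_priv` to `denied`, a regression that lets an unprivileged user through would go unnoticed. Add an explicit failure right after the `sql` call, for instance `assertTrue(false)`, which as an assertion error is not swallowed by `catch (Exception e)`. The new granted-path block has the mirror weakness: it only checks that an error message lacks `denied`, so any other failure is accepted as success. The grant also targets the hard-coded `regression_test.*` while the session database comes from `context.config.jdbcUrl`, so the two have to match for the case to exercise the new check (the suite's setup is outside this hunk).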