morrysnow pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.1 by this push:
new 945bdc28b52 branch-3.1: [enhance](auth)The permission requirement for
Show transaction changed from admin_priv to db's load_priv. #52358 (#53997)
945bdc28b52 is described below
commit 945bdc28b5274d39ad9d0ac63b7c8608213aafe6
Author: zhangdong <[email protected]>
AuthorDate: Tue Jul 29 15:10:36 2025 +0800
branch-3.1: [enhance](auth)The permission requirement for Show transaction
changed from admin_priv to db's load_priv. #52358 (#53997)
pick: #52358
---
.../org/apache/doris/analysis/ShowTransactionStmt.java | 14 +++++++-------
.../suites/auth_p0/test_show_transaction_auth.groovy | 11 ++++++++++-
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
index cd7d2ca5b01..35340abfdef 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
@@ -26,6 +26,7 @@ import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.proc.TransProcDir;
+import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
@@ -76,19 +77,18 @@ public class ShowTransactionStmt extends ShowStmt
implements NotFallbackInParser
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- // check auth
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
- PrivPredicate.ADMIN.getPrivs().toString());
- }
-
if (Strings.isNullOrEmpty(dbName)) {
dbName = analyzer.getDefaultDb();
if (Strings.isNullOrEmpty(dbName)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
}
}
-
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), dbName);
+ }
if (whereClause == null) {
throw new AnalysisException("Missing transaction id");
}
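Review bot: The new check in analyze() lets anyone holding LOAD on `dbName` run SHOW TRANSACTION, but nothing visible in this hunk ties the transaction selected by the WHERE clause to that database. If the executor resolves the transaction without restricting the lookup to `dbName`, a user with load_priv on one database could name that database and read another database's transaction record; this needs confirming in the execution path, which is outside the hunk. I would record the assumption next to the check, e.g. `// LOAD on dbName suffices only because the lookup is limited to transactions of dbName`. The check also always passes `InternalCatalog.INTERNAL_CATALOG_NAME`, while `analyzer.getDefaultDb()` may presumably come from a session on another catalog, so a short comment stating why the internal catalog is the right scope would help. analyze() continues past the end of the hunk.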
diff --git a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
index 9e6303a2a92..c8355f534cf 100644
--- a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
+++ b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
@@ -28,8 +28,17 @@ suite("test_show_transaction_auth","p0,auth") {
sql "SHOW TRANSACTION WHERE ID=4005;"
} catch (Exception e) {
log.info(e.getMessage())
- assertTrue(e.getMessage().contains("Admin_priv"))
+ assertTrue(e.getMessage().contains("denied"))
}
}
+ sql """grant load_priv on regression_test.* to ${user}"""
+ connect(user, "${pwd}", context.config.jdbcUrl) {
+ try {
+ sql "SHOW TRANSACTION WHERE ID=4005;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertFalse(e.getMessage().contains("denied"))
+ }
+ }
try_sql("DROP USER ${user}")
}
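Review bot: The denial assertion `assertTrue(e.getMessage().contains("denied"))` only runs inside the `catch`, so if SHOW TRANSACTION succeeds for the unprivileged user the test still passes and a missing privilege check would go unnoticed. Record the outcome and assert it after the try, e.g. set `denied = true` in the catch and follow the try with `assertTrue(denied)`. Matching on "denied" is also looser than the old "Admin_priv" match; additionally checking that the message names the database would pin the new db-level error. The block added after the grant likewise passes on any exception that does not contain "denied", and the first connect block starts outside the hunk.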