morningman pushed a commit to branch tmp_tpc_preview4-mysk
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/tmp_tpc_preview4-mysk by this
push:
new 9afce201a34 [fix](priv) skip catalog priv check if using customized
access controller (#60929)
9afce201a34 is described below
commit 9afce201a3459c26f18d51c36dfc0d305f98d7e9
Author: seawinde <[email protected]>
AuthorDate: Mon Mar 2 11:44:18 2026 +0800
[fix](priv) skip catalog priv check if using customized access controller
(#60929)
Cherry-pick from enterprise-core commit
20746197c17b49e7647d8a91a5c2ab4d573158d5
Co-authored-by: Mingyu Chen (Rayner) <[email protected]>
---
.../main/java/org/apache/doris/common/Config.java | 3 +++
.../mysql/privilege/AccessControllerManager.java | 28 +++++++++++++++++++---
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index bfe191cf069..f4372bf1390 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -3757,4 +3757,7 @@ public class Config extends ConfigBase {
"agent tasks health check interval, default is five minutes, no
health check when less than or equal to 0"
})
public static long agent_task_health_check_intervals_ms = 5 * 60 * 1000L;
// 5 min
+ @ConfField(description = {"是否跳过 catalog 层级的鉴权",
+ "Whether to skip catalog level privilege check"})
+ public static boolean skip_catalog_priv_check = false;
}
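Review bot: The description on `skip_catalog_priv_check` reads as if the flag turns off catalog-level authorization everywhere, while the only use visible in this commit (checkCtlPriv in AccessControllerManager) skips the check solely for external catalogs that set an access controller class. An operator reading the config documentation cannot tell how far the flag reaches, so the text should state the scope, e.g. `"Whether to skip the catalog-level privilege check for external catalogs that configure a customized access controller"`, with the Chinese string updated to match. A short comment above the field noting that the default `false` keeps the internal catalog check in force would also help.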
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
index 973513ea4c3..28fbe9b843a 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
@@ -25,6 +25,7 @@ import org.apache.doris.common.Config;
import org.apache.doris.common.UserException;
import org.apache.doris.common.util.ClassLoaderUtils;
import org.apache.doris.datasource.CatalogIf;
+import org.apache.doris.datasource.CatalogMgr;
import org.apache.doris.datasource.ExternalCatalog;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.info.TableNameInfo;
@@ -32,6 +33,7 @@ import org.apache.doris.plugin.PropertiesUtils;
import org.apache.doris.qe.ConnectContext;
import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
import com.google.common.collect.Maps;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
@@ -196,9 +198,29 @@ public class AccessControllerManager {
public boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
boolean hasGlobal = checkGlobalPriv(currentUser, wanted);
- // for checking catalog priv, always use InternalAccessController.
- // because catalog priv is only saved in InternalAccessController.
- return defaultAccessController.checkCtlPriv(hasGlobal, currentUser,
ctl, wanted);
+ if (!Config.skip_catalog_priv_check) {
+ // for checking catalog priv, always use InternalAccessController.
+ // because catalog priv is only saved in InternalAccessController.
+ return defaultAccessController.checkCtlPriv(hasGlobal,
currentUser, ctl, wanted);
+ } else {
+ CatalogIf catalog =
Env.getCurrentEnv().getCatalogMgr().getCatalog(ctl);
+ if (catalog == null) {
+ return false;
+ }
+ if (catalog.isInternalCatalog()) {
+ return defaultAccessController.checkCtlPriv(hasGlobal,
currentUser, ctl, wanted);
+ }
+ // If catalog not set access controller, use internal access
controller
+ // otherwise, skip catalog priv check
+ String className = (String)
catalog.getProperties().getOrDefault(CatalogMgr.ACCESS_CONTROLLER_CLASS_PROP,
+ "");
+ if (Strings.isNullOrEmpty(className)) {
+ // not set access controller, use internal access controller
+ return defaultAccessController.checkCtlPriv(hasGlobal,
currentUser, ctl, wanted);
+ } else {
+ return true;
+ }
+ }
}
// ==== Database ====
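Review bot: In the new `else` branch of checkCtlPriv, the final `return true` grants whatever `wanted` asks for to any user as soon as the catalog's `CatalogMgr.ACCESS_CONTROLLER_CLASS_PROP` property is a non-empty string; neither `wanted`, `hasGlobal` nor the customized controller itself is consulted. If callers route administrative predicates on the catalog through this method (not visible in the hunk), enabling the flag would open those too, and a property naming a class that failed to load would presumably still yield `true`. Consider basing the decision on the controller actually registered for `ctl` and falling back to `defaultAccessController.checkCtlPriv(hasGlobal, currentUser, ctl, wanted)` when none is registered, rather than keying on the raw property string. At minimum, document the bypass at the `return true` with a comment such as `// customized controller configured: catalog-level check is skipped entirely; db/table checks must be enforced by that controller`.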