smith1000 commented on PR #61741: URL: https://github.com/apache/doris/pull/61741#issuecomment-4151934531
hi, @924060929 I've reworked the fix based on your feedback. The `privChecked` flag now stays on `StatementContext` to preserve view permission passthrough. Instead, `CheckPrivileges.visitLogicalCTEConsumer` explicitly traverses the CTE producer plan for privilege checking. **Local verification was done with Ranger 2.7.0 + Doris 4.0.2 (patched JAR):** Setup: A column-level Ranger policy grants `test_limited` user SELECT on `restricted_table(id, name)` only (no access to `salary`). A separate view-level policy grants `test_limited` SELECT on `restricted_view` (which includes `salary`). | # | Scenario | Expected | Result | |---|----------|----------|--------| | 1 | `SELECT id, name FROM restricted_table` | OK | PASS | | 2 | `SELECT id, name, salary FROM restricted_table` | Denied | PASS | | 3 | `SELECT * FROM restricted_table` | Denied | PASS | | 4 | `SELECT * FROM restricted_view` (view passthrough) | OK | PASS | | 5 | CTE + LEFT JOIN with `SELECT *` on restricted_table (original bug) | Denied | PASS | | 6 | CTE + LEFT JOIN with allowed columns only | OK | PASS | | 7 | CTE + LEFT JOIN explicitly referencing `salary` | Denied | PASS | | 8 | CTE referencing `restricted_view` + JOIN | OK | PASS | | 9 | Single-ref CTE with `SELECT *` (inlined by optimizer) | Denied | PASS | | 10 | Single-ref CTE with allowed columns | OK | PASS | | 11 | Nested CTEs + JOIN with allowed columns | OK | PASS | | 12 | Nested CTEs + JOIN with restricted column | Denied | PASS | All 12 scenarios passed. The fix correctly denies CTE+JOIN bypass while preserving view permission passthrough. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
