morningman pushed a commit to branch branch-1.2-lts
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-1.2-lts by this push:
new 79f5a3a280 [branch-1.2](fix)(auth) fix catalog auth check bug and auth
upgrade bug
79f5a3a280 is described below
commit 79f5a3a280daa681fc14a14603ab6d787fe9675a
Author: morningman <[email protected]>
AuthorDate: Fri Feb 10 12:48:13 2023 +0800
[branch-1.2](fix)(auth) fix catalog auth check bug and auth upgrade bug
cherry-pick #16595 and part of #16091
---
.../org/apache/doris/mysql/privilege/PaloAuth.java | 2 +-
.../apache/doris/mysql/privilege/UserPrivTable.java | 21 +++++++++------------
2 files changed, 10 insertions(+), 13 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
index 4729c4552a..4db3fc8251 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
@@ -488,7 +488,7 @@ public class PaloAuth implements Writable {
public boolean checkTblPriv(ConnectContext ctx, TableName tableName,
PrivPredicate wanted) {
Preconditions.checkState(tableName.isFullyQualified());
- return checkTblPriv(ctx, tableName.getDb(), tableName.getTbl(),
wanted);
+ return checkTblPriv(ctx, tableName.getCtl(), tableName.getDb(),
tableName.getTbl(), wanted);
}
public boolean checkTblPriv(UserIdentity currentUser, String ctl, String
db, String tbl, PrivPredicate wanted) {
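Review bot: The `checkTblPriv(ctx, db, tbl, wanted)` overload that the old line called takes no catalog, and nothing in this hunk stops another caller from making the same mistake and checking a table privilege against the wrong catalog. If that overload still exists on this branch, consider marking it `@Deprecated`, or give it a Javadoc line stating which catalog it evaluates against (that cannot be told from this hunk). It is also not visible whether `tableName.isFullyQualified()` covers the catalog part; if it only validates db and table, adding `Preconditions.checkNotNull(tableName.getCtl());` before the return would keep a missing catalog from reaching the privilege lookup. A regression test would help here: a user granted on the internal catalog's `db.tbl` should be denied on a same-named table in another catalog.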
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
index 35736b29fe..d3345aba8a 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
@@ -205,21 +205,18 @@ public class UserPrivTable extends PrivTable {
&& !globalPrivEntry.match(UserIdentity.ADMIN, true)
&& !globalPrivEntry.privSet.isEmpty()) {
try {
- // USAGE_PRIV is no need to degrade.
- PrivBitSet removeUsagePriv =
globalPrivEntry.privSet.copy();
- removeUsagePriv.unset(PaloPrivilege.USAGE_PRIV.getIdx());
- removeUsagePriv.unset(PaloPrivilege.NODE_PRIV.getIdx());
+ // USAGE_PRIV, NODE_PRIV and ADMIN_PRIV are no need to
degrade.
+ PrivBitSet privsAfterRemoved =
globalPrivEntry.privSet.copy();
+ privsAfterRemoved.unset(PaloPrivilege.USAGE_PRIV.getIdx());
+ privsAfterRemoved.unset(PaloPrivilege.NODE_PRIV.getIdx());
+ privsAfterRemoved.unset(PaloPrivilege.ADMIN_PRIV.getIdx());
CatalogPrivEntry entry =
CatalogPrivEntry.create(globalPrivEntry.origUser, globalPrivEntry.origHost,
- InternalCatalog.INTERNAL_CATALOG_NAME,
globalPrivEntry.isDomain, removeUsagePriv);
+ InternalCatalog.INTERNAL_CATALOG_NAME,
globalPrivEntry.isDomain, privsAfterRemoved);
entry.setSetByDomainResolver(false);
catalogPrivTable.addEntry(entry, false, false);
- if (globalPrivEntry.privSet.containsResourcePriv()) {
- // Should only keep the USAGE_PRIV in userPrivTable,
and remove other privs and entries.
-
globalPrivEntry.privSet.and(PrivBitSet.of(PaloPrivilege.USAGE_PRIV));
- } else {
- // Remove all other privs
- globalPrivEntry.privSet.clean();
- }
+ // in global entry, only keey USAGE_PRIV, NODE_PRIV and
ADMIN_PRIV, if they exist before.
+
globalPrivEntry.privSet.and(PrivBitSet.of(PaloPrivilege.USAGE_PRIV,
PaloPrivilege.NODE_PRIV,
+ PaloPrivilege.ADMIN_PRIV));
} catch (Exception e) {
throw new IOException(e.getMessage());
}
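Review bot: The catalog entry is created and added even when `privsAfterRemoved` is empty, because the enclosing guard tests `globalPrivEntry.privSet.isEmpty()` rather than the degraded set; with this change that is the case for any global entry holding only USAGE_PRIV, NODE_PRIV or ADMIN_PRIV. Wrapping the `CatalogPrivEntry.create(...)` / `addEntry` lines in `if (!privsAfterRemoved.isEmpty()) { ... }` would avoid writing empty privilege rows into `catalogPrivTable`. Since the global entry now stays non-empty after the migration, the same guard would also let the block run again on a later load unless the version check, which is outside this hunk, prevents it. In the context lines, `throw new IOException(e.getMessage());` drops the cause, and `throw new IOException(e);` would keep the stack trace for a failed auth upgrade. The new comment also has a typo, "keey" for "keep".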