This is an automated email from the ASF dual-hosted git repository.
qiaojialin pushed a commit to branch rel/0.11
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/rel/0.11 by this push:
new 356fe4f [To rel/0.11][IOTDB-1308] Users with READ_TIMESERIES
permission cannot execute group by fill queries (#3017)
356fe4f is described below
commit 356fe4ffa30015ae4247ef4502c7a513f7588b60
Author: Steve Yurong Su <[email protected]>
AuthorDate: Thu Apr 15 19:57:13 2021 +0800
[To rel/0.11][IOTDB-1308] Users with READ_TIMESERIES permission cannot
execute group by fill queries (#3017)
---
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 50 ++---
.../main/java/org/apache/iotdb/db/qp/Planner.java | 2 -
.../org/apache/iotdb/db/qp/logical/Operator.java | 16 +-
.../apache/iotdb/db/auth/AuthorityCheckerTest.java | 217 +++++++++++++++++++++
4 files changed, 234 insertions(+), 51 deletions(-)
diff --git
a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 9695a87..487936f 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -18,24 +18,24 @@
*/
package org.apache.iotdb.db.auth;
-import java.util.List;
import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.metadata.PartialPath;
import org.apache.iotdb.db.qp.logical.Operator;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.util.List;
+
public class AuthorityChecker {
private static final String SUPER_USER = IoTDBConstant.ADMIN_NAME;
private static final Logger logger =
LoggerFactory.getLogger(AuthorityChecker.class);
- private AuthorityChecker() {
-
- }
+ private AuthorityChecker() {}
/**
* check permission.
@@ -47,21 +47,22 @@ public class AuthorityChecker {
* @return if permission-check is passed
* @throws AuthException Authentication Exception
*/
- public static boolean check(String username, List<PartialPath> paths,
Operator.OperatorType type,
- String targetUser)
+ public static boolean check(
+ String username, List<PartialPath> paths, Operator.OperatorType type,
String targetUser)
throws AuthException {
if (SUPER_USER.equals(username)) {
return true;
}
+
int permission = translateToPermissionId(type);
if (permission == -1) {
- logger.error("OperateType not found. {}", type);
return false;
- } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal() &&
username
- .equals(targetUser)) {
+ } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal()
+ && username.equals(targetUser)) {
// a user can modify his own password
return true;
}
+
if (!paths.isEmpty()) {
for (PartialPath path : paths) {
if (!checkOnePath(username, path, permission)) {
@@ -71,6 +72,7 @@ public class AuthorityChecker {
} else {
return checkOnePath(username, null, permission);
}
+
return true;
}
@@ -117,26 +119,20 @@ public class AuthorityChecker {
case CREATE_TIMESERIES:
return PrivilegeType.CREATE_TIMESERIES.ordinal();
case DELETE_TIMESERIES:
+ case DELETE:
return PrivilegeType.DELETE_TIMESERIES.ordinal();
case QUERY:
case SELECT:
case FILTER:
case GROUPBYTIME:
- case SEQTABLESCAN:
- case TABLESCAN:
- case INDEXQUERY:
- case MERGEQUERY:
case AGGREGATION:
case LAST:
+ case FILL:
+ case GROUP_BY_FILL:
return PrivilegeType.READ_TIMESERIES.ordinal();
- case DELETE:
- return PrivilegeType.DELETE_TIMESERIES.ordinal();
case INSERT:
case LOADDATA:
- case INDEX:
return PrivilegeType.INSERT_TIMESERIES.ordinal();
- case UPDATE:
- return PrivilegeType.UPDATE_TIMESERIES.ordinal();
case LIST_ROLE:
case LIST_ROLE_USERS:
case LIST_ROLE_PRIVILEGE:
@@ -145,25 +141,9 @@ public class AuthorityChecker {
case LIST_USER_ROLES:
case LIST_USER_PRIVILEGE:
return PrivilegeType.LIST_USER.ordinal();
- case AUTHOR:
- case METADATA:
- case BASIC_FUNC:
- case FILEREAD:
- case FROM:
- case FUNC:
- case HASHTABLESCAN:
- case JOIN:
- case LIMIT:
- case MERGEJOIN:
- case NULL:
- case ORDERBY:
- case SFW:
- case UNION:
- logger.error("Illegal operator type authorization : {}", type);
- return -1;
default:
+ logger.error("Unrecognizable operator type ({}) for
AuthorityChecker.", type);
return -1;
}
-
}
}
diff --git a/server/src/main/java/org/apache/iotdb/db/qp/Planner.java
b/server/src/main/java/org/apache/iotdb/db/qp/Planner.java
index bd99fd9..cb2ab65 100644
--- a/server/src/main/java/org/apache/iotdb/db/qp/Planner.java
+++ b/server/src/main/java/org/apache/iotdb/db/qp/Planner.java
@@ -157,8 +157,6 @@ public class Planner {
case ALTER_TIMESERIES:
case LOADDATA:
case INSERT:
- case INDEX:
- case INDEXQUERY:
case GRANT_WATERMARK_EMBEDDING:
case REVOKE_WATERMARK_EMBEDDING:
case TTL:
diff --git a/server/src/main/java/org/apache/iotdb/db/qp/logical/Operator.java
b/server/src/main/java/org/apache/iotdb/db/qp/logical/Operator.java
index 13b8b5b..c6486e6 100644
--- a/server/src/main/java/org/apache/iotdb/db/qp/logical/Operator.java
+++ b/server/src/main/java/org/apache/iotdb/db/qp/logical/Operator.java
@@ -32,7 +32,7 @@ public abstract class Operator {
protected OperatorType operatorType = OperatorType.NULL;
- public Operator(int tokenIntType) {
+ protected Operator(int tokenIntType) {
this.tokenIntType = tokenIntType;
this.tokenName = SQLConstant.tokenNames.get(tokenIntType);
this.isDebug = false;
@@ -74,35 +74,23 @@ public abstract class Operator {
/** If you want to add new OperatorType, you must add it in the last. */
public enum OperatorType {
SFW,
- JOIN,
- UNION,
FILTER,
GROUPBYTIME,
- ORDERBY,
- LIMIT,
SELECT,
- SEQTABLESCAN,
- HASHTABLESCAN,
- MERGEJOIN,
- FILEREAD,
NULL,
- TABLESCAN,
- UPDATE,
INSERT,
BATCHINSERT,
DELETE,
BASIC_FUNC,
IN,
QUERY,
- MERGEQUERY,
+ UPDATE,
AGGREGATION,
AUTHOR,
FROM,
FUNC,
LOADDATA,
METADATA,
- INDEX,
- INDEXQUERY,
FILL,
SET_STORAGE_GROUP,
CREATE_TIMESERIES,
diff --git
a/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
b/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
new file mode 100644
index 0000000..5f394f8
--- /dev/null
+++ b/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
@@ -0,0 +1,217 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iotdb.db.auth;
+
+import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
+import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
+import org.apache.iotdb.db.auth.entity.PrivilegeType;
+import org.apache.iotdb.db.auth.entity.User;
+import org.apache.iotdb.db.exception.metadata.IllegalPathException;
+import org.apache.iotdb.db.metadata.PartialPath;
+import org.apache.iotdb.db.qp.logical.Operator.OperatorType;
+import org.apache.iotdb.db.utils.EnvironmentUtils;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.ArrayList;
+import java.util.Collections;
+
+public class AuthorityCheckerTest {
+
+ IAuthorizer authorizer;
+ User user;
+ String nodeName = "root.laptop.d1";
+
+ @Before
+ public void setUp() throws Exception {
+ EnvironmentUtils.envSetUp();
+ authorizer = BasicAuthorizer.getInstance();
+ user = new User("user", "password");
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ EnvironmentUtils.cleanEnv();
+ }
+
+ @Test
+ public void testAuthorityChecker() throws AuthException,
IllegalPathException {
+ authorizer.createUser(user.getName(), user.getPassword());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.INSERT_TIMESERIES.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.CREATE_ROLE.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.CREATE_USER.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.READ_TIMESERIES.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.DELETE_TIMESERIES.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.REVOKE_USER_ROLE.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.GRANT_USER_ROLE.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.LIST_USER.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.LIST_ROLE.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName,
PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.UPDATE_TIMESERIES.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName,
PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName,
PrivilegeType.GRANT_USER_PRIVILEGE.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.MODIFY_PASSWORD.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName,
PrivilegeType.REVOKE_ROLE_PRIVILEGE.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.DELETE_ROLE.ordinal());
+ authorizer.grantPrivilegeToUser(user.getName(), nodeName,
PrivilegeType.DELETE_USER.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.SET_STORAGE_GROUP.ordinal());
+ authorizer.grantPrivilegeToUser(
+ user.getName(), nodeName, PrivilegeType.CREATE_TIMESERIES.ordinal());
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.INSERT,
+ user.getName()));
+
+ Assert.assertTrue(AuthorityChecker.check("root", null, null, null));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.CREATE_ROLE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.QUERY,
+ user.getName()));
+
+ // check empty list
+ Assert.assertFalse(
+ AuthorityChecker.check(
+ user.getName(), new ArrayList<>(), OperatorType.INSERT,
user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.MODIFY_PASSWORD,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.GRANT_USER_PRIVILEGE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.GRANT_ROLE_PRIVILEGE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.REVOKE_USER_PRIVILEGE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.REVOKE_ROLE_PRIVILEGE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.REVOKE_ROLE_PRIVILEGE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.GRANT_USER_ROLE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.DELETE_USER,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.DELETE_ROLE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.LIST_ROLE,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.LIST_USER,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.SET_STORAGE_GROUP,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.CREATE_TIMESERIES,
+ user.getName()));
+
+ Assert.assertTrue(
+ AuthorityChecker.check(
+ user.getName(),
+ Collections.singletonList(new PartialPath(nodeName)),
+ OperatorType.DELETE_TIMESERIES,
+ user.getName()));
+ }
+}
