rong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 0073a28 [ISSUE-4308] READ_TIMESERIES privilege granted to users and
roles can not take effect when quering by UDFs (#4322)
0073a28 is described below
commit 0073a28384cdb84e9469dbf98705ab158dd43a31
Author: Steve Yurong Su <[email protected]>
AuthorDate: Fri Nov 5 00:03:25 2021 +0800
[ISSUE-4308] READ_TIMESERIES privilege granted to users and roles can not
take effect when quering by UDFs (#4322)
---
.../apache/iotdb/db/qp/physical/PhysicalPlan.java | 5 ++++
.../apache/iotdb/db/qp/physical/crud/UDTFPlan.java | 13 +++++++----
.../iotdb/db/query/expression/ResultColumn.java | 13 +++++++----
.../org/apache/iotdb/db/service/TSServiceImpl.java | 2 +-
.../db/integration/auth/IoTDBAuthorizationIT.java | 27 ++++++++++++++++++++++
5 files changed, 51 insertions(+), 9 deletions(-)
diff --git
a/server/src/main/java/org/apache/iotdb/db/qp/physical/PhysicalPlan.java
b/server/src/main/java/org/apache/iotdb/db/qp/physical/PhysicalPlan.java
index 6a3ab45..adc8ee6 100644
--- a/server/src/main/java/org/apache/iotdb/db/qp/physical/PhysicalPlan.java
+++ b/server/src/main/java/org/apache/iotdb/db/qp/physical/PhysicalPlan.java
@@ -252,6 +252,11 @@ public abstract class PhysicalPlan {
}
}
+ /** Used to check whether a user has the permission to execute the plan with
these paths. */
+ public List<PartialPath> getAuthPaths() {
+ return getPaths();
+ }
+
public static class Factory {
private Factory() {
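Review bot: The Javadoc on `getAuthPaths()` does not state the contract an override has to meet, and the default silently falls back to `getPaths()`. Since this method now feeds the permission check, I would spell the contract out, e.g. `/** Returns every path this plan reads or writes; the permission check runs against exactly this list, so an override must never omit a path the plan touches. */`. Any other plan type whose `getPaths()` does not list every series it touches keeps the inherited default; whether such subclasses exist cannot be told from this hunk. The class body continues outside the hunk.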
diff --git
a/server/src/main/java/org/apache/iotdb/db/qp/physical/crud/UDTFPlan.java
b/server/src/main/java/org/apache/iotdb/db/qp/physical/crud/UDTFPlan.java
index 502d996..375e1b2 100644
--- a/server/src/main/java/org/apache/iotdb/db/qp/physical/crud/UDTFPlan.java
+++ b/server/src/main/java/org/apache/iotdb/db/qp/physical/crud/UDTFPlan.java
@@ -100,6 +100,15 @@ public class UDTFPlan extends RawDataQueryPlan implements
UDFPlan {
}
@Override
+ public List<PartialPath> getAuthPaths() {
+ Set<PartialPath> authPaths = new HashSet<>();
+ for (ResultColumn resultColumn : resultColumns) {
+ authPaths.addAll(resultColumn.collectPaths());
+ }
+ return new ArrayList<>(authPaths);
+ }
+
+ @Override
public void constructUdfExecutors(List<ResultColumn> resultColumns) {
for (ResultColumn resultColumn : resultColumns) {
resultColumn.getExpression().constructUdfExecutors(expressionName2Executor,
zoneId);
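Review bot: `UDTFPlan.getAuthPaths()` builds the authorization set from `resultColumns` only, and nothing explains why the inherited `getPaths()` is unsuitable for this plan type. If a UDTF query can reference series outside the select expressions (not visible in this hunk), those series would not be checked. A short comment would make the intended coverage explicit, e.g. `// Authorization must cover every series referenced in the select expressions, including UDF arguments.` The `resultColumns` field is also dereferenced without a guard; whether it can still be unset when the permission check runs is not visible here.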
@@ -128,8 +137,4 @@ public class UDTFPlan extends RawDataQueryPlan implements
UDFPlan {
public int getReaderIndex(String pathName) {
return pathNameToReaderIndex.get(pathName);
}
-
- public void setPathNameToReaderIndex(Map<String, Integer>
pathNameToReaderIndex) {
- this.pathNameToReaderIndex = pathNameToReaderIndex;
- }
}
diff --git
a/server/src/main/java/org/apache/iotdb/db/query/expression/ResultColumn.java
b/server/src/main/java/org/apache/iotdb/db/query/expression/ResultColumn.java
index b36a56c..6248fd1 100644
---
a/server/src/main/java/org/apache/iotdb/db/query/expression/ResultColumn.java
+++
b/server/src/main/java/org/apache/iotdb/db/query/expression/ResultColumn.java
@@ -73,6 +73,8 @@ public class ResultColumn {
private TSDataType dataType;
+ private List<PartialPath> allPathsInExpression;
+
public ResultColumn(Expression expression, String alias) {
this.expression = expression;
this.alias = alias;
@@ -118,10 +120,13 @@ public class ResultColumn {
}
}
- public Set<PartialPath> collectPaths() {
- Set<PartialPath> pathSet = new HashSet<>();
- expression.collectPaths(pathSet);
- return pathSet;
+ public List<PartialPath> collectPaths() {
+ if (allPathsInExpression == null) {
+ Set<PartialPath> pathSet = new HashSet<>();
+ expression.collectPaths(pathSet);
+ allPathsInExpression = new ArrayList<>(pathSet);
+ }
+ return allPathsInExpression;
}
public Expression getExpression() {
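Review bot: `collectPaths()` now returns the cached `allPathsInExpression` list itself, so a caller that mutates the result changes what every later caller sees, including `UDTFPlan.getAuthPaths()` and therefore the permission check. Making the cached list read-only when it is stored avoids that: `allPathsInExpression = Collections.unmodifiableList(new ArrayList<>(pathSet));` (this needs `java.util.Collections` in the file's imports). The cache is also never invalidated. If `expression` can be replaced or rewritten after the first call (not visible here), the check would run against a stale list rather than the paths actually read. The lazy initialisation is unsynchronised, which is only safe if a `ResultColumn` is confined to one thread.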
diff --git
a/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
b/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
index 6a8cc7e..0f1158d 100644
--- a/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
+++ b/server/src/main/java/org/apache/iotdb/db/service/TSServiceImpl.java
@@ -901,7 +901,7 @@ public class TSServiceImpl implements TSIService.Iface {
List<String> columnsTypes = new ArrayList<>();
// check permissions
- if (!checkAuthorization(physicalPlan.getPaths(), physicalPlan, username)) {
+ if (!checkAuthorization(physicalPlan.getAuthPaths(), physicalPlan,
username)) {
return RpcUtils.getTSExecuteStatementResp(
RpcUtils.getStatus(
TSStatusCode.NO_PERMISSION_ERROR,
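Review bot: Only this one `checkAuthorization` call is switched to `getAuthPaths()`. If other request handlers in `TSServiceImpl` still pass `physicalPlan.getPaths()` (they are outside this hunk), a UDF query arriving through them is authorised against a different path set than here. It is worth searching the class for remaining `checkAuthorization(physicalPlan.getPaths(), ...)` calls and switching them in the same commit. The enclosing method starts and ends outside the hunk.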
diff --git
a/server/src/test/java/org/apache/iotdb/db/integration/auth/IoTDBAuthorizationIT.java
b/server/src/test/java/org/apache/iotdb/db/integration/auth/IoTDBAuthorizationIT.java
index c45d4ce..2e3b807 100644
---
a/server/src/test/java/org/apache/iotdb/db/integration/auth/IoTDBAuthorizationIT.java
+++
b/server/src/test/java/org/apache/iotdb/db/integration/auth/IoTDBAuthorizationIT.java
@@ -1148,4 +1148,31 @@ public class IoTDBAuthorizationIT {
assertTrue(expectedList.containsAll(result));
}
}
+
+ /** ISSUE-4308 */
+ @Test
+ public void testSelectUDTF() throws ClassNotFoundException, SQLException {
+ Class.forName(Config.JDBC_DRIVER_NAME);
+ try (Connection adminConnection =
+ DriverManager.getConnection(
+ Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
+ Statement adminStatement = adminConnection.createStatement()) {
+ adminStatement.execute("CREATE USER a_application 'a_application'");
+ adminStatement.execute("CREATE ROLE application_role");
+ adminStatement.execute("GRANT ROLE application_role PRIVILEGES
READ_TIMESERIES ON root.test");
+ adminStatement.execute("GRANT application_role TO a_application");
+
+ adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3)
VALUES(1, 2, 3, 4)");
+ }
+
+ try (Connection userConnection =
+ DriverManager.getConnection(
+ Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "a_application",
"a_application");
+ Statement userStatement = userConnection.createStatement();
+ ResultSet resultSet =
+ userStatement.executeQuery(
+ "SELECT s1, s1, s1 - s3, s2 * sin(s1), s1 + 1 / 2 * sin(s1),
sin(s1), sin(s1) FROM root.test")) {
+ assertTrue(resultSet.next());
+ }
+ }
}
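Review bot: `testSelectUDTF` covers only the positive case, that a user with READ_TIMESERIES on `root.test` can run the UDF query. For a change to the authorization path there should also be a test that a user without the privilege is still rejected for the same kind of query, so a future change to `getAuthPaths()` cannot quietly return too few paths. The sketch below assumes the JDBC driver reports a permission failure as an `SQLException`; adjust it if this suite detects denial differently.

```java
  /** ISSUE-4308: a user without READ_TIMESERIES must still be rejected for UDF queries. */
  @Test
  public void testSelectUDTFWithoutPrivilege() throws ClassNotFoundException, SQLException {
    Class.forName(Config.JDBC_DRIVER_NAME);
    try (Connection adminConnection =
            DriverManager.getConnection(
                Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
        Statement adminStatement = adminConnection.createStatement()) {
      // No GRANT on purpose: this user holds no privilege on root.test.
      adminStatement.execute("CREATE USER b_application 'b_application'");
      adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3) VALUES(1, 2, 3, 4)");
    }

    try (Connection userConnection =
            DriverManager.getConnection(
                Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "b_application", "b_application");
        Statement userStatement = userConnection.createStatement()) {
      boolean denied = false;
      try {
        userStatement.executeQuery("SELECT s1 - s3, sin(s1) FROM root.test");
      } catch (SQLException e) {
        denied = true;
      }
      assertTrue(denied);
    }
  }
```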