This is an automated email from the ASF dual-hosted git repository.
rong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new cca9cbc73b [IOTDB-2797][privilege] Fix root.** doesn't work (#5756)
cca9cbc73b is described below
commit cca9cbc73b7a89d767440f84e6c5f1f5abce67fc
Author: 刘威 <[email protected]>
AuthorDate: Wed May 4 14:52:46 2022 +0800
[IOTDB-2797][privilege] Fix root.** doesn't work (#5756)
---
.../Administration-Management/Administration.md | 2 +-
.../Administration-Management/Administration.md | 2 +-
.../iotdb/db/integration/IoTDBAuthorizationIT.java | 32 ++++++++++++++++++++--
.../iotdb/db/auth/authorizer/BasicAuthorizer.java | 14 ++++++++++
4 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/docs/UserGuide/Administration-Management/Administration.md
b/docs/UserGuide/Administration-Management/Administration.md
index 352e4776b2..292495e432 100644
--- a/docs/UserGuide/Administration-Management/Administration.md
+++ b/docs/UserGuide/Administration-Management/Administration.md
@@ -34,7 +34,7 @@ The user is the legal user of the database. A user
corresponds to a unique usern
### Privilege
-The database provides a variety of operations, and not all users can perform
all operations. If a user can perform an operation, the user is said to have
the privilege to perform the operation. privileges are divided into data
management privilege (such as adding, deleting and modifying data) and
authority management privilege (such as creation and deletion of users and
roles, granting and revoking of privileges, etc.). Data management privilege
often needs a path to limit its effective [...]
+The database provides a variety of operations, and not all users can perform
all operations. If a user can perform an operation, the user is said to have
the privilege to perform the operation. privileges are divided into data
management privilege (such as adding, deleting and modifying data) and
authority management privilege (such as creation and deletion of users and
roles, granting and revoking of privileges, etc.). Data management privilege
often needs a path to limit its effective [...]
### Role
diff --git a/docs/zh/UserGuide/Administration-Management/Administration.md
b/docs/zh/UserGuide/Administration-Management/Administration.md
index be6b3da2a2..4d1a244e69 100644
--- a/docs/zh/UserGuide/Administration-Management/Administration.md
+++ b/docs/zh/UserGuide/Administration-Management/Administration.md
@@ -33,7 +33,7 @@ IoTDB 为用户提供了权限管理操作,从而为用户提供对于数据
### 权限
-数据库提供多种操作,并不是所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。权限可分为数据管理权限(如对数据进行增删改查)以及权限管理权限(用户、角色的创建与删除,权限的赋予与撤销等)。数据管理权限往往需要一个路径来限定其生效范围,它的生效范围是以该路径对应的节点为根的一棵子树(具体请参考
IoTDB 的数据组织)。
+数据库提供多种操作,并不是所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。权限可分为数据管理权限(如对数据进行增删改查)以及权限管理权限(用户、角色的创建与删除,权限的赋予与撤销等)。数据管理权限往往需要一个路径来限定其生效范围,它的生效范围是以该路径对应的节点为根的一棵子树(具体请参考
IoTDB 的数据组织)。注意:在授予权限时不允许使用路径通配符。
### 角色
diff --git
a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
index 1d82f335e9..0be39d28d4 100644
---
a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
+++
b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
@@ -439,7 +439,7 @@ public class IoTDBAuthorizationIT {
}
assertTrue(caught);
- // grant on a illegal seriesPath
+ // grant on an illegal seriesPath
caught = false;
try {
adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES
on a.b");
@@ -447,6 +447,34 @@ public class IoTDBAuthorizationIT {
caught = true;
}
assertTrue(caught);
+ caught = false;
+ try {
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES
on root.*");
+ } catch (SQLException e) {
+ caught = true;
+ }
+ assertTrue(caught);
+ caught = false;
+ try {
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES
on root.**");
+ } catch (SQLException e) {
+ caught = true;
+ }
+ assertTrue(caught);
+ caught = false;
+ try {
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES
on root.*.a");
+ } catch (SQLException e) {
+ caught = true;
+ }
+ assertTrue(caught);
+ caught = false;
+ try {
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES
on root.**.a");
+ } catch (SQLException e) {
+ caught = true;
+ }
+ assertTrue(caught);
// grant admin
caught = false;
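Review bot: The four added cases pass on any SQLException, so they do not show that the grant was refused because of the wildcard rather than for an unrelated reason. Each catch block could also check the message, e.g. `assertTrue(e.getMessage().contains("path wildcard is not allowed"));`, assuming the server-side AuthException text reaches the client unchanged. Only GRANT USER is exercised, while the same commit adds the identical guard to grantPrivilegeToRole in BasicAuthorizer, so matching role-grant cases would cover the second code path. The enclosing test method starts and ends outside this hunk.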
@@ -485,7 +513,7 @@ public class IoTDBAuthorizationIT {
}
assertTrue(caught);
- // revoke on a illegal seriesPath
+ // revoke on an illegal seriesPath
caught = false;
try {
adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES
on a.b");
diff --git
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
index e856ec8d25..36a4c69b9a 100644
---
a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
+++
b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
@@ -130,6 +130,13 @@ public abstract class BasicAuthorizer implements
IAuthorizer, IService {
@Override
public void grantPrivilegeToUser(String username, String path, int
privilegeId)
throws AuthException {
+ if (path.endsWith(".*")
+ || path.endsWith(".**")
+ || path.contains(".*.")
+ || path.contains(".**.")) {
+ throw new AuthException(
+ "Invalid path, the path wildcard is not allowed in granting
privileges");
+ }
String newPath = path;
if (isAdmin(username)) {
throw new AuthException("Invalid operation, administrator already has
all privileges");
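Review bot: The wildcard guard added to grantPrivilegeToUser matches only four string shapes (`.*` or `.**` at the end, `.*.` or `.**.` in the middle), so a path carrying `*` in any other position is not rejected here; whether the path grammar admits such a form is not visible in this hunk and should be confirmed. Splitting the path into nodes and rejecting any node that is or contains a wildcard would bring the check in line with the documentation change in this commit, which states that wildcards are not allowed when granting. The same seven lines are repeated in grantPrivilegeToRole in the next hunk; one private helper, for example `private static void checkNoWildcard(String path) throws AuthException`, would keep the two in step. If a caller can pass a null path for a privilege that is not path-relevant, `path.endsWith` now runs before the `isPathRelevant` fallback visible in the role method and would raise NullPointerException instead of AuthException. Both method bodies continue outside their hunks.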
@@ -194,6 +201,13 @@ public abstract class BasicAuthorizer implements
IAuthorizer, IService {
@Override
public void grantPrivilegeToRole(String roleName, String path, int
privilegeId)
throws AuthException {
+ if (path.endsWith(".*")
+ || path.endsWith(".**")
+ || path.contains(".*.")
+ || path.contains(".**.")) {
+ throw new AuthException(
+ "Invalid path, the path wildcard is not allowed in granting
privileges");
+ }
String p = path;
if (!PrivilegeType.isPathRelevant(privilegeId)) {
p = IoTDBConstant.PATH_ROOT;