This is an automated email from the ASF dual-hosted git repository.
qiaojialin pushed a commit to branch rel/0.13
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/rel/0.13 by this push:
new d2b92c94b8 [IOTDB-2782] When users are not granted READ_TIMESERIES or
INSERT_TIMESERIES, the verification prompt needs to be unified (#7163)
d2b92c94b8 is described below
commit d2b92c94b8953a3fb04e3e7f1a5237510fdd86a2
Author: 任宇华 <[email protected]>
AuthorDate: Tue Aug 30 14:16:15 2022 +0800
[IOTDB-2782] When users are not granted READ_TIMESERIES or
INSERT_TIMESERIES, the verification prompt needs to be unified (#7163)
---
.../apache/iotdb/cluster/utils/StatusUtils.java | 2 +-
.../iotdb/cluster/integration/SingleNodeTest.java | 15 ++++++++--
docs/UserGuide/API/Status-Codes.md | 2 +-
.../Administration-Management/Administration.md | 4 +--
.../Administration-Management/Administration.md | 4 +--
.../iotdb/db/integration/IoTDBAuthorizationIT.java | 25 +++++++++++++---
.../apache/iotdb/session/template/TemplateUT.java | 35 ++++++++++++++++++----
jdbc/README.md | 2 +-
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 2 +-
.../iotdb/db/service/basic/ServiceProvider.java | 5 +++-
.../db/service/thrift/impl/TSServiceImpl.java | 5 +++-
11 files changed, 80 insertions(+), 21 deletions(-)
diff --git
a/cluster/src/main/java/org/apache/iotdb/cluster/utils/StatusUtils.java
b/cluster/src/main/java/org/apache/iotdb/cluster/utils/StatusUtils.java
index 93a90d630a..390c541be6 100644
--- a/cluster/src/main/java/org/apache/iotdb/cluster/utils/StatusUtils.java
+++ b/cluster/src/main/java/org/apache/iotdb/cluster/utils/StatusUtils.java
@@ -187,7 +187,7 @@ public class StatusUtils {
status.setMessage("Has not logged in. ");
break;
case NO_PERMISSION_ERROR:
- status.setMessage("No permissions for this operation. ");
+ status.setMessage("No permissions for this operation, please add
privilege. ");
break;
case UNINITIALIZED_AUTH_ERROR:
status.setMessage("Uninitialized authorizer. ");
diff --git
a/cluster/src/test/java/org/apache/iotdb/cluster/integration/SingleNodeTest.java
b/cluster/src/test/java/org/apache/iotdb/cluster/integration/SingleNodeTest.java
index 3a72b5d77b..ba87ab6c40 100644
---
a/cluster/src/test/java/org/apache/iotdb/cluster/integration/SingleNodeTest.java
+++
b/cluster/src/test/java/org/apache/iotdb/cluster/integration/SingleNodeTest.java
@@ -19,7 +19,10 @@
package org.apache.iotdb.cluster.integration;
+import org.apache.iotdb.db.auth.AuthorityChecker;
+import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConstant;
+import org.apache.iotdb.db.qp.logical.Operator;
import org.apache.iotdb.jdbc.Config;
import org.apache.iotdb.rpc.IoTDBConnectionException;
import org.apache.iotdb.rpc.StatementExecutionException;
@@ -115,9 +118,17 @@ public class SingleNodeTest extends BaseSingleNodeTest {
} catch (Exception e) {
assertEquals(
System.lineSeparator()
- + "No permissions for this operation CREATE_TIMESERIES for
SQL: \"create timeseries root.sg1.d1.s1 with datatype=int32\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.CREATE_TIMESERIES)]
+ + " for SQL: \"create timeseries root.sg1.d1.s1 with
datatype=int32\""
+ System.lineSeparator()
- + "No permissions for this operation CREATE_TIMESERIES for
SQL: \"create timeseries root.sg2.d1.s1 with datatype=int32\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.CREATE_TIMESERIES)]
+ + " for SQL: \"create timeseries root.sg2.d1.s1 with
datatype=int32\""
+ System.lineSeparator(),
e.getMessage());
}
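Review bot: The expected string in this assertion is built with the same `PrivilegeType.values()[AuthorityChecker.translateToPermissionId(...)]` expression the server uses to build the message, so the test cannot detect a wrong operator-to-privilege mapping or a lookup in the wrong enum. Writing the expected privilege out directly, presumably `+ PrivilegeType.CREATE_TIMESERIES` (confirm the constant name), would pin the text a denied user actually sees. The same pattern appears in the IoTDBAuthorizationIT and TemplateUT hunks of this commit. The try block this catch belongs to starts outside the hunk.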
diff --git a/docs/UserGuide/API/Status-Codes.md
b/docs/UserGuide/API/Status-Codes.md
index 16ef2a3089..f3bdeb6ff8 100644
--- a/docs/UserGuide/API/Status-Codes.md
+++ b/docs/UserGuide/API/Status-Codes.md
@@ -91,7 +91,7 @@ Here is a list of Status Code and related message:
|506|MULTIPLE_ERROR|Meet error when executing multiple statements|
|600|WRONG_LOGIN_PASSWORD_ERROR|Username or password is wrong|
|601|NOT_LOGIN_ERROR|Has not logged in|
-|602|NO_PERMISSION_ERROR|No permissions for this operation|
+|602|NO_PERMISSION_ERROR|No permissions for this operation, please add
privilege|
|603|UNINITIALIZED_AUTH_ERROR|Uninitialized authorizer|
|700|PARTITION_NOT_READY|Partition table not ready|
|701|TIME_OUT|Operation timeout|
diff --git a/docs/UserGuide/Administration-Management/Administration.md
b/docs/UserGuide/Administration-Management/Administration.md
index 266a15a580..b33ec97ff4 100644
--- a/docs/UserGuide/Administration-Management/Administration.md
+++ b/docs/UserGuide/Administration-Management/Administration.md
@@ -99,7 +99,7 @@ INSERT INTO root.ln.wf01.wt01(timestamp,status)
values(1509465600000,true)
The SQL statement will not be executed and the corresponding error prompt is
given as follows:
```
-Msg: 602: No permissions for this operation INSERT
+Msg: 602: No permissions for this operation, please add privilege
READ_TIMESERIES.
```
Now, we grant the two users write privileges to the corresponding storage
groups, and try to write data again.
@@ -140,7 +140,7 @@ Msg: The statement is executed successfully.
REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
Msg: The statement is executed successfully.
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
-Msg: 602: No permissions for this operation INSERT
+Msg: 602: No permissions for this operation, please add privilege
READ_TIMESERIES.
```
### SQL Statements
diff --git a/docs/zh/UserGuide/Administration-Management/Administration.md
b/docs/zh/UserGuide/Administration-Management/Administration.md
index 2be651c090..9e387bf987 100644
--- a/docs/zh/UserGuide/Administration-Management/Administration.md
+++ b/docs/zh/UserGuide/Administration-Management/Administration.md
@@ -105,7 +105,7 @@ INSERT INTO root.ln.wf01.wt01(timestamp,status)
values(1509465600000,true)
```
IoTDB> INSERT INTO root.ln.wf01.wt01(timestamp,status)
values(1509465600000,true)
INSERT INTO root.ln.wf01.wt01(timestamp,status) values(1509465600000,true)
-Msg: 602: No permissions for this operation INSERT
+Msg: 602: No permissions for this operation, please add privilege
READ_TIMESERIES.
```
现在,我们分别赋予他们向对应存储组数据的写入权限,并再次尝试向对应的存储组进行数据写入。
@@ -145,7 +145,7 @@ Msg: The statement is executed successfully.
REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
Msg: The statement is executed successfully.
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
-Msg: 602: No permissions for this operation INSERT
+Msg: 602: No permissions for this operation, please add privilege
READ_TIMESERIES.
```
### SQL 语句
diff --git
a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
index 2e0b2fe6ea..bb5e906656 100644
---
a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
+++
b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
@@ -18,6 +18,9 @@
*/
package org.apache.iotdb.db.integration;
+import org.apache.iotdb.db.auth.AuthorityChecker;
+import org.apache.iotdb.db.auth.entity.PrivilegeType;
+import org.apache.iotdb.db.qp.logical.Operator;
import org.apache.iotdb.db.utils.EnvironmentUtils;
import org.apache.iotdb.itbase.category.LocalStandaloneTest;
import org.apache.iotdb.jdbc.Config;
@@ -1027,9 +1030,17 @@ public class IoTDBAuthorizationIT {
} catch (BatchUpdateException e) {
assertEquals(
System.lineSeparator()
- + "No permissions for this operation CREATE_TIMESERIES for
SQL: \"CREATE TIMESERIES root.sg1.d1.s1 WITH DATATYPE=INT64\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.CREATE_TIMESERIES)]
+ + " for SQL: \"CREATE TIMESERIES root.sg1.d1.s1 WITH
DATATYPE=INT64\""
+ System.lineSeparator()
- + "No permissions for this operation CREATE_TIMESERIES for
SQL: \"CREATE TIMESERIES root.sg2.d1.s1 WITH DATATYPE=INT64\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.CREATE_TIMESERIES)]
+ + " for SQL: \"CREATE TIMESERIES root.sg2.d1.s1 WITH
DATATYPE=INT64\""
+ System.lineSeparator(),
e.getMessage());
}
@@ -1061,9 +1072,15 @@ public class IoTDBAuthorizationIT {
System.out.println(e.getMessage());
assertEquals(
System.lineSeparator()
- + "No permissions for this operation INSERT for SQL:
\"insert into root.sg2.d1(timestamp,s1) values (2,1)\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(Operator.OperatorType.INSERT)]
+ + " for SQL: \"insert into root.sg2.d1(timestamp,s1) values
(2,1)\""
+ System.lineSeparator()
- + "No permissions for this operation INSERT for SQL:
\"insert into root.sg2.d1(timestamp,s1) values (4,1)\""
+ + "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(Operator.OperatorType.INSERT)]
+ + " for SQL: \"insert into root.sg2.d1(timestamp,s1) values
(4,1)\""
+ System.lineSeparator(),
e.getMessage());
}
diff --git
a/integration/src/test/java/org/apache/iotdb/session/template/TemplateUT.java
b/integration/src/test/java/org/apache/iotdb/session/template/TemplateUT.java
index 516c409a06..06b3593824 100644
---
a/integration/src/test/java/org/apache/iotdb/session/template/TemplateUT.java
+++
b/integration/src/test/java/org/apache/iotdb/session/template/TemplateUT.java
@@ -18,8 +18,11 @@
*/
package org.apache.iotdb.session.template;
+import org.apache.iotdb.db.auth.AuthorityChecker;
+import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.exception.metadata.MetadataException;
+import org.apache.iotdb.db.qp.logical.Operator;
import org.apache.iotdb.db.qp.physical.sys.CreateTemplatePlan;
import org.apache.iotdb.db.utils.EnvironmentUtils;
import org.apache.iotdb.rpc.BatchExecutionException;
@@ -501,7 +504,11 @@ public class TemplateUT {
try {
nSession.createSchemaTemplate(getTemplate("t1"));
} catch (Exception e) {
- assertEquals("602: No permissions for this operation CREATE_TEMPLATE",
e.getMessage());
+ assertEquals(
+ "602: No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(Operator.OperatorType.CREATE_TEMPLATE)],
+ e.getMessage());
}
session.executeNonQueryStatement(
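Review bot: The try block around `nSession.createSchemaTemplate(getTemplate("t1"))` has no failure statement after the call, so the test passes silently if the unprivileged session is allowed to create the template. Adding JUnit's `fail("expected a 602 denial for a user without the template privilege");` as the last statement of the try body would make a missing denial visible; it throws an AssertionError, which `catch (Exception e)` does not intercept. The `setSchemaTemplate` and `deactivateTemplateOn` try blocks in the later TemplateUT hunks have the same shape wherever a denial is expected.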
@@ -515,14 +522,22 @@ public class TemplateUT {
try {
nSession.setSchemaTemplate("t1", "root.sg2.d1");
} catch (Exception e) {
- assertEquals("602: No permissions for this operation SET_TEMPLATE",
e.getMessage());
+ assertEquals(
+ "602: No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(Operator.OperatorType.SET_TEMPLATE)],
+ e.getMessage());
}
session.executeNonQueryStatement("grant user tpl_user privileges
APPLY_TEMPLATE on root.sg1");
try {
nSession.setSchemaTemplate("t1", "root.sg2.d1");
} catch (Exception e) {
- assertEquals("602: No permissions for this operation SET_TEMPLATE",
e.getMessage());
+ assertEquals(
+ "602: No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(Operator.OperatorType.SET_TEMPLATE)],
+ e.getMessage());
}
session.executeNonQueryStatement("grant user tpl_user privileges
APPLY_TEMPLATE on root.sg2");
@@ -534,7 +549,12 @@ public class TemplateUT {
try {
nSession.deactivateTemplateOn("t1", "root.sg1.d1.*");
} catch (Exception e) {
- assertEquals("602: No permissions for this operation
DEACTIVATE_TEMPLATE", e.getMessage());
+ assertEquals(
+ "602: No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.DEACTIVATE_TEMPLATE)],
+ e.getMessage());
}
session.close();
@@ -555,7 +575,12 @@ public class TemplateUT {
try {
nSession.deactivateTemplateOn("t1", "root.sg1.d1.*");
} catch (Exception e) {
- assertEquals("602: No permissions for this operation
DEACTIVATE_TEMPLATE", e.getMessage());
+ assertEquals(
+ "602: No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+ AuthorityChecker.translateToPermissionId(
+ Operator.OperatorType.DEACTIVATE_TEMPLATE)],
+ e.getMessage());
}
session.executeNonQueryStatement(
diff --git a/jdbc/README.md b/jdbc/README.md
index bb47d380cc..f0c899e7a7 100644
--- a/jdbc/README.md
+++ b/jdbc/README.md
@@ -245,7 +245,7 @@ Here is a list of Status Code and related message:
|500|INTERNAL_SERVER_ERROR|Internal server error|
|600|WRONG_LOGIN_PASSWORD_ERROR|Username or password is wrong|
|601|NOT_LOGIN_ERROR|Has not logged in|
-|602|NO_PERMISSION_ERROR|No permissions for this operation|
+|602|NO_PERMISSION_ERROR|No permissions for this operation, please add
privilege|
|603|UNINITIALIZED_AUTH_ERROR|Uninitialized authorizer|
##How to try IoTDB JDBC using Karaf
diff --git
a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 4fcfae23cd..143507fbcc 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -93,7 +93,7 @@ public class AuthorityChecker {
return false;
}
- private static int translateToPermissionId(Operator.OperatorType type) {
+ public static int translateToPermissionId(Operator.OperatorType type) {
switch (type) {
case GRANT_ROLE_PRIVILEGE:
return PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal();
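Review bot: `translateToPermissionId` becomes public here without a Javadoc, and it returns a raw `ordinal()` that every new caller in this commit feeds back into `values()[...]`. The comment should say that the result is an index into `PrivilegeType.values()` and what is returned for an operator type with no mapped privilege; the rest of the switch is outside the hunk, so that case cannot be checked from here. A small public wrapper that returns the `PrivilegeType` itself would keep the ordinal private to this class. It would also remove the chance of indexing a different enum, as the TSServiceImpl hunk does with `OperatorType.values()`.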
diff --git
a/server/src/main/java/org/apache/iotdb/db/service/basic/ServiceProvider.java
b/server/src/main/java/org/apache/iotdb/db/service/basic/ServiceProvider.java
index b3e20c32f9..0806dec7a7 100644
---
a/server/src/main/java/org/apache/iotdb/db/service/basic/ServiceProvider.java
+++
b/server/src/main/java/org/apache/iotdb/db/service/basic/ServiceProvider.java
@@ -23,6 +23,7 @@ import org.apache.iotdb.db.auth.AuthException;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
+import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConfig;
import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.conf.IoTDBDescriptor;
@@ -147,7 +148,9 @@ public abstract class ServiceProvider {
if (!checkAuthorization(plan, SESSION_MANAGER.getUsername(sessionId))) {
return RpcUtils.getStatus(
TSStatusCode.NO_PERMISSION_ERROR,
- "No permissions for this operation " + plan.getOperatorType());
+ "No permissions for this operation, please add privilege "
+ + PrivilegeType.values()[
+
AuthorityChecker.translateToPermissionId(plan.getOperatorType())]);
}
} catch (AuthException e) {
LOGGER.warn("meet error while checking authorization.", e);
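Review bot: The `PrivilegeType.values()[...]` lookup in the denial branch has no bounds check. If `translateToPermissionId` returns a value outside the enum's range for an unmapped operator type (its full switch is not visible in this commit), the request ends in an ArrayIndexOutOfBoundsException instead of a 602 status, and the following `catch (AuthException e)` does not handle it. Resolve the id first and fall back to the operator name: `int id = AuthorityChecker.translateToPermissionId(plan.getOperatorType());` then `String needed = (id >= 0 && id < PrivilegeType.values().length) ? PrivilegeType.values()[id].name() : plan.getOperatorType().name();`. The same unguarded lookup is in the TSServiceImpl hunk. The enclosing method starts and ends outside the hunk.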
diff --git
a/server/src/main/java/org/apache/iotdb/db/service/thrift/impl/TSServiceImpl.java
b/server/src/main/java/org/apache/iotdb/db/service/thrift/impl/TSServiceImpl.java
index 50cdc7f199..7e862e532f 100644
---
a/server/src/main/java/org/apache/iotdb/db/service/thrift/impl/TSServiceImpl.java
+++
b/server/src/main/java/org/apache/iotdb/db/service/thrift/impl/TSServiceImpl.java
@@ -19,6 +19,7 @@
package org.apache.iotdb.db.service.thrift.impl;
import org.apache.iotdb.db.auth.AuthException;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
import org.apache.iotdb.db.conf.IoTDBConfig;
@@ -816,7 +817,9 @@ public class TSServiceImpl implements TSIService.Iface {
return RpcUtils.getTSExecuteStatementResp(
RpcUtils.getStatus(
TSStatusCode.NO_PERMISSION_ERROR,
- "No permissions for this operation " + plan.getOperatorType()));
+ "No permissions for this operation, please add privilege "
+ + OperatorType.values()[
+
AuthorityChecker.translateToPermissionId(plan.getOperatorType())]));
}
long queryId = context.getQueryId();
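Review bot: The new message indexes `OperatorType.values()` with the id from `AuthorityChecker.translateToPermissionId`, which the AuthorityChecker hunk shows is a `PrivilegeType` ordinal, so the 602 response names an unrelated operator type rather than the missing privilege. ServiceProvider builds the same text with `PrivilegeType.values()[...]`; this line should read `+ PrivilegeType.values()[`. The file would then need `import org.apache.iotdb.db.auth.entity.PrivilegeType;`, which the import hunk above does not add (unless it is already imported outside the visible lines). An administrator acting on the message as written would grant the wrong privilege or none. The enclosing method continues outside the hunk.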