This is an automated email from the ASF dual-hosted git repository.

qiaojialin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 3ab613f854 [IOTDB-3149] There is a difference between adding ** path 
and without a path to list user privileges (#7808)
3ab613f854 is described below

commit 3ab613f85444f9db80b715ac8c6baee91d00324a
Author: 任宇华 <[email protected]>
AuthorDate: Tue Nov 1 20:43:11 2022 +0800

    [IOTDB-3149] There is a difference between adding ** path and without a 
path to list user privileges (#7808)
---
 .../iotdb/confignode/persistence/AuthorInfo.java   |  6 ++--
 .../confignode/persistence/AuthorInfoTest.java     | 36 ++++++++++++++++++--
 .../confignode/it/IoTDBClusterAuthorityIT.java     | 38 ++++++++++++++++++++--
 .../org/apache/iotdb/commons/utils/AuthUtils.java  | 17 ----------
 .../iotdb/db/localconfignode/LocalConfigNode.java  |  6 ++--
 .../apache/iotdb/db/qp/executor/PlanExecutor.java  |  6 ++--
 6 files changed, 78 insertions(+), 31 deletions(-)

diff --git 
a/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
 
b/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
index 0e24fb8b10..69a225f293 100644
--- 
a/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
+++ 
b/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
@@ -296,7 +296,7 @@ public class AuthorInfo implements SnapshotProcessor {
         continue;
       }
       for (String path : plan.getNodeNameList()) {
-        if (AuthUtils.pathOrBelongsTo(path, pathPrivilege.getPath())) {
+        if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), path)) {
           rolePrivilegesSet.add(pathPrivilege.toString());
         }
       }
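Review bot: The path filter inside `for (String path : plan.getNodeNameList())` is now one-directional, so a grant whose path is broader than the queried pattern is presumably no longer listed even though it still covers that subtree. The body of `pathBelongsTo` is not part of this diff, so this is inferred from the swapped argument order and from the new tests expecting an empty list for `root.ln.**`. Someone auditing access to a subtree through a privilege listing could read that empty result as "nobody has access here". If the narrower semantics are intended, say so at the call site, e.g. `// lists only grants whose path falls inside the queried pattern; broader grants that also cover it are not shown`. The same applies to the two other hunks in this file and to the matching hunks in LocalConfigNode.java and PlanExecutor.java; the enclosing methods start and end outside the hunk.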
@@ -341,7 +341,7 @@ public class AuthorInfo implements SnapshotProcessor {
           continue;
         }
         for (String path : plan.getNodeNameList()) {
-          if (AuthUtils.pathOrBelongsTo(path, pathPrivilege.getPath())
+          if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), path)
               && !userPrivilegeSet.contains(pathPrivilege.toString())) {
             rolePrivileges.add("");
             userPrivilegeSet.add(pathPrivilege.toString());
@@ -363,7 +363,7 @@ public class AuthorInfo implements SnapshotProcessor {
             continue;
           }
           for (String path : plan.getNodeNameList()) {
-            if (AuthUtils.pathOrBelongsTo(path, pathPrivilege.getPath())
+            if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), path)
                 && !rolePrivilegeSet.contains(pathPrivilege.toString())) {
               rolePrivileges.add(roleN);
               rolePrivilegeSet.add(pathPrivilege.toString());
diff --git 
a/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
 
b/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
index 4c986b985a..46bbfdbbb5 100644
--- 
a/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
+++ 
b/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
@@ -254,7 +254,7 @@ public class AuthorInfoTest {
     status = authorInfo.authorNonQuery(authorPlan);
     Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
 
-    // list privileges user
+    // list privileges user on root.ln.**
     authorPlan =
         new AuthorPlan(
             ConfigPhysicalPlanType.ListUserPrivilege,
@@ -267,6 +267,22 @@ public class AuthorInfoTest {
     permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
     status = permissionInfoResp.getStatus();
     Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
+    Assert.assertEquals(
+        0, 
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+
+    // list privileges user on root.**
+    authorPlan =
+        new AuthorPlan(
+            ConfigPhysicalPlanType.ListUserPrivilege,
+            "user0",
+            "",
+            "",
+            "",
+            new HashSet<>(),
+            Collections.singletonList("root.**"));
+    permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
+    status = permissionInfoResp.getStatus();
+    Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
     Assert.assertEquals(
         privilege, 
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
@@ -286,7 +302,7 @@ public class AuthorInfoTest {
     Assert.assertEquals(
         privilege, 
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
-    // list privileges role
+    // list privileges role on root.ln.**
     authorPlan =
         new AuthorPlan(
             ConfigPhysicalPlanType.ListRolePrivilege,
@@ -300,6 +316,22 @@ public class AuthorInfoTest {
     status = permissionInfoResp.getStatus();
     Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
     privilege.remove(0);
+    Assert.assertEquals(
+        0, 
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+
+    // list privileges role on root.**
+    authorPlan =
+        new AuthorPlan(
+            ConfigPhysicalPlanType.ListRolePrivilege,
+            "",
+            "role0",
+            "",
+            "",
+            new HashSet<>(),
+            Collections.singletonList("root.**"));
+    permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
+    status = permissionInfoResp.getStatus();
+    Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
     Assert.assertEquals(
         privilege, 
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
diff --git 
a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
 
b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
index 7fc113ec3e..6c7e982e7b 100644
--- 
a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
+++ 
b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
@@ -315,7 +315,7 @@ public class IoTDBClusterAuthorityIT {
       status = client.operatePermission(authorizerReq);
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
 
-      // list privileges user
+      // list privileges user on root.ln.**
       authorizerReq =
           new TAuthorizerReq(
               AuthorOperator.AuthorType.LIST_USER_PRIVILEGE.ordinal(),
@@ -328,7 +328,23 @@ public class IoTDBClusterAuthorityIT {
       authorizerResp = client.queryPermission(authorizerReq);
       status = authorizerResp.getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
-      assertEquals(
+      Assert.assertEquals(
+          0, 
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+
+      // list privileges user on root.**
+      authorizerReq =
+          new TAuthorizerReq(
+              AuthorOperator.AuthorType.LIST_USER_PRIVILEGE.ordinal(),
+              "tempuser0",
+              "",
+              "",
+              "",
+              new HashSet<>(),
+              Collections.singletonList("root.**"));
+      authorizerResp = client.queryPermission(authorizerReq);
+      status = authorizerResp.getStatus();
+      assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
+      Assert.assertEquals(
           privilege, 
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
       // list user privileges
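Review bot: The added assertions pin only the two extremes, an empty list for `root.ln.**` and the full list for `root.**`. Nothing in the visible lines queries a pattern that selects some grants and not others, which is the case most likely to regress if the argument order of the path check is changed again. A third query whose expected result is a strict subset of `privilege` would cover it; the hunks at -267 and -300 in AuthorInfoTest.java and the hunk at -361 in this file have the same gap. Separately, `.get(IoTDBConstant.COLUMN_PRIVILEGE).size()` fails with a NullPointerException instead of an assertion message if the column is missing, and this hunk switches two calls to `Assert.assertEquals` while the neighbouring lines use the static `assertEquals`; one form throughout would read better.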
@@ -347,7 +363,7 @@ public class IoTDBClusterAuthorityIT {
       Assert.assertEquals(
           privilege, 
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
-      // list privileges role
+      // list privileges role on root.ln.**
       authorizerReq =
           new TAuthorizerReq(
               AuthorOperator.AuthorType.LIST_ROLE_PRIVILEGE.ordinal(),
@@ -361,6 +377,22 @@ public class IoTDBClusterAuthorityIT {
       status = authorizerResp.getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
       privilege.remove(0);
+      assertEquals(
+          0, 
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+
+      // list privileges role on root.**
+      authorizerReq =
+          new TAuthorizerReq(
+              AuthorOperator.AuthorType.LIST_ROLE_PRIVILEGE.ordinal(),
+              "",
+              "temprole0",
+              "",
+              "",
+              new HashSet<>(),
+              Collections.singletonList("root.**"));
+      authorizerResp = client.queryPermission(authorizerReq);
+      status = authorizerResp.getStatus();
+      assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), 
status.getCode());
       assertEquals(
           privilege, 
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
 
diff --git 
a/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java 
b/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
index a060c50564..c1f8ae9031 100644
--- a/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
+++ b/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
@@ -217,23 +217,6 @@ public class AuthUtils {
     }
   }
 
-  /**
-   * check if pathA either belongs to pathB or pathB belongs to pathA 
according to path pattern.
-   *
-   * @param pathA path
-   * @param pathB path
-   * @return True if pathA is a sub pattern of pathB, or pathB is a sub 
pattern of pathA
-   */
-  public static boolean pathOrBelongsTo(String pathA, String pathB) throws 
AuthException {
-    try {
-      PartialPath partialPathA = new PartialPath(pathA);
-      PartialPath partialPathB = new PartialPath(pathB);
-      return partialPathB.matchFullPath(partialPathA) || 
partialPathA.matchFullPath(partialPathB);
-    } catch (IllegalPathException e) {
-      throw new AuthException(e);
-    }
-  }
-
   /**
    * check privilege.
    *
diff --git 
a/server/src/main/java/org/apache/iotdb/db/localconfignode/LocalConfigNode.java 
b/server/src/main/java/org/apache/iotdb/db/localconfignode/LocalConfigNode.java
index 65f8b56204..998c900c02 100644
--- 
a/server/src/main/java/org/apache/iotdb/db/localconfignode/LocalConfigNode.java
+++ 
b/server/src/main/java/org/apache/iotdb/db/localconfignode/LocalConfigNode.java
@@ -1197,7 +1197,7 @@ public class LocalConfigNode {
         continue;
       }
       for (PartialPath path : authorStatement.getNodeNameList()) {
-        if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())) {
+        if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())) {
           rolePrivilegeSet.add(pathPrivilege.toString());
         }
       }
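Review bot: `path.getFullPath()` turns the already-parsed `PartialPath` back into a string inside the nested loop. The removed `pathOrBelongsTo` built a `new PartialPath(...)` from each string argument, so `pathBelongsTo` presumably re-parses both paths for every privilege/path pair. Converting the queried paths once before the privilege loop, or adding an overload that accepts `PartialPath`, would avoid the round trip. The same call shape repeats in the other two hunks of this file and in all three hunks of PlanExecutor.java, and the filter is duplicated across AuthorInfo, LocalConfigNode and PlanExecutor, so a shared helper would keep the three listings from drifting apart. The enclosing method is only partly visible in the hunk.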
@@ -1236,7 +1236,7 @@ public class LocalConfigNode {
           continue;
         }
         for (PartialPath path : authorStatement.getNodeNameList()) {
-          if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())
+          if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())
               && !userPrivilegeSet.contains(pathPrivilege.toString())) {
             rolePrivileges.add("");
             userPrivilegeSet.add(pathPrivilege.toString());
@@ -1258,7 +1258,7 @@ public class LocalConfigNode {
             continue;
           }
           for (PartialPath path : authorStatement.getNodeNameList()) {
-            if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())
+            if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())
                 && !rolePrivilegeSet.contains(pathPrivilege.toString())) {
               rolePrivileges.add(roleN);
               rolePrivilegeSet.add(pathPrivilege.toString());
diff --git 
a/server/src/main/java/org/apache/iotdb/db/qp/executor/PlanExecutor.java 
b/server/src/main/java/org/apache/iotdb/db/qp/executor/PlanExecutor.java
index c4a22d2d28..344d44f41b 100644
--- a/server/src/main/java/org/apache/iotdb/db/qp/executor/PlanExecutor.java
+++ b/server/src/main/java/org/apache/iotdb/db/qp/executor/PlanExecutor.java
@@ -2252,7 +2252,7 @@ public class PlanExecutor implements IPlanExecutor {
           continue;
         }
         for (PartialPath path : nodeNameList) {
-          if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())) {
+          if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())) {
             RowRecord record = new RowRecord(index++);
             Field field = new Field(TSDataType.TEXT);
             field.setBinaryV(new Binary(pathPrivilege.toString()));
@@ -2307,7 +2307,7 @@ public class PlanExecutor implements IPlanExecutor {
           continue;
         }
         for (PartialPath path : nodeNameList) {
-          if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())) {
+          if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())) {
             RowRecord record = new RowRecord(index++);
             Field roleF = new Field(TSDataType.TEXT);
             roleF.setBinaryV(new Binary(""));
@@ -2336,7 +2336,7 @@ public class PlanExecutor implements IPlanExecutor {
             dataSet.putRecord(record);
           }
           for (PartialPath path : nodeNameList) {
-            if (AuthUtils.pathOrBelongsTo(path.getFullPath(), 
pathPrivilege.getPath())) {
+            if (AuthUtils.pathBelongsTo(pathPrivilege.getPath(), 
path.getFullPath())) {
               RowRecord record = new RowRecord(index++);
               Field roleF = new Field(TSDataType.TEXT);
               roleF.setBinaryV(new Binary(roleN));
