This is an automated email from the ASF dual-hosted git repository. tanxinyu pushed a commit to branch revert_unfinished_auth in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit ad8123ac1c9cca2f464e8aaf08a6c4f55c2a5696 Author: OneSizeFitQuorum <[email protected]> AuthorDate: Tue Aug 1 10:31:44 2023 +0800 Revert "[IOTDB-5134] Merge Auth Privilege (#10366)" This reverts commit 4d71e3162c0e2c7564d44deb7b8dd098c59a8ef8. --- .../confignode/it/IoTDBClusterAuthorityIT.java | 17 +- .../java/org/apache/iotdb/db/it/IoTDBAuthIT.java | 163 +++++++++------- .../db/it/IoTDBSyntaxConventionIdentifierIT.java | 52 +++++- .../java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java | 4 +- .../iotdb/db/it/selectinto/IoTDBSelectIntoIT.java | 10 +- .../db/it/trigger/IoTDBTriggerManagementIT.java | 17 +- .../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 | 208 +++++++++++++++++---- .../request/ConfigPhysicalPlanSerDeTest.java | 3 +- .../confignode/persistence/AuthorInfoTest.java | 29 +-- .../org/apache/iotdb/db/auth/AuthorityChecker.java | 120 +++++++----- .../db/queryengine/plan/parser/ASTVisitor.java | 6 + .../iotdb/db/auth/AuthorizerManagerTest.java | 12 +- .../auth/authorizer/LocalFileAuthorizerTest.java | 8 +- .../iotdb/db/auth/entity/PathPrivilegeTest.java | 4 +- .../org/apache/iotdb/db/auth/entity/RoleTest.java | 5 +- .../org/apache/iotdb/db/auth/entity/UserTest.java | 6 +- .../db/auth/user/LocalFileUserManagerTest.java | 12 +- .../security/encrypt/MessageDigestEncryptTest.java | 2 +- .../commons/auth/authorizer/BasicAuthorizer.java | 2 +- .../iotdb/commons/auth/entity/PrivilegeType.java | 61 ++++-- .../iotdb/commons/auth/user/BasicUserManager.java | 12 +- .../iotdb/commons/auth/user/IUserManager.java | 3 +- .../org/apache/iotdb/commons/utils/AuthUtils.java | 89 +++++---- 23 files changed, 581 insertions(+), 264 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java index de74ff69a8c..dbef8dc24ed 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java @@ -68,7 +68,8 @@ public class IoTDBClusterAuthorityIT { EnvFactory.getEnv().cleanClusterEnvironment(); } - private void cleanUserAndRole(IConfigNodeRPCService.Iface client) throws TException { + private void cleanUserAndRole(IConfigNodeRPCService.Iface client) + throws TException, IllegalPathException { TSStatus status; // clean user @@ -120,13 +121,15 @@ public class IoTDBClusterAuthorityIT { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); + privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); + privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); + revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); List<String> privilege = new ArrayList<>(); - privilege.add("root.** : USER_PRIVILEGE"); + privilege.add("root.** : CREATE_USER"); + privilege.add("root.** : CREATE_USER"); List<PartialPath> paths = new ArrayList<>(); paths.add(new PartialPath("root.ln.**")); @@ -156,7 +159,7 @@ public class IoTDBClusterAuthorityIT { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.USER_PRIVILEGE.ordinal()); + PrivilegeType.DELETE_USER.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -267,7 +270,7 @@ public class IoTDBClusterAuthorityIT { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.USER_PRIVILEGE.ordinal()); + PrivilegeType.DELETE_USER.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); @@ -353,7 +356,6 @@ public class IoTDBClusterAuthorityIT { authorizerResp = client.queryPermission(authorizerReq); status = authorizerResp.getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - privilege.remove(0); Assert.assertEquals( privilege, authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE)); @@ -386,6 +388,7 @@ public class IoTDBClusterAuthorityIT { authorizerResp = client.queryPermission(authorizerReq); status = authorizerResp.getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); + privilege.remove(0); assertEquals( 0, authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size()); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java index 02f89882df1..667eca5547c 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java @@ -81,7 +81,7 @@ public class IoTDBAuthIT { () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)")); Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a")); adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL on root.**"); @@ -89,11 +89,11 @@ public class IoTDBAuthIT { userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)"); userStmt.execute("SELECT * from root.a"); - userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); - userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.b.b"); + userStmt.execute("GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a"); + userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b"); adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.**"); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.b.b"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b"); Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.b")); Assert.assertThrows( @@ -106,7 +106,7 @@ public class IoTDBAuthIT { Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a")); } } } @@ -123,10 +123,20 @@ public class IoTDBAuthIT { Assert.assertThrows( SQLException.class, () -> userStmt.execute("CREATE DATABASE root.sgtest")); - adminStmt.execute("GRANT USER sgtest PRIVILEGES WRITE_SCHEMA ON root.*"); + adminStmt.execute("GRANT USER sgtest PRIVILEGES CREATE_DATABASE ON root.*"); try { userStmt.execute("CREATE DATABASE root.sgtest"); + } catch (SQLException e) { + fail(e.getMessage()); + } + + Assert.assertThrows( + SQLException.class, () -> userStmt.execute("DELETE DATABASE root.sgtest")); + + adminStmt.execute("GRANT USER sgtest PRIVILEGES DELETE_STORAGE_GROUP ON root.*"); + + try { userStmt.execute("DELETE DATABASE root.sgtest"); } catch (SQLException e) { fail(e.getMessage()); @@ -187,57 +197,65 @@ public class IoTDBAuthIT { // grant a non-existing user Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES WRITE_SCHEMA on root.a")); + () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES CREATE_DATABASE on root.a")); // grant a non-existing privilege Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); // duplicate grant + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.**"); Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); - // grant on an illegal seriesPath + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.**")); + // grant on a illegal seriesPath Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b")); // grant admin Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER root PRIVILEGES WRITE_SCHEMA on root.a.b")); + () -> adminStmt.execute("GRANT USER root PRIVILEGES DELETE_TIMESERIES on root.a.b")); // no privilege to grant Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); // revoke a non-existing privilege - adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.**"); Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); + () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.**")); // revoke a non-existing user Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES USER_PRIVILEGE on root.**")); - // revoke on an illegal seriesPath + () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES CREATE_USER on root.**")); + // revoke on a illegal seriesPath Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); + () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b")); // revoke admin Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER root PRIVILEGES WRITE_SCHEMA on root.a.b")); + () -> adminStmt.execute("REVOKE USER root PRIVILEGES DELETE_TIMESERIES on root.a.b")); // no privilege to revoke Assert.assertThrows( SQLException.class, - () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); + () -> + userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); // grant privilege to grant Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); + + adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE on root.**"); + userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**"); + + // grant privilege to revoke + Assert.assertThrows( + SQLException.class, + () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_PRIVILEGE on root.**"); - userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); - userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES REVOKE_USER_PRIVILEGE on root.**"); + userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**"); } } } @@ -255,23 +273,23 @@ public class IoTDBAuthIT { // grant and revoke the user the privilege to create time series Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); userStmt.execute("CREATE DATABASE root.a"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); // no privilege to create this one Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.b")); // privilege already exists Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); - // no privilege to create this one anymore + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a")); + // no privilege to create this one any more Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); // no privilege to create timeseries Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); - // no privilege to create this one anymore + adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); + // no privilege to create this one any more Assert.assertThrows( SQLException.class, () -> @@ -279,10 +297,11 @@ public class IoTDBAuthIT { // privilege already exists Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b")); + () -> + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b")); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); - // no privilege to create this one anymore + adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); + // no privilege to create this one any more Assert.assertThrows( SQLException.class, () -> @@ -300,9 +319,9 @@ public class IoTDBAuthIT { try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw"); Statement userStmt = userCon.createStatement()) { - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); userStmt.execute("CREATE DATABASE root.a"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); // grant privilege to insert @@ -310,25 +329,25 @@ public class IoTDBAuthIT { SQLException.class, () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on root.a.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.**"); userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)"); // revoke privilege to insert - adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_DATA on root.a.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.**"); Assert.assertThrows( SQLException.class, () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)")); // grant privilege to query Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); ResultSet resultSet = userStmt.executeQuery("SELECT * from root.a"); resultSet.close(); resultSet = userStmt.executeQuery("SELECT LAST b from root.a"); resultSet.close(); // revoke privilege to query - adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_DATA on root.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); } } @@ -347,7 +366,7 @@ public class IoTDBAuthIT { adminStmt.execute("CREATE ROLE admin"); adminStmt.execute( - "GRANT ROLE admin PRIVILEGES WRITE_SCHEMA,READ_DATA,WRITE_DATA on root.**"); + "GRANT ROLE admin PRIVILEGES CREATE_DATABASE,CREATE_TIMESERIES,DELETE_TIMESERIES,READ_TIMESERIES,INSERT_TIMESERIES on root.**"); adminStmt.execute("GRANT admin TO tempuser"); userStmt.execute("CREATE DATABASE root.a"); @@ -358,8 +377,13 @@ public class IoTDBAuthIT { ResultSet resultSet = userStmt.executeQuery("SELECT * FROM root.**"); resultSet.close(); - adminStmt.execute("REVOKE ROLE admin PRIVILEGES WRITE_SCHEMA on root.**"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on root.**"); + adminStmt.execute("REVOKE ROLE admin PRIVILEGES DELETE_TIMESERIES on root.**"); + + Assert.assertThrows( + SQLException.class, + () -> userStmt.execute("DELETE FROM root.* WHERE TIME <= 1000000000")); + + adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); adminStmt.execute("REVOKE admin FROM tempuser"); resultSet = userStmt.executeQuery("SELECT * FROM root.**"); resultSet.close(); @@ -470,35 +494,37 @@ public class IoTDBAuthIT { try { adminStmt.execute("CREATE USER user1 'password1'"); - adminStmt.execute("GRANT USER user1 PRIVILEGES READ_SCHEMA ON root.a.b"); + adminStmt.execute("GRANT USER user1 PRIVILEGES READ_TIMESERIES ON root.a.b"); adminStmt.execute("CREATE ROLE role1"); - adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); - adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c"); + adminStmt.execute( + "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); + adminStmt.execute( + "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c"); adminStmt.execute("GRANT role1 TO user1"); ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1"); String ans = - ",root.a.b : READ_SCHEMA" + ",root.a.b : READ_TIMESERIES" + ",\n" - + "role1,root.a.b.c : WRITE_DATA READ_SCHEMA" + + "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES" + ",\n" - + "role1,root.d.b.c : WRITE_DATA READ_SCHEMA" + + "role1,root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES" + ",\n"; try { validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c"); - ans = "role1,root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; + ans = "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; validateResultSet(resultSet, ans); adminStmt.execute("REVOKE role1 from user1"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1"); - ans = ",root.a.b : READ_SCHEMA,\n"; + ans = ",root.a.b : READ_TIMESERIES,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.**"); - ans = ",root.a.b : READ_SCHEMA,\n"; + ans = ",root.a.b : READ_TIMESERIES,\n"; validateResultSet(resultSet, ans); } finally { resultSet.close(); @@ -522,24 +548,31 @@ public class IoTDBAuthIT { // not granted list role privilege, should return empty validateResultSet(resultSet, ans); - adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); - adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c"); + adminStmt.execute( + "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); + adminStmt.execute( + "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n" + "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; + ans = + "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n" + + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); - ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; + ans = "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; validateResultSet(resultSet, ans); - adminStmt.execute("REVOKE ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); + adminStmt.execute( + "REVOKE ROLE role1 PRIVILEGES INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; + ans = + "root.a.b.c : READ_TIMESERIES,\n" + + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); - ans = ""; + ans = "root.a.b.c : READ_TIMESERIES,\n"; validateResultSet(resultSet, ans); } finally { resultSet.close(); @@ -618,10 +651,10 @@ public class IoTDBAuthIT { }; for (int i = 0; i < members.length - 1; i++) { - adminStmt.execute("CREATE USER " + members[i] + " 'a666666'"); + adminStmt.execute("CREATE USER " + members[i] + " '666666'"); adminStmt.execute("GRANT dalao TO " + members[i]); } - adminStmt.execute("CREATE USER RiverSky 'a2333333'"); + adminStmt.execute("CREATE USER RiverSky '2333333'"); adminStmt.execute("GRANT zhazha TO RiverSky"); ResultSet resultSet = adminStmt.executeQuery("LIST USER OF ROLE dalao"); @@ -701,7 +734,7 @@ public class IoTDBAuthIT { try { Assert.assertThrows(SQLException.class, () -> userStmt.execute("LIST USER")); // with list user privilege - adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES LIST_USER on root.**"); ResultSet resultSet = userStmt.executeQuery("LIST USER"); String ans = "root,\n" @@ -744,7 +777,7 @@ public class IoTDBAuthIT { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser 'temppw'"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on root.sg1.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.sg1.**"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw"); Statement userStatement = userCon.createStatement()) { @@ -781,7 +814,8 @@ public class IoTDBAuthIT { Statement adminStatement = adminConnection.createStatement()) { adminStatement.execute("CREATE USER a_application 'a_application'"); adminStatement.execute("CREATE ROLE application_role"); - adminStatement.execute("GRANT ROLE application_role PRIVILEGES READ_DATA ON root.test.**"); + adminStatement.execute( + "GRANT ROLE application_role PRIVILEGES READ_TIMESERIES ON root.test.**"); adminStatement.execute("GRANT application_role TO a_application"); adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3) VALUES(1, 2, 3, 4)"); @@ -805,7 +839,8 @@ public class IoTDBAuthIT { adminStatement.execute("CREATE USER user01 'pass1234'"); adminStatement.execute("CREATE USER user02 'pass1234'"); adminStatement.execute("CREATE ROLE manager"); - adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_PRIVILEGE on root.**"); + adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_USER_ROLE on root.**"); + adminStatement.execute("GRANT USER user01 PRIVILEGES REVOKE_USER_ROLE on root.**"); } try (Connection userCon = EnvFactory.getEnv().getConnection("user01", "pass1234"); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java index 54cde136ec8..132acdcb51d 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java @@ -603,10 +603,32 @@ public class IoTDBSyntaxConventionIdentifierIT { public void testUserName() { try (Connection connection = EnvFactory.getEnv().getConnection(); Statement statement = connection.createStatement()) { - String[] userNames = new String[] {"userid", "userid0", "user_id", "user0id", "`a22233`"}; + String[] userNames = + new String[] { + "userid", + "userid0", + "user_id", + "user0id", + "`22233`", + "`userab!`", + "`user'ab'`", + "`usera.b`", + "`usera``b`" + }; String[] resultNames = - new String[] {"root", "userid", "userid0", "user_id", "user0id", "a22233"}; + new String[] { + "root", + "userid", + "userid0", + "user_id", + "user0id", + "22233", + "userab!", + "user'ab'", + "usera.b", + "usera`b" + }; String createUsersSql = "create user %s 'pwd123' "; for (String userName : userNames) { @@ -668,9 +690,31 @@ public class IoTDBSyntaxConventionIdentifierIT { public void testRoleName() { try (Connection connection = EnvFactory.getEnv().getConnection(); Statement statement = connection.createStatement()) { - String[] roleNames = new String[] {"roleid", "roleid0", "role_id", "role0id", "`a22233`"}; + String[] roleNames = + new String[] { + "roleid", + "roleid0", + "role_id", + "role0id", + "`22233`", + "`roleab!`", + "`role'ab'`", + "`rolea.b`", + "`rolea``b`" + }; - String[] resultNames = new String[] {"roleid", "roleid0", "role_id", "role0id", "a22233"}; + String[] resultNames = + new String[] { + "roleid", + "roleid0", + "role_id", + "role0id", + "22233", + "roleab!", + "role'ab'", + "rolea.b", + "rolea`b" + }; String createRolesSql = "create role %s"; for (String roleName : roleNames) { statement.execute(String.format(createRolesSql, roleName)); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java index 8265d51c036..dc2254149e8 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java @@ -541,11 +541,11 @@ public class IoTDBCQIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege CONTINUOUS_QUERY_PRIVILEGE", + + ": No permissions for this operation, please add privilege SHOW_CONTINUOUS_QUERIES", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES CONTINUOUS_QUERY_PRIVILEGE"); + statement.execute("GRANT USER `zmty` PRIVILEGES SHOW_CONTINUOUS_QUERIES"); try (ResultSet resultSet = statement2.executeQuery("show CQS")) { diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java index 56fdb0a795f..917949ab266 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java @@ -551,7 +551,7 @@ public class IoTDBSelectIntoIT { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser1 'temppw1'"); - adminStmt.execute("GRANT USER tempuser1 PRIVILEGES WRITE_DATA on root.sg_bk.**;"); + adminStmt.execute("GRANT USER tempuser1 PRIVILEGES INSERT_TIMESERIES on root.sg_bk.**;"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser1", "temppw1"); Statement userStmt = userCon.createStatement()) { @@ -562,7 +562,8 @@ public class IoTDBSelectIntoIT { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains("No permissions for this operation, please add privilege READ_DATA")); + .contains( + "No permissions for this operation, please add privilege READ_TIMESERIES")); } } } @@ -572,7 +573,7 @@ public class IoTDBSelectIntoIT { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser2 'temppw2'"); - adminStmt.execute("GRANT USER tempuser2 PRIVILEGES WRITE_DATA on root.sg.**;"); + adminStmt.execute("GRANT USER tempuser2 PRIVILEGES READ_TIMESERIES on root.sg.**;"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser2", "temppw2"); Statement userStmt = userCon.createStatement()) { @@ -583,7 +584,8 @@ public class IoTDBSelectIntoIT { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains("No permissions for this operation, please add privilege READ_DATA")); + .contains( + "No permissions for this operation, please add privilege INSERT_TIMESERIES")); } } } diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java index 45de743186d..00a2530d8ca 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java @@ -546,12 +546,11 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", + + ": No permissions for this operation, please add privilege CREATE_TRIGGER", e.getMessage()); } - statement.execute( - "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); + statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on root.test.stateless.a"); try { statement2.execute( @@ -577,7 +576,7 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", + + ": No permissions for this operation, please add privilege CREATE_TRIGGER", e.getMessage()); } } @@ -609,12 +608,11 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", + + ": No permissions for this operation, please add privilege DROP_TRIGGER", e.getMessage()); } - statement.execute( - "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.b"); + statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on root.test.stateless.b"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); @@ -622,12 +620,11 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", + + ": No permissions for this operation, please add privilege DROP_TRIGGER", e.getMessage()); } - statement.execute( - "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); + statement.execute("GRANT USER `zmty` PRIVILEGES DROP_TRIGGER on root.test.stateless.a"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); diff --git a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 index c87727ccd35..ed4d8884943 100644 --- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 +++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 @@ -897,65 +897,140 @@ ELSE // Privileges Keywords PRIVILEGE_VALUE - : READ_DATA - | WRITE_DATA - | READ_SCHEMA - | WRITE_SCHEMA - | USER_PRIVILEGE - | ROLE_PRIVILEGE - | GRANT_PRIVILEGE - | ALTER_PASSWORD - | TRIGGER_PRIVILEGE - | CONTINUOUS_QUERY_PRIVILEGE - | PIPE_PRIVILEGE + : SET_STORAGE_GROUP | DELETE_STORAGE_GROUP | CREATE_DATABASE | DELETE_DATABASE + | CREATE_TIMESERIES | INSERT_TIMESERIES | READ_TIMESERIES | DELETE_TIMESERIES | ALTER_TIMESERIES + | CREATE_USER | DELETE_USER | MODIFY_PASSWORD | LIST_USER + | GRANT_USER_PRIVILEGE | REVOKE_USER_PRIVILEGE | GRANT_USER_ROLE | REVOKE_USER_ROLE + | CREATE_ROLE | DELETE_ROLE | LIST_ROLE | GRANT_ROLE_PRIVILEGE | REVOKE_ROLE_PRIVILEGE + | CREATE_FUNCTION | DROP_FUNCTION | CREATE_TRIGGER | DROP_TRIGGER | START_TRIGGER | STOP_TRIGGER + | CREATE_CONTINUOUS_QUERY | DROP_CONTINUOUS_QUERY | SHOW_CONTINUOUS_QUERIES + | APPLY_TEMPLATE | UPDATE_TEMPLATE | READ_TEMPLATE | READ_TEMPLATE_APPLICATION + | CREATE_PIPEPLUGIN | DROP_PIPEPLUGIN | SHOW_PIPEPLUGINS | CREATE_PIPE | START_PIPE | STOP_PIPE | DROP_PIPE | SHOW_PIPES + | CREATE_VIEW | ALTER_VIEW | RENAME_VIEW | DELETE_VIEW ; -READ_DATA - : R E A D '_' D A T A +SET_STORAGE_GROUP + : S E T '_' S T O R A G E '_' G R O U P ; -WRITE_DATA - : W R I T E '_' D A T A +DELETE_STORAGE_GROUP + : D E L E T E '_' S T O R A G E '_' G R O U P ; -READ_SCHEMA - : R E A D '_' S C H E M A +CREATE_DATABASE + : C R E A T E '_' D A T A B A S E ; -WRITE_SCHEMA - : W R I T E '_' S C H E M A +DELETE_DATABASE + : D E L E T E '_' D A T A B A S E ; -USER_PRIVILEGE - : U S E R '_' P R I V I L E G E +CREATE_TIMESERIES + : C R E A T E '_' T I M E S E R I E S ; -ROLE_PRIVILEGE - : R O L E '_' P R I V I L E G E +INSERT_TIMESERIES + : I N S E R T '_' T I M E S E R I E S ; -GRANT_PRIVILEGE - : G R A N T '_' P R I V I L E G E +READ_TIMESERIES + : R E A D '_' T I M E S E R I E S ; -ALTER_PASSWORD - : A L T E R '_' P A S S W O R D +DELETE_TIMESERIES + : D E L E T E '_' T I M E S E R I E S ; -TRIGGER_PRIVILEGE - : T R I G G E R '_' P R I V I L E G E +ALTER_TIMESERIES + : A L T E R '_' T I M E S E R I E S ; -CONTINUOUS_QUERY_PRIVILEGE - : C O N T I N U O U S '_' Q U E R Y '_' P R I V I L E G E +CREATE_USER + : C R E A T E '_' U S E R ; -PIPE_PRIVILEGE - : P I P E '_' P R I V I L E G E +DELETE_USER + : D E L E T E '_' U S E R ; -SET_STORAGE_GROUP - : S E T '_' S T O R A G E '_' G R O U P +MODIFY_PASSWORD + : M O D I F Y '_' P A S S W O R D + ; + +LIST_USER + : L I S T '_' U S E R + ; + +GRANT_USER_PRIVILEGE + : G R A N T '_' U S E R '_' P R I V I L E G E + ; + +REVOKE_USER_PRIVILEGE + : R E V O K E '_' U S E R '_' P R I V I L E G E + ; + +GRANT_USER_ROLE + : G R A N T '_' U S E R '_' R O L E + ; + +REVOKE_USER_ROLE + : R E V O K E '_' U S E R '_' R O L E + ; + +CREATE_ROLE + : C R E A T E '_' R O L E + ; + +DELETE_ROLE + : D E L E T E '_' R O L E + ; + +LIST_ROLE + : L I S T '_' R O L E + ; + +GRANT_ROLE_PRIVILEGE + : G R A N T '_' R O L E '_' P R I V I L E G E + ; + +REVOKE_ROLE_PRIVILEGE + : R E V O K E '_' R O L E '_' P R I V I L E G E + ; + +CREATE_FUNCTION + : C R E A T E '_' F U N C T I O N + ; + +DROP_FUNCTION + : D R O P '_' F U N C T I O N + ; + +CREATE_TRIGGER + : C R E A T E '_' T R I G G E R + ; + +DROP_TRIGGER + : D R O P '_' T R I G G E R + ; + +START_TRIGGER + : S T A R T '_' T R I G G E R + ; + +STOP_TRIGGER + : S T O P '_' T R I G G E R + ; + +CREATE_CONTINUOUS_QUERY + : C R E A T E '_' C O N T I N U O U S '_' Q U E R Y + ; + +DROP_CONTINUOUS_QUERY + : D R O P '_' C O N T I N U O U S '_' Q U E R Y + ; + +SHOW_CONTINUOUS_QUERIES + : S H O W '_' C O N T I N U O U S '_' Q U E R I E S ; SCHEMA_REPLICATION_FACTOR @@ -978,6 +1053,69 @@ DATA_REGION_GROUP_NUM : D A T A '_' R E G I O N '_' G R O U P '_' N U M ; +APPLY_TEMPLATE + : A P P L Y '_' T E M P L A T E + ; + +UPDATE_TEMPLATE + : U P D A T E '_' T E M P L A T E + ; + +READ_TEMPLATE + : R E A D '_' T E M P L A T E + ; + +READ_TEMPLATE_APPLICATION + : R E A D '_' T E M P L A T E '_' A P P L I C A T I O N + ; + +CREATE_PIPEPLUGIN + : C R E A T E '_' P I P E P L U G I N + ; + +DROP_PIPEPLUGIN + : D R O P '_' P I P E P L U G I N + ; + +SHOW_PIPEPLUGINS + : S H O W '_' P I P E P L U G I N S + ; +CREATE_PIPE + : C R E A T E '_' P I P E + ; + +START_PIPE + : S T A R T '_' P I P E + ; + +STOP_PIPE + : S T O P '_' P I P E + ; + +DROP_PIPE + : D R O P '_' P I P E + ; + +SHOW_PIPES + : S H O W '_' P I P E S + ; + +CREATE_VIEW + : C R E A T E '_' V I E W + ; + +ALTER_VIEW + : A L T E R '_' V I E W + ; + +RENAME_VIEW + : R E N A M E '_' V I E W + ; + +DELETE_VIEW + : D E L E T E '_' V I E W + ; + /** * 3. Operators */ diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java index f30d46dd117..b09b65d5085 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java @@ -540,7 +540,8 @@ public class ConfigPhysicalPlanSerDeTest { AuthorPlan req0; AuthorPlan req1; Set<Integer> permissions = new HashSet<>(); - permissions.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); + permissions.add(PrivilegeType.GRANT_USER_PRIVILEGE.ordinal()); + permissions.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); // create user req0 = diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java index 476ad57e852..ff5b2f337a2 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java @@ -89,13 +89,16 @@ public class AuthorInfoTest { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); + privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); + privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); + revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); + Map<String, List<String>> permissionInfo; List<String> privilege = new ArrayList<>(); - privilege.add("root.** : USER_PRIVILEGE"); + privilege.add("root.** : CREATE_USER"); + privilege.add("root.** : CREATE_USER"); List<PartialPath> paths = new ArrayList<>(); paths.add(new PartialPath("root.ln")); @@ -122,7 +125,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -215,7 +218,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); @@ -282,7 +285,6 @@ public class AuthorInfoTest { permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan); status = permissionInfoResp.getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - privilege.remove(0); Assert.assertEquals( privilege, permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE)); @@ -315,6 +317,7 @@ public class AuthorInfoTest { permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan); status = permissionInfoResp.getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); + privilege.remove(0); Assert.assertEquals( 0, permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size()); @@ -510,18 +513,18 @@ public class AuthorInfoTest { AuthorPlan authorPlan; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.WRITE_DATA.ordinal()); - privilegeList.add(PrivilegeType.READ_DATA.ordinal()); + privilegeList.add(PrivilegeType.INSERT_TIMESERIES.ordinal()); + privilegeList.add(PrivilegeType.READ_TIMESERIES.ordinal()); Map<String, List<String>> permissionInfo; List<String> userPrivilege = new ArrayList<>(); - userPrivilege.add("root.sg.** : READ_DATA WRITE_DATA"); - userPrivilege.add("root.ln.** : READ_DATA WRITE_DATA"); + userPrivilege.add("root.sg.** : INSERT_TIMESERIES READ_TIMESERIES"); + userPrivilege.add("root.ln.** : INSERT_TIMESERIES READ_TIMESERIES"); Collections.sort(userPrivilege); List<String> rolePrivilege = new ArrayList<>(); - rolePrivilege.add("root.abc.** : READ_DATA WRITE_DATA"); - rolePrivilege.add("root.role_1.** : READ_DATA WRITE_DATA"); + rolePrivilege.add("root.abc.** : INSERT_TIMESERIES READ_TIMESERIES"); + rolePrivilege.add("root.role_1.** : INSERT_TIMESERIES READ_TIMESERIES"); Collections.sort(rolePrivilege); List<String> allPrivilege = new ArrayList<>(); @@ -576,7 +579,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", userPaths, PrivilegeType.WRITE_DATA.ordinal()) + .checkUserPrivileges("user0", userPaths, PrivilegeType.INSERT_TIMESERIES.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java index e03170d6778..674f09d2bb1 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java @@ -75,7 +75,7 @@ public class AuthorityChecker { int permission = translateToPermissionId(type); if (permission == -1) { return false; - } else if (permission == PrivilegeType.ALTER_PASSWORD.ordinal() + } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal() && username.equals(targetUser)) { // A user can modify his own password return true; @@ -152,31 +152,43 @@ public class AuthorityChecker { private static int translateToPermissionId(StatementType type) { switch (type) { - case SHOW_SCHEMA_TEMPLATE: - case SHOW_NODES_IN_SCHEMA_TEMPLATE: - case SHOW_PATH_SET_SCHEMA_TEMPLATE: - case SHOW_PATH_USING_SCHEMA_TEMPLATE: - return PrivilegeType.READ_SCHEMA.ordinal(); - case TTL: + case CREATE_ROLE: + return PrivilegeType.CREATE_ROLE.ordinal(); + case CREATE_USER: + return PrivilegeType.CREATE_USER.ordinal(); + case DELETE_USER: + return PrivilegeType.DELETE_USER.ordinal(); + case DELETE_ROLE: + return PrivilegeType.DELETE_ROLE.ordinal(); + case MODIFY_PASSWORD: + return PrivilegeType.MODIFY_PASSWORD.ordinal(); + case GRANT_USER_PRIVILEGE: + return PrivilegeType.GRANT_USER_PRIVILEGE.ordinal(); + case GRANT_ROLE_PRIVILEGE: + return PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal(); + case REVOKE_USER_PRIVILEGE: + return PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal(); + case REVOKE_ROLE_PRIVILEGE: + return PrivilegeType.REVOKE_ROLE_PRIVILEGE.ordinal(); + case GRANT_USER_ROLE: + return PrivilegeType.GRANT_USER_ROLE.ordinal(); + case REVOKE_USER_ROLE: + return PrivilegeType.REVOKE_USER_ROLE.ordinal(); case STORAGE_GROUP_SCHEMA: + case TTL: + return PrivilegeType.CREATE_DATABASE.ordinal(); case DELETE_STORAGE_GROUP: + return PrivilegeType.DELETE_DATABASE.ordinal(); case CREATE_TIMESERIES: case CREATE_ALIGNED_TIMESERIES: case CREATE_MULTI_TIMESERIES: + return PrivilegeType.CREATE_TIMESERIES.ordinal(); case DELETE_TIMESERIES: + case DELETE: case DROP_INDEX: + return PrivilegeType.DELETE_TIMESERIES.ordinal(); case ALTER_TIMESERIES: - case CREATE_TEMPLATE: - case DROP_TEMPLATE: - case SET_TEMPLATE: - case ACTIVATE_TEMPLATE: - case DEACTIVATE_TEMPLATE: - case UNSET_TEMPLATE: - case CREATE_LOGICAL_VIEW: - case ALTER_LOGICAL_VIEW: - case RENAME_LOGICAL_VIEW: - case DELETE_LOGICAL_VIEW: - return PrivilegeType.WRITE_SCHEMA.ordinal(); + return PrivilegeType.ALTER_TIMESERIES.ordinal(); case SHOW: case QUERY: case GROUP_BY_TIME: @@ -189,55 +201,75 @@ public class AuthorityChecker { case GROUP_BY_FILL: case SELECT_INTO: case COUNT: - case CREATE_FUNCTION: - case DROP_FUNCTION: - return PrivilegeType.READ_DATA.ordinal(); + return PrivilegeType.READ_TIMESERIES.ordinal(); case INSERT: - case DELETE: case LOAD_DATA: case CREATE_INDEX: case BATCH_INSERT: case BATCH_INSERT_ONE_DEVICE: case BATCH_INSERT_ROWS: case MULTI_BATCH_INSERT: - return PrivilegeType.WRITE_DATA.ordinal(); - case CREATE_USER: - case DELETE_USER: - case LIST_USER: - case LIST_USER_ROLES: - case LIST_USER_PRIVILEGE: - return PrivilegeType.USER_PRIVILEGE.ordinal(); - case CREATE_ROLE: - case DELETE_ROLE: + return PrivilegeType.INSERT_TIMESERIES.ordinal(); case LIST_ROLE: case LIST_ROLE_USERS: case LIST_ROLE_PRIVILEGE: - return PrivilegeType.ROLE_PRIVILEGE.ordinal(); - case MODIFY_PASSWORD: - return PrivilegeType.ALTER_PASSWORD.ordinal(); - case GRANT_USER_PRIVILEGE: - case REVOKE_USER_PRIVILEGE: - case GRANT_ROLE_PRIVILEGE: - case REVOKE_ROLE_PRIVILEGE: - case GRANT_USER_ROLE: - case REVOKE_USER_ROLE: - return PrivilegeType.GRANT_PRIVILEGE.ordinal(); + return PrivilegeType.LIST_ROLE.ordinal(); + case LIST_USER: + case LIST_USER_ROLES: + case LIST_USER_PRIVILEGE: + return PrivilegeType.LIST_USER.ordinal(); + case CREATE_FUNCTION: + return PrivilegeType.CREATE_FUNCTION.ordinal(); + case DROP_FUNCTION: + return PrivilegeType.DROP_FUNCTION.ordinal(); case CREATE_TRIGGER: + return PrivilegeType.CREATE_TRIGGER.ordinal(); case DROP_TRIGGER: - return PrivilegeType.TRIGGER_PRIVILEGE.ordinal(); + return PrivilegeType.DROP_TRIGGER.ordinal(); case CREATE_CONTINUOUS_QUERY: + return PrivilegeType.CREATE_CONTINUOUS_QUERY.ordinal(); case DROP_CONTINUOUS_QUERY: + return PrivilegeType.DROP_CONTINUOUS_QUERY.ordinal(); + case CREATE_TEMPLATE: + case DROP_TEMPLATE: + return PrivilegeType.UPDATE_TEMPLATE.ordinal(); + case SET_TEMPLATE: + case ACTIVATE_TEMPLATE: + case DEACTIVATE_TEMPLATE: + case UNSET_TEMPLATE: + return PrivilegeType.APPLY_TEMPLATE.ordinal(); + case SHOW_SCHEMA_TEMPLATE: + case SHOW_NODES_IN_SCHEMA_TEMPLATE: + return PrivilegeType.READ_TEMPLATE.ordinal(); + case SHOW_PATH_SET_SCHEMA_TEMPLATE: + case SHOW_PATH_USING_SCHEMA_TEMPLATE: + return PrivilegeType.READ_TEMPLATE_APPLICATION.ordinal(); case SHOW_CONTINUOUS_QUERIES: - return PrivilegeType.CONTINUOUS_QUERY_PRIVILEGE.ordinal(); + return PrivilegeType.SHOW_CONTINUOUS_QUERIES.ordinal(); case CREATE_PIPEPLUGIN: + return PrivilegeType.CREATE_PIPEPLUGIN.ordinal(); case DROP_PIPEPLUGIN: + return PrivilegeType.DROP_PIPEPLUGIN.ordinal(); case SHOW_PIPEPLUGINS: + return PrivilegeType.SHOW_PIPEPLUGINS.ordinal(); case CREATE_PIPE: + return PrivilegeType.CREATE_PIPE.ordinal(); case START_PIPE: + return PrivilegeType.START_PIPE.ordinal(); case STOP_PIPE: + return PrivilegeType.STOP_PIPE.ordinal(); case DROP_PIPE: + return PrivilegeType.DROP_PIPE.ordinal(); case SHOW_PIPES: - return PrivilegeType.PIPE_PRIVILEGE.ordinal(); + return PrivilegeType.SHOW_PIPES.ordinal(); + case CREATE_LOGICAL_VIEW: + return PrivilegeType.CREATE_VIEW.ordinal(); + case ALTER_LOGICAL_VIEW: + return PrivilegeType.ALTER_VIEW.ordinal(); + case RENAME_LOGICAL_VIEW: + return PrivilegeType.RENAME_VIEW.ordinal(); + case DELETE_LOGICAL_VIEW: + return PrivilegeType.DELETE_VIEW.ordinal(); default: logger.error("Unrecognizable operator type ({}) for AuthorityChecker.", type); return -1; diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java index e3b27b0402e..1f49e916428 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java @@ -2267,6 +2267,12 @@ public class ASTVisitor extends IoTDBSqlParserBaseVisitor<Statement> { boolean pathRelevant = true; String errorPrivilegeName = ""; for (String privilege : privileges) { + if ("SET_STORAGE_GROUP".equalsIgnoreCase(privilege)) { + privilege = PrivilegeType.CREATE_DATABASE.name(); + } + if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(privilege)) { + privilege = PrivilegeType.DELETE_DATABASE.name(); + } if (!PrivilegeType.valueOf(privilege.toUpperCase()).isPathRelevant()) { pathRelevant = false; errorPrivilegeName = privilege.toUpperCase(); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java index e77feb08b22..2fac0adae4d 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java @@ -54,8 +54,8 @@ public class AuthorizerManagerTest { Set<Integer> privilegesIds = new HashSet<>(); PathPrivilege privilege = new PathPrivilege(); List<PathPrivilege> privilegeList = new ArrayList<>(); - privilegesIds.add(PrivilegeType.ROLE_PRIVILEGE.ordinal()); - privilegesIds.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); + privilegesIds.add(PrivilegeType.CREATE_ROLE.ordinal()); + privilegesIds.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); privilege.setPath(new PartialPath("root.ln")); privilege.setPrivileges(privilegesIds); privilegeList.add(privilege); @@ -108,7 +108,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.ROLE_PRIVILEGE.ordinal()) + PrivilegeType.CREATE_ROLE.ordinal()) .getCode()); // User does not have permission Assert.assertEquals( @@ -117,7 +117,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.USER_PRIVILEGE.ordinal()) + PrivilegeType.CREATE_USER.ordinal()) .getCode()); // Authenticate users with roles @@ -153,7 +153,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.ROLE_PRIVILEGE.ordinal()) + PrivilegeType.CREATE_ROLE.ordinal()) .getCode()); // role does not have permission Assert.assertEquals( @@ -162,7 +162,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.USER_PRIVILEGE.ordinal()) + PrivilegeType.CREATE_USER.ordinal()) .getCode()); authorityFetcher.getAuthorCache().invalidateCache(user.getName(), ""); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java index 83f39f48c12..fc659a02db0 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java @@ -97,7 +97,7 @@ public class LocalFileAuthorizerTest { try { authorizer.grantPrivilegeToUser(user.getName(), nodeName, 1); } catch (AuthException e) { - assertEquals("User user already has WRITE_DATA on root.laptop.d1", e.getMessage()); + assertEquals("User user already has INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); } try { authorizer.grantPrivilegeToUser("error", nodeName, 1); @@ -122,7 +122,7 @@ public class LocalFileAuthorizerTest { try { authorizer.revokePrivilegeFromUser(user.getName(), nodeName, 1); } catch (AuthException e) { - assertEquals("User user does not have WRITE_DATA on root.laptop.d1", e.getMessage()); + assertEquals("User user does not have INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); } try { @@ -169,13 +169,13 @@ public class LocalFileAuthorizerTest { try { authorizer.grantPrivilegeToRole(roleName, nodeName, 1); } catch (AuthException e) { - assertEquals("Role role already has WRITE_DATA on root.laptop.d1", e.getMessage()); + assertEquals("Role role already has INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); } authorizer.revokePrivilegeFromRole(roleName, nodeName, 1); try { authorizer.revokePrivilegeFromRole(roleName, nodeName, 1); } catch (AuthException e) { - assertEquals("Role role does not have WRITE_DATA on root.laptop.d1", e.getMessage()); + assertEquals("Role role does not have INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); } authorizer.deleteRole(roleName); try { diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java index 3a8e6ea4b9f..757f88da183 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java @@ -34,12 +34,12 @@ public class PathPrivilegeTest { PathPrivilege pathPrivilege = new PathPrivilege(); pathPrivilege.setPath(new PartialPath("root.ln")); pathPrivilege.setPrivileges(Collections.singleton(1)); - Assert.assertEquals("root.ln : WRITE_DATA", pathPrivilege.toString()); + Assert.assertEquals("root.ln : INSERT_TIMESERIES", pathPrivilege.toString()); PathPrivilege pathPrivilege1 = new PathPrivilege(); pathPrivilege1.setPath(new PartialPath("root.sg")); pathPrivilege1.setPrivileges(Collections.singleton(1)); Assert.assertNotEquals(pathPrivilege, pathPrivilege1); pathPrivilege.deserialize(pathPrivilege1.serialize()); - Assert.assertEquals("root.sg : WRITE_DATA", pathPrivilege.toString()); + Assert.assertEquals("root.sg : INSERT_TIMESERIES", pathPrivilege.toString()); } } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java index e32d119df68..724b6097dee 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java @@ -36,10 +36,11 @@ public class RoleTest { PathPrivilege pathPrivilege = new PathPrivilege(new PartialPath("root.ln")); role.setPrivilegeList(Collections.singletonList(pathPrivilege)); role.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1)); - Assert.assertEquals("Role{name='role', privilegeList=[root.ln : WRITE_DATA]}", role.toString()); + Assert.assertEquals( + "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}", role.toString()); Role role1 = new Role("role1"); role1.deserialize(role.serialize()); Assert.assertEquals( - "Role{name='role', privilegeList=[root.ln : WRITE_DATA]}", role1.toString()); + "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}", role1.toString()); } } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java index c14ce60174a..467e1777e1c 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java @@ -37,14 +37,12 @@ public class UserTest { user.setPrivilegeList(Collections.singletonList(pathPrivilege)); user.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1)); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], " - + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user.toString()); User user1 = new User("user1", "password1"); user1.deserialize(user.serialize()); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], " - + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user1.toString()); } } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java index a1ce4909901..a4ebb201539 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java @@ -65,13 +65,13 @@ public class LocalFileUserManagerTest { public void testIllegalInput() throws AuthException { // Password contains space try { - manager.createUser("username1", "password_ ", false); + manager.createUser("username1", "password_ "); } catch (AuthException e) { assertTrue(e.getMessage().contains("cannot contain spaces")); } // Username contains space try { - assertFalse(manager.createUser("username 2", "password_", false)); + assertFalse(manager.createUser("username 2", "password_")); } catch (AuthException e) { assertTrue(e.getMessage().contains("cannot contain spaces")); } @@ -94,7 +94,7 @@ public class LocalFileUserManagerTest { User user = manager.getUser(users[0].getName()); assertNull(user); for (User user1 : users) { - assertTrue(manager.createUser(user1.getName(), user1.getPassword(), false)); + assertTrue(manager.createUser(user1.getName(), user1.getPassword())); } for (User user1 : users) { user = manager.getUser(user1.getName()); @@ -102,17 +102,17 @@ public class LocalFileUserManagerTest { assertTrue(AuthUtils.validatePassword(user1.getPassword(), user.getPassword())); } - assertFalse(manager.createUser(users[0].getName(), users[0].getPassword(), false)); + assertFalse(manager.createUser(users[0].getName(), users[0].getPassword())); boolean caught = false; try { - manager.createUser("too", "short", false); + manager.createUser("too", "short"); } catch (AuthException e) { caught = true; } assertTrue(caught); caught = false; try { - manager.createUser("short", "too", false); + manager.createUser("short", "too"); } catch (AuthException e) { caught = true; } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java index 9ad6d671204..146947c0948 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java @@ -80,7 +80,7 @@ public class MessageDigestEncryptTest { User user = manager.getUser(users[0].getName()); assertNull(user); for (User user1 : users) { - assertTrue(manager.createUser(user1.getName(), user1.getPassword(), false)); + assertTrue(manager.createUser(user1.getName(), user1.getPassword())); } for (User user1 : users) { user = manager.getUser(user1.getName()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java index 93c0237e49b..7c1c891bb92 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java @@ -119,7 +119,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService { @Override public void createUser(String username, String password) throws AuthException { - if (!userManager.createUser(username, password, false)) { + if (!userManager.createUser(username, password)) { throw new AuthException( TSStatusCode.USER_ALREADY_EXIST, String.format("User %s already exists", username)); } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java index 8aa3a959d77..41b7252f510 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java @@ -21,18 +21,55 @@ package org.apache.iotdb.commons.auth.entity; /** This enum class contains all available privileges in IoTDB. */ public enum PrivilegeType { - READ_DATA(true), - WRITE_DATA(true), - READ_SCHEMA(true), - WRITE_SCHEMA(true), - USER_PRIVILEGE, - ROLE_PRIVILEGE, - GRANT_PRIVILEGE, - ALTER_PASSWORD, - TRIGGER_PRIVILEGE(true), - CONTINUOUS_QUERY_PRIVILEGE, - PIPE_PRIVILEGE, - ALL; + CREATE_DATABASE(true), + INSERT_TIMESERIES(true), + @Deprecated + UPDATE_TIMESERIES(true), + READ_TIMESERIES(true), + CREATE_TIMESERIES(true), + DELETE_TIMESERIES(true), + CREATE_USER, + DELETE_USER, + MODIFY_PASSWORD, + LIST_USER, + GRANT_USER_PRIVILEGE, + REVOKE_USER_PRIVILEGE, + GRANT_USER_ROLE, + REVOKE_USER_ROLE, + CREATE_ROLE, + DELETE_ROLE, + LIST_ROLE, + GRANT_ROLE_PRIVILEGE, + REVOKE_ROLE_PRIVILEGE, + CREATE_FUNCTION, + DROP_FUNCTION, + CREATE_TRIGGER(true), + DROP_TRIGGER(true), + START_TRIGGER(true), + STOP_TRIGGER(true), + CREATE_CONTINUOUS_QUERY, + DROP_CONTINUOUS_QUERY, + ALL, + DELETE_DATABASE(true), + ALTER_TIMESERIES(true), + UPDATE_TEMPLATE, + READ_TEMPLATE, + APPLY_TEMPLATE(true), + READ_TEMPLATE_APPLICATION, + SHOW_CONTINUOUS_QUERIES, + CREATE_PIPEPLUGIN, + DROP_PIPEPLUGIN, + SHOW_PIPEPLUGINS, + CREATE_PIPE, + START_PIPE, + STOP_PIPE, + DROP_PIPE, + SHOW_PIPES, + CREATE_VIEW(true), + ALTER_VIEW(true), + RENAME_VIEW(true), + DELETE_VIEW(true), + ; private static final int PRIVILEGE_COUNT = values().length; diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java index f9a4485f068..4b872db74ed 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java @@ -82,8 +82,7 @@ public abstract class BasicUserManager implements IUserManager { if (admin == null) { createUser( CommonDescriptor.getInstance().getConfig().getAdminName(), - CommonDescriptor.getInstance().getConfig().getAdminPassword(), - true); + CommonDescriptor.getInstance().getConfig().getAdminPassword()); setUserUseWaterMark(CommonDescriptor.getInstance().getConfig().getAdminName(), false); } logger.info("Admin initialized"); @@ -112,12 +111,9 @@ public abstract class BasicUserManager implements IUserManager { } @Override - public boolean createUser(String username, String password, boolean firstInit) - throws AuthException { - if (!firstInit) { - AuthUtils.validateUsername(username); - AuthUtils.validatePassword(password); - } + public boolean createUser(String username, String password) throws AuthException { + AuthUtils.validateUsername(username); + AuthUtils.validatePassword(password); User user = getUser(username); if (user != null) { diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java index 501ec2be4a7..f403db6195e 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java @@ -43,11 +43,10 @@ public interface IUserManager extends SnapshotProcessor { * * @param username is not null or empty * @param password is not null or empty - * @param firstInit is first init admin * @return True if the user is successfully created, false when the user already exists. * @throws AuthException if the given username or password is illegal. */ - boolean createUser(String username, String password, boolean firstInit) throws AuthException; + boolean createUser(String username, String password) throws AuthException; /** * Delete a user. diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index 1578fdc5fa8..a1a3507e38e 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -50,9 +50,9 @@ public class AuthUtils { private static final Logger logger = LoggerFactory.getLogger(AuthUtils.class); private static final String ROOT_PREFIX = IoTDBConstant.PATH_ROOT; public static PartialPath ROOT_PATH_PRIVILEGE_PATH; - private static final int MIN_LENGTH = 4; - private static final int MAX_LENGTH = 64; - private static final String REX_PATTERN = "^[-\\w]*$"; + private static final int MIN_PASSWORD_LENGTH = 4; + private static final int MIN_USERNAME_LENGTH = 4; + private static final int MIN_ROLENAME_LENGTH = 4; static { try { @@ -77,7 +77,14 @@ public class AuthUtils { * @throws AuthException contains message why password is invalid */ public static void validatePassword(String password) throws AuthException { - validateNameOrPassword(password); + if (password.length() < MIN_PASSWORD_LENGTH) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, + "Password's size must be greater than or equal to " + MIN_PASSWORD_LENGTH); + } + if (password.contains(" ")) { + throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Password cannot contain spaces"); + } } /** @@ -100,7 +107,14 @@ public class AuthUtils { * @throws AuthException contains message why username is invalid */ public static void validateUsername(String username) throws AuthException { - validateNameOrPassword(username); + if (username.length() < MIN_USERNAME_LENGTH) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, + "Username's size must be greater than or equal to " + MIN_USERNAME_LENGTH); + } + if (username.contains(" ")) { + throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Username cannot contain spaces"); + } } /** @@ -110,26 +124,13 @@ public class AuthUtils { * @throws AuthException contains message why rolename is invalid */ public static void validateRolename(String rolename) throws AuthException { - validateNameOrPassword(rolename); - } - - public static void validateNameOrPassword(String str) throws AuthException { - int length = str.length(); - if (length < MIN_LENGTH) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, - "The length of name or password must be greater than or equal to " + MIN_LENGTH); - } else if (length > MAX_LENGTH) { + if (rolename.length() < MIN_ROLENAME_LENGTH) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, - "The length of name or password must be less than or equal to " + MAX_LENGTH); - } else if (str.contains(" ")) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, "The name or password cannot contain spaces"); - } else if (!str.matches(REX_PATTERN)) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, - "The name or password can only contain letters, numbers, and underscores"); + "Role name's size must be greater than or equal to " + MIN_ROLENAME_LENGTH); + } + if (rolename.contains(" ")) { + throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Role name cannot contain spaces"); } } @@ -175,11 +176,22 @@ public class AuthUtils { if (!path.equals(ROOT_PATH_PRIVILEGE_PATH)) { validatePath(path); switch (type) { - case READ_SCHEMA: - case WRITE_SCHEMA: - case READ_DATA: - case WRITE_DATA: - case TRIGGER_PRIVILEGE: + case READ_TIMESERIES: + case CREATE_DATABASE: + case DELETE_DATABASE: + case CREATE_TIMESERIES: + case DELETE_TIMESERIES: + case INSERT_TIMESERIES: + case ALTER_TIMESERIES: + case CREATE_TRIGGER: + case DROP_TRIGGER: + case START_TRIGGER: + case STOP_TRIGGER: + case APPLY_TEMPLATE: + case CREATE_VIEW: + case ALTER_VIEW: + case RENAME_VIEW: + case DELETE_VIEW: return; default: throw new AuthException( @@ -188,10 +200,17 @@ public class AuthUtils { } } else { switch (type) { - case READ_SCHEMA: - case WRITE_SCHEMA: - case READ_DATA: - case WRITE_DATA: + case READ_TIMESERIES: + case CREATE_DATABASE: + case DELETE_DATABASE: + case CREATE_TIMESERIES: + case DELETE_TIMESERIES: + case INSERT_TIMESERIES: + case ALTER_TIMESERIES: + case CREATE_VIEW: + case ALTER_VIEW: + case RENAME_VIEW: + case DELETE_VIEW: validatePath(path); return; default: @@ -380,6 +399,12 @@ public class AuthUtils { PrivilegeType[] types = PrivilegeType.values(); for (String authorization : authorizationList) { boolean legal = false; + if ("SET_STORAGE_GROUP".equalsIgnoreCase(authorization)) { + authorization = PrivilegeType.CREATE_DATABASE.name(); + } + if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(authorization)) { + authorization = PrivilegeType.DELETE_DATABASE.name(); + } for (PrivilegeType privilegeType : types) { if (authorization.equalsIgnoreCase(privilegeType.name())) { result.add(privilegeType.ordinal());
