This is an automated email from the ASF dual-hosted git repository. tanxinyu pushed a commit to branch revert_unfinished_auth in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 593b42938ba078790d348f6a886e2560abb8ba7b Author: OneSizeFitQuorum <[email protected]> AuthorDate: Tue Aug 1 10:31:36 2023 +0800 Revert "[IOTDB-5134] Add READ and WRITE with aggregate privilege (#10520)" This reverts commit 4cb91037bb526d0add5389bdcb9df15893ef7ac2. --- .../confignode/it/IoTDBClusterAuthorityIT.java | 20 +++--- .../java/org/apache/iotdb/db/it/IoTDBAuthIT.java | 55 ++++++---------- .../java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java | 4 +- .../iotdb/db/it/selectinto/IoTDBSelectIntoIT.java | 2 +- .../db/it/trigger/IoTDBTriggerManagementIT.java | 17 ++--- .../org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 | 2 - .../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 | 43 +++++-------- .../iotdb/confignode/persistence/AuthorInfo.java | 2 +- .../confignode/persistence/AuthorInfoTest.java | 20 +++--- .../org/apache/iotdb/db/auth/AuthorityChecker.java | 13 ++-- .../iotdb/db/auth/ClusterAuthorityFetcher.java | 12 ++-- .../iotdb/db/auth/AuthorizerManagerTest.java | 10 +-- .../auth/authorizer/LocalFileAuthorizerTest.java | 8 +-- .../iotdb/commons/auth/entity/PrivilegeType.java | 73 +++------------------- .../iotdb/commons/auth/role/BasicRoleManager.java | 3 +- .../iotdb/commons/auth/user/BasicUserManager.java | 3 +- .../org/apache/iotdb/commons/utils/AuthUtils.java | 24 ++++--- 17 files changed, 110 insertions(+), 201 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java index 30cec1d28a1..de74ff69a8c 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java 
@@ -120,13 +120,13 @@ public class IoTDBClusterAuthorityIT { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.MANAGE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.MANAGE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); List<String> privilege = new ArrayList<>(); - privilege.add("root.** : MANAGE_USER"); + privilege.add("root.** : USER_PRIVILEGE"); List<PartialPath> paths = new ArrayList<>(); paths.add(new PartialPath("root.ln.**")); @@ -156,7 +156,7 @@ public class IoTDBClusterAuthorityIT { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.MANAGE_USER.ordinal()); + PrivilegeType.USER_PRIVILEGE.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -267,7 +267,7 @@ public class IoTDBClusterAuthorityIT { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.MANAGE_USER.ordinal()); + PrivilegeType.USER_PRIVILEGE.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); 
@@ -481,12 +481,10 @@ public class IoTDBClusterAuthorityIT { authorizerResp = client.queryPermission(authorizerReq); status = authorizerResp.getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - Set<PrivilegeType> allPrivilegeTypes = PrivilegeType.ALL.getStorablePrivilege(); - List<String> resultPrivilegeTypes = - authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE); - Assert.assertEquals(allPrivilegeTypes.size(), resultPrivilegeTypes.size()); - for (int i = 0; i < allPrivilegeTypes.size(); i++) { - Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString())); + for (int i = 0; i < PrivilegeType.values().length; i++) { + assertEquals( + PrivilegeType.values()[i].toString(), + authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).get(i)); } } catch (Exception e) { e.printStackTrace(); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java index 2df47a3588b..02f89882df1 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java 
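Review bot: The rebuilt loop at the end of the hunk indexes `authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).get(i)` for every `PrivilegeType.values()` entry without first asserting the list's size, so a response carrying extra privilege strings passes unnoticed and a shorter one fails with an IndexOutOfBoundsException instead of an assertion, and that exception lands in the `catch (Exception e)` below, which from the visible `e.printStackTrace()` may not fail the test. Add a length check before the loop, e.g. `List<String> listed = authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);` followed by `assertEquals(PrivilegeType.values().length, listed.size());`, and index `listed.get(i)` inside the loop. The equivalent loop in AuthorInfoTest (hunk @@ -411 of this commit) needs the same size check. Note that for the root user the listed names now include `ALL` itself, because AuthorInfo iterates `PrivilegeType.values()` in this commit; the expectation here matches that, so if `ALL` is not meant to be listed as a grant both sides have to change together.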
@@ -94,19 +94,6 @@ public class IoTDBAuthIT { adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.**"); adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.b.b"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE, MANAGE_DATABASE on root.**"); - - userStmt.execute("CREATE DATABASE root.c"); - userStmt.execute("CREATE TIMESERIES root.c.d WITH DATATYPE=INT32,ENCODING=PLAIN"); - userStmt.execute("INSERT INTO root.c(timestamp, d) VALUES (100, 100)"); - userStmt.execute("SELECT * from root.c"); - - adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE, MANAGE_DATABASE on root.**"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES READ on root.**"); - - userStmt.execute("SELECT * from root.c"); - - adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ on root.**"); Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.b")); Assert.assertThrows( @@ -136,7 +123,7 @@ public class IoTDBAuthIT { Assert.assertThrows( SQLException.class, () -> userStmt.execute("CREATE DATABASE root.sgtest")); - adminStmt.execute("GRANT USER sgtest PRIVILEGES MANAGE_DATABASE ON root.*"); + adminStmt.execute("GRANT USER sgtest PRIVILEGES WRITE_SCHEMA ON root.*"); try { userStmt.execute("CREATE DATABASE root.sgtest"); @@ -205,11 +192,11 @@ public class IoTDBAuthIT { Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); // duplicate grant Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on root.**")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); // grant on an illegal seriesPath Assert.assertThrows( SQLException.class, 
@@ -223,14 +210,14 @@ public class IoTDBAuthIT { SQLException.class, () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); // revoke a non-existing privilege - adminStmt.execute("REVOKE USER tempuser PRIVILEGES MANAGE_USER on root.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES MANAGE_USER on root.**")); + () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); // revoke a non-existing user Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES MANAGE_USER on root.**")); + () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES USER_PRIVILEGE on root.**")); // revoke on an illegal seriesPath Assert.assertThrows( SQLException.class, @@ -268,7 +255,7 @@ public class IoTDBAuthIT { // grant and revoke the user the privilege to create time series Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_DATABASE,WRITE_SCHEMA ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); userStmt.execute("CREATE DATABASE root.a"); adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); 
@@ -277,15 +264,13 @@ public class IoTDBAuthIT { // privilege already exists Assert.assertThrows( SQLException.class, - () -> - adminStmt.execute( - "GRANT USER tempuser PRIVILEGES MANAGE_DATABASE,WRITE_SCHEMA ON root.a")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); // no privilege to create this one anymore Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); // no privilege to create timeseries Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES MANAGE_DATABASE,WRITE_SCHEMA ON root.a"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); // no privilege to create this one anymore Assert.assertThrows( SQLException.class, @@ -315,7 +300,7 @@ public class IoTDBAuthIT { try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw"); Statement userStmt = userCon.createStatement()) { - adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_DATABASE ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); userStmt.execute("CREATE DATABASE root.a"); adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); @@ -362,7 +347,7 @@ public class IoTDBAuthIT { adminStmt.execute("CREATE ROLE admin"); adminStmt.execute( - "GRANT ROLE admin PRIVILEGES MANAGE_DATABASE,WRITE_SCHEMA,READ_DATA,WRITE_DATA on root.**"); + "GRANT ROLE admin PRIVILEGES WRITE_SCHEMA,READ_DATA,WRITE_DATA on root.**"); adminStmt.execute("GRANT admin TO tempuser"); userStmt.execute("CREATE DATABASE root.a"); 
@@ -373,7 +358,7 @@ public class IoTDBAuthIT { ResultSet resultSet = userStmt.executeQuery("SELECT * FROM root.**"); resultSet.close(); - adminStmt.execute("REVOKE ROLE admin PRIVILEGES MANAGE_DATABASE,WRITE_SCHEMA on root.**"); + adminStmt.execute("REVOKE ROLE admin PRIVILEGES WRITE_SCHEMA on root.**"); adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on root.**"); adminStmt.execute("REVOKE admin FROM tempuser"); resultSet = userStmt.executeQuery("SELECT * FROM root.**"); @@ -495,15 +480,15 @@ public class IoTDBAuthIT { String ans = ",root.a.b : READ_SCHEMA" + ",\n" - + "role1,root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA" + + "role1,root.a.b.c : WRITE_DATA READ_SCHEMA" + ",\n" - + "role1,root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA" + + "role1,root.d.b.c : WRITE_DATA READ_SCHEMA" + ",\n"; try { validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c"); - ans = "role1,root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n"; + ans = "role1,root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); adminStmt.execute("REVOKE role1 from user1"); 
@@ -540,19 +525,17 @@ public class IoTDBAuthIT { adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = - "root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n" - + "root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n"; + ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n" + "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); - ans = "root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n"; + ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); adminStmt.execute("REVOKE ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = "root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n"; + ans = "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); @@ -718,7 +701,7 @@ public class IoTDBAuthIT { try { Assert.assertThrows(SQLException.class, () -> userStmt.execute("LIST USER")); // with list user privilege - adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); ResultSet resultSet = userStmt.executeQuery("LIST USER"); String ans = "root,\n" diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java index 1b858d70dd8..8265d51c036 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java 
@@ -541,11 +541,11 @@ public class IoTDBCQIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege USE_CQ", + + ": No permissions for this operation, please add privilege CONTINUOUS_QUERY_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES USE_CQ"); + statement.execute("GRANT USER `zmty` PRIVILEGES CONTINUOUS_QUERY_PRIVILEGE"); try (ResultSet resultSet = statement2.executeQuery("show CQS")) { diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java index 16b0ca64fe0..56fdb0a795f 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java @@ -583,7 +583,7 @@ public class IoTDBSelectIntoIT { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains("No permissions for this operation, please add privilege WRITE_DATA")); + .contains("No permissions for this operation, please add privilege READ_DATA")); } } } diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java index 8b04523b6b8..45de743186d 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java 
@@ -546,11 +546,12 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege USE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on root.test.stateless.a"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); try { statement2.execute( @@ -576,7 +577,7 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege USE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } } @@ -608,11 +609,12 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege USE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on root.test.stateless.b"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.b"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); 
@@ -620,11 +622,12 @@ public class IoTDBTriggerManagementIT { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege USE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on root.test.stateless.a"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); diff --git a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 index c9d66ee181e..c26fe66aa5b 100644 --- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 +++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 @@ -910,8 +910,6 @@ privileges privilegeValue : ALL - | READ - | WRITE | PRIVILEGE_VALUE ; diff --git a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 index 0d66cbc8033..c87727ccd35 100644 --- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 +++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 @@ -61,14 +61,6 @@ ALL : A L L ; -READ - : R E A D - ; - -WRITE - : W R I T E - ; - ALTER : A L T E R ; @@ -909,14 +901,13 @@ PRIVILEGE_VALUE | WRITE_DATA | READ_SCHEMA | WRITE_SCHEMA - | MANAGE_USER - | MANAGE_ROLE + | USER_PRIVILEGE + | ROLE_PRIVILEGE | GRANT_PRIVILEGE | ALTER_PASSWORD - | USE_TRIGGER - | USE_CQ - | USE_PIPE - | MANAGE_DATABASE + | TRIGGER_PRIVILEGE + | CONTINUOUS_QUERY_PRIVILEGE + | PIPE_PRIVILEGE ; READ_DATA 
@@ -935,12 +926,12 @@ WRITE_SCHEMA : W R I T E '_' S C H E M A ; -MANAGE_USER - : M A N A G E '_' U S E R +USER_PRIVILEGE + : U S E R '_' P R I V I L E G E ; -MANAGE_ROLE - : M A N A G E '_' R O L E +ROLE_PRIVILEGE + : R O L E '_' P R I V I L E G E ; GRANT_PRIVILEGE @@ -951,20 +942,16 @@ ALTER_PASSWORD : A L T E R '_' P A S S W O R D ; -USE_TRIGGER - : U S E '_' T R I G G E R - ; - -USE_CQ - : U S E '_' C Q +TRIGGER_PRIVILEGE + : T R I G G E R '_' P R I V I L E G E ; -USE_PIPE - : U S E '_' P I P E +CONTINUOUS_QUERY_PRIVILEGE + : C O N T I N U O U S '_' Q U E R Y '_' P R I V I L E G E ; -MANAGE_DATABASE - : M A N A G E '_' D A T A B A S E +PIPE_PRIVILEGE + : P I P E '_' P R I V I L E G E ; SET_STORAGE_GROUP diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java index 22b04d9cc0d..2c1ce580110 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java @@ -314,7 +314,7 @@ public class AuthorInfo implements SnapshotProcessor { List<String> userPrivilegesList = new ArrayList<>(); if (IoTDBConstant.PATH_ROOT.equals(plan.getUserName())) { - for (PrivilegeType privilegeType : PrivilegeType.ALL.getStorablePrivilege()) { + for (PrivilegeType privilegeType : PrivilegeType.values()) { userPrivilegesList.add(privilegeType.toString()); } } else { diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java index 04412c3a252..476ad57e852 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java 
@@ -89,13 +89,13 @@ public class AuthorInfoTest { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.MANAGE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.MANAGE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); List<String> privilege = new ArrayList<>(); - privilege.add("root.** : MANAGE_USER"); + privilege.add("root.** : USER_PRIVILEGE"); List<PartialPath> paths = new ArrayList<>(); paths.add(new PartialPath("root.ln")); @@ -122,7 +122,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.MANAGE_USER.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -215,7 +215,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.MANAGE_USER.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); 
@@ -411,12 +411,10 @@ public class AuthorInfoTest { permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan); status = permissionInfoResp.getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - Set<PrivilegeType> allPrivilegeTypes = PrivilegeType.ALL.getStorablePrivilege(); - List<String> resultPrivilegeTypes = - permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE); - Assert.assertEquals(allPrivilegeTypes.size(), resultPrivilegeTypes.size()); - for (int i = 0; i < allPrivilegeTypes.size(); i++) { - Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString())); + for (int i = 0; i < PrivilegeType.values().length; i++) { + Assert.assertEquals( + PrivilegeType.values()[i].toString(), + permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).get(i)); } } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java index a7feb9966c8..e03170d6778 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java @@ -157,10 +157,9 @@ public class AuthorityChecker { case SHOW_PATH_SET_SCHEMA_TEMPLATE: case SHOW_PATH_USING_SCHEMA_TEMPLATE: return PrivilegeType.READ_SCHEMA.ordinal(); + case TTL: case STORAGE_GROUP_SCHEMA: case DELETE_STORAGE_GROUP: - return PrivilegeType.MANAGE_DATABASE.ordinal(); - case TTL: case CREATE_TIMESERIES: case CREATE_ALIGNED_TIMESERIES: case CREATE_MULTI_TIMESERIES: 
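Review bot: With `case TTL:`, `case STORAGE_GROUP_SCHEMA:` and `case DELETE_STORAGE_GROUP:` now falling through into the `CREATE_TIMESERIES` group, database creation, database deletion and TTL changes are gated by the same privilege as creating a single timeseries; the shared `return` is outside the hunk, but the IoTDBAuthIT changes in this commit (a `WRITE_SCHEMA` grant on `root.*` now permits `CREATE DATABASE`) indicate that privilege is WRITE_SCHEMA. That is a coarser grant than a reader of this switch would expect for deletion, so it should be stated rather than inferred: add `// database create/delete and TTL are covered by the schema-write privilege; there is no separate database-management privilege` above `case TTL:`. The enclosing mapping method starts and ends outside the hunk.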
@@ -207,13 +206,13 @@ public class AuthorityChecker { case LIST_USER: case LIST_USER_ROLES: case LIST_USER_PRIVILEGE: - return PrivilegeType.MANAGE_USER.ordinal(); + return PrivilegeType.USER_PRIVILEGE.ordinal(); case CREATE_ROLE: case DELETE_ROLE: case LIST_ROLE: case LIST_ROLE_USERS: case LIST_ROLE_PRIVILEGE: - return PrivilegeType.MANAGE_ROLE.ordinal(); + return PrivilegeType.ROLE_PRIVILEGE.ordinal(); case MODIFY_PASSWORD: return PrivilegeType.ALTER_PASSWORD.ordinal(); case GRANT_USER_PRIVILEGE: @@ -225,11 +224,11 @@ public class AuthorityChecker { return PrivilegeType.GRANT_PRIVILEGE.ordinal(); case CREATE_TRIGGER: case DROP_TRIGGER: - return PrivilegeType.USE_TRIGGER.ordinal(); + return PrivilegeType.TRIGGER_PRIVILEGE.ordinal(); case CREATE_CONTINUOUS_QUERY: case DROP_CONTINUOUS_QUERY: case SHOW_CONTINUOUS_QUERIES: - return PrivilegeType.USE_CQ.ordinal(); + return PrivilegeType.CONTINUOUS_QUERY_PRIVILEGE.ordinal(); case CREATE_PIPEPLUGIN: case DROP_PIPEPLUGIN: case SHOW_PIPEPLUGINS: @@ -238,7 +237,7 @@ public class AuthorityChecker { case STOP_PIPE: case DROP_PIPE: case SHOW_PIPES: - return PrivilegeType.USE_PIPE.ordinal(); + return PrivilegeType.PIPE_PRIVILEGE.ordinal(); default: logger.error("Unrecognizable operator type ({}) for AuthorityChecker.", type); return -1; diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java index 255d26f8252..68056580beb 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java 
@@ -303,15 +303,13 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
 */
 private PathPrivilege toPathPrivilege(PartialPath path, String privilege) {
 PathPrivilege pathPrivilege = new PathPrivilege();
- pathPrivilege.setPath(path);
+ String[] privileges = privilege.replace(" ", "").split(",");
 Set<Integer> privilegeIds = new HashSet<>();
- pathPrivilege.setPrivileges(privilegeIds);
- if (privilege.trim().length() != 0) {
- String[] privileges = privilege.replace(" ", "").split(",");
- for (String p : privileges) {
- privilegeIds.add(Integer.parseInt(p));
- }
+ for (String p : privileges) {
+ privilegeIds.add(Integer.parseInt(p));
 }
+ pathPrivilege.setPrivileges(privilegeIds);
+ pathPrivilege.setPath(path);
 return pathPrivilege;
 }
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
index 37f71925dbc..e77feb08b22 100644
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
+++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
@@ -54,7 +54,7 @@ public class AuthorizerManagerTest {
 Set<Integer> privilegesIds = new HashSet<>();
 PathPrivilege privilege = new PathPrivilege();
 List<PathPrivilege> privilegeList = new ArrayList<>();
- privilegesIds.add(PrivilegeType.MANAGE_ROLE.ordinal());
+ privilegesIds.add(PrivilegeType.ROLE_PRIVILEGE.ordinal());
 privilegesIds.add(PrivilegeType.GRANT_PRIVILEGE.ordinal());
 privilege.setPath(new PartialPath("root.ln"));
 privilege.setPrivileges(privilegesIds);
@@ -108,7 +108,7 @@ public class AuthorizerManagerTest {
 .checkUserPrivileges(
 "user",
 Collections.singletonList(new PartialPath("root.ln")),
- PrivilegeType.MANAGE_ROLE.ordinal())
+ PrivilegeType.ROLE_PRIVILEGE.ordinal())
 .getCode());
 // User does not have permission
 Assert.assertEquals(
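Review bot: `Integer.parseInt(p)` in the re-added loop throws NumberFormatException for an empty privilege string, because `"".split(",")` yields one empty element; the guard that skipped parsing for a blank `privilege` is removed in this hunk, so `toPathPrivilege` now fails on that input instead of returning a path with no privileges. Whether the ConfigNode can hand back an empty string for a path is not visible here, but if it can, the cheapest fix is to skip blank tokens in the loop: `if (!p.isEmpty()) { privilegeIds.add(Integer.parseInt(p)); }`. Either way the method's Javadoc, which begins above the hunk, should state that `privilege` is a comma-separated list of PrivilegeType ordinals and that a malformed entry is rejected with an exception rather than skipped, so the fetcher fails closed on corrupt privilege data.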
@@ -117,7 +117,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.MANAGE_USER.ordinal()) + PrivilegeType.USER_PRIVILEGE.ordinal()) .getCode()); // Authenticate users with roles @@ -153,7 +153,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.MANAGE_ROLE.ordinal()) + PrivilegeType.ROLE_PRIVILEGE.ordinal()) .getCode()); // role does not have permission Assert.assertEquals( @@ -162,7 +162,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.MANAGE_USER.ordinal()) + PrivilegeType.USER_PRIVILEGE.ordinal()) .getCode()); authorityFetcher.getAuthorCache().invalidateCache(user.getName(), ""); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java index 8b532268ca5..83f39f48c12 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java @@ -200,12 +200,10 @@ public class LocalFileAuthorizerTest { // a user can get all role permissions. Set<Integer> permissions = authorizer.getPrivileges(user.getName(), nodeName); - assertEquals(4, permissions.size()); - assertTrue(permissions.contains(0)); + assertEquals(2, permissions.size()); assertTrue(permissions.contains(1)); - assertTrue(permissions.contains(2)); assertTrue(permissions.contains(3)); - assertFalse(permissions.contains(4)); + assertFalse(permissions.contains(2)); try { authorizer.grantRoleToUser(roleName, user.getName()); 
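Review bot: The rewritten assertions in the LocalFileAuthorizerTest hunk use bare ordinals (`permissions.contains(1)`, `contains(3)`, `assertFalse(permissions.contains(2))`) whose meaning changed with this commit's reordering of PrivilegeType, which is exactly why the numbers had to be edited; spelled as `PrivilegeType.WRITE_DATA.ordinal()`, `PrivilegeType.WRITE_SCHEMA.ordinal()` and `PrivilegeType.READ_SCHEMA.ordinal()` (assuming the setup outside the hunk grants WRITE_DATA and WRITE_SCHEMA) they would survive the next enum change and say what is asserted. The same applies to `assertEquals(2, permissions.size())` here and `assertEquals(1, revokeRolePermissions.size())` in the following hunk. The enclosing test method starts outside the hunk.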
@@ -215,7 +213,7 @@ public class LocalFileAuthorizerTest { // revoke a role from a user, the user will lose all role's permission authorizer.revokeRoleFromUser(roleName, user.getName()); Set<Integer> revokeRolePermissions = authorizer.getPrivileges(user.getName(), nodeName); - assertEquals(2, revokeRolePermissions.size()); + assertEquals(1, revokeRolePermissions.size()); assertTrue(revokeRolePermissions.contains(1)); assertFalse(revokeRolePermissions.contains(2)); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java index c3ef891ea7e..8aa3a959d77 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java 
@@ -19,63 +19,31 @@ package org.apache.iotdb.commons.auth.entity;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
 /** This enum class contains all available privileges in IoTDB. */
 public enum PrivilegeType {
 READ_DATA(true),
- WRITE_DATA(true, true, READ_DATA),
+ WRITE_DATA(true),
 READ_SCHEMA(true),
- WRITE_SCHEMA(true, true, READ_SCHEMA),
- MANAGE_USER,
- MANAGE_ROLE,
+ WRITE_SCHEMA(true),
+ USER_PRIVILEGE,
+ ROLE_PRIVILEGE,
 GRANT_PRIVILEGE,
 ALTER_PASSWORD,
- USE_TRIGGER(true),
- USE_CQ,
- USE_PIPE,
- MANAGE_DATABASE(true),
- READ(true, false, READ_DATA, READ_SCHEMA),
- WRITE(true, false, WRITE_DATA, WRITE_SCHEMA),
- ALL(
- true,
- false,
- READ,
- WRITE,
- MANAGE_USER,
- MANAGE_ROLE,
- GRANT_PRIVILEGE,
- ALTER_PASSWORD,
- USE_TRIGGER,
- USE_CQ,
- USE_PIPE,
- MANAGE_DATABASE);
+ TRIGGER_PRIVILEGE(true),
+ CONTINUOUS_QUERY_PRIVILEGE,
+ PIPE_PRIVILEGE,
+ ALL;
 private static final int PRIVILEGE_COUNT = values().length;
 private final boolean isPathRelevant;
- private final boolean isStorable;
- private final List<PrivilegeType> subPrivileges = new ArrayList<>();
 PrivilegeType() {
 this.isPathRelevant = false;
- this.isStorable = true;
 }
 PrivilegeType(boolean isPathRelevant) {
 this.isPathRelevant = isPathRelevant;
- this.isStorable = true;
- }
-
- PrivilegeType(boolean isPathRelevant, boolean isStorable, PrivilegeType... privilegeTypes) {
- this.isPathRelevant = isPathRelevant;
- this.isStorable = isStorable;
- this.subPrivileges.addAll(Arrays.asList(privilegeTypes));
 }
 /**
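Review bot: The enum's Javadoc (`/** This enum class contains all available privileges in IoTDB. */`) does not say that the ordinal is the privilege id, yet this commit sends `PrivilegeType.X.ordinal()` in TCheckUserPrivilegesReq, parses ids back with `Integer.parseInt` in ClusterAuthorityFetcher.toPathPrivilege, and had to renumber the LocalFileAuthorizerTest assertions because constants moved; any future reordering or insertion silently remaps every existing grant. Extend the Javadoc with `Ordinals are the privilege ids used on the wire and in stored grants: never reorder or insert constants, only append.` and put `// ALL is stored as an ordinal too: AuthUtils.addPrivilege expands it into every value of values(), itself included` on the `ALL;` line. The enum body continues past the hunk.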
@@ -89,32 +57,7 @@ public enum PrivilegeType {
 return 0 <= type && type < PRIVILEGE_COUNT && values()[type].isPathRelevant;
 }
- public static boolean isStorable(int type) {
- return 0 <= type && type < PRIVILEGE_COUNT && values()[type].isStorable;
- }
-
 public boolean isPathRelevant() {
 return isPathRelevant;
 }
-
- public static Set<PrivilegeType> getStorablePrivilege(Integer ordinal) {
- if (ordinal < 0 || ordinal >= PRIVILEGE_COUNT) {
- return Collections.emptySet();
- }
- PrivilegeType privilegeType = PrivilegeType.values()[ordinal];
- return privilegeType.getStorablePrivilege();
- }
-
- public Set<PrivilegeType> getStorablePrivilege() {
- Set<PrivilegeType> result = new HashSet<>();
- if (isStorable) {
- // if this privilege is storable, add it to the result set
- result.add(this);
- }
- for (PrivilegeType privilegeType : subPrivileges) {
- // add all storable privileges of sub privileges to the result set
- result.addAll(privilegeType.getStorablePrivilege());
- }
- return result;
- }
 }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
index bcdd1bc1a7c..142532434b0 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
@@ -19,7 +19,6 @@ package org.apache.iotdb.commons.auth.role;
 import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.auth.entity.Role;
 import org.apache.iotdb.commons.concurrent.HashLock;
 import org.apache.iotdb.commons.path.PartialPath;
@@ -146,7 +145,7 @@ public abstract class BasicRoleManager implements IRoleManager {
 throw new AuthException(
 TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s", rolename));
 }
- if (PrivilegeType.isStorable(privilegeId) && !role.hasPrivilege(path, privilegeId)) {
+ if (!role.hasPrivilege(path, privilegeId)) {
 return false;
 }
 role.removePrivilege(path, privilegeId);
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index 042d671497c..f9a4485f068 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -19,7 +19,6 @@
 package org.apache.iotdb.commons.auth.user;
 import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.auth.entity.User;
 import org.apache.iotdb.commons.concurrent.HashLock;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
@@ -197,7 +196,7 @@ public abstract class BasicUserManager implements IUserManager {
 throw new AuthException(
 TSStatusCode.USER_NOT_EXIST, String.format(NO_SUCH_USER_ERROR, username));
 }
- if (PrivilegeType.isStorable(privilegeId) && !user.hasPrivilege(path, privilegeId)) {
+ if (!user.hasPrivilege(path, privilegeId)) {
 return false;
 }
 user.removePrivilege(path, privilegeId);
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
index ad49ad5288d..1578fdc5fa8 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
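Review bot: With the `isStorable` guard gone, the role revoke returns false unless `role.hasPrivilege(path, privilegeId)` is true for the exact id passed in, so revoking `ALL` from a role whose privileges were granted one by one (and which therefore never stored ALL's ordinal) becomes a silent no-op that leaves every privilege in place. Whether that is the intended contract depends on `hasPrivilege`, which is not in the hunk; if it does not treat ALL as a wildcard, either route the ALL case directly to `role.removePrivilege(path, privilegeId)` or state the limitation where an operator will see it: `// ALL can only be revoked from a role that was granted ALL; individually granted privileges must be revoked individually.` The enclosing method starts outside the hunk.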
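Review bot: The user revoke now short-circuits on `!user.hasPrivilege(path, privilegeId)` without the former `isStorable` check, so an `ALL` revoke against a user holding individually granted privileges (but not ALL's own ordinal) returns false and removes nothing, which is the kind of "revoke succeeded silently did nothing" outcome an administrator will not notice. This hinges on how `hasPrivilege` handles ALL's ordinal, which is not visible here, so it should at least be documented above the check: `// Returns false (no change) when the exact privilege id is absent; ALL is matched literally, not expanded.` The enclosing method starts outside the hunk.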
@@ -179,8 +179,7 @@ public class AuthUtils {
 case WRITE_SCHEMA:
 case READ_DATA:
 case WRITE_DATA:
- case USE_TRIGGER:
- case MANAGE_DATABASE:
+ case TRIGGER_PRIVILEGE:
 return;
 default:
 throw new AuthException(
@@ -191,7 +190,6 @@ public class AuthUtils {
 switch (type) {
 case READ_SCHEMA:
 case WRITE_SCHEMA:
- case MANAGE_DATABASE:
 case READ_DATA:
 case WRITE_DATA:
 validatePath(path);
@@ -317,8 +315,12 @@ public class AuthUtils {
 privilegeList.add(targetPathPrivilege);
 }
 // add privilegeId into targetPathPrivilege
- for (PrivilegeType privilegeType : PrivilegeType.getStorablePrivilege(privilegeId)) {
- targetPathPrivilege.getPrivileges().add(privilegeType.ordinal());
+ if (privilegeId != PrivilegeType.ALL.ordinal()) {
+ targetPathPrivilege.getPrivileges().add(privilegeId);
+ } else {
+ for (PrivilegeType privilegeType : PrivilegeType.values()) {
+ targetPathPrivilege.getPrivileges().add(privilegeType.ordinal());
+ }
 }
 }
@@ -339,11 +341,15 @@ public class AuthUtils {
 }
 }
 if (targetPathPrivilege != null) {
- for (PrivilegeType privilegeType : PrivilegeType.getStorablePrivilege(privilegeId)) {
- targetPathPrivilege.getPrivileges().remove(privilegeType.ordinal());
- }
- if (targetPathPrivilege.getPrivileges().isEmpty()) {
+ if (privilegeId == PrivilegeType.ALL.ordinal()) {
+ // remove all privileges on target path
 privilegeList.remove(targetPathPrivilege);
+ } else {
+ // remove privilege on target path
+ targetPathPrivilege.getPrivileges().remove(privilegeId);
+ if (targetPathPrivilege.getPrivileges().isEmpty()) {
+ privilegeList.remove(targetPathPrivilege);
+ }
 }
 }
 }
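Review bot: The `ALL` branch of the grant iterates `PrivilegeType.values()`, which includes `ALL` itself, so the stored set mixes the expansion marker with the expanded privileges; the revoke hunk further down drops the whole entry for `ALL` but, for a single privilege, removes only that ordinal and leaves ALL's ordinal behind. If the privilege check (not in this hunk) treats ALL's ordinal as a wildcard, revoking one privilege after an ALL grant is ineffective, which is a real authorization gap; if it does not, the stored ALL ordinal is dead data that still makes `hasPrivilege(path, ALL)` succeed. Unless something relies on ALL being present in the set, the expansion should skip the marker, `if (privilegeType != PrivilegeType.ALL) { targetPathPrivilege.getPrivileges().add(privilegeType.ordinal()); }`, or the chosen semantics should be written into the comment above the loop. The enclosing method starts outside the hunk.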
