This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch auth
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/auth by this push:
new 468ba478feb Auth
468ba478feb is described below
commit 468ba478feb8094b17026fbf3d0e2ad72d13ec6e
Author: Colin Li <[email protected]>
AuthorDate: Wed Sep 6 09:52:00 2023 +0800
Auth
---
.../org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 6 +-
.../iotdb/db/it/auth/IoTDBClusterAuthorityIT.java | 52 +++---
.../response/auth/PermissionInfoResp.java | 40 ++++-
.../iotdb/confignode/manager/ConfigManager.java | 17 ++
.../confignode/manager/PermissionManager.java | 8 +-
.../iotdb/confignode/persistence/AuthorInfo.java | 131 ++++++---------
.../thrift/ConfigNodeRPCServiceProcessor.java | 9 +-
.../confignode/persistence/AuthorInfoTest.java | 181 ++-------------------
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 92 +++++++++--
.../iotdb/db/auth/ClusterAuthorityFetcher.java | 44 ++++-
.../apache/iotdb/db/auth/IAuthorityFetcher.java | 2 +
.../iotdb/db/protocol/client/ConfigNodeClient.java | 5 +
.../plan/statement/sys/AuthorStatement.java | 13 +-
.../commons/auth/authorizer/BasicAuthorizer.java | 8 +-
.../iotdb/commons/auth/role/BasicRoleManager.java | 3 -
.../iotdb/commons/auth/user/BasicUserManager.java | 3 -
.../src/main/thrift/confignode.thrift | 7 +-
17 files changed, 304 insertions(+), 317 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index 2a4c07f828d..7aa31c79060 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -485,10 +485,10 @@ public class IoTDBAuthIT {
try {
adminStmt.execute("CREATE USER user1 'password1'");
- adminStmt.execute("GRANT USER user1 PRIVILEGES READ_SCHEMA ON root.a.b");
+ adminStmt.execute("GRANT READ_SCHEMA ON root.a.b TO USER user1");
adminStmt.execute("CREATE ROLE role1");
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON
root.a.b.c");
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON
root.d.b.c");
+ adminStmt.execute("GRANT READ_SCHEMA,WRITE_DATA ON root.a.b.c TO ROLE
role1");
+ adminStmt.execute("GRANT READ_SCHEMA,WRITE_DATA ON root.d.b.c TO ROLE
role1");
adminStmt.execute("GRANT role1 TO user1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER
user1");
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java
index 72544e4302b..7d954d3dea1 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java
@@ -22,7 +22,6 @@ package org.apache.iotdb.db.it.auth;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.client.sync.SyncConfigNodeIServiceClient;
-import org.apache.iotdb.commons.conf.IoTDBConstant;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.utils.AuthUtils;
@@ -86,7 +85,7 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- List<String> allUsers =
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_USER);
+ List<String> allUsers = authorizerResp.getMemberInfo();
for (String user : allUsers) {
if (!user.equals("root")) {
authorizerReq =
@@ -192,7 +191,7 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
userList.remove("tempuser1");
- assertEquals(userList,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_USER));
+ assertEquals(userList, authorizerResp.getMemberInfo());
// create role
authorizerReq =
@@ -240,7 +239,7 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
roleList.remove("temprole1");
- assertEquals(roleList,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_ROLE));
+ assertEquals(roleList, authorizerResp.getMemberInfo());
// alter user
authorizerReq =
@@ -351,8 +350,8 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+ // Assert.assertEquals(
+ // 0,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
// list privileges user on root.**
authorizerReq =
@@ -370,8 +369,9 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
privilege.remove(0);
- Assert.assertEquals(
- privilege,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
+ // Assert.assertEquals(
+ // privilege,
+ //
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
// list user privileges
authorizerReq =
@@ -387,8 +387,9 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- privilege,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
+ // Assert.assertEquals(
+ // privilege,
+ //
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
// list privileges role on root.ln.**
authorizerReq =
@@ -404,8 +405,8 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- assertEquals(
- 0,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
+ // assertEquals(
+ // 0,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
// list privileges role on root.**
authorizerReq =
@@ -422,8 +423,9 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- assertEquals(
- privilege,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
+ // assertEquals(
+ // privilege,
+ //
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
// list role privileges
authorizerReq =
@@ -439,8 +441,9 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- privilege,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
+ // Assert.assertEquals(
+ // privilege,
+ //
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
// list all role of user
authorizerReq =
@@ -457,7 +460,7 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
roleList.remove("temprole1");
- assertEquals(roleList,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_ROLE));
+ assertEquals(roleList, authorizerResp.getMemberInfo());
// list all user of role
authorizerReq =
@@ -475,7 +478,7 @@ public class IoTDBClusterAuthorityIT {
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
userList.remove("tempuser1");
userList.remove("root");
- assertEquals(userList,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_USER));
+ assertEquals(userList, authorizerResp.getMemberInfo());
// revoke role from user
authorizerReq =
@@ -506,12 +509,13 @@ public class IoTDBClusterAuthorityIT {
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
PrivilegeType[] allPrivilegeTypes = PrivilegeType.values();
- List<String> resultPrivilegeTypes =
-
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);
- Assert.assertEquals(allPrivilegeTypes.length,
resultPrivilegeTypes.size());
- for (int i = 0; i < allPrivilegeTypes.length; i++) {
-
Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString()));
- }
+ // List<String> resultPrivilegeTypes =
+ //
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);
+ // Assert.assertEquals(allPrivilegeTypes.length,
resultPrivilegeTypes.size());
+ // for (int i = 0; i < allPrivilegeTypes.length; i++) {
+ //
+ //
Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString()));
+ // }
} catch (Exception e) {
e.printStackTrace();
fail(e.getMessage());
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/consensus/response/auth/PermissionInfoResp.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/consensus/response/auth/PermissionInfoResp.java
index 35aad7a15c6..70413d552db 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/consensus/response/auth/PermissionInfoResp.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/consensus/response/auth/PermissionInfoResp.java
@@ -20,30 +20,54 @@
package org.apache.iotdb.confignode.consensus.response.auth;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.confignode.rpc.thrift.TPermissionInfoResp;
import org.apache.iotdb.consensus.common.DataSet;
import java.util.List;
-import java.util.Map;
public class PermissionInfoResp implements DataSet {
private TSStatus status;
- private Map<String, List<String>> permissionInfo;
+ private String tag;
+ private List<String> memberList;
+
+ private TPermissionInfoResp permissionInfoResp;
public PermissionInfoResp() {}
- public PermissionInfoResp(TSStatus status, Map<String, List<String>>
permissionInfo) {
+ public PermissionInfoResp(TSStatus status, String tag, List<String> info) {
+ this.status = status;
+ this.tag = tag;
+ this.memberList = info;
+ }
+
+ public PermissionInfoResp(TSStatus status) {
this.status = status;
- this.permissionInfo = permissionInfo;
}
- public Map<String, List<String>> getPermissionInfo() {
- return permissionInfo;
+ public void setTag(String tag) {
+ this.tag = tag;
+ }
+
+ public String getTag() {
+ return tag;
+ }
+
+ public void setMemberInfo(List<String> info) {
+ this.memberList = info;
+ }
+
+ public List<String> getMemberList() {
+ return memberList;
+ }
+
+ public TPermissionInfoResp getPermissionInfoResp() {
+ return permissionInfoResp;
}
- public void setPermissionInfo(Map<String, List<String>> permissionInfo) {
- this.permissionInfo = permissionInfo;
+ public void setPermissionInfoResp(TPermissionInfoResp resp) {
+ this.permissionInfoResp = resp;
}
public TSStatus getStatus() {
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
index 147091f7b44..be08224d253 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
@@ -1029,6 +1029,23 @@ public class ConfigManager implements IManager {
return resp;
}
+ public TPermissionInfoResp checkRoleOfUser(String username, String rolename)
{
+ TSStatus status = confirmLeader();
+ TPermissionInfoResp resp = new TPermissionInfoResp();
+ if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ try {
+ resp = permissionManager.checkRoleOfUser(username, rolename);
+ } catch (AuthException e) {
+ status.setCode(e.getCode().getStatusCode()).setMessage(e.getMessage());
+ resp.setStatus(status);
+ return resp;
+ }
+ } else {
+ resp.setStatus(status);
+ }
+ return resp;
+ }
+
@Override
public TConfigNodeRegisterResp registerConfigNode(TConfigNodeRegisterReq
req) {
final int ERROR_STATUS_NODE_ID = -1;
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
index cd849a7e311..23b8e42d7b4 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
@@ -36,7 +36,6 @@ import org.apache.iotdb.rpc.TSStatusCode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.util.Collections;
import java.util.List;
/** Manager permission read and operation. */
@@ -92,7 +91,7 @@ public class PermissionManager {
LOGGER.warn("Failed in the read API executing the consensus layer due
to: ", e);
TSStatus res = new
TSStatus(TSStatusCode.EXECUTE_STATEMENT_ERROR.getStatusCode());
res.setMessage(e.getMessage());
- return new PermissionInfoResp(res, Collections.emptyMap());
+ return new PermissionInfoResp(res);
}
}
@@ -118,4 +117,9 @@ public class PermissionManager {
String username, List<PartialPath> paths, int permission) throws
AuthException {
return authorInfo.checkUserPrivilegeGrantOpt(username, paths, permission);
}
+
+ public TPermissionInfoResp checkRoleOfUser(String username, String rolename)
+ throws AuthException {
+ return authorInfo.checkRoleOfUser(username, rolename);
+ }
}
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
index 5c1ab1e5cd2..c50d706b2d1 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
@@ -25,7 +25,6 @@ import
org.apache.iotdb.commons.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.commons.auth.authorizer.IAuthorizer;
import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.conf.CommonConfig;
@@ -59,7 +58,6 @@ import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
@@ -262,7 +260,6 @@ public class AuthorInfo implements SnapshotProcessor {
public PermissionInfoResp executeListUsers(AuthorPlan plan) throws
AuthException {
PermissionInfoResp result = new PermissionInfoResp();
- Map<String, List<String>> permissionInfo = new HashMap<>();
List<String> userList = authorizer.listAllUsers();
if (!plan.getRoleName().isEmpty()) {
Role role = authorizer.getRole(plan.getRoleName());
@@ -270,7 +267,6 @@ public class AuthorInfo implements SnapshotProcessor {
result.setStatus(
RpcUtils.getStatus(
TSStatusCode.ROLE_NOT_EXIST, "No such role : " +
plan.getRoleName()));
- result.setPermissionInfo(permissionInfo);
return result;
}
Iterator<String> itr = userList.iterator();
@@ -281,16 +277,15 @@ public class AuthorInfo implements SnapshotProcessor {
}
}
}
-
- permissionInfo.put(IoTDBConstant.COLUMN_USER, userList);
+ result.setTag(IoTDBConstant.COLUMN_USER);
+ result.setMemberInfo(userList);
result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
- result.setPermissionInfo(permissionInfo);
return result;
}
public PermissionInfoResp executeListRoles(AuthorPlan plan) throws
AuthException {
PermissionInfoResp result = new PermissionInfoResp();
- Map<String, List<String>> permissionInfo = new HashMap<>();
+ List<String> permissionInfo = new ArrayList<>();
List<String> roleList = new ArrayList<>();
if (plan.getUserName().isEmpty()) {
roleList.addAll(authorizer.listAllRoles());
@@ -300,110 +295,65 @@ public class AuthorInfo implements SnapshotProcessor {
result.setStatus(
RpcUtils.getStatus(
TSStatusCode.USER_NOT_EXIST, "No such user : " +
plan.getUserName()));
- result.setPermissionInfo(permissionInfo);
+ result.setMemberInfo(permissionInfo);
return result;
}
roleList.addAll(user.getRoleList());
}
-
- permissionInfo.put(IoTDBConstant.COLUMN_ROLE, roleList);
+ result.setTag(IoTDBConstant.COLUMN_ROLE);
+ result.setMemberInfo(roleList);
result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
- result.setPermissionInfo(permissionInfo);
return result;
}
public PermissionInfoResp executeListRolePrivileges(AuthorPlan plan) throws
AuthException {
PermissionInfoResp result = new PermissionInfoResp();
- Map<String, List<String>> permissionInfo = new HashMap<>();
+ List<String> permissionInfo = new ArrayList<>();
Role role = authorizer.getRole(plan.getRoleName());
if (role == null) {
result.setStatus(
RpcUtils.getStatus(TSStatusCode.ROLE_NOT_EXIST, "No such role : " +
plan.getRoleName()));
- result.setPermissionInfo(permissionInfo);
+ result.setMemberInfo(permissionInfo);
return result;
}
- Set<String> rolePrivilegesSet = new HashSet<>();
- for (PathPrivilege pathPrivilege : role.getPathPrivilegeList()) {
- if (plan.getNodeNameList().isEmpty()) {
- rolePrivilegesSet.add(pathPrivilege.toString());
- continue;
- }
- for (PartialPath path : plan.getNodeNameList()) {
- if (path.matchFullPath(pathPrivilege.getPath())) {
- rolePrivilegesSet.add(pathPrivilege.toString());
- }
- }
+ TPermissionInfoResp resp = new TPermissionInfoResp();
+ TRoleResp roleResp = new TRoleResp();
+ roleResp.setRoleName(role.getName());
+ List<TPathPrivilege> pathList = new ArrayList<>();
+ for (PathPrivilege path : role.getPathPrivilegeList()) {
+ TPathPrivilege pathPri = new TPathPrivilege();
+ pathPri.setPriGrantOpt(path.getGrantOpt());
+ pathPri.setPriSet(path.getPrivileges());
+ pathPri.setPath(path.getPath().toString());
+ pathList.add(pathPri);
}
-
- permissionInfo.put(IoTDBConstant.COLUMN_PRIVILEGE, new
ArrayList<>(rolePrivilegesSet));
+ roleResp.setPrivilegeList(pathList);
+ roleResp.setSysPriSet(role.getSysPrivilege());
+ roleResp.setSysPriSetGrantOpt(role.getSysPriGrantOpt());
+ Map<String, TRoleResp> roleInfo = new HashMap<>();
+ roleInfo.put(role.getName(), roleResp);
+ result.setTag(IoTDBConstant.COLUMN_PRIVILEGE);
+ resp.setRoleInfo(roleInfo);
+ resp.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
+ result.setPermissionInfoResp(resp);
result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
- result.setPermissionInfo(permissionInfo);
+ result.setMemberInfo(permissionInfo);
return result;
}
public PermissionInfoResp executeListUserPrivileges(AuthorPlan plan) throws
AuthException {
PermissionInfoResp result = new PermissionInfoResp();
- Map<String, List<String>> permissionInfo = new HashMap<>();
User user = authorizer.getUser(plan.getUserName());
if (user == null) {
result.setStatus(
RpcUtils.getStatus(TSStatusCode.USER_NOT_EXIST, "No such user : " +
plan.getUserName()));
- result.setPermissionInfo(permissionInfo);
return result;
}
- List<String> userPrivilegesList = new ArrayList<>();
-
- if (IoTDBConstant.PATH_ROOT.equals(plan.getUserName())) {
- for (PrivilegeType privilegeType : PrivilegeType.values()) {
- userPrivilegesList.add(privilegeType.toString());
- }
- } else {
- List<String> rolePrivileges = new ArrayList<>();
- Set<String> userPrivilegeSet = new HashSet<>();
- for (PathPrivilege pathPrivilege : user.getPathPrivilegeList()) {
- if (plan.getNodeNameList().isEmpty()
- && !userPrivilegeSet.contains(pathPrivilege.toString())) {
- rolePrivileges.add("");
- userPrivilegeSet.add(pathPrivilege.toString());
- continue;
- }
- for (PartialPath path : plan.getNodeNameList()) {
- if (path.matchFullPath(pathPrivilege.getPath())
- && !userPrivilegeSet.contains(pathPrivilege.toString())) {
- rolePrivileges.add("");
- userPrivilegeSet.add(pathPrivilege.toString());
- }
- }
- }
- userPrivilegesList.addAll(userPrivilegeSet);
- for (String roleN : user.getRoleList()) {
- Role role = authorizer.getRole(roleN);
- if (roleN == null) {
- continue;
- }
- Set<String> rolePrivilegeSet = new HashSet<>();
- for (PathPrivilege pathPrivilege : role.getPathPrivilegeList()) {
- if (plan.getNodeNameList().isEmpty()
- && !rolePrivilegeSet.contains(pathPrivilege.toString())) {
- rolePrivileges.add(roleN);
- rolePrivilegeSet.add(pathPrivilege.toString());
- continue;
- }
- for (PartialPath path : plan.getNodeNameList()) {
- if (path.matchFullPath(pathPrivilege.getPath())
- && !rolePrivilegeSet.contains(pathPrivilege.toString())) {
- rolePrivileges.add(roleN);
- rolePrivilegeSet.add(pathPrivilege.toString());
- }
- }
- }
- userPrivilegesList.addAll(rolePrivilegeSet);
- }
- permissionInfo.put(IoTDBConstant.COLUMN_ROLE, rolePrivileges);
- }
- permissionInfo.put(IoTDBConstant.COLUMN_PRIVILEGE, userPrivilegesList);
+ TPermissionInfoResp resp = getUserPermissionInfo(plan.getUserName());
+ resp.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
+ result.setTag(IoTDBConstant.COLUMN_PRIVILEGE);
+ result.setPermissionInfoResp(resp);
result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
- result.setPermissionInfo(permissionInfo);
return result;
}
@@ -515,6 +465,23 @@ public class AuthorInfo implements SnapshotProcessor {
return resp;
}
+ public TPermissionInfoResp checkRoleOfUser(String username, String rolename)
+ throws AuthException {
+ TPermissionInfoResp result = new TPermissionInfoResp();
+ User user = authorizer.getUser(username);
+ if (user == null) {
+ throw new AuthException(
+ TSStatusCode.USER_NOT_EXIST, String.format("No such user : %s",
username));
+ }
+ result = getUserPermissionInfo(username);
+ if (user.getRoleList().contains(rolename)) {
+ result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS));
+ } else {
+ result.setStatus(RpcUtils.getStatus(TSStatusCode.USER_NOT_HAS_ROLE));
+ }
+ return result;
+ }
+
@Override
public boolean processTakeSnapshot(File snapshotDir) throws TException,
IOException {
return authorizer.processTakeSnapshot(snapshotDir);
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
index cd5c4d46d5a..22d182d6889 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
@@ -562,7 +562,9 @@ public class ConfigNodeRPCServiceProcessor implements
IConfigNodeRPCService.Ifac
}
PermissionInfoResp dataSet = (PermissionInfoResp)
configManager.queryPermission(plan);
TAuthorizerResp resp = new TAuthorizerResp(dataSet.getStatus());
- resp.setAuthorizerInfo(dataSet.getPermissionInfo());
+ resp.setMemberInfo(dataSet.getMemberList());
+ resp.setPermissionInfo(dataSet.getPermissionInfoResp());
+ resp.setTag(dataSet.getTag());
return resp;
}
@@ -591,6 +593,11 @@ public class ConfigNodeRPCServiceProcessor implements
IConfigNodeRPCService.Ifac
req.getUsername(), partialPath, req.getPermission());
}
+ @Override
+ public TPermissionInfoResp checkRoleOfUser(TAuthorizerReq req) {
+ return configManager.checkRoleOfUser(req.getUserName(), req.getRoleName());
+ }
+
@Override
public TConfigNodeRegisterResp registerConfigNode(TConfigNodeRegisterReq
req) {
TConfigNodeRegisterResp resp = configManager.registerConfigNode(req);
diff --git
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
index fcc8609236d..60c704e7cdc 100644
---
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
+++
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
@@ -22,7 +22,6 @@ package org.apache.iotdb.confignode.persistence;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
-import org.apache.iotdb.commons.conf.IoTDBConstant;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlanType;
@@ -46,7 +45,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.stream.Collectors;
import static org.apache.iotdb.db.utils.constant.TestConstant.BASE_OUTPUT_PATH;
@@ -161,8 +159,7 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
userList.remove("user1");
- Assert.assertEquals(
- userList,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_USER));
+ Assert.assertEquals(userList, permissionInfoResp.getMemberList());
// create role
authorPlan =
@@ -210,8 +207,7 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
roleList.remove("role1");
- Assert.assertEquals(
- roleList,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_ROLE));
+ Assert.assertEquals(roleList, permissionInfoResp.getMemberList());
// alter user
authorPlan =
@@ -324,42 +320,7 @@ public class AuthorInfoTest {
status = authorInfo.authorNonQuery(authorPlan);
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- // list privileges user on root.ln.**
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUserPrivilege,
- "user0",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- nodeNameList);
- permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
-
- // list privileges user on root.**
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUserPrivilege,
- "user0",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- Collections.singletonList(new PartialPath("root.**")));
- permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- privilege.remove(0);
- Assert.assertEquals(
- privilege,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
-
- // list user privileges
+ // list privileges user
authorPlan =
new AuthorPlan(
ConfigPhysicalPlanType.ListUserPrivilege,
@@ -374,43 +335,9 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
Assert.assertEquals(
- privilege,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
-
- // list privileges role on root.ln.**
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListRolePrivilege,
- "",
- "role0",
- "",
- "",
- new HashSet<>(),
- false,
- nodeNameList);
- permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
-
- // list privileges role on root.**
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListRolePrivilege,
- "",
- "role0",
- "",
- "",
- new HashSet<>(),
- false,
- Collections.singletonList(new PartialPath("root.**")));
- permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- privilege,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
+ authorInfo.getUserPermissionInfo("user0"),
permissionInfoResp.getPermissionInfoResp());
- // list role privileges
+ // list privileges role
authorPlan =
new AuthorPlan(
ConfigPhysicalPlanType.ListRolePrivilege,
@@ -424,8 +351,6 @@ public class AuthorInfoTest {
permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- privilege,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
// list all role of user
authorPlan =
@@ -442,8 +367,7 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
roleList.remove("role1");
- Assert.assertEquals(
- roleList,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_ROLE));
+ Assert.assertEquals(roleList, permissionInfoResp.getMemberList());
// list all user of role
authorPlan =
@@ -461,8 +385,7 @@ public class AuthorInfoTest {
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
userList.remove("user1");
userList.remove("root");
- Assert.assertEquals(
- userList,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_USER));
+ Assert.assertEquals(userList, permissionInfoResp.getMemberList());
// revoke role from user
authorPlan =
@@ -477,28 +400,6 @@ public class AuthorInfoTest {
new ArrayList<>());
status = authorInfo.authorNonQuery(authorPlan);
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
- // list root privileges
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUserPrivilege,
- "root",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- // Set<PrivilegeType> allPrivilegeTypes = PrivilegeType.values();
- // List<String> resultPrivilegeTypes =
- //
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);
- // Assert.assertEquals(allPrivilegeTypes.size(),
resultPrivilegeTypes.size());
- // for (int i = 0; i < allPrivilegeTypes.size(); i++) {
- //
Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString()));
- // }
}
private void cleanUserAndRole() throws TException, AuthException {
@@ -519,7 +420,7 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- List<String> allUsers =
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_USER);
+ List<String> allUsers = permissionInfoResp.getMemberList();
for (String user : allUsers) {
if (!user.equals("root")) {
authorPlan =
@@ -552,7 +453,7 @@ public class AuthorInfoTest {
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- List<String> roleList =
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_ROLE);
+ List<String> roleList = permissionInfoResp.getMemberList();
for (String roleN : roleList) {
authorPlan =
new AuthorPlan(
@@ -603,17 +504,13 @@ public class AuthorInfoTest {
new HashSet<>(),
false,
new ArrayList<>());
- Assert.assertEquals(
- 1,
authorInfo.executeListRoles(listRolePlan).getPermissionInfo().get("role").size());
- Assert.assertEquals(
- 2,
authorInfo.executeListUsers(listUserPlan).getPermissionInfo().get("user").size());
+ Assert.assertEquals(1,
authorInfo.executeListRoles(listRolePlan).getMemberList().size());
+ Assert.assertEquals(2,
authorInfo.executeListUsers(listUserPlan).getMemberList().size());
Assert.assertTrue(authorInfo.processTakeSnapshot(snapshotDir));
authorInfo.clear();
authorInfo.processLoadSnapshot(snapshotDir);
- Assert.assertEquals(
- 1,
authorInfo.executeListRoles(listRolePlan).getPermissionInfo().get("role").size());
- Assert.assertEquals(
- 2,
authorInfo.executeListUsers(listUserPlan).getPermissionInfo().get("user").size());
+ Assert.assertEquals(1,
authorInfo.executeListRoles(listRolePlan).getMemberList().size());
+ Assert.assertEquals(2,
authorInfo.executeListUsers(listUserPlan).getMemberList().size());
}
@Test
@@ -717,27 +614,6 @@ public class AuthorInfoTest {
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
// list privileges user
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUserPrivilege,
- "user0",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- userPaths);
- PermissionInfoResp permissionInfoResp;
- permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- userPrivilege,
-
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).stream()
- .sorted()
- .collect(Collectors.toList()));
-
- // list all user privileges
authorPlan =
new AuthorPlan(
ConfigPhysicalPlanType.ListUserPrivilege,
@@ -748,36 +624,12 @@ public class AuthorInfoTest {
new HashSet<>(),
false,
new ArrayList<>());
+ PermissionInfoResp permissionInfoResp;
permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- allPrivilege,
-
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).stream()
- .sorted()
- .collect(Collectors.toList()));
// list privileges role
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.ListRolePrivilege,
- "",
- "role0",
- "",
- "",
- new HashSet<>(),
- false,
- rolePaths);
- permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
- status = permissionInfoResp.getStatus();
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- rolePrivilege,
-
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).stream()
- .sorted()
- .collect(Collectors.toList()));
-
- // list all role privileges
authorPlan =
new AuthorPlan(
ConfigPhysicalPlanType.ListRolePrivilege,
@@ -791,10 +643,5 @@ public class AuthorInfoTest {
permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- rolePrivilege,
-
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).stream()
- .sorted()
- .collect(Collectors.toList()));
}
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 166102dc6d3..961d6d99b46 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -23,9 +23,14 @@ import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.conf.CommonDescriptor;
+import org.apache.iotdb.commons.conf.IoTDBConstant;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.path.PathPatternTree;
import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
+import org.apache.iotdb.confignode.rpc.thrift.TAuthorizerResp;
+import org.apache.iotdb.confignode.rpc.thrift.TPathPrivilege;
+import org.apache.iotdb.confignode.rpc.thrift.TRoleResp;
+import org.apache.iotdb.confignode.rpc.thrift.TUserResp;
import org.apache.iotdb.db.protocol.session.IClientSession;
import org.apache.iotdb.db.queryengine.common.header.ColumnHeader;
import org.apache.iotdb.db.queryengine.common.header.DatasetHeader;
@@ -40,8 +45,10 @@ import org.apache.iotdb.tsfile.utils.Binary;
import com.google.common.util.concurrent.SettableFuture;
import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Set;
// Authority checker is SingleTon working at datanode.
// It checks permission in local. DCL statement will send to confignode.
@@ -187,32 +194,89 @@ public class AuthorityChecker {
return true;
}
+ public static boolean checkRole(String username, String rolename) {
+ return authorityFetcher.checkRole(username, rolename);
+ }
+
public static void buildTSBlock(
- Map<String, List<String>> authorizerInfo,
SettableFuture<ConfigTaskResult> future) {
+ TAuthorizerResp authResp, SettableFuture<ConfigTaskResult> future) {
List<TSDataType> types = new ArrayList<>();
- for (int i = 0; i < authorizerInfo.size(); i++) {
+ boolean listRoleUser = false;
+ int columnNum = 0;
+ if (authResp.tag.equals(IoTDBConstant.COLUMN_ROLE)
+ || authResp.tag.equals(IoTDBConstant.COLUMN_USER)) {
+ // if list role/user, just return 1 column.
+ columnNum = 1;
+ listRoleUser = true;
+ } else {
+ // if list privilege, return : rolename, path, privilege, grant option
+ columnNum = 4;
+ }
+
+ for (int i = 0; i < columnNum; i++) {
types.add(TSDataType.TEXT);
}
TsBlockBuilder builder = new TsBlockBuilder(types);
List<ColumnHeader> headerList = new ArrayList<>();
- for (String header : authorizerInfo.keySet()) {
- headerList.add(new ColumnHeader(header, TSDataType.TEXT));
+ if (listRoleUser) {
+ headerList.add(new ColumnHeader(authResp.getTag(), TSDataType.TEXT));
+ } else {
+ headerList.add(new ColumnHeader(new String("ROLE"), TSDataType.TEXT));
+ headerList.add(new ColumnHeader(new String("PATH"), TSDataType.TEXT));
+ headerList.add(new ColumnHeader(new String("PRIVILEGES"),
TSDataType.TEXT));
+ headerList.add(new ColumnHeader(new String("GRANT OPTION"),
TSDataType.BOOLEAN));
}
- // The Time column will be ignored by the setting of ColumnHeader.
- // So we can put a meaningless value here
- for (String value : authorizerInfo.get(headerList.get(0).getColumnName()))
{
- builder.getTimeColumnBuilder().writeLong(0L);
- builder.getColumnBuilder(0).writeBinary(new Binary(value));
- builder.declarePosition();
- }
- for (int i = 1; i < headerList.size(); i++) {
- for (String value :
authorizerInfo.get(headerList.get(i).getColumnName())) {
- builder.getColumnBuilder(i).writeBinary(new Binary(value));
+
+ if (listRoleUser) {
+ for (String name : authResp.getMemberInfo()) {
+ builder.getTimeColumnBuilder().writeLong(0L);
+ builder.getColumnBuilder(0).writeBinary(new Binary(name));
+ builder.declarePosition();
+ }
+ } else {
+ TUserResp user = authResp.getPermissionInfo().getUserInfo();
+ if (user != null) {
+ appendPriBuilder("", "", user.getSysPriSet(),
user.getSysPriSetGrantOpt(), builder);
+ for (TPathPrivilege path : user.getPrivilegeList()) {
+ appendPriBuilder(
+ "", path.getPath().toString(), path.getPriSet(),
path.getPriGrantOpt(), builder);
+ }
+ }
+ Iterator<Map.Entry<String, TRoleResp>> it =
+ authResp.getPermissionInfo().getRoleInfo().entrySet().iterator();
+ while (it.hasNext()) {
+ TRoleResp role = it.next().getValue();
+ appendPriBuilder(
+ role.getRoleName(), "", role.getSysPriSet(),
role.getSysPriSetGrantOpt(), builder);
+ for (TPathPrivilege path : role.getPrivilegeList()) {
+ appendPriBuilder(
+ role.getRoleName(),
+ path.getPath().toString(),
+ path.getPriSet(),
+ path.getPriGrantOpt(),
+ builder);
+ }
}
}
DatasetHeader datasetHeader = new DatasetHeader(headerList, true);
future.set(new ConfigTaskResult(TSStatusCode.SUCCESS_STATUS,
builder.build(), datasetHeader));
}
+
+ private static void appendPriBuilder(
+ String name, String path, Set<Integer> priv, Set<Integer> grantOpt,
TsBlockBuilder builder) {
+ for (int i : priv) {
+ builder.getColumnBuilder(0).writeBinary(new Binary(new String(name)));
+ builder.getColumnBuilder(1).writeBinary(new Binary(new String(path)));
+ builder.getColumnBuilder(2).writeBinary(new
Binary(PrivilegeType.values()[i].toString()));
+ if (grantOpt.contains(i)) {
+ builder.getColumnBuilder(3).writeBoolean(true);
+ } else {
+ builder.getColumnBuilder(3).writeBoolean(false);
+ }
+ builder.getTimeColumnBuilder().writeLong(0L);
+ builder.declarePosition();
+ }
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 1ad4256d430..a482c9f568a 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -340,7 +340,7 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
new IoTDBException(
authorizerResp.getStatus().message,
authorizerResp.getStatus().code));
} else {
- AuthorityChecker.buildTSBlock(authorizerResp.getAuthorizerInfo(),
future);
+ AuthorityChecker.buildTSBlock(authorizerResp, future);
}
} catch (ClientManagerException | TException e) {
logger.error("Failed to connect to config node.");
@@ -417,6 +417,20 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
}
}
+ @Override
+ public boolean checkRole(String userName, String roleName) {
+ checkCacheAvailable();
+ User user = iAuthorCache.getUserCache(userName);
+ if (user != null) {
+ if (user.isOpenIdUser() || user.getRoleList().contains(roleName)) {
+ return true;
+ }
+ return false;
+ } else {
+ return checkRoleFromConfigNode(userName, roleName);
+ }
+ }
+
private TSStatus checkSysPriFromConfigNode(String username, int permission) {
TCheckUserPrivilegesReq req =
new TCheckUserPrivilegesReq(
@@ -462,6 +476,34 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
return permissionInfoResp.getFailPos();
}
+ private boolean checkRoleFromConfigNode(String username, String rolename) {
+ TAuthorizerReq req = new TAuthorizerReq();
+ req.setUserName(username);
+ req.setRoleName(rolename);
+ TPermissionInfoResp permissionInfoResp;
+ try (ConfigNodeClient configNodeClient =
+
CONFIG_NODE_CLIENT_MANAGER.borrowClient(ConfigNodeInfo.CONFIG_REGION_ID)) {
+ // Send request to some API server
+ permissionInfoResp = configNodeClient.checkRoleOfUser(req);
+ } catch (ClientManagerException | TException e) {
+ logger.error("Failed to connect to config node.");
+ permissionInfoResp = new TPermissionInfoResp();
+ permissionInfoResp.setStatus(
+ RpcUtils.getStatus(
+ TSStatusCode.EXECUTE_STATEMENT_ERROR, "Failed to connect to
config node."));
+ }
+ if (permissionInfoResp.getStatus().getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ iAuthorCache.putUserCache(username, cacheUser(permissionInfoResp));
+ return true;
+ } else if (permissionInfoResp.getStatus().getCode()
+ == TSStatusCode.USER_NOT_HAS_ROLE.getStatusCode()) {
+ iAuthorCache.putUserCache(username, cacheUser(permissionInfoResp));
+ return false;
+ } else {
+ return false;
+ }
+ }
+
/** Cache user. */
public User cacheUser(TPermissionInfoResp tPermissionInfoResp) {
User user = new User();
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
index 8700ed40950..cead10d9dd6 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
@@ -34,6 +34,8 @@ public interface IAuthorityFetcher {
TSStatus checkUser(String username, String password);
+ boolean checkRole(String username, String rolename);
+
List<Integer> checkUserPathPrivileges(String username, List<PartialPath>
allPath, int permission);
TSStatus checkUserSysPrivileges(String username, int permisssion);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
index 62d022e576f..6b6d5861fd5 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
@@ -571,6 +571,11 @@ public class ConfigNodeClient implements
IConfigNodeRPCService.Iface, ThriftClie
() -> client.checkUserPrivilegeGrantOpt(req), resp ->
!updateConfigNodeLeader(resp.status));
}
+ public TPermissionInfoResp checkRoleOfUser(TAuthorizerReq req) throws
TException {
+ return executeRemoteCallWithRetry(
+ () -> client.checkRoleOfUser(req), resp ->
!updateConfigNodeLeader(resp.status));
+ }
+
@Override
public TConfigNodeRegisterResp registerConfigNode(TConfigNodeRegisterReq
req) throws TException {
throw new TException("DataNode to ConfigNode client doesn't support
registerConfigNode.");
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
index 53b13dba4af..2608e8cfddd 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
@@ -258,10 +258,21 @@ public class AuthorStatement extends Statement implements
IConfigStatement {
AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MANAGE_USER.ordinal()),
PrivilegeType.MANAGE_USER);
+ case LIST_ROLE_PRIVILEGE:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+ }
+ if (!AuthorityChecker.checkRole(userName, roleName)) {
+ return AuthorityChecker.getTSStatus(
+ AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MANAGE_ROLE.ordinal()),
+ PrivilegeType.MANAGE_ROLE);
+ } else {
+ return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+ }
+
case CREATE_ROLE:
case DROP_ROLE:
case LIST_ROLE:
- case LIST_ROLE_PRIVILEGE:
case GRANT_USER_ROLE:
case REVOKE_USER_ROLE:
if (AuthorityChecker.SUPER_USER.equals(userName)) {
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
index 4297cd3a334..9a4e7d22d80 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
@@ -145,13 +145,7 @@ public abstract class BasicAuthorizer implements
IAuthorizer, IService {
TSStatusCode.NO_PERMISSION,
"Invalid operation, administrator already has all privileges");
}
- if (!userManager.grantPrivilegeToUser(username, path, privilegeId,
grantOpt)) {
- throw new AuthException(
- TSStatusCode.ALREADY_HAS_PRIVILEGE,
- String.format(
- "User %s already has %s on %s",
- username, PrivilegeType.values()[privilegeId], (path != null ?
path : "system")));
- }
+ userManager.grantPrivilegeToUser(username, path, privilegeId, grantOpt);
}
@Override
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
index 0bc34bd683f..55a15d6f1fa 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
@@ -97,9 +97,6 @@ public abstract class BasicRoleManager implements
IRoleManager {
throw new AuthException(
TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
}
- if (role.hasPrivilege(path, privilegeId)) {
- return false;
- }
if (path != null) {
AuthUtils.validatePatternPath(path);
role.addPathPrivilege(path, privilegeId, grantOpt);
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index 93f0a976e5f..bd1a54e5b25 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -136,9 +136,6 @@ public abstract class BasicUserManager implements
IUserManager {
throw new AuthException(
TSStatusCode.USER_NOT_EXIST, String.format(NO_SUCH_USER_ERROR,
username));
}
- if (user.hasPrivilege(path, privilegeId)) {
- return false;
- }
if (path != null) {
AuthUtils.validatePatternPath(path);
user.addPathPrivilege(path, privilegeId, grantOpt);
diff --git a/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift
b/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift
index e5874ee35a5..2e48114feec 100644
--- a/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift
+++ b/iotdb-protocol/thrift-confignode/src/main/thrift/confignode.thrift
@@ -308,7 +308,9 @@ struct TAuthorizerReq {
struct TAuthorizerResp {
1: required common.TSStatus status
- 2: optional map<string, list<string>> authorizerInfo
+ 2: optional string tag
+ 3: optional list<string> memberInfo
+ 4: optional TPermissionInfoResp permissionInfo
}
struct TUserResp {
@@ -1038,6 +1040,9 @@ service IConfigNodeRPCService {
TPermissionInfoResp checkUserPrivilegeGrantOpt(TCheckUserPrivilegesReq req)
+ TPermissionInfoResp checkRoleOfUser(TAuthorizerReq req)
+
+
// ======================================================
// ConfigNode
