This is an automated email from the ASF dual-hosted git repository.

jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 0b57fd39e1d [auth].fix error when check role. (#11293)
0b57fd39e1d is described below

commit 0b57fd39e1d2422ed2ac7a4765efc73dea558636
Author: Colin Li <[email protected]>
AuthorDate: Fri Oct 13 14:14:56 2023 +0800

    [auth].fix error when check role. (#11293)
---
 .../src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java |  6 ++++++
 .../java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java | 10 +++++++++-
 .../db/queryengine/plan/statement/sys/AuthorStatement.java     |  4 ++--
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index 6abb63b615a..59bd2829542 100644
--- 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++ 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -382,6 +382,12 @@ public class IoTDBAuthIT {
         adminStmt.execute("CREATE ROLE admin");
         adminStmt.execute("GRANT MANAGE_DATABASE,WRITE_SCHEMA,WRITE_DATA on 
root.** TO ROLE admin");
         adminStmt.execute("GRANT ROLE admin TO tempuser");
+        adminStmt.execute("CREATE ROLE admin_temp");
+
+        // tempuser can get privileges of his role
+        userStmt.execute("LIST PRIVILEGES OF ROLE admin");
+        Assert.assertThrows(
+            SQLException.class, () -> userStmt.execute("LIST PRIVILEGS OF ROLE 
admin_temp"));
 
         userStmt.execute("CREATE DATABASE root.a");
         userStmt.execute("CREATE TIMESERIES root.a.b WITH 
DATATYPE=INT32,ENCODING=PLAIN");
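Review bot: The negative assertion added at the end of this hunk passes for the wrong reason: `LIST PRIVILEGS OF ROLE admin_temp` misspells PRIVILEGES, so the SQLException it expects comes from the parser, not from the authorization check that tempuser lacks the admin_temp role. Spell the keyword as on the line just above it, `userStmt.execute("LIST PRIVILEGES OF ROLE admin_temp")`, so the test actually exercises the `contains(roleName)` fix in ClusterAuthorityFetcher; as written it would still pass if that role check regressed. The enclosing test method starts and ends outside the hunk.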
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 82a550cea0b..107561bdca3 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -377,6 +377,7 @@ public class ClusterAuthorityFetcher implements 
IAuthorityFetcher {
     if (currentTime - heartBeatTimeStamp > CONFIG.getDatanodeTokenTimeoutMS()) 
{
       cacheOutDate = true;
     }
+    heartBeatTimeStamp = currentTime;
   }
 
   private void checkCacheAvailable() {
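Review bot: The added `heartBeatTimeStamp = currentTime;` runs unconditionally, so the timeout is now measured from the previous call of this method rather than from whatever event set the timestamp before this change; if callers arrive faster than getDatanodeTokenTimeoutMS(), the `cacheOutDate = true` branch would then never fire and the cached privileges would stay in use until something else invalidates them. I cannot see the other writers of heartBeatTimeStamp or the body of checkCacheAvailable() from here, so if "stale only when no check happened within the window" is the intended semantics, state it: `// reset on every check: the timeout counts from the last check, not the last refresh`. Otherwise move the assignment to the point where the cache is actually refreshed. The enclosing method starts outside the hunk.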
@@ -430,7 +431,7 @@ public class ClusterAuthorityFetcher implements 
IAuthorityFetcher {
     checkCacheAvailable();
     User user = iAuthorCache.getUserCache(userName);
     if (user != null) {
-      return user.isOpenIdUser() || user.getRoleList().contains(userName);
+      return user.isOpenIdUser() || user.getRoleList().contains(roleName);
     } else {
       return checkRoleFromConfigNode(userName, roleName);
     }
@@ -485,6 +486,13 @@ public class ClusterAuthorityFetcher implements 
IAuthorityFetcher {
 
   private boolean checkRoleFromConfigNode(String username, String rolename) {
     TAuthorizerReq req = new TAuthorizerReq();
+    // just reuse authorizer request. only need username and rolename field.
+    req.setAuthorType(0);
+    req.setPassword("");
+    req.setNewPassword("");
+    
req.setNodeNameList(AuthUtils.serializePartialPathList(Collections.emptyList()));
+    req.setPermissions(Collections.emptySet());
+    req.setGrantOpt(false);
     req.setUserName(username);
     req.setRoleName(rolename);
     TPermissionInfoResp permissionInfoResp;
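Review bot: `req.setAuthorType(0)` sends a magic number whose meaning is fixed by the receiving config node; the comment says only username and rolename are read, but nothing on this side pins that, and a reader cannot tell which authorizer operation 0 denotes. Prefer the named enum value this class uses for authorType elsewhere (whichever constant maps to 0), or at least widen the comment: `// authorType, passwords, paths and permissions are placeholders: the role-check RPC reads only userName/roleName`. The `""` passwords, empty path list and empty permission set are fine as placeholders, but they should be covered by that same comment so nobody later treats them as meaningful. The rest of checkRoleFromConfigNode, including the RPC call, is outside the hunk.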
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
index dd56fadaf04..5acbf06a12e 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
@@ -315,7 +315,7 @@ public class AuthorStatement extends Statement implements 
IConfigStatement {
         }
         return AuthorityChecker.getOptTSStatus(
             AuthorityChecker.checkGrantOption(userName, privilegeList, 
nodeNameList),
-            "Has no permission to "
+            "Has no permission to execute"
                 + authorType
                 + ", please ensure you have these privileges and the grant 
option is TRUE when granted");
 
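Review bot: The new message in this hunk is missing its trailing space: `"Has no permission to execute"` is concatenated directly with `authorType`, so the operation name is glued to the word execute, whereas the otherwise identical change in the next hunk (@@ -326) keeps the space. Change the line to `"Has no permission to execute "` so both branches emit the same wording. The enclosing switch and method start and end outside the hunk.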
@@ -326,7 +326,7 @@ public class AuthorStatement extends Statement implements 
IConfigStatement {
         }
         return AuthorityChecker.getOptTSStatus(
             AuthorityChecker.checkGrantOption(userName, privilegeList, 
nodeNameList),
-            "Has no permission to "
+            "Has no permission to execute "
                 + authorType
                 + ", please ensure you have these privileges and the grant 
option is TRUE when granted");
       default:
