This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 3602124f76b Fix auth upgrade 1.2 (#11355)
3602124f76b is described below
commit 3602124f76b1620f37cc8915205d71887e96f56e
Author: Colin Li <[email protected]>
AuthorDate: Sat Oct 21 16:39:26 2023 +0800
Fix auth upgrade 1.2 (#11355)
---
.../iotdb/confignode/persistence/AuthorInfo.java | 6 +-
.../confignode/persistence/AuthorInfoTest.java | 987 ++++++++-------------
.../db/auth/role/LocalFileRoleAccessorTest.java | 90 +-
.../db/auth/role/LocalFileRoleManagerTest.java | 21 +-
.../db/auth/user/LocalFileUserAccessorTest.java | 106 ++-
.../db/auth/user/LocalFileUserManagerTest.java | 22 +-
.../commons/auth/entity/PriPrivilegeType.java | 118 ++-
.../iotdb/commons/auth/user/BasicUserManager.java | 2 +-
8 files changed, 590 insertions(+), 762 deletions(-)
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
index d41b6802572..1f7d05897af 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
@@ -182,9 +182,12 @@ public class AuthorInfo implements SnapshotProcessor {
String password = authorPlan.getPassword();
String newPassword = authorPlan.getNewPassword();
Set<Integer> permissions = authorPlan.getPermissions();
+ boolean grantOpt = authorPlan.getGrantOpt();
+ List<PartialPath> nodeNameList = authorPlan.getNodeNameList();
if (authorType.ordinal() >= ConfigPhysicalPlanType.GrantRoleDep.ordinal()
&& authorType.ordinal() <=
ConfigPhysicalPlanType.RevokeRoleFromUserDep.ordinal()) {
HashSet<Integer> pricopy = new HashSet<>();
+ // for all privilege. the nodeNameList will be root.**
for (int permission : permissions) {
PriPrivilegeType type = PriPrivilegeType.values()[permission];
if (type.isAccept()) {
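Review bot: The new comment `// for all privilege. the nodeNameList will be root.**` is the only explanation of why `grantOpt` and `nodeNameList` were hoisted above the pre-1.2 privilege loop, and it does not state that dependency; the rewrite of nodeNameList it refers to is not in this hunk (it would sit in the new lines between the two hunks), so I would write it as `// Declared before the pre-1.2 loop because expanding the ALL privilege rewrites nodeNameList to root.**.`, adjusted to whatever those hidden lines actually do. Separately, the context line `PriPrivilegeType type = PriPrivilegeType.values()[permission];` indexes the enum array with an integer taken from the plan without a range check, and this loop runs before the `try` that only begins after the hunk, so an ordinal outside the enum (for example from a plan written by another version) would surface as an ArrayIndexOutOfBoundsException from authorNonQuery instead of the ILLEGAL_PARAMETER status the method returns for malformed names per AuthorInfoTest; a bounds check against `PriPrivilegeType.values().length` before the lookup, with `values()` hoisted out of the loop since each call clones the array, would keep that a clean failure. The enclosing method continues outside the hunk.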
@@ -195,8 +198,7 @@ public class AuthorInfo implements SnapshotProcessor {
}
permissions = pricopy;
}
- boolean grantOpt = authorPlan.getGrantOpt();
- List<PartialPath> nodeNameList = authorPlan.getNodeNameList();
+
try {
switch (authorType) {
case UpdateUserDep:
diff --git
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
index 839ba9291d7..26bb15d7ab3 100644
---
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
+++
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
@@ -27,7 +27,6 @@ import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.conf.CommonDescriptor;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
-import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlanType;
import org.apache.iotdb.confignode.consensus.request.auth.AuthorPlan;
import org.apache.iotdb.confignode.consensus.response.auth.PermissionInfoResp;
@@ -676,641 +675,381 @@ public class AuthorInfoTest {
/*--TEST FOR USER CREATE 、UPDATE AND DROP -*/
// this operation will success for pre version.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateUserDep,
- "user1",
- "",
- "password1",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // this operation will success for pre version. --length~(32,64)
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateUserDep,
- "user1234567user1234567user1234567user1234567",
- "",
- "password1",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // this operation will fail for pre version. --length > 64
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateUserDep,
-
"user1234567user1234567user1234567user1234567user1234567user1234567user1234567user1234567",
- "",
- "password1",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // this operation will fail for pre version. -- contain &%*@
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateUserDep,
- "user1*&%",
- "",
- "password1",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // root, user1, user1234567user1234567user1234567user1234567
- Assert.assertEquals(
- 3,
- authorInfo
- .executeListUsers(
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUser,
- "",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>()))
- .getMemberList()
- .size());
+ {
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateUserDep,
+ "user1",
+ "",
+ "password1",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.DropUserDep,
- "user1234567user1234567user1234567user1234567",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+ // this operation will success for pre version. --length~(32,64)
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateUserDep,
+ "user1234567user1234567user1234567user1234567",
+ "",
+ "password1",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- Assert.assertEquals(
- 2,
- authorInfo
- .executeListUsers(
- new AuthorPlan(
- ConfigPhysicalPlanType.ListUserDep,
- "",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>()))
- .getMemberList()
- .size());
-
- // for pre version, password with &% will meet error.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.UpdateUserDep,
- "user1",
- "",
- "password*&S",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+ // this operation will fail for pre version. --length > 64
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateUserDep,
+
"user1234567user1234567user1234567user1234567user1234567user1234567user1234567user1234567",
+ "",
+ "password1",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /*--TEST FOR ROLE CREATE AND DROP -*/
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateRoleDep,
- "",
- "role1",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ // this operation will fail for pre version. -- contain &%*@
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateUserDep,
+ "user1*&%",
+ "",
+ "password1",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+
+ // root, user1, user1234567user1234567user1234567user1234567
+ Assert.assertEquals(
+ 3,
+ authorInfo
+ .executeListUsers(
+ new AuthorPlan(
+ ConfigPhysicalPlanType.ListUser,
+ "",
+ "",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>()))
+ .getMemberList()
+ .size());
- // name longer than 32, It's ok.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateRoleDep,
- "",
- "role1234567role1234567role1234567role1234567",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.DropUserDep,
+ "user1234567user1234567user1234567user1234567",
+ "",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+
+ Assert.assertEquals(
+ 2,
+ authorInfo
+ .executeListUsers(
+ new AuthorPlan(
+ ConfigPhysicalPlanType.ListUserDep,
+ "",
+ "",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>()))
+ .getMemberList()
+ .size());
+
+ // for pre version, password with &% will meet error.
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.UpdateUserDep,
+ "user1",
+ "",
+ "password*&S",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- // contain wrong character, error.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateRoleDep,
- "",
- "role1234567role1%%234567role1234567role1234567",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ /*--TEST FOR ROLE CREATE AND DROP -*/
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateRoleDep,
+ "",
+ "role1",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.DropRoleDep,
- "",
- "role1234567role1234567role1234567role1234567",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ // name longer than 32, It's ok.
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateRoleDep,
+ "",
+ "role1234567role1234567role1234567role1234567",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
- Assert.assertEquals(
- 1,
- authorInfo
- .executeListRoles(
- new AuthorPlan(
- ConfigPhysicalPlanType.ListRoleDep,
- "",
- "",
- "",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>()))
- .getMemberList()
- .size());
+ // contain wrong character, error.
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.CreateRoleDep,
+ "",
+ "role1234567role1%%234567role1234567role1234567",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.ILLEGAL_PARAMETER.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.DropRoleDep,
+ "",
+ "role1234567role1234567role1234567role1234567",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+
+ Assert.assertEquals(
+ 1,
+ authorInfo
+ .executeListRoles(
+ new AuthorPlan(
+ ConfigPhysicalPlanType.ListRoleDep,
+ "",
+ "",
+ "",
+ "",
+ new HashSet<>(),
+ false,
+ new ArrayList<>()))
+ .getMemberList()
+ .size());
+ }
// NOW WE HAVE USER:user1, root; ROLE: role1
- // 1. ALTER_PASSWORD WILL BE IGNORE
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.ALTER_PASSWORD.ordinal()),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
BasicAuthorizer.getInstance().getUser("user1").getPathPrivilegeList().size());
- Assert.assertEquals(0,
BasicAuthorizer.getInstance().getUser("user1").getSysPrivilege().size());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.ALTER_PASSWORD.ordinal()),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
BasicAuthorizer.getInstance().getRole("role1").getPathPrivilegeList().size());
- Assert.assertEquals(0,
BasicAuthorizer.getInstance().getRole("role1").getSysPrivilege().size());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
-
- // 2. GRANT_PRIVILEGE WILL BE IGNORE
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.GRANT_PRIVILEGE.ordinal()),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
BasicAuthorizer.getInstance().getUser("user1").getPathPrivilegeList().size());
- Assert.assertEquals(0,
BasicAuthorizer.getInstance().getUser("user1").getSysPrivilege().size());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.GRANT_PRIVILEGE.ordinal()),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 0,
BasicAuthorizer.getInstance().getRole("role1").getPathPrivilegeList().size());
- Assert.assertEquals(0,
BasicAuthorizer.getInstance().getRole("role1").getSysPrivilege().size());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
-
- // 3. check path and complex
-
- // READ -> READ_SCHEMA, READ_DATA
- // root.t1.*.t2 NO ERROR
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.READ.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.*.t2")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
Assert.assertFalse(BasicAuthorizer.getInstance().getUser("user1").getServiceReady());
- Assert.assertEquals(
- 2,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.*.t2"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.*.t2"))
- .contains(PrivilegeType.READ_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.*.t2"))
- .contains(PrivilegeType.READ_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /** user1 : root.t1.*.t2 : read_data, read_schema */
-
- // READ -> READ_SCHEMA, READ_DATA
- // root.t1.t2.* NO ERROR
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.*")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
Assert.assertFalse(BasicAuthorizer.getInstance().getUser("user1").getServiceReady());
- Assert.assertEquals(
- 2,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.*"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.*"))
- .contains(PrivilegeType.WRITE_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.*"))
- .contains(PrivilegeType.WRITE_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /** user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_data, write_schema */
-
- // READ -> READ_SCHEMA, READ_DATA
- // root.t1.t2 NO ERROR
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.READ.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
Assert.assertTrue(BasicAuthorizer.getInstance().getRole("role1").getServiceReady());
- Assert.assertEquals(
- 2,
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2"))
- .contains(PrivilegeType.READ_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2"))
- .contains(PrivilegeType.READ_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_data, write_schema role1
- * : root.t1.t2 : read_data, read_schema
- */
-
- // READ -> READ_SCHEMA, READ_DATA
- // root.t1.t2.* NO ERROR
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.**")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
Assert.assertTrue(BasicAuthorizer.getInstance().getRole("role1").getServiceReady());
- Assert.assertEquals(
- 2,
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2.**"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2.**"))
- .contains(PrivilegeType.WRITE_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2.**"))
- .contains(PrivilegeType.WRITE_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_data, write_schema role1
- * : root.t1.t2 : read_data, read_schema : root.t1.t2.** :write_data,
write_schema
- */
-
- // duplicate grant will not raise an error instead. But it's acceptable.
--skip
- // duplicate revoke will get an error.
-
- // REVOKE TEST
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.READ.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.t3")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
-
Assert.assertFalse(BasicAuthorizer.getInstance().getUser("user1").getServiceReady());
- Assert.assertEquals(
- 4,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .contains(PrivilegeType.READ_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .contains(PrivilegeType.READ_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_data, write_schema :
- * root.t1.t2.t3 : read_data, read_schema role1 : root.t1.t2 : read_data,
read_schema :
- * root.t1.t2.** :write_data, write_schema
- */
-
- // this revoke operation will not match other path privilege.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.RevokeUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE_DATA.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.*")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 3,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .contains(PrivilegeType.READ_DATA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .contains(PrivilegeType.READ_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_schema : root.t1.t2.t3 :
- * read_data, read_schema role1 : root.t1.t2 : read_data, read_schema :
root.t1.t2.**
- * :write_data, write_schema
- */
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.RevokeRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE_DATA.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.**")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertEquals(
- 1,
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .size());
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2.**"))
- .contains(PrivilegeType.WRITE_SCHEMA.ordinal()));
- Assert.assertTrue(
- BasicAuthorizer.getInstance()
- .getRole("role1")
- .getPathPrivileges(new PartialPath("root.t1.t2"))
- .contains(PrivilegeType.READ_SCHEMA.ordinal()));
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_schema : root.t1.t2.t3 :
- * read_data, read_schema role1 : root.t1.t2 : read_data, read_schema :
root.t1.t2.**
- * :write_schema
- */
-
- // duplicate revoke will raise an error.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.RevokeUserDep,
- "user1",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE_DATA.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.*")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.NOT_HAS_PRIVILEGE.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // duplicate revoke will raise an error.
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.RevokeRoleDep,
- "",
- "role1",
- "",
- "",
- Collections.singleton(PriPrivilegeType.WRITE_DATA.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.t1.t2.**")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.NOT_HAS_PRIVILEGE.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ for (PriPrivilegeType item : PriPrivilegeType.values()) {
+ /*-- TEST IGNORE PRIVILEGES --*/
+ if (!item.isAccept()) {
+ // for user to grant
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.GrantUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getUser("user1").getPathPrivilegeList().size());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getUser("user1").getSysPrivilege().size());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- HashSet<Integer> priSet = new HashSet<>();
- priSet.add(PriPrivilegeType.READ.ordinal());
- priSet.add(PriPrivilegeType.WRITE_SCHEMA.ordinal());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "user1",
- "",
- "",
- "",
- priSet,
- false,
- Collections.singletonList(new PartialPath("root.t1.*a.**")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
-
- // now check user's path and role's path.
- /**
- * user1 : root.t1.*.t2 : read_data, read_schema : root.t1.t2.* :
write_schema : root.t1.t2.t3 :
- * read_data, read_schema : root.t1.*a.** : read_data, read_schema,
write_schema role1 :
- * root.t1.t2 : read_data, read_schema : root.t1.t2.** :write_schema
- */
-
- // will turn to :
- /**
- * user1 : root.t1.** : read_data, read_schema, write_schema :
root.t1.t2.** : write_schema :
- * root.t1.t2.t3 : read_data, read_schema role1 : root.t1.t2 : read_data,
read_schema :
- * root.t1.t2.** :write_schema
- */
- authorInfo.checkUserPathPrivilege();
- Assert.assertEquals(
- 3,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.**"))
- .size());
- Assert.assertTrue(
- AuthUtils.hasPrivilege(
- new PartialPath("root.t1.t2.**"),
- PrivilegeType.WRITE_SCHEMA.ordinal(),
-
BasicAuthorizer.getInstance().getUser("user1").getPathPrivilegeList()));
- Assert.assertEquals(
- 3,
- BasicAuthorizer.getInstance()
- .getUser("user1")
- .getPathPrivileges(new PartialPath("root.t1.t2.t3"))
- .size());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ // for role to grant
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.GrantRoleDep,
+ "",
+ "role1",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getRole("role1").getPathPrivilegeList().size());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getRole("role1").getSysPrivilege().size());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.CreateUserDep,
- "userfull",
- "",
- "password1",
- "",
- new HashSet<>(),
- false,
- new ArrayList<>());
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+ // for user to revoke
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.RevokeUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getUser("user1").getPathPrivilegeList().size());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getUser("user1").getSysPrivilege().size());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
- authorPlan =
- new AuthorPlan(
- ConfigPhysicalPlanType.GrantUserDep,
- "userfull",
- "",
- "",
- "",
- Collections.singleton(PriPrivilegeType.ALL.ordinal()),
- false,
- Collections.singletonList(new PartialPath("root.**")));
- status = authorInfo.authorNonQuery(authorPlan);
- Assert.assertEquals(
- PrivilegeType.getPathPriCount(),
- BasicAuthorizer.getInstance()
- .getUser("userfull")
- .getPathPrivileges(new PartialPath("root.**"))
- .size());
- Assert.assertEquals(
- PrivilegeType.getSysPriCount(),
-
BasicAuthorizer.getInstance().getUser("userfull").getSysPrivilege().size());
+ // for role to revoke
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.RevokeRoleDep,
+ "",
+ "role1",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ new ArrayList<>());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getRole("role1").getPathPrivilegeList().size());
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getRole("role1").getSysPrivilege().size());
+ Assert.assertFalse(BasicAuthorizer.getInstance().forRolePreVersion());
+ } else {
+ if (item.isPreIsPathRelevant()) {
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.GrantUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ Collections.singletonList(new PartialPath("root.t1.*.t2")));
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ if (item.isPathRelevant()) {
+ Assert.assertEquals(
+ 1,
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getPathPrivileges(new PartialPath("root.t1.*.t2"))
+ .size());
+ Assert.assertTrue(
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getPathPrivileges(new PartialPath("root.t1.*.t2"))
+ .containsAll(item.getSubPriOrd()));
+
Assert.assertFalse(BasicAuthorizer.getInstance().getUser("user1").getServiceReady());
+ } else {
+ Assert.assertTrue(
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getSysPrivilege()
+ .containsAll(item.getSubPriOrd()));
+ }
+
Assert.assertFalse(BasicAuthorizer.getInstance().forUserPreVersion());
+ authorInfo.checkUserPathPrivilege();
+ // path will turn to root.t1.**
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.RevokeUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ Collections.singletonList(new PartialPath("root.t1.**")));
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ if (item.isPathRelevant()) {
+ Assert.assertEquals(
+ 0,
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getPathPrivileges(new PartialPath("root.t1.**"))
+ .size());
+ } else {
+ Assert.assertEquals(
+ 0,
BasicAuthorizer.getInstance().getUser("user1").getSysPrivilege().size());
+ }
+ } else {
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.GrantUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ Collections.emptyList());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertTrue(
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getSysPrivilege()
+ .containsAll(item.getSubSysPriOrd()));
+ authorPlan =
+ new AuthorPlan(
+ ConfigPhysicalPlanType.RevokeUserDep,
+ "user1",
+ "",
+ "",
+ "",
+ Collections.singleton(item.ordinal()),
+ false,
+ Collections.emptyList());
+ status = authorInfo.authorNonQuery(authorPlan);
+ Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ Assert.assertEquals(
+ 0,
+ BasicAuthorizer.getInstance()
+ .getUser("user1")
+ .getPathPrivileges(new PartialPath("root.t1.**"))
+ .size());
+ }
+ }
+ }
}
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleAccessorTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleAccessorTest.java
index 6bbc2dd7ece..f8aeec503f5 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleAccessorTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleAccessorTest.java
@@ -20,6 +20,7 @@ package org.apache.iotdb.db.auth.role;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
import org.apache.iotdb.commons.auth.entity.PriPrivilegeType;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.role.LocalFileRoleAccessor;
import org.apache.iotdb.commons.exception.IllegalPathException;
@@ -40,7 +41,6 @@ import java.util.List;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
@@ -110,55 +110,63 @@ public class LocalFileRoleAccessorTest {
Role role = new Role();
role.setName("root");
List<PathPrivilege> pathPriList = new ArrayList<>();
+ PathPrivilege rootPathPriv = new PathPrivilege(new PartialPath("root.**"));
+ PathPrivilege normalPathPriv = new PathPrivilege(new
PartialPath("root.b.c.**"));
+ PathPrivilege wroPathPriv = new PathPrivilege(new
PartialPath("root.c.*.d"));
+ PathPrivilege wroPathPriv2 = new PathPrivilege(new
PartialPath("root.c.*.**"));
+ for (PriPrivilegeType item : PriPrivilegeType.values()) {
+ if (item.isPreIsPathRelevant()) {
+ normalPathPriv.grantPrivilege(item.ordinal(), false);
+ wroPathPriv.grantPrivilege(item.ordinal(), false);
+ wroPathPriv2.grantPrivilege(item.ordinal(), false);
+ }
+ rootPathPriv.grantPrivilege(item.ordinal(), false);
+ }
- // root.a.b.c -- read_data, wirte_shcema.
- PathPrivilege pathPrivilege = new PathPrivilege(new
PartialPath("root.a.b.c"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.READ_DATA.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.WRITE_SCHEMA.ordinal(),
false);
- pathPriList.add(pathPrivilege);
-
- // root.a.*.b -- read_schema, write_data
- pathPrivilege = new PathPrivilege(new PartialPath("root.a.*.b"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.READ_SCHEMA.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.WRITE_DATA.ordinal(), false);
- pathPriList.add(pathPrivilege);
-
- // root.a.* -- manage_database -- will ignore the path.
- pathPrivilege = new PathPrivilege(new PartialPath("root.a.*"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_DATABASE.ordinal(),
false);
- pathPriList.add(pathPrivilege);
-
- // root.** -- for some systems.
- pathPrivilege = new PathPrivilege(new PartialPath("root.**"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.MAINTAIN.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_ROLE.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_USER.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.ALTER_PASSWORD.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.GRANT_PRIVILEGE.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_CQ.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_PIPE.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_TRIGGER.ordinal(),
false);
- pathPriList.add(pathPrivilege);
+ // In this case, we use four path to store some privileges.
+ // path1: root.** will store all privileges
+ // path2: root.b.c.** will store relevant privileges
+ // path3: root.c.*.d will store relevant privileges but the path will be
transformed to
+ // root.c.**
+ // path4: root.c.*.** will store relevant privileges but the path will be
transformed like path3
+ // 1. for path 1:
+ pathPriList.add(rootPathPriv);
role.setPrivilegeList(pathPriList);
role.setSysPriGrantOpt(new HashSet<>());
role.setSysPrivilegeSet(new HashSet<>());
accessor.saveRoleOldVer(role);
Role newRole = accessor.loadRole("root");
assertEquals("root", newRole.getName());
+ assertTrue(newRole.getServiceReady());
+ assertEquals(1, newRole.getPathPrivilegeList().size());
+ assertEquals(
+ PrivilegeType.getPathPriCount(),
+ newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(PrivilegeType.getSysPriCount(),
newRole.getSysPrivilege().size());
+ accessor.deleteRole("root");
- // because newRole has illegal path, its not ready to service.
- assertFalse(newRole.getServiceReady());
-
- // ignore manage_database.
- assertEquals(2, newRole.getPathPrivilegeList().size());
-
- // ignore alterpassword and grant_privilege
- assertEquals(7, newRole.getSysPrivilege().size());
- assertNotNull(newRole.getSysPriGrantOpt());
+ // 2. for path2:
+ pathPriList.clear();
+ pathPriList.add(normalPathPriv);
+ role.setPrivilegeList(pathPriList);
+ accessor.saveRoleOldVer(role);
+ newRole = accessor.loadRole("root");
+ assertTrue(newRole.getServiceReady());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(2, newRole.getSysPrivilege().size());
accessor.deleteRole("root");
- accessor.saveRole(newRole);
- Role newRole2 = accessor.loadRole("root");
- assertEquals(newRole, newRole2);
+
+ // 3. for path3 and path4
+ pathPriList.clear();
+ pathPriList.add(wroPathPriv2);
+ pathPriList.add(wroPathPriv);
+ role.setPrivilegeList(pathPriList);
+ accessor.saveRoleOldVer(role);
+ newRole = accessor.loadRole("root");
+ assertFalse(newRole.getServiceReady());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(1).getPrivileges().size());
+ assertEquals(2, newRole.getSysPrivilege().size());
}
}
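Review bot: The round trip through the new on-disk format that the old test carried (`accessor.saveRole(newRole)` followed by `assertEquals(newRole, accessor.loadRole("root"))`, removed at the end of the hunk) is dropped, so step 1 no longer shows that a role upgraded with every privilege persists again without loss; restoring those two lines after the `getSysPriCount()` assertion pins the upgrade output. Step 3's comment says `root.c.*.d` and `root.c.*.**` are rewritten to `root.c.**`, which widens the grant, but only privilege counts and `getServiceReady()` are asserted; if the rewrite happens at load time, pinning the resulting path, e.g. `assertEquals("root.c.**", newRole.getPathPrivilegeList().get(0).getPath().getFullPath())` (adjust to the actual accessor), would catch a regression that widens further to `root.**`, and if it happens later the test should at least assert the raw path is preserved. The test method's signature is above the hunk.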
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
index 06f13a39a09..d4dce992912 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/role/LocalFileRoleManagerTest.java
@@ -20,7 +20,6 @@ package org.apache.iotdb.db.auth.role;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
-import org.apache.iotdb.commons.auth.entity.PriPrivilegeType;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.role.LocalFileRoleManager;
@@ -147,22 +146,22 @@ public class LocalFileRoleManagerTest {
// turn to root.d.a
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.d.a"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.d.a"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.d*.a"),
PriPrivilegeType.READ_DATA.ordinal(), false);
+ "test", new PartialPath("root.d*.a"),
PrivilegeType.READ_DATA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.d*.a"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.d*.a"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.*.a.b"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.*.a.b"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.ds.a.**
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.ds.a.b*"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.ds.a.b*"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.ds.a.b
manager.grantPrivilegeToRole(
- "test", new PartialPath("root.ds.a.b"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.ds.a.b"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
assertFalse(manager.getRole("test").getServiceReady());
// after this operation, the user has these privileges:
// root.d.a : read_schema
@@ -174,15 +173,15 @@ public class LocalFileRoleManagerTest {
assertTrue(role.getServiceReady());
assertEquals(4, role.getPathPrivilegeList().size());
manager.revokePrivilegeFromRole(
- "test", new PartialPath("root.**"),
PriPrivilegeType.READ_SCHEMA.ordinal());
+ "test", new PartialPath("root.**"),
PrivilegeType.READ_SCHEMA.ordinal());
manager.revokePrivilegeFromRole(
- "test", new PartialPath("root.**"),
PriPrivilegeType.READ_DATA.ordinal());
+ "test", new PartialPath("root.**"), PrivilegeType.READ_DATA.ordinal());
assertEquals(3, role.getPathPrivilegeList().size());
assertTrue(
role.checkPathPrivilege(
- new PartialPath("root.ds.a.**"),
PriPrivilegeType.READ_SCHEMA.ordinal()));
+ new PartialPath("root.ds.a.**"),
PrivilegeType.READ_SCHEMA.ordinal()));
assertFalse(
role.checkPathPrivilege(
- new PartialPath("root.ds.a.**"),
PriPrivilegeType.READ_DATA.ordinal()));
+ new PartialPath("root.ds.a.**"),
PrivilegeType.READ_DATA.ordinal()));
}
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserAccessorTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserAccessorTest.java
index 84349ea3d8d..2113ff9c4c7 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserAccessorTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserAccessorTest.java
@@ -20,6 +20,8 @@ package org.apache.iotdb.db.auth.user;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
import org.apache.iotdb.commons.auth.entity.PriPrivilegeType;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.auth.user.LocalFileUserAccessor;
import org.apache.iotdb.commons.exception.IllegalPathException;
@@ -29,17 +31,18 @@ import org.apache.iotdb.db.utils.constant.TestConstant;
import org.apache.commons.io.FileUtils;
import org.junit.After;
-import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -122,57 +125,66 @@ public class LocalFileUserAccessorTest {
User user = new User();
user.setName("root");
user.setPassword("password1");
+ user.setRoleList(Collections.emptyList());
+
List<PathPrivilege> pathPriList = new ArrayList<>();
+ PathPrivilege rootPathPriv = new PathPrivilege(new PartialPath("root.**"));
+ PathPrivilege normalPathPriv = new PathPrivilege(new
PartialPath("root.b.c.**"));
+ PathPrivilege wroPathPriv = new PathPrivilege(new
PartialPath("root.c.*.d"));
+ PathPrivilege wroPathPriv2 = new PathPrivilege(new
PartialPath("root.c.*.**"));
+ for (PriPrivilegeType item : PriPrivilegeType.values()) {
+ if (item.isPreIsPathRelevant()) {
+ normalPathPriv.grantPrivilege(item.ordinal(), false);
+ wroPathPriv.grantPrivilege(item.ordinal(), false);
+ wroPathPriv2.grantPrivilege(item.ordinal(), false);
+ }
+ rootPathPriv.grantPrivilege(item.ordinal(), false);
+ }
- // root.a.b.c -- read_data, wirte_shcema.
- PathPrivilege pathPrivilege = new PathPrivilege(new
PartialPath("root.a.b.c"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.READ_DATA.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.WRITE_SCHEMA.ordinal(),
false);
- pathPriList.add(pathPrivilege);
-
- // root.a.*.b -- read_schema, write_data
- pathPrivilege = new PathPrivilege(new PartialPath("root.a.*.b"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.READ_SCHEMA.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.WRITE_DATA.ordinal(), false);
- pathPriList.add(pathPrivilege);
-
- // root.a.* -- manage_database -- will ignore the path.
- pathPrivilege = new PathPrivilege(new PartialPath("root.a.*"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_DATABASE.ordinal(),
false);
- pathPriList.add(pathPrivilege);
-
- // root.** -- for some systems.
- pathPrivilege = new PathPrivilege(new PartialPath("root.**"));
- pathPrivilege.grantPrivilege(PriPrivilegeType.MAINTAIN.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_ROLE.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.MANAGE_USER.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.ALTER_PASSWORD.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.GRANT_PRIVILEGE.ordinal(),
false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_CQ.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_PIPE.ordinal(), false);
- pathPrivilege.grantPrivilege(PriPrivilegeType.USE_TRIGGER.ordinal(),
false);
- pathPriList.add(pathPrivilege);
+ // In this case, we use four path to store some privileges.
+ // path1: root.** will store all privileges
+ // path2: root.b.c.** will store relevant privileges
+ // path3: root.c.*.d will store relevant privileges but the path will be
transformed to
+ // root.c.**
+ // path4: root.c.*.** will store relevant privileges but the path will be
transformed like path3
+ // 1. for path 1:
+ pathPriList.add(rootPathPriv);
user.setPrivilegeList(pathPriList);
- ArrayList<String> roleList = new ArrayList<>();
- roleList.add("role1");
- roleList.add("role2");
- user.setRoleList(roleList);
-
+ user.setSysPriGrantOpt(new HashSet<>());
+ user.setSysPrivilegeSet(new HashSet<>());
accessor.saveUserOldVersion(user);
- User newUser = accessor.loadUser("root");
- assertEquals("root", newUser.getName());
- assertEquals("password1", newUser.getPassword());
-
- Assert.assertFalse(newUser.getServiceReady());
-
- assertEquals(2, newUser.getPathPrivilegeList().size());
- assertEquals(7, newUser.getSysPrivilege().size());
- assertNotNull(newUser.getSysPriGrantOpt());
+ Role newRole = accessor.loadUser("root");
+ assertEquals("root", newRole.getName());
+ assertTrue(newRole.getServiceReady());
+ assertEquals(1, newRole.getPathPrivilegeList().size());
+ assertEquals(
+ PrivilegeType.getPathPriCount(),
+ newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(PrivilegeType.getSysPriCount(),
newRole.getSysPrivilege().size());
+ accessor.deleteUser("root");
+ // 2. for path2:
+ pathPriList.clear();
+ pathPriList.add(normalPathPriv);
+ user.setPrivilegeList(pathPriList);
+ accessor.saveUserOldVersion(user);
+ newRole = accessor.loadUser("root");
+ assertTrue(newRole.getServiceReady());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(2, newRole.getSysPrivilege().size());
accessor.deleteUser("root");
- accessor.saveUser(newUser);
- User newUser2 = accessor.loadUser("root");
- assertEquals(newUser2, newUser);
+
+ // 3. for path3 and path4
+ pathPriList.clear();
+ pathPriList.add(wroPathPriv2);
+ pathPriList.add(wroPathPriv);
+ user.setPrivilegeList(pathPriList);
+ accessor.saveUserOldVersion(user);
+ newRole = accessor.loadUser("root");
+ assertFalse(newRole.getServiceReady());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(0).getPrivileges().size());
+ assertEquals(3,
newRole.getPathPrivilegeList().get(1).getPrivileges().size());
+ assertEquals(2, newRole.getSysPrivilege().size());
}
}
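Review bot: The password check that the old version of this test carried (`assertEquals("password1", newUser.getPassword())`, removed mid-hunk) is gone because the loaded user is now held as `Role newRole`, so the hunk no longer verifies that credentials survive `saveUserOldVersion`/`loadUser`, which is the one user-specific field an auth upgrade must not lose. Declare it as `User newUser = accessor.loadUser("root");` and re-add the password assertion after the name check. Role membership is also set to `Collections.emptyList()` where the old test used `role1`/`role2`, so whether it survives the upgrade remains untested; a two-entry list plus an assertion on the loaded user's role list size would cover it. The test method's signature is above the hunk.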
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
index ea659f393b7..5c0e964d6e7 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
@@ -20,7 +20,7 @@ package org.apache.iotdb.db.auth.user;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
-import org.apache.iotdb.commons.auth.entity.PriPrivilegeType;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.auth.user.LocalFileUserManager;
@@ -193,22 +193,22 @@ public class LocalFileUserManagerTest {
// turn to root.d.a
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.d.a"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.d.a"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.d*.a"),
PriPrivilegeType.READ_DATA.ordinal(), false);
+ "test", new PartialPath("root.d*.a"),
PrivilegeType.READ_DATA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.d*.a"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.d*.a"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.**
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.*.a.b"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.*.a.b"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.ds.a.**
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.ds.a.b*"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.ds.a.b*"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
// turn to root.ds.a.b
manager.grantPrivilegeToUser(
- "test", new PartialPath("root.ds.a.b"),
PriPrivilegeType.READ_SCHEMA.ordinal(), false);
+ "test", new PartialPath("root.ds.a.b"),
PrivilegeType.READ_SCHEMA.ordinal(), false);
assertFalse(manager.getUser("test").getServiceReady());
// after this operation, the user has these privileges:
// root.d.a : read_schema
@@ -220,15 +220,15 @@ public class LocalFileUserManagerTest {
assertTrue(role.getServiceReady());
assertEquals(4, role.getPathPrivilegeList().size());
manager.revokePrivilegeFromUser(
- "test", new PartialPath("root.**"),
PriPrivilegeType.READ_SCHEMA.ordinal());
+ "test", new PartialPath("root.**"),
PrivilegeType.READ_SCHEMA.ordinal());
manager.revokePrivilegeFromUser(
- "test", new PartialPath("root.**"),
PriPrivilegeType.READ_DATA.ordinal());
+ "test", new PartialPath("root.**"), PrivilegeType.READ_DATA.ordinal());
assertEquals(3, role.getPathPrivilegeList().size());
assertTrue(
role.checkPathPrivilege(
- new PartialPath("root.ds.a.**"),
PriPrivilegeType.READ_SCHEMA.ordinal()));
+ new PartialPath("root.ds.a.**"),
PrivilegeType.READ_SCHEMA.ordinal()));
assertFalse(
role.checkPathPrivilege(
- new PartialPath("root.ds.a.**"),
PriPrivilegeType.READ_DATA.ordinal()));
+ new PartialPath("root.ds.a.**"),
PrivilegeType.READ_DATA.ordinal()));
}
}
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
index f0381173e4c..43e055a1a43 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
@@ -19,6 +19,8 @@
package org.apache.iotdb.commons.auth.entity;
+import org.apache.iotdb.commons.utils.TestOnly;
+
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
@@ -26,50 +28,93 @@ import java.util.List;
import java.util.Set;
public enum PriPrivilegeType {
- READ_DATA(true, PrivilegeType.READ_DATA),
- WRITE_DATA(true, PrivilegeType.WRITE_DATA),
- READ_SCHEMA(true, PrivilegeType.READ_SCHEMA),
- WRITE_SCHEMA(true, PrivilegeType.WRITE_SCHEMA),
- MANAGE_USER(false, PrivilegeType.MANAGE_USER),
- MANAGE_ROLE(false, PrivilegeType.MANAGE_ROLE),
- GRANT_PRIVILEGE(false),
- ALTER_PASSWORD(false),
- USE_TRIGGER(false, PrivilegeType.USE_TRIGGER),
- USE_CQ(false, PrivilegeType.USE_CQ),
- USE_PIPE(false, PrivilegeType.USE_PIPE),
- MANAGE_DATABASE(false, PrivilegeType.MANAGE_DATABASE),
- MAINTAIN(false, PrivilegeType.MAINTAIN),
- READ(true, PrivilegeType.READ_DATA, PrivilegeType.READ_SCHEMA),
- WRITE(true, PrivilegeType.WRITE_DATA, PrivilegeType.WRITE_SCHEMA),
+ CREATE_DATABASE(true, false, PrivilegeType.MANAGE_DATABASE),
+ INSERT_TIMESERIES(true, true, PrivilegeType.WRITE_DATA),
+ UPDATE_TIMESERIES(true, true, PrivilegeType.WRITE_DATA),
+ READ_TIMESERIES(true, true, PrivilegeType.READ_DATA),
+ CREATE_TIMESERIES(true, true, PrivilegeType.WRITE_SCHEMA),
+ DELETE_TIMESERIES(true, true, PrivilegeType.WRITE_SCHEMA),
+ CREATE_USER(false, PrivilegeType.MANAGE_USER),
+ DELETE_USER(false, PrivilegeType.MANAGE_USER),
+ MODIFY_PASSWORD(false),
+ LIST_USER(false),
+ GRANT_USER_PRIVILEGE(false),
+ REVOKE_USER_PRIVILEGE(false),
+ GRANT_USER_ROLE(false, PrivilegeType.MANAGE_ROLE),
+ REVOKE_USER_ROLE(false, PrivilegeType.MANAGE_ROLE),
+ CREATE_ROLE(false, PrivilegeType.MANAGE_ROLE),
+ DELETE_ROLE(false, PrivilegeType.MANAGE_ROLE),
+ LIST_ROLE(false),
+ GRANT_ROLE_PRIVILEGE(false),
+ REVOKE_ROLE_PRIVILEGE(false),
+ CREATE_FUNCTION(false, PrivilegeType.USE_UDF),
+ DROP_FUNCTION(false, PrivilegeType.USE_UDF),
+ CREATE_TRIGGER(true, false, PrivilegeType.USE_TRIGGER),
+ DROP_TRIGGER(true, false, PrivilegeType.USE_TRIGGER),
+ START_TRIGGER(true, false, PrivilegeType.USE_TRIGGER),
+ STOP_TRIGGER(true, false, PrivilegeType.USE_TRIGGER),
+ CREATE_CONTINUOUS_QUERY(false, PrivilegeType.USE_CQ),
+ DROP_CONTINUOUS_QUERY(false, PrivilegeType.USE_CQ),
ALL(
true,
- PrivilegeType.READ_SCHEMA,
- PrivilegeType.READ_DATA,
- PrivilegeType.WRITE_DATA,
- PrivilegeType.WRITE_SCHEMA,
- PrivilegeType.MANAGE_USER,
- PrivilegeType.MANAGE_ROLE,
- PrivilegeType.USE_TRIGGER,
- PrivilegeType.USE_CQ,
PrivilegeType.USE_PIPE,
PrivilegeType.USE_UDF,
+ PrivilegeType.USE_CQ,
+ PrivilegeType.USE_TRIGGER,
+ PrivilegeType.MANAGE_USER,
+ PrivilegeType.MANAGE_ROLE,
PrivilegeType.MANAGE_DATABASE,
- PrivilegeType.MAINTAIN,
PrivilegeType.EXTEND_TEMPLATE,
- PrivilegeType.AUDIT);
+ PrivilegeType.WRITE_SCHEMA,
+ PrivilegeType.WRITE_DATA,
+ PrivilegeType.READ_DATA,
+ PrivilegeType.READ_SCHEMA,
+ PrivilegeType.MAINTAIN,
+ PrivilegeType.AUDIT),
+ DELETE_DATABASE(true, false, PrivilegeType.MANAGE_DATABASE),
+ ALTER_TIMESERIES(true, true, PrivilegeType.WRITE_SCHEMA),
+ UPDATE_TEMPLATE(false),
+ READ_TEMPLATE(false),
+ APPLY_TEMPLATE(false),
+ READ_TEMPLATE_APPLICATION(false),
+ SHOW_CONTINUOUS_QUERIES(false),
+ CREATE_PIPEPLUGIN(false, PrivilegeType.USE_PIPE),
+ DROP_PIPEPLUGIN(false, PrivilegeType.USE_PIPE),
+ SHOW_PIPEPLUGINS(false),
+ CREATE_PIPE(false, PrivilegeType.USE_PIPE),
+ START_PIPE(false, PrivilegeType.USE_PIPE),
+ STOP_PIPE(false, PrivilegeType.USE_PIPE),
+ DROP_PIPE(false, PrivilegeType.USE_PIPE),
+ SHOW_PIPES(false),
+ CREATE_VIEW(false),
+ ALTER_VIEW(false),
+ RENAME_VIEW(false),
+ DELETE_VIEW(false),
+ ;
boolean accept = false;
private final boolean isPathRelevant;
+ private final boolean preIsPathRelevant;
private final List<PrivilegeType> refPri = new ArrayList<>();
PriPrivilegeType(boolean accept) {
this.accept = accept;
this.isPathRelevant = false;
+ this.preIsPathRelevant = false;
}
PriPrivilegeType(boolean isPathRelevant, PrivilegeType... privilegeTypes) {
this.accept = true;
this.isPathRelevant = isPathRelevant;
+ this.preIsPathRelevant = false;
+ this.refPri.addAll(Arrays.asList(privilegeTypes));
+ }
+
+ PriPrivilegeType(
+ boolean preIsPathRelevant, boolean isPathRelevant, PrivilegeType...
privilegeTypes) {
+ this.accept = true;
+ this.preIsPathRelevant = preIsPathRelevant;
+ this.isPathRelevant = isPathRelevant;
this.refPri.addAll(Arrays.asList(privilegeTypes));
}
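Review bot: The declaration order of this enum is now load-bearing but undocumented: the tests in this commit write `item.ordinal()` into old-format auth files via `saveRoleOldVer`/`saveUserOldVersion` and into `*Dep` plans, so each constant's position must match the legacy privilege-id table, and `ALL` sitting between `DROP_CONTINUOUS_QUERY` and `DELETE_DATABASE` only makes sense under that constraint. A future alphabetical tidy-up or an inserted constant would silently remap every stored privilege during upgrade, possibly handing a user a stronger privilege than the one they held. Add a header comment above the first constant, e.g. `// Declaration order is the legacy (pre-1.3) privilege id and is read back from old auth files via ordinal(); never reorder or insert, append only.` The id mapping itself is inferred from the tests; confirm it against the upgrade reader.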
@@ -81,6 +126,11 @@ public enum PriPrivilegeType {
return this.isPathRelevant;
}
+ @TestOnly
+ public boolean isPreIsPathRelevant() {
+ return this.preIsPathRelevant;
+ }
+
public Set<PrivilegeType> getSubPri() {
Set<PrivilegeType> result = new HashSet<>();
for (PrivilegeType peivType : refPri) {
@@ -88,4 +138,22 @@ public enum PriPrivilegeType {
}
return result;
}
+
+ public Set<Integer> getSubPriOrd() {
+ Set<Integer> result = new HashSet<>();
+ for (PrivilegeType peivType : refPri) {
+ result.add(peivType.ordinal());
+ }
+ return result;
+ }
+
+ public Set<Integer> getSubSysPriOrd() {
+ Set<Integer> result = new HashSet<>();
+ for (PrivilegeType peivType : refPri) {
+ if (!peivType.isPathRelevant()) {
+ result.add(peivType.ordinal());
+ }
+ }
+ return result;
+ }
}
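Review bot: `getSubPriOrd()` and `getSubSysPriOrd()` return ordinals of the target `PrivilegeType`, while `ordinal()` on this enum is the legacy id, and nothing in the hunk says which is which; each deserves a one-line Javadoc such as `/** Ordinals of the new-scheme PrivilegeType(s) this legacy privilege maps to (not this enum's own ordinal). */` and `/** Same as getSubPriOrd() but restricted to system (non-path) privileges. */`. Both methods also re-walk `refPri` with the misspelled `peivType` copied from `getSubPri()`; `getSubPri().stream().map(Enum::ordinal).collect(Collectors.toSet())` would reuse the existing method, if adding `java.util.stream.Collectors` is acceptable in this file.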
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index fea98782f0b..473450cc49b 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -220,7 +220,7 @@ public abstract class BasicUserManager implements
IUserManager {
AuthUtils.validatePath(path);
AuthUtils.removePrivilegePre(path, privilegeId,
user.getPathPrivilegeList());
} else {
- if (user.getSysPrivilege().contains(privilegeId)) {
+ if (!user.getSysPrivilege().contains(privilegeId)) {
return false;
}
user.getSysPrivilege().remove(privilegeId);
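Review bot: The inverted check is the real security fix of this commit — with the old `if (user.getSysPrivilege().contains(privilegeId)) return false;` a system privilege the user actually held was never removed, while revoking one they lacked fell through — yet no visible test pins this branch directly: the only system-privilege revoke in the test hunks (the `else` branch of the `AuthorInfoTest` loop) asserts `getPathPrivileges(root.t1.**)` is empty, which holds whether or not the revoke worked. Add a manager-level case that grants a system privilege, revokes it, and asserts `user.getSysPrivilege()` no longer contains it and that the revoke reports success. If the user also carries a system grant-option set (the tests call `setSysPriGrantOpt`), confirm the revoke path clears that entry too, since only `getSysPrivilege()` is touched here and a stale grant option would otherwise outlive the privilege. The enclosing method starts and ends outside the hunk.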