This is an automated email from the ASF dual-hosted git repository.
tanxinyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new ca8482a7bb1 Improve authority control of cluster management (#14924)
ca8482a7bb1 is described below
commit ca8482a7bb107034cb791aa8f2c34222dd33e124
Author: Li Yu Heng <[email protected]>
AuthorDate: Sat Feb 22 23:06:07 2025 +0800
Improve authority control of cluster management (#14924)
* done
* seems done
* done!
* what?
* delete test
---
.../org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 119 +++++++++++++++++++++
.../iotdb/db/it/auth/IoTDBSystemPermissionIT.java | 2 -
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 9 ++
.../metadata/CountTimeSlotListStatement.java | 7 ++
.../statement/metadata/GetRegionIdStatement.java | 7 ++
.../metadata/GetSeriesSlotListStatement.java | 7 ++
.../metadata/GetTimeSlotListStatement.java | 7 ++
.../metadata/RemoveConfigNodeStatement.java | 9 +-
.../metadata/RemoveDataNodeStatement.java | 9 +-
.../statement/metadata/ShowClusterIdStatement.java | 7 ++
.../statement/metadata/ShowClusterStatement.java | 9 +-
.../metadata/ShowConfigNodesStatement.java | 4 +-
.../statement/metadata/ShowDataNodesStatement.java | 4 +-
.../statement/metadata/ShowRegionStatement.java | 4 +-
.../metadata/model/ShowAINodesStatement.java | 7 ++
.../metadata/region/ExtendRegionStatement.java | 9 +-
.../metadata/region/MigrateRegionStatement.java | 9 +-
.../region/ReconstructRegionStatement.java | 9 +-
.../metadata/region/RemoveRegionStatement.java | 9 +-
.../plan/statement/sys/KillQueryStatement.java | 9 +-
.../plan/statement/sys/ShowQueriesStatement.java | 9 +-
.../statement/sys/TestConnectionStatement.java | 3 +-
.../db/relational/grammar/sql/RelationalSql.g4 | 3 +-
23 files changed, 186 insertions(+), 85 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index 301de48beda..449be05e131 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -26,7 +26,11 @@ import org.apache.iotdb.it.env.EnvFactory;
import org.apache.iotdb.it.framework.IoTDBTestRunner;
import org.apache.iotdb.itbase.category.ClusterIT;
import org.apache.iotdb.itbase.category.LocalStandaloneIT;
+import org.apache.iotdb.itbase.env.BaseEnv;
+import org.apache.iotdb.jdbc.IoTDBSQLException;
+import org.apache.iotdb.rpc.TSStatusCode;
+import com.google.common.collect.ImmutableList;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -46,6 +50,7 @@ import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.concurrent.Callable;
import static org.apache.iotdb.db.it.utils.TestUtils.createUser;
import static org.apache.iotdb.db.it.utils.TestUtils.resultSetEqualTest;
@@ -1281,6 +1286,120 @@ public class IoTDBAuthIT {
adminStmt.execute("create user tail 'password'");
}
+ @Test
+ public void testClusterManagementSqlOfTreeModel() throws Exception {
+ ImmutableList<String> clusterManagementSQLList =
+ ImmutableList.of(
+ // show cluster, nodes, regions,
+ "show ainodes",
+ "show confignodes",
+ "show datanodes",
+ "show cluster",
+ "show clusterid",
+ "show regions",
+ "show data regionid where database=root.**",
+
+ // remove node
+ "remove datanode 0",
+ "remove confignode 0",
+
+ // region operation
+ "migrate region 0 from 1 to 2",
+ "reconstruct region 0 on 1",
+ "extend region 0 to 1",
+ "remove region 0 from 1",
+
+ // others
+ "show timeslotid where database=root.test",
+ "count timeslotid where database=root.test",
+ "show data seriesslotid where database=root.test",
+ "verify connection");
+
+ try (Connection adminCon = EnvFactory.getEnv().getConnection();
+ Statement adminStmt = adminCon.createStatement()) {
+ adminStmt.execute("CREATE USER Jack 'temppw'");
+
+ try (Connection JackConnection =
EnvFactory.getEnv().getConnection("Jack", "temppw");
+ Statement Jack = JackConnection.createStatement()) {
+ testClusterManagementSqlImpl(
+ clusterManagementSQLList,
+ () -> adminStmt.execute("GRANT MAINTAIN ON root.** TO USER Jack"),
+ Jack);
+ }
+ }
+ }
+
+ @Test
+ public void testClusterManagementSqlOfTableModel() throws Exception {
+ ImmutableList<String> clusterManagementSQLList =
+ ImmutableList.of(
+ // show cluster, nodes, regions,
+ "show ainodes",
+ "show confignodes",
+ "show datanodes",
+ "show cluster",
+ "show clusterid",
+ "show regions",
+
+ // remove node
+ "remove datanode 0",
+ "remove confignode 0",
+
+ // region operation
+ "migrate region 0 from 1 to 2",
+ "reconstruct region 0 on 1",
+ "extend region 0 to 1",
+ "remove region 0 from 1");
+
+ try (Connection adminCon = EnvFactory.getEnv().getTableConnection();
+ Statement adminStmt = adminCon.createStatement()) {
+ adminStmt.execute("CREATE USER Jack 'temppw'");
+
+ try (Connection JackConnection =
+ EnvFactory.getEnv().getConnection("Jack", "temppw",
BaseEnv.TABLE_SQL_DIALECT);
+ Statement Jack = JackConnection.createStatement()) {
+ testClusterManagementSqlImpl(
+ clusterManagementSQLList, () -> adminStmt.execute("GRANT MAINTAIN
TO USER Jack"), Jack);
+ }
+ }
+ }
+
+ private void testClusterManagementSqlImpl(
+ List<String> clusterManagementSqlList, Callable<Boolean>
giveJackAuthority, Statement Jack)
+ throws Exception {
+ // Jack has no authority to execute these SQLs
+ for (String sql : clusterManagementSqlList) {
+ try {
+ Jack.execute(sql);
+ } catch (IoTDBSQLException e) {
+ if (TSStatusCode.NO_PERMISSION.getStatusCode() != e.getErrorCode()) {
+ fail(
+ String.format(
+ "SQL should fail because of no permission, but the error
code is %d: %s",
+ e.getErrorCode(), sql));
+ }
+ continue;
+ }
+ fail(String.format("SQL should fail because of no permission: %s", sql));
+ }
+
+ // Give Jack authority
+ giveJackAuthority.call();
+
+ // Jack is able to execute these SQLs now
+ for (String sql : clusterManagementSqlList) {
+ try {
+ // No exception is fine
+ Jack.execute(sql);
+ } catch (IoTDBSQLException e) {
+ // If there is an exception, error code must not be NO_PERMISSION
+ if (TSStatusCode.NO_PERMISSION.getStatusCode() == e.getErrorCode()) {
+ fail(String.format("SQL should not fail with no permission: %s",
sql));
+ }
+ }
+ }
+ }
+
@Test
public void noNeedPrivilegeTest() {
createUser("tempuser", "temppw");
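Review bot: The second loop in `testClusterManagementSqlImpl` passes on any outcome other than NO_PERMISSION, so read-only statements such as `show cluster` or `show regions` are never required to succeed once MAINTAIN is granted. It also means `remove datanode 0`, `remove confignode 0` and the region statements really execute against the test environment with authority. Whether ids 0/1/2 exist there is not visible from this hunk, so at minimum record the intent with a comment such as `// Only the permission gate is asserted; node/region statements may still fail for other reasons`. Consider splitting the list so the `show ...` statements must return without an exception, and adding a final phase that revokes the privilege and expects NO_PERMISSION again, which would catch a stale cached grant. Only `IoTDBSQLException` is caught, so any other `SQLException` aborts the test without naming the statement that caused it.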
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
index 2b04fcc64b1..c3ef62aa67e 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
@@ -247,7 +247,5 @@ public class IoTDBSystemPermissionIT {
"803: Only the admin user can perform this operation",
"test",
"test123");
- assertTestFail(
- "show regions", "803: Only the admin user can perform this operation",
"test", "test123");
}
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index d084e17123f..0dc343d40b0 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -321,6 +321,15 @@ public class AuthorityChecker {
return authorityFetcher.get().checkRole(username, roleName);
}
+ public static TSStatus checkSuperUserOrMaintain(String userName) {
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+ }
+ return AuthorityChecker.getTSStatus(
+ AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
+ PrivilegeType.MAINTAIN);
+ }
+
public static void buildTSBlock(
TAuthorizerResp authResp, SettableFuture<ConfigTaskResult> future) {
List<TSDataType> types = new ArrayList<>();
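Review bot: `checkSuperUserOrMaintain` becomes the single authorization gate for every cluster-management statement touched by this commit, yet it is added without Javadoc. I would add a short Javadoc stating the contract, e.g. `/** Returns a success status for the super user; otherwise the status of the MAINTAIN system-privilege check for userName. */`. `SUPER_USER.equals(userName)` is null-safe, but a null `userName` then reaches `checkSystemPermission`, whose handling of null is outside this hunk; the Javadoc should say whether null is allowed. As a style point, the `AuthorityChecker.` qualifiers are redundant inside the class itself.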
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/CountTimeSlotListStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/CountTimeSlotListStatement.java
index 1d93c663d7a..40110bdf2a5 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/CountTimeSlotListStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/CountTimeSlotListStatement.java
@@ -19,8 +19,10 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -114,4 +116,9 @@ public class CountTimeSlotListStatement extends Statement
implements IConfigStat
return new ArrayList<>();
}
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
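Review bot: The new `checkPermissionBeforeProcess` override carries no comment saying why a partition-slot query is gated on MAINTAIN, and the base-class default it replaces is outside the hunk, so a reader cannot tell whether access is being tightened or loosened. A one-line comment above the override would settle it, e.g. `// Cluster-management statement: super user or MAINTAIN only.`. The check is also system-wide and does not look at the database the statement names; if that is intended, the comment should say so. The same undocumented override is added in GetRegionIdStatement, GetSeriesSlotListStatement, GetTimeSlotListStatement, ShowClusterIdStatement and ShowAINodesStatement.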
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetRegionIdStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetRegionIdStatement.java
index c7ba3784194..280e658d54a 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetRegionIdStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetRegionIdStatement.java
@@ -20,8 +20,10 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
import org.apache.iotdb.common.rpc.thrift.TConsensusGroupType;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -119,4 +121,9 @@ public class GetRegionIdStatement extends Statement
implements IConfigStatement
return new ArrayList<>();
}
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetSeriesSlotListStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetSeriesSlotListStatement.java
index 0cd67e6418a..1c402f470e0 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetSeriesSlotListStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetSeriesSlotListStatement.java
@@ -20,8 +20,10 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
import org.apache.iotdb.common.rpc.thrift.TConsensusGroupType;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -75,4 +77,9 @@ public class GetSeriesSlotListStatement extends Statement
implements IConfigStat
return new ArrayList<>();
}
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetTimeSlotListStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetTimeSlotListStatement.java
index 39d279c0ee6..48da0c633a5 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetTimeSlotListStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/GetTimeSlotListStatement.java
@@ -19,8 +19,10 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -123,4 +125,9 @@ public class GetTimeSlotListStatement extends Statement
implements IConfigStatem
return new ArrayList<>();
}
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveConfigNodeStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveConfigNodeStatement.java
index 794df8d6b9d..3aac14ed831 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveConfigNodeStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveConfigNodeStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -46,12 +44,7 @@ public class RemoveConfigNodeStatement extends Statement
implements IConfigState
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveDataNodeStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveDataNodeStatement.java
index 00be9c88c1c..3fab79a7dd6 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveDataNodeStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/RemoveDataNodeStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.HashSet;
@@ -49,12 +47,7 @@ public class RemoveDataNodeStatement extends Statement
implements IConfigStateme
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterIdStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterIdStatement.java
index 3b0dbf12083..bf3d84a7aca 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterIdStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterIdStatement.java
@@ -19,6 +19,8 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
@@ -33,4 +35,9 @@ public class ShowClusterIdStatement extends ShowStatement
implements IConfigStat
public <R, C> R accept(StatementVisitor<R, C> visitor, C context) {
return visitor.visitShowClusterId(this, context);
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterStatement.java
index e7e031a0c87..a835d0779e3 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowClusterStatement.java
@@ -20,12 +20,10 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
public class ShowClusterStatement extends ShowStatement implements
IConfigStatement {
@@ -38,12 +36,7 @@ public class ShowClusterStatement extends ShowStatement
implements IConfigStatem
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowConfigNodesStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowConfigNodesStatement.java
index eb399b8ce39..81f31aeb6cb 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowConfigNodesStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowConfigNodesStatement.java
@@ -34,9 +34,7 @@ public class ShowConfigNodesStatement extends ShowStatement
implements IConfigSt
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.SUPER_USER.equals(userName),
- "Only the admin user can perform this operation");
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
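Review bot: Replacing the admin-only check with `checkSuperUserOrMaintain` widens who may list ConfigNodes, and nothing in the class records it: after an upgrade, every existing user or role that already holds MAINTAIN can read cluster topology. The denial text presumably changes as well, since the removed call passed the literal "Only the admin user can perform this operation" and the helper builds its status from `PrivilegeType.MAINTAIN`. Clients or tests that match on the old message will need updating, as the assertion deleted from IoTDBSystemPermissionIT suggests. I would add a comment on the override such as `// Was admin-only before #14924; now also allowed for holders of MAINTAIN.` and mention the change in the release notes. The same widening is applied in ShowDataNodesStatement and ShowRegionStatement.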
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowDataNodesStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowDataNodesStatement.java
index 4a7464c5c3f..b1fc67c7b4c 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowDataNodesStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowDataNodesStatement.java
@@ -46,9 +46,7 @@ public class ShowDataNodesStatement extends ShowStatement
implements IConfigStat
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.SUPER_USER.equals(userName),
- "Only the admin user can perform this operation");
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowRegionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowRegionStatement.java
index 8101a65f1d9..78438d8fcfd 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowRegionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/ShowRegionStatement.java
@@ -75,9 +75,7 @@ public class ShowRegionStatement extends ShowStatement
implements IConfigStateme
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.SUPER_USER.equals(userName),
- "Only the admin user can perform this operation");
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/model/ShowAINodesStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/model/ShowAINodesStatement.java
index 602d0e01465..d99e158f0cd 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/model/ShowAINodesStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/model/ShowAINodesStatement.java
@@ -19,6 +19,8 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata.model;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
@@ -37,4 +39,9 @@ public class ShowAINodesStatement extends ShowStatement
implements IConfigStatem
public <R, C> R accept(StatementVisitor<R, C> visitor, C context) {
return visitor.visitShowAINodes(this, context);
}
+
+ @Override
+ public TSStatus checkPermissionBeforeProcess(String userName) {
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ExtendRegionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ExtendRegionStatement.java
index 6d346094201..0048a789f95 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ExtendRegionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ExtendRegionStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata.region;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -53,12 +51,7 @@ public class ExtendRegionStatement extends Statement
implements IConfigStatement
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/MigrateRegionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/MigrateRegionStatement.java
index df788c1414a..ef272c81d2c 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/MigrateRegionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/MigrateRegionStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata.region;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -69,12 +67,7 @@ public class MigrateRegionStatement extends Statement
implements IConfigStatemen
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ReconstructRegionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ReconstructRegionStatement.java
index 0620e34dda0..25f3d65d837 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ReconstructRegionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/ReconstructRegionStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata.region;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -51,12 +49,7 @@ public class ReconstructRegionStatement extends Statement
implements IConfigStat
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/RemoveRegionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/RemoveRegionStatement.java
index 16839a43820..aa185ad627e 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/RemoveRegionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/region/RemoveRegionStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.metadata.region;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -53,12 +51,7 @@ public class RemoveRegionStatement extends Statement
implements IConfigStatement
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
index 1a438d2a6b1..fe2781331ec 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
@@ -20,14 +20,12 @@
package org.apache.iotdb.db.queryengine.plan.statement.sys;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -58,12 +56,7 @@ public class KillQueryStatement extends Statement implements
IConfigStatement {
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/ShowQueriesStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/ShowQueriesStatement.java
index 472511ffc66..e23f2d647b1 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/ShowQueriesStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/ShowQueriesStatement.java
@@ -20,7 +20,6 @@
package org.apache.iotdb.db.queryengine.plan.statement.sys;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.statement.StatementType;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
@@ -30,7 +29,6 @@ import
org.apache.iotdb.db.queryengine.plan.statement.component.Ordering;
import org.apache.iotdb.db.queryengine.plan.statement.component.SortItem;
import org.apache.iotdb.db.queryengine.plan.statement.component.WhereCondition;
import org.apache.iotdb.db.queryengine.plan.statement.metadata.ShowStatement;
-import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collections;
import java.util.List;
@@ -60,12 +58,7 @@ public class ShowQueriesStatement extends ShowStatement {
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
- PrivilegeType.MAINTAIN);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
public void setWhereCondition(WhereCondition whereCondition) {
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/TestConnectionStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/TestConnectionStatement.java
index 2e01ea151dc..ebcfe8be859 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/TestConnectionStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/TestConnectionStatement.java
@@ -21,6 +21,7 @@ package org.apache.iotdb.db.queryengine.plan.statement.sys;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -57,6 +58,6 @@ public class TestConnectionStatement extends Statement
implements IConfigStateme
@Override
public TSStatus checkPermissionBeforeProcess(String userName) {
- return super.checkPermissionBeforeProcess(userName);
+ return AuthorityChecker.checkSuperUserOrMaintain(userName);
}
}
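Review bot: Nothing on the TestConnectionStatement override records why a connectivity test now needs the super user or MAINTAIN, and unlike the sibling statements this is a behaviour change rather than a refactor. The old body deferred to `super.checkPermissionBeforeProcess(userName)`, whose result is not visible in this hunk, so accounts that could run the statement before may now be denied. If the reason is that the result reveals cluster node details, a comment such as `// Output describes cluster nodes, so restrict to the super user or MAINTAIN holders.` above the return would record it. The tightened requirement also belongs in the upgrade notes. The diffstat lists additions to IoTDBAuthIT, so please confirm they include a case where a user without MAINTAIN is rejected for this statement.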
diff --git
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
index 3ddc754e87a..ef5d303476f 100644
---
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
+++
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
@@ -1100,7 +1100,7 @@ nonReserved
| OBJECT | OF | OFFSET | OMIT | ONE | ONLY | OPTION | ORDINALITY | OUTPUT
| OVER | OVERFLOW
| PARTITION | PARTITIONS | PASSING | PAST | PATH | PATTERN | PER | PERIOD
| PERMUTE | PIPE | PIPEPLUGIN | PIPEPLUGINS | PIPES | PLAN | POSITION |
PRECEDING | PRECISION | PRIVILEGES | PREVIOUS | PROCESSLIST | PROCESSOR |
PROPERTIES | PRUNE
| QUERIES | QUERY | QUOTES
- | RANGE | READ | READONLY | REFRESH | REGION | REGIONID | REGIONS | REMOVE
| RENAME | REPAIR | REPEAT | REPEATABLE | REPLACE | RESET | RESPECT | RESTRICT
| RETURN | RETURNING | RETURNS | REVOKE | ROLE | ROLES | ROLLBACK | ROW | ROWS
| RUNNING
+ | RANGE | READ | READONLY | RECONSTRUCT | REFRESH | REGION | REGIONID |
REGIONS | REMOVE | RENAME | REPAIR | REPEAT | REPEATABLE | REPLACE | RESET |
RESPECT | RESTRICT | RETURN | RETURNING | RETURNS | REVOKE | ROLE | ROLES |
ROLLBACK | ROW | ROWS | RUNNING
| SERIESSLOTID | SCALAR | SCHEMA | SCHEMAS | SECOND | SECURITY | SEEK |
SERIALIZABLE | SESSION | SET | SETS
| SHOW | SINK | SOME | SOURCE | START | STATS | STOP | SUBSCRIPTIONS |
SUBSET | SUBSTRING | SYSTEM
| TABLES | TABLESAMPLE | TAG | TEXT | TEXT_STRING | TIES | TIME |
TIMEPARTITION | TIMESERIES | TIMESLOTID | TIMESTAMP | TO | TOPIC | TOPICS |
TRAILING | TRANSACTION | TRUNCATE | TRY_CAST | TYPE
@@ -1374,6 +1374,7 @@ QUOTES: 'QUOTES';
RANGE: 'RANGE';
READ: 'READ';
READONLY: 'READONLY';
+RECONSTRUCT: 'RECONSTRUCT';
RECURSIVE: 'RECURSIVE';
REFRESH: 'REFRESH';
REGION: 'REGION';