This is an automated email from the ASF dual-hosted git repository. jackietien pushed a commit to branch ChangeMaintainToRoot in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 32b11f7d1a450187e722f4dd37e0d2f9b5f07403 Author: JackieTien97 <[email protected]> AuthorDate: Thu Mar 6 18:12:49 2025 +0800 Delete Maintain Auth --- .../it/auth/IoTDBClusterAuthorityRelationalIT.java | 1 - .../manual/basic/IoTDBPipeLifeCycleIT.java | 16 ++--- .../it/query/recent/IoTDBMaintainAuthIT.java | 59 ++++++------------- .../it/local/IoTDBSubscriptionBasicIT.java | 8 +-- .../iotdb/db/queryengine/plan/Coordinator.java | 4 +- .../execution/config/TableConfigTaskVisitor.java | 68 +++++++++++----------- .../analyzer/StatementAnalyzerFactory.java | 4 ++ .../plan/relational/security/AccessControl.java | 8 --- .../relational/security/AccessControlImpl.java | 6 +- .../relational/security/AllowAllAccessControl.java | 5 -- .../relational/security/TableModelPrivilege.java | 5 -- .../plan/relational/sql/rewrite/ShowRewrite.java | 22 ++++--- .../sql/rewrite/StatementRewriteFactory.java | 6 +- .../plan/relational/analyzer/AnalyzerTest.java | 4 +- .../plan/relational/planner/PlanTester.java | 9 ++- .../iotdb/commons/auth/entity/PrivilegeType.java | 2 +- .../db/relational/grammar/sql/RelationalSql.g4 | 4 +- 17 files changed, 98 insertions(+), 133 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityRelationalIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityRelationalIT.java index e18e43211be..7d1eec7e72c 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityRelationalIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityRelationalIT.java @@ -348,7 +348,6 @@ public class IoTDBClusterAuthorityRelationalIT { false)); grantSysPrivilegeAndCheck(client, "user1", "role1", true, PrivilegeType.MANAGE_USER, false); grantSysPrivilegeAndCheck(client, "user1", "role1", true, PrivilegeType.MANAGE_ROLE, true); - grantSysPrivilegeAndCheck(client, "user1", "role1", false, PrivilegeType.MAINTAIN, true); grantPrivilegeAndCheck( client, "user1", "", true, new PrivilegeUnion("database", "table", PrivilegeType.SELECT)); grantPrivilegeAndCheck( diff --git a/integration-test/src/test/java/org/apache/iotdb/pipe/it/dual/tablemodel/manual/basic/IoTDBPipeLifeCycleIT.java b/integration-test/src/test/java/org/apache/iotdb/pipe/it/dual/tablemodel/manual/basic/IoTDBPipeLifeCycleIT.java index ff84de1f99c..eb16e26623d 100644 --- a/integration-test/src/test/java/org/apache/iotdb/pipe/it/dual/tablemodel/manual/basic/IoTDBPipeLifeCycleIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/pipe/it/dual/tablemodel/manual/basic/IoTDBPipeLifeCycleIT.java @@ -725,35 +725,35 @@ public class IoTDBPipeLifeCycleIT extends AbstractPipeTableModelDualManualIT { + " 'connector.ip'='127.0.0.1',\n" + " 'connector.port'='6668'\n" + ")", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableNonQueryTestFail( senderEnv, "drop pipe testPipe", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableTestFail( senderEnv, "show pipes", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableNonQueryTestFail( senderEnv, "start pipe testPipe", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableNonQueryTestFail( senderEnv, "stop pipe testPipe", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); @@ -761,21 +761,21 @@ public class IoTDBPipeLifeCycleIT extends AbstractPipeTableModelDualManualIT { assertTableNonQueryTestFail( senderEnv, "create pipePlugin TestProcessor as 'org.apache.iotdb.db.pipe.example.TestProcessor' USING URI 'xxx'", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableNonQueryTestFail( senderEnv, "drop pipePlugin TestProcessor", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableTestFail( senderEnv, "show pipe plugins", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); diff --git a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java index a67113c30e9..e2d1ad48de1 100644 --- a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java @@ -34,7 +34,6 @@ import org.junit.runner.RunWith; import static org.apache.iotdb.db.auth.AuthorityChecker.ONLY_ADMIN_ALLOWED; import static org.apache.iotdb.db.it.utils.TestUtils.prepareTableData; import static org.apache.iotdb.db.it.utils.TestUtils.tableAssertTestFail; -import static org.apache.iotdb.db.it.utils.TestUtils.tableExecuteTest; import static org.apache.iotdb.db.it.utils.TestUtils.tableQueryNoVerifyResultTest; @RunWith(IoTDBTestRunner.class) @@ -53,7 +52,6 @@ public class IoTDBMaintainAuthIT { "CREATE TABLE table1(device_id STRING TAG, s1 INT32 FIELD)", "INSERT INTO table1(time,device_id,s1) values(1, 'd1', 1)", String.format(CREATE_USER_FORMAT, USER_1, PASSWORD), - "GRANT MAINTAIN TO USER " + USER_1, "GRANT SELECT ON TABLE table1 TO USER " + USER_1, "GRANT SELECT ON information_schema.queries TO USER " + USER_1, String.format(CREATE_USER_FORMAT, USER_2, PASSWORD) @@ -123,59 +121,47 @@ public class IoTDBMaintainAuthIT { tableQueryNoVerifyResultTest("SHOW CURRENT_TIMESTAMP", expectedHeader, USER_2, PASSWORD); // case 7: show variables - expectedHeader = new String[] {"Variable", "Value"}; - // user1 with MAINTAIN - tableQueryNoVerifyResultTest("SHOW VARIABLES", expectedHeader, USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "SHOW VARIABLES", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 8: show cluster_id - expectedHeader = new String[] {"ClusterId"}; - // user1 with MAINTAIN - tableQueryNoVerifyResultTest("SHOW CLUSTER_ID", expectedHeader, USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "SHOW CLUSTER_ID", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 9: flush - // user1 with MAINTAIN - tableExecuteTest("FLUSH", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "FLUSH", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 10: clear cache - // user1 with MAINTAIN - tableExecuteTest("CLEAR CACHE", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "CLEAR CACHE", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 11: set configuration - // user1 with MAINTAIN - tableExecuteTest("SET CONFIGURATION query_timeout_threshold='100000'", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "SET CONFIGURATION query_timeout_threshold='100000'", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); @@ -183,76 +169,67 @@ public class IoTDBMaintainAuthIT { // user1 with select on information_schema.queries expectedHeader = new String[] {"query_id", "start_time", "datanode_id", "elapsed_time", "statement", "user"}; - tableQueryNoVerifyResultTest("SHOW QUERIES", expectedHeader, USER_1, PASSWORD); + tableAssertTestFail( + "SHOW QUERIES", + TSStatusCode.NO_PERMISSION.getStatusCode() + + ": Access Denied: No permissions for this operation, only root user is allowed", + USER_1, + PASSWORD); // user2 without select on information_schema.queries tableAssertTestFail( "SHOW QUERIES", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege SELECT ON information_schema.queries", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 13: kill query - // user1 with MAINTAIN - tableAssertTestFail( - "kill query '20250206_093300_00001_1'", - TSStatusCode.NO_SUCH_QUERY.getStatusCode() + ": No such query", - USER_1, - PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "kill query '20250206_093300_00001_1'", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 14: load configuration - // user1 with MAINTAIN - tableExecuteTest("LOAD CONFIGURATION", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "LOAD CONFIGURATION", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 15: set system status - // user1 with MAINTAIN - tableExecuteTest("SET SYSTEM TO RUNNING", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "SET SYSTEM TO RUNNING", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 16: start repair data - // user1 with MAINTAIN - tableExecuteTest("START REPAIR DATA", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "START REPAIR DATA", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 17: stop repair data - // user1 with MAINTAIN - tableExecuteTest("STOP REPAIR DATA", USER_1, PASSWORD); // user2 without MAINTAIN tableAssertTestFail( "STOP REPAIR DATA", TSStatusCode.NO_PERMISSION.getStatusCode() - + ": Access Denied: No permissions for this operation, please add privilege MAINTAIN", + + ": Access Denied: No permissions for this operation, only root user is allowed", USER_2, PASSWORD); // case 18: create function - // user1 with MAINTAIN + // user1 without MAINTAIN tableAssertTestFail( "create function udsf as 'org.apache.iotdb.db.query.udf.example.relational.ContainNull'", TSStatusCode.NO_PERMISSION.getStatusCode() + ": Access Denied: " + ONLY_ADMIN_ALLOWED, diff --git a/integration-test/src/test/java/org/apache/iotdb/subscription/it/local/IoTDBSubscriptionBasicIT.java b/integration-test/src/test/java/org/apache/iotdb/subscription/it/local/IoTDBSubscriptionBasicIT.java index 93ed3d48406..85b10588415 100644 --- a/integration-test/src/test/java/org/apache/iotdb/subscription/it/local/IoTDBSubscriptionBasicIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/subscription/it/local/IoTDBSubscriptionBasicIT.java @@ -638,28 +638,28 @@ public class IoTDBSubscriptionBasicIT extends AbstractSubscriptionLocalIT { assertTableNonQueryTestFail( EnvFactory.getEnv(), "create topic topic1", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableTestFail( EnvFactory.getEnv(), "show topics", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableTestFail( EnvFactory.getEnv(), "show subscriptions", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); assertTableNonQueryTestFail( EnvFactory.getEnv(), "drop topic topic1", - "803: Access Denied: No permissions for this operation, please add privilege MAINTAIN", + "803: Access Denied: No permissions for this operation, only root user is allowed", "test", "test123", null); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java index d10bac8b878..5b3e283ec7b 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java @@ -180,8 +180,9 @@ public class Coordinator { this.executor = getQueryExecutor(); this.writeOperationExecutor = getWriteExecutor(); this.scheduledExecutor = getScheduledExecutor(); + this.accessControl = new AccessControlImpl(new ITableAuthCheckerImpl()); this.statementRewrite = - new StatementRewriteFactory(LocalExecutionPlanner.getInstance().metadata) + new StatementRewriteFactory(LocalExecutionPlanner.getInstance().metadata, accessControl) .getStatementRewrite(); this.logicalPlanOptimizers = new LogicalOptimizeFactory( @@ -193,7 +194,6 @@ public class Coordinator { new PlannerContext( LocalExecutionPlanner.getInstance().metadata, new InternalTypeManager())) .getPlanOptimizers(); - this.accessControl = new AccessControlImpl(new ITableAuthCheckerImpl()); this.dataNodeLocationSupplier = DataNodeLocationSupplierFactory.getSupplier(); } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java index badd434c67d..553b2788f9e 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java @@ -359,7 +359,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitShowCluster( final ShowCluster showCluster, final MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. ShowClusterStatement treeStatement = new ShowClusterStatement(); @@ -371,7 +371,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitShowRegions( final ShowRegions showRegions, final MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. final ShowRegionStatement treeStatement = new ShowRegionStatement(); @@ -385,7 +385,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitRemoveDataNode( final RemoveDataNode removeDataNode, final MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. final RemoveDataNodeStatement treeStatement = @@ -397,7 +397,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitRemoveConfigNode( final RemoveConfigNode removeConfigNode, final MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. final RemoveConfigNodeStatement treeStatement = @@ -409,7 +409,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitShowDataNodes( final ShowDataNodes showDataNodesStatement, final MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowDataNodesTask(); } @@ -417,7 +417,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitShowConfigNodes( final ShowConfigNodes showConfigNodesStatement, final MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowConfigNodesTask(); } @@ -425,7 +425,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitShowAINodes( final ShowAINodes showAINodesStatement, final MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowAINodesTask(); } @@ -433,7 +433,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitClearCache( final ClearCache clearCacheStatement, final MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ClearCacheTask(clearCacheStatement); } @@ -796,42 +796,42 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitFlush(final Flush node, final MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new FlushTask(((FlushStatement) node.getInnerTreeStatement())); } @Override protected IConfigTask visitSetConfiguration(SetConfiguration node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new SetConfigurationTask(((SetConfigurationStatement) node.getInnerTreeStatement())); } @Override protected IConfigTask visitStartRepairData(StartRepairData node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new StartRepairDataTask(((StartRepairDataStatement) node.getInnerTreeStatement())); } @Override protected IConfigTask visitStopRepairData(StopRepairData node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new StopRepairDataTask(((StopRepairDataStatement) node.getInnerTreeStatement())); } @Override protected IConfigTask visitLoadConfiguration(LoadConfiguration node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new LoadConfigurationTask(((LoadConfigurationStatement) node.getInnerTreeStatement())); } @Override protected IConfigTask visitSetSystemStatus(SetSystemStatus node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new SetSystemStatusTask(((SetSystemStatusStatement) node.getInnerTreeStatement())); } @@ -882,7 +882,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitCreatePipe(final CreatePipe node, final MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); for (String ExtractorAttribute : node.getExtractorAttributes().keySet()) { if (ExtractorAttribute.startsWith(SystemConstant.SYSTEM_PREFIX_KEY)) { @@ -903,7 +903,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitAlterPipe(AlterPipe node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); for (String ExtractorAttribute : node.getExtractorAttributes().keySet()) { if (ExtractorAttribute.startsWith(SystemConstant.SYSTEM_PREFIX_KEY)) { @@ -926,35 +926,35 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitDropPipe(DropPipe node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new DropPipeTask(node); } @Override protected IConfigTask visitStartPipe(StartPipe node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new StartPipeTask(node); } @Override protected IConfigTask visitStopPipe(StopPipe node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new StopPipeTask(node); } @Override protected IConfigTask visitShowPipes(ShowPipes node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowPipeTask(node); } @Override protected IConfigTask visitCreatePipePlugin(CreatePipePlugin node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); if (node.getUriString() != null && isUriTrusted(node.getUriString())) { // 1. user specified uri and that uri is trusted // 2. user doesn't specify uri @@ -968,21 +968,21 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitDropPipePlugin(DropPipePlugin node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new DropPipePluginTask(node); } @Override protected IConfigTask visitShowPipePlugins(ShowPipePlugins node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowPipePluginsTask(node); } @Override protected IConfigTask visitCreateTopic(CreateTopic node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // Inject table model into the topic attributes node.getTopicAttributes() @@ -994,21 +994,21 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitDropTopic(DropTopic node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new DropTopicTask(node); } @Override protected IConfigTask visitShowTopics(ShowTopics node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowTopicsTask(node); } @Override protected IConfigTask visitShowSubscriptions(ShowSubscriptions node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowSubscriptionsTask(node); } @@ -1047,14 +1047,14 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitShowVariables(ShowVariables node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowVariablesTask(); } @Override protected IConfigTask visitShowClusterId(ShowClusterId node, MPPQueryContext context) { context.setQueryType(QueryType.READ); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new ShowClusterIdTask(); } @@ -1077,7 +1077,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitKillQuery(KillQuery node, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); return new KillQueryTask(node); } @@ -1111,7 +1111,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitMigrateRegion(MigrateRegion migrateRegion, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. return new MigrateRegionTask(migrateRegion); @@ -1121,7 +1121,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont protected IConfigTask visitReconstructRegion( ReconstructRegion reconstructRegion, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. return new ReconstructRegionTask(reconstructRegion); @@ -1130,7 +1130,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitExtendRegion(ExtendRegion extendRegion, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. return new ExtendRegionTask(extendRegion); @@ -1139,7 +1139,7 @@ public class TableConfigTaskVisitor extends AstVisitor<IConfigTask, MPPQueryCont @Override protected IConfigTask visitRemoveRegion(RemoveRegion removeRegion, MPPQueryContext context) { context.setQueryType(QueryType.WRITE); - accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName()); + accessControl.checkUserIsAdmin(context.getSession().getUserName()); // As the implementation is identical, we'll simply translate to the // corresponding tree-model variant and execute that. return new RemoveRegionTask(removeRegion); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/StatementAnalyzerFactory.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/StatementAnalyzerFactory.java index 47b03729a51..ba63eb40990 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/StatementAnalyzerFactory.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/StatementAnalyzerFactory.java @@ -66,4 +66,8 @@ public class StatementAnalyzerFactory { Metadata metadata, AccessControl accessControl) { return new StatementAnalyzerFactory(metadata, new SqlParser(), accessControl); } + + public AccessControl getAccessControl() { + return accessControl; + } } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java index a9724b2636c..b7e2d52f417 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java @@ -124,14 +124,6 @@ public interface AccessControl { */ void checkCanShowOrDescTable(String userName, QualifiedObjectName tableName); - /** - * Check if user has global maintain privilege - * - * @param userName name of user - * @throws AccessDeniedException if not allowed - */ - void checkUserHasMaintainPrivilege(String userName); - /** * Check if user can run relational author statement. * diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java index cafdd13b138..6517347da36 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java @@ -92,11 +92,6 @@ public class AccessControlImpl implements AccessControl { authChecker.checkTableVisibility(userName, tableName); } - @Override - public void checkUserHasMaintainPrivilege(String userName) { - authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MAINTAIN); - } - @Override public void checkUserCanRunRelationalAuthorStatement( String userName, RelationalAuthorStatement statement) { @@ -274,6 +269,7 @@ public class AccessControlImpl implements AccessControl { authChecker.checkGlobalPrivilegeGrantOption( userName, TableModelPrivilege.getTableModelType(privilegeType)); } + break; default: break; } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java index 7843e1601e5..5dae236a2e3 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java @@ -78,11 +78,6 @@ public class AllowAllAccessControl implements AccessControl { // allow anything } - @Override - public void checkUserHasMaintainPrivilege(String userName) { - // allow anything - } - @Override public void checkUserCanRunRelationalAuthorStatement( String userName, RelationalAuthorStatement statement) { diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TableModelPrivilege.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TableModelPrivilege.java index 2fd59af8b6d..d8ec3d437a0 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TableModelPrivilege.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TableModelPrivilege.java @@ -25,7 +25,6 @@ public enum TableModelPrivilege { // global privilege MANAGE_USER, MANAGE_ROLE, - MAINTAIN, // scope privilege CREATE, @@ -41,8 +40,6 @@ public enum TableModelPrivilege { return PrivilegeType.MANAGE_ROLE; case MANAGE_USER: return PrivilegeType.MANAGE_USER; - case MAINTAIN: - return PrivilegeType.MAINTAIN; case CREATE: return PrivilegeType.CREATE; case DROP: @@ -66,8 +63,6 @@ public enum TableModelPrivilege { return TableModelPrivilege.MANAGE_ROLE; case MANAGE_USER: return TableModelPrivilege.MANAGE_USER; - case MAINTAIN: - return TableModelPrivilege.MAINTAIN; case CREATE: return TableModelPrivilege.CREATE; case DROP: diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java index d852319169d..4648da64666 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java @@ -19,11 +19,13 @@ package org.apache.iotdb.db.queryengine.plan.relational.sql.rewrite; +import org.apache.iotdb.commons.schema.table.InformationSchema; import org.apache.iotdb.db.queryengine.common.SessionInfo; import org.apache.iotdb.db.queryengine.execution.warnings.WarningCollector; import org.apache.iotdb.db.queryengine.plan.relational.analyzer.NodeRef; import org.apache.iotdb.db.queryengine.plan.relational.analyzer.StatementAnalyzerFactory; import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata; +import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl; import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AllColumns; import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AstVisitor; import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.CountStatement; @@ -54,12 +56,12 @@ public final class ShowRewrite implements StatementRewrite.Rewrite { private final Metadata metadata; // private final SqlParser parser; - // private final AccessControl accessControl; + private final AccessControl accessControl; - public ShowRewrite(final Metadata metadata) { + public ShowRewrite(final Metadata metadata, final AccessControl accessControl) { this.metadata = requireNonNull(metadata, "metadata is null"); // this.parser = requireNonNull(parser, "parser is null"); - // this.accessControl = requireNonNull(accessControl, "accessControl is null"); + this.accessControl = requireNonNull(accessControl, "accessControl is null"); } @Override @@ -70,25 +72,27 @@ public final class ShowRewrite implements StatementRewrite.Rewrite { final List<Expression> parameters, final Map<NodeRef<Parameter>, Expression> parameterLookup, final WarningCollector warningCollector) { - final Visitor visitor = new Visitor(metadata, session); + final Visitor visitor = new Visitor(metadata, session, accessControl); return (Statement) visitor.process(node, null); } private static class Visitor extends AstVisitor<Node, Void> { private final Metadata metadata; private final SessionInfo session; + private final AccessControl accessControl; - public Visitor(final Metadata metadata, final SessionInfo session) { + public Visitor( + final Metadata metadata, final SessionInfo session, final AccessControl accessControl) { this.metadata = requireNonNull(metadata, "metadata is null"); this.session = requireNonNull(session, "session is null"); + this.accessControl = requireNonNull(accessControl, "accessControl is null"); } @Override protected Node visitShowStatement(final ShowStatement showStatement, final Void context) { - // CatalogSchemaName schema = createCatalogSchemaName(session, showQueries, - // showQueries.getSchema()); - - // accessControl.checkCanShowQueries(session.toSecurityContext(), schema); + if (InformationSchema.QUERIES.equals(showStatement.getTableName())) { + accessControl.checkUserIsAdmin(session.getUserName()); + } return simpleQuery( selectList(new AllColumns()), diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java index ca3e850ff27..5536220508a 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java @@ -19,14 +19,16 @@ package org.apache.iotdb.db.queryengine.plan.relational.sql.rewrite; import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata; +import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl; import com.google.common.collect.ImmutableSet; public class StatementRewriteFactory { private final StatementRewrite statementRewrite; - public StatementRewriteFactory(Metadata metadata) { - this.statementRewrite = new StatementRewrite(ImmutableSet.of(new ShowRewrite(metadata))); + public StatementRewriteFactory(Metadata metadata, AccessControl accessControl) { + this.statementRewrite = + new StatementRewrite(ImmutableSet.of(new ShowRewrite(metadata, accessControl))); } public StatementRewrite getStatementRewrite() { diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java index 6152c603da1..574d013a2fe 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java @@ -1271,7 +1271,7 @@ public class AnalyzerTest { statementAnalyzerFactory, Collections.emptyList(), Collections.emptyMap(), - new StatementRewriteFactory(metadata).getStatementRewrite(), + new StatementRewriteFactory(metadata, nopAccessControl).getStatementRewrite(), NOOP); return analyzer.analyze(statement); } catch (final Exception e) { @@ -1296,7 +1296,7 @@ public class AnalyzerTest { statementAnalyzerFactory, Collections.emptyList(), Collections.emptyMap(), - new StatementRewriteFactory(metadata).getStatementRewrite(), + new StatementRewriteFactory(metadata, nopAccessControl).getStatementRewrite(), NOOP); return analyzer.analyze(statement); } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java index 1448a97962d..9a98ab96c7b 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java @@ -39,6 +39,7 @@ import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata; import org.apache.iotdb.db.queryengine.plan.relational.planner.distribute.TableDistributedPlanner; import org.apache.iotdb.db.queryengine.plan.relational.planner.optimizations.DataNodeLocationSupplierFactory; import org.apache.iotdb.db.queryengine.plan.relational.planner.optimizations.PlanOptimizer; +import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl; import org.apache.iotdb.db.queryengine.plan.relational.security.AllowAllAccessControl; import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.Statement; import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser; @@ -161,7 +162,8 @@ public class PlanTester { 0, "test", ZoneId.systemDefault(), databaseName, IClientSession.SqlDialect.TABLE); final MPPQueryContext context = new MPPQueryContext(sql, new QueryId("test_query"), session, null, null); - return analyzeStatement(statement, metadata, context, sqlParser, session); + return analyzeStatement( + statement, metadata, context, sqlParser, session, new AllowAllAccessControl()); } public static Analysis analyzeStatement( @@ -169,7 +171,8 @@ public class PlanTester { Metadata metadata, MPPQueryContext context, SqlParser sqlParser, - SessionInfo session) { + SessionInfo session, + AccessControl accessControl) { try { StatementAnalyzerFactory statementAnalyzerFactory = new StatementAnalyzerFactory(metadata, sqlParser, new AllowAllAccessControl()); @@ -181,7 +184,7 @@ public class PlanTester { statementAnalyzerFactory, Collections.emptyList(), Collections.emptyMap(), - new StatementRewriteFactory(metadata).getStatementRewrite(), + new StatementRewriteFactory(metadata, accessControl).getStatementRewrite(), NOOP); return analyzer.analyze(statement); } catch (Exception e) { diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java index d6852d99a86..773a1be38ba 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java @@ -93,7 +93,7 @@ public enum PrivilegeType { } public boolean forRelationalSys() { - return this == MAINTAIN || this == MANAGE_USER || this == MANAGE_ROLE; + return this == MANAGE_USER || this == MANAGE_ROLE; } public PrivilegeModelType getModelType() { diff --git a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4 b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4 index 01da672b0a2..8e1ded08a06 100644 --- a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4 +++ b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4 @@ -673,7 +673,6 @@ objectScope systemPrivilege : MANAGE_USER | MANAGE_ROLE - | MAINTAIN ; objectPrivilege @@ -1104,7 +1103,7 @@ nonReserved | JSON | KEEP | KEY | KEYS | KILL | LANGUAGE | LAST | LATERAL | LEADING | LEAVE | LEVEL | LIMIT | LINEAR | LOAD | LOCAL | LOGICAL | LOOP - | MAP | MATCH | MATCHED | MATCHES | MATCH_RECOGNIZE | MATERIALIZED | MEASURES | METHOD | MERGE | MICROSECOND | MIGRATE | MILLISECOND | MINUTE | MODIFY | MONTH + | MANAGE_ROLE | MANAGE_USER | MAP | MATCH | MATCHED | MATCHES | MATCH_RECOGNIZE | MATERIALIZED | MEASURES | METHOD | MERGE | MICROSECOND | MIGRATE | MILLISECOND | MINUTE | MODIFY | MONTH | NANOSECOND | NESTED | NEXT | NFC | NFD | NFKC | NFKD | NO | NODEID | NONE | NULLIF | NULLS | OBJECT | OF | OFFSET | OMIT | ONE | ONLY | OPTION | ORDINALITY | OUTPUT | OVER | OVERFLOW | PARTITION | PARTITIONS | PASSING | PAST | PATH | PATTERN | PER | PERIOD | PERMUTE | PIPE | PIPEPLUGIN | PIPEPLUGINS | PIPES | PLAN | POSITION | PRECEDING | PRECISION | PRIVILEGES | PREVIOUS | PROCESSLIST | PROCESSOR | PROPERTIES | PRUNE @@ -1302,7 +1301,6 @@ LOCALTIME: 'LOCALTIME'; LOCALTIMESTAMP: 'LOCALTIMESTAMP'; LOGICAL: 'LOGICAL'; LOOP: 'LOOP'; -MAINTAIN: 'MAINTAIN'; MANAGE_ROLE: 'MANAGE_ROLE'; MANAGE_USER: 'MANAGE_USER'; MAP: 'MAP';
