This is an automated email from the ASF dual-hosted git repository.

jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new e4e3c29d274 fix grant all to others.
e4e3c29d274 is described below

commit e4e3c29d274426df995df12ef1f911729b9c7e0a
Author: Colin Lee <[email protected]>
AuthorDate: Thu Apr 3 19:45:28 2025 +0800

    fix grant all to others.
---
 .../iotdb/db/it/auth/IoTDBRelationalAuthIT.java    | 43 ++++++++++++++++++++++
 .../relational/security/AccessControlImpl.java     |  7 ++--
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
index 017b3d57ceb..91efa12273c 100644
--- 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
+++ 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
@@ -460,7 +460,9 @@ public class IoTDBRelationalAuthIT {
     try (Connection adminCon = 
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
         Statement adminStmt = adminCon.createStatement()) {
       adminStmt.execute("create user test 'password'");
+      adminStmt.execute("create user test2 'password'");
       adminStmt.execute("grant all to user test");
+      adminStmt.execute("grant all to user test2 with grant option");
       adminStmt.execute("revoke SELECT ON ANY from user test");
       adminStmt.execute("create role role1");
       adminStmt.execute("grant all to role role1 with grant option");
@@ -507,6 +509,47 @@ public class IoTDBRelationalAuthIT {
           () -> {
             userConStatement.execute("GRANT SELECT ON DATABASE TEST to role 
role1");
           });
+
+      // Do not have grant option
+      Assert.assertThrows(
+          SQLException.class,
+          () -> {
+            userConStatement.execute("GRANT ALL to user test2");
+          });
+    }
+
+    try (Connection userCon =
+            EnvFactory.getEnv().getConnection("test2", "password", 
BaseEnv.TABLE_SQL_DIALECT);
+        Statement userConStatement = userCon.createStatement()) {
+      // user2 can grant all to user test
+      userConStatement.execute("GRANT ALL to user test");
+      // user2 can revoke all from user test
+      userConStatement.execute("REVOKE ALL from user test");
+
+      userConStatement.execute("GRANT ALL to user test");
+    }
+
+    try (Connection adminCon = 
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
+        Statement adminStmt = adminCon.createStatement()) {
+      adminStmt.execute("revoke MANAGE_USER from user test2");
+    }
+
+    try (Connection userCon =
+            EnvFactory.getEnv().getConnection("test2", "password", 
BaseEnv.TABLE_SQL_DIALECT);
+        Statement userConStatement = userCon.createStatement()) {
+      // user2 can not grant all to user test
+      Assert.assertThrows(
+          SQLException.class,
+          () -> {
+            userConStatement.execute("GRANT ALL to user test2");
+          });
+
+      // user2 can not revoke all from user test because does not hava all 
privileges
+      Assert.assertThrows(
+          SQLException.class,
+          () -> {
+            userConStatement.execute("REVOKE ALL to user test2");
+          });
     }
 
     try (Connection adminCon = 
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
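Review bot: The last two negative assertions in this hunk do not exercise what their comments describe. Both comments talk about user `test`, but the statements target `test2`, the connected user itself, and the second one is written `REVOKE ALL to user test2` while the positive case above uses `REVOKE ALL from user test`. If `to` is not accepted in a REVOKE statement, the `SQLException` would come from parsing rather than from the privilege check, so the assertion would pass even with the authorization check missing. Consider `userConStatement.execute("GRANT ALL to user test");` and `userConStatement.execute("REVOKE ALL from user test");`, and if the harness allows it, assert on the error code or message so only a permission failure satisfies the test. The enclosing test method starts and ends outside the hunk.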
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 8b0bc62e75d..5ee48ac3827 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -254,12 +254,13 @@ public class AccessControlImpl implements AccessControl {
         if (AuthorityChecker.SUPER_USER.equals(userName)) {
           return;
         }
-        for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
+        for (TableModelPrivilege privilege : TableModelPrivilege.values()) {
+          PrivilegeType privilegeType = privilege.getPrivilegeType();
           if (privilegeType.isRelationalPrivilege()) {
-            AuthorityChecker.checkAnyScopePermissionGrantOption(userName, 
privilegeType);
+            authChecker.checkAnyScopePrivilegeGrantOption(userName, privilege);
           }
           if (privilegeType.forRelationalSys()) {
-            AuthorityChecker.checkSystemPermissionGrantOption(userName, 
privilegeType);
+            authChecker.checkGlobalPrivilegeGrantOption(userName, privilege);
           }
         }
         return;
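Review bot: The new loop over `TableModelPrivilege.values()` has no comment explaining why it deliberately ignores `statement.getPrivilegeTypes()`, and since this is the grant-option check for an ALL statement, a later cleanup could quietly revert it. Presumably the statement's own list is empty or incomplete for ALL, which would have made the old loop check too little; if so, say it above the loop, e.g. `// ALL: caller must hold the grant option for every table-model privilege; statement.getPrivilegeTypes() is not authoritative here`. It is also worth confirming that every `TableModelPrivilege` value satisfies `isRelationalPrivilege()` or `forRelationalSys()`, because a value matching neither predicate is skipped without any check. The enclosing case label and method start outside the hunk, so whether this branch covers both GRANT ALL and REVOKE ALL cannot be confirmed from here.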
