jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 0f222397691 Added privilege for information_schema & Removed the
privilege requirement for show pipePlugins
0f222397691 is described below
commit 0f222397691751eac3ea364a32af359368e24f33
Author: Caideyipi <[email protected]>
AuthorDate: Wed May 21 16:07:13 2025 +0800
Added privilege for information_schema & Removed the privilege requirement
for show pipePlugins
---
.../it/query/recent/IoTDBMaintainAuthIT.java | 18 +--
.../relational/it/schema/IoTDBDatabaseIT.java | 54 ++++++++-
.../iotdb/relational/it/schema/IoTDBTableIT.java | 14 ++-
.../InformationSchemaContentSupplierFactory.java | 124 +++++++++++++++------
.../iotdb/db/queryengine/plan/Coordinator.java | 4 +-
.../execution/config/TableConfigTaskVisitor.java | 48 ++++----
.../plan/planner/TableOperatorGenerator.java | 15 ++-
.../relational/security/AccessControlImpl.java | 2 -
.../plan/relational/sql/rewrite/ShowRewrite.java | 26 +----
.../sql/rewrite/StatementRewriteFactory.java | 8 +-
.../plan/relational/analyzer/AnalyzerTest.java | 4 +-
.../plan/relational/planner/PlanTester.java | 9 +-
12 files changed, 200 insertions(+), 126 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
index 800af040335..fd5d0d94e01 100644
---
a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
@@ -165,20 +165,10 @@ public class IoTDBMaintainAuthIT {
PASSWORD);
// case 12: show queries
- // user1 with select on information_schema.queries
- tableAssertTestFail(
- "SHOW QUERIES",
- TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": Access Denied: No permissions for this operation, only root
user is allowed",
- USER_1,
- PASSWORD);
- // user2 without select on information_schema.queries
- tableAssertTestFail(
- "SHOW QUERIES",
- TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": Access Denied: No permissions for this operation, only root
user is allowed",
- USER_2,
- PASSWORD);
+ // non-root users can access its own queries
+ expectedHeader =
+ new String[] {"query_id", "start_time", "datanode_id", "elapsed_time",
"statement", "user"};
+ tableQueryNoVerifyResultTest("show queries", expectedHeader, USER_2,
PASSWORD);
// case 13: kill query
// user2
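Review bot: The new case 12 checks only the column header through `tableQueryNoVerifyResultTest`, so nothing asserts the rule this commit introduces, that a non-root user sees only its own rows in `show queries`. A regression that returned every user's statements to USER_2 would still pass. I would assert that each returned `user` value equals USER_2 and keep a USER_1 case, since the removed lines covered both users; the comment could read `// non-root users can see only their own queries`. The test method starts and ends outside this hunk.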
diff --git
a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java
b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java
index a049bd5e7c3..78bf4a1c574 100644
---
a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java
@@ -514,12 +514,50 @@ public class IoTDBDatabaseIT {
"ColumnName,DataType,Category,",
new HashSet<>(Arrays.asList("word,STRING,TAG,",
"reserved,INT32,ATTRIBUTE,")));
- // Currently only root can query information_schema
+ // Only root user is allowed
+ Assert.assertThrows(SQLException.class, () -> statement.execute("select
* from regions"));
+ Assert.assertThrows(SQLException.class, () -> statement.execute("select
* from pipes"));
+ Assert.assertThrows(SQLException.class, () -> statement.execute("select
* from topics"));
Assert.assertThrows(
- SQLException.class,
- () -> {
- statement.execute("select * from databases");
- });
+ SQLException.class, () -> statement.execute("select * from
subscriptions"));
+ Assert.assertThrows(
+ SQLException.class, () -> statement.execute("select * from
configurations"));
+
+ // No auth needed
+ TestUtils.assertResultSetEqual(
+ statement.executeQuery(
+ "select * from pipe_plugins where plugin_name =
'IOTDB-THRIFT-SINK'"),
+ "plugin_name,plugin_type,class_name,plugin_jar,",
+ Collections.singleton(
+
"IOTDB-THRIFT-SINK,Builtin,org.apache.iotdb.commons.pipe.agent.plugin.builtin.connector.iotdb.thrift.IoTDBThriftConnector,null,"));
+
+ TestUtils.assertResultSetEqual(
+ statement.executeQuery(
+ "select model_id from information_schema.models where model_type
= 'BUILT_IN_FORECAST'"),
+ "model_id,",
+ new HashSet<>(
+ Arrays.asList(
+ "_timerxl,",
+ "_STLForecaster,",
+ "_NaiveForecaster,",
+ "_ARIMA,",
+ "_ExponentialSmoothing,")));
+
+ TestUtils.assertResultSetEqual(
+ statement.executeQuery(
+ "select distinct(function_type) from
information_schema.functions"),
+ "function_type,",
+ new HashSet<>(
+ Arrays.asList(
+ "built-in scalar function,",
+ "built-in aggregate function,",
+ "built-in table function,")));
+
+ TestUtils.assertResultSetEqual(
+ statement.executeQuery(
+ "select * from information_schema.keywords where reserved > 0
limit 1"),
+ "word,reserved,",
+ Collections.singleton("AINODES,1,"));
}
try (final Connection connection =
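Review bot: The five `Assert.assertThrows(SQLException.class, ...)` checks under `// Only root user is allowed` accept any SQL failure, so an unknown-table or parse error would satisfy them as well as an access denial. The table names are unqualified, which makes that more likely if the current database is not what the test expects. Capturing the exception would pin the intent, e.g. `final SQLException e = Assert.assertThrows(SQLException.class, () -> statement.execute("select * from regions"));` followed by an assertion that `e.getMessage()` contains `TSStatusCode.NO_PERMISSION.getStatusCode()`, assuming the message keeps the `<code>: ...` form seen in IoTDBMaintainAuthIT. The connection and its user are set up outside this hunk.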
@@ -715,6 +753,8 @@ public class IoTDBDatabaseIT {
final Statement adminStmt = adminCon.createStatement()) {
adminStmt.execute("create user test 'password'");
adminStmt.execute("create database db");
+ adminStmt.execute(
+ "create pipe a2b with source('double-living'='true') with sink
('sink'='write-back-sink')");
}
try (final Connection userCon =
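Review bot: The pipe `a2b` created here is not referenced by any assertion in the visible hunks of this test, and no matching `drop pipe` is visible either. If it exists to show that a non-admin cannot read it through `information_schema.pipes`, an explicit assertion on the user connection would make that clear. If cleanup is not already done outside the hunk, the pipe outlives the test on a shared environment.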
@@ -724,6 +764,10 @@ public class IoTDBDatabaseIT {
userStmt.executeQuery("show databases"),
"Database,TTL(ms),SchemaReplicationFactor,DataReplicationFactor,TimePartitionInterval,",
Collections.singleton("information_schema,INF,null,null,null,"));
+ TestUtils.assertResultSetEqual(
+ userStmt.executeQuery("select * from information_schema.databases"),
+
"database,ttl(ms),schema_replication_factor,data_replication_factor,time_partition_interval,schema_region_group_num,data_region_group_num,",
+
Collections.singleton("information_schema,INF,null,null,null,null,null,"));
}
try (final Connection adminCon =
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
diff --git
a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBTableIT.java
b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBTableIT.java
index cef3d3a754d..2e4572d969d 100644
---
a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBTableIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBTableIT.java
@@ -636,11 +636,15 @@ public class IoTDBTableIT {
try (final Connection userCon =
EnvFactory.getEnv().getConnection("test", "password",
BaseEnv.TABLE_SQL_DIALECT);
final Statement userStmt = userCon.createStatement()) {
- Assert.assertThrows(
- SQLException.class,
- () -> {
- userStmt.execute("select * from db.test");
- });
+ Assert.assertThrows(SQLException.class, () -> userStmt.execute("select *
from db.test"));
+ TestUtils.assertResultSetEqual(
+ userStmt.executeQuery("select * from information_schema.tables where
database = 'db'"),
+ "database,table_name,ttl(ms),status,comment,table_type,",
+ Collections.emptySet());
+ TestUtils.assertResultSetEqual(
+ userStmt.executeQuery("select * from information_schema.columns
where database = 'db'"),
+ "database,table_name,column_name,datatype,category,status,comment,",
+ Collections.emptySet());
}
try (final Connection adminCon =
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
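Review bot: Both new assertions expect an empty result for the unprivileged user, so a filter that hid every table from everyone would pass them. Unless a positive case exists outside this hunk, I would add one: grant the user a privilege on `db.test` from the admin connection and assert that `information_schema.tables` and `information_schema.columns` then return its rows. The `assertThrows(SQLException.class, ...)` on the first added line also accepts any SQL error rather than specifically an access denial.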
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
index 7699da64050..2d4df80fec1 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
@@ -22,6 +22,7 @@ package
org.apache.iotdb.db.queryengine.execution.operator.source.relational;
import org.apache.iotdb.common.rpc.thrift.Model;
import org.apache.iotdb.common.rpc.thrift.TConsensusGroupType;
import org.apache.iotdb.commons.conf.IoTDBConstant;
+import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.commons.model.ModelType;
import org.apache.iotdb.commons.pipe.agent.plugin.builtin.BuiltinPipePlugin;
import org.apache.iotdb.commons.pipe.agent.plugin.meta.PipePluginMeta;
@@ -60,6 +61,7 @@ import org.apache.iotdb.db.queryengine.plan.Coordinator;
import org.apache.iotdb.db.queryengine.plan.execution.IQueryExecution;
import
org.apache.iotdb.db.queryengine.plan.execution.config.metadata.relational.ShowCreateViewTask;
import
org.apache.iotdb.db.queryengine.plan.relational.function.TableBuiltinTableFunction;
+import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
import
org.apache.iotdb.db.queryengine.plan.relational.sql.util.ReservedIdentifiers;
import org.apache.iotdb.db.relational.grammar.sql.RelationalSqlKeywords;
import org.apache.iotdb.db.schemaengine.table.InformationSchemaUtils;
@@ -97,6 +99,8 @@ import static
org.apache.iotdb.commons.conf.IoTDBConstant.TTL_INFINITE;
import static org.apache.iotdb.commons.schema.SchemaConstant.ALL_MATCH_SCOPE;
import static org.apache.iotdb.commons.schema.SchemaConstant.ALL_RESULT_NODES;
import static org.apache.iotdb.commons.schema.table.TsTable.TTL_PROPERTY;
+import static
org.apache.iotdb.db.queryengine.plan.execution.config.TableConfigTaskVisitor.canShowDB;
+import static
org.apache.iotdb.db.queryengine.plan.execution.config.TableConfigTaskVisitor.canShowTable;
import static
org.apache.iotdb.db.queryengine.plan.execution.config.metadata.ShowFunctionsTask.BINARY_MAP;
import static
org.apache.iotdb.db.queryengine.plan.execution.config.metadata.ShowFunctionsTask.getFunctionState;
import static
org.apache.iotdb.db.queryengine.plan.execution.config.metadata.ShowFunctionsTask.getFunctionType;
@@ -110,35 +114,37 @@ import static
org.apache.iotdb.db.queryengine.plan.execution.config.metadata.ai.
public class InformationSchemaContentSupplierFactory {
private InformationSchemaContentSupplierFactory() {}
+ private static final AccessControl accessControl =
Coordinator.getInstance().getAccessControl();
+
public static Iterator<TsBlock> getSupplier(
- final String tableName, final List<TSDataType> dataTypes) {
+ final String tableName, final List<TSDataType> dataTypes, final String
userName) {
switch (tableName) {
case InformationSchema.QUERIES:
- return new QueriesSupplier(dataTypes);
+ return new QueriesSupplier(dataTypes, userName);
case InformationSchema.DATABASES:
- return new DatabaseSupplier(dataTypes);
+ return new DatabaseSupplier(dataTypes, userName);
case InformationSchema.TABLES:
- return new TableSupplier(dataTypes);
+ return new TableSupplier(dataTypes, userName);
case InformationSchema.COLUMNS:
- return new ColumnSupplier(dataTypes);
+ return new ColumnSupplier(dataTypes, userName);
case InformationSchema.REGIONS:
- return new RegionSupplier(dataTypes);
+ return new RegionSupplier(dataTypes, userName);
case InformationSchema.PIPES:
- return new PipeSupplier(dataTypes);
+ return new PipeSupplier(dataTypes, userName);
case InformationSchema.PIPE_PLUGINS:
return new PipePluginSupplier(dataTypes);
case InformationSchema.TOPICS:
- return new TopicSupplier(dataTypes);
+ return new TopicSupplier(dataTypes, userName);
case InformationSchema.SUBSCRIPTIONS:
- return new SubscriptionSupplier(dataTypes);
+ return new SubscriptionSupplier(dataTypes, userName);
case InformationSchema.VIEWS:
- return new ViewsSupplier(dataTypes);
+ return new ViewsSupplier(dataTypes, userName);
case InformationSchema.MODELS:
return new ModelsSupplier(dataTypes);
case InformationSchema.FUNCTIONS:
return new FunctionsSupplier(dataTypes);
case InformationSchema.CONFIGURATIONS:
- return new ConfigurationsSupplier(dataTypes);
+ return new ConfigurationsSupplier(dataTypes, userName);
case InformationSchema.KEYWORDS:
return new KeywordsSupplier(dataTypes);
default:
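Review bot: The added `private static final AccessControl accessControl = Coordinator.getInstance().getAccessControl();` captures the access-control object once at class initialisation, which couples loading this factory to the Coordinator singleton and gives callers no way to supply a different implementation. AnalyzerTest elsewhere in this commit has its own `nopAccessControl`, so tests presumably cannot exercise this path with a substitute. Passing the `AccessControl` into `getSupplier` next to `userName` would make the dependency explicit. The field is also declared after the constructor, where static fields conventionally come first.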
@@ -149,12 +155,22 @@ public class InformationSchemaContentSupplierFactory {
private static class QueriesSupplier extends TsBlockSupplier {
private final long currTime = System.currentTimeMillis();
// We initialize it later for the convenience of data preparation
+ protected int totalSize;
protected int nextConsumedIndex;
- private final List<IQueryExecution> queryExecutions;
+ private List<IQueryExecution> queryExecutions;
- private QueriesSupplier(final List<TSDataType> dataTypes) {
+ private QueriesSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
queryExecutions = Coordinator.getInstance().getAllQueryExecutions();
+ try {
+ accessControl.checkUserIsAdmin(userName);
+ } catch (final AccessDeniedException e) {
+ queryExecutions =
+ queryExecutions.stream()
+ .filter(iQueryExecution ->
userName.equals(iQueryExecution.getUser()))
+ .collect(Collectors.toList());
+ }
+ this.totalSize = queryExecutions.size();
}
@Override
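Review bot: The constructor uses the `AccessDeniedException` thrown by `checkUserIsAdmin` as an if/else, and to make that work `queryExecutions` loses its `final`. A small boolean helper in the style of `canShowDB` (a new `isAdmin`, sketched below) would let the list be assigned once and keep the field final. `totalSize` is added as `protected` in a private nested class and no use of it is visible in this hunk, so `private final` looks sufficient unless a subclass reads it. The class body continues outside the hunk.

```java
private QueriesSupplier(final List<TSDataType> dataTypes, final String userName) {
  super(dataTypes);
  final List<IQueryExecution> all = Coordinator.getInstance().getAllQueryExecutions();
  // Non-admin users see only the queries they issued themselves.
  queryExecutions =
      isAdmin(userName)
          ? all
          : all.stream()
              .filter(execution -> userName.equals(execution.getUser()))
              .collect(Collectors.toList());
  totalSize = queryExecutions.size();
}

// New helper: reports a denial as false instead of throwing.
private static boolean isAdmin(final String userName) {
  try {
    accessControl.checkUserIsAdmin(userName);
    return true;
  } catch (final AccessDeniedException e) {
    return false;
  }
}
```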
@@ -190,9 +206,11 @@ public class InformationSchemaContentSupplierFactory {
private Iterator<Map.Entry<String, TDatabaseInfo>> iterator;
private TDatabaseInfo currentDatabase;
private boolean hasShownInformationSchema;
+ private final String userName;
- private DatabaseSupplier(final List<TSDataType> dataTypes) {
+ private DatabaseSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ this.userName = userName;
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
iterator =
@@ -238,10 +256,19 @@ public class InformationSchemaContentSupplierFactory {
@Override
public boolean hasNext() {
if (!hasShownInformationSchema) {
- return true;
+ if (!canShowDB(accessControl, userName,
InformationSchema.INFORMATION_DATABASE)) {
+ hasShownInformationSchema = true;
+ } else {
+ return true;
+ }
}
- if (iterator.hasNext()) {
- currentDatabase = iterator.next().getValue();
+ while (iterator.hasNext()) {
+ final Map.Entry<String, TDatabaseInfo> result = iterator.next();
+ if (!canShowDB(accessControl, userName, result.getKey())) {
+ continue;
+ }
+ currentDatabase = result.getValue();
+ break;
}
return Objects.nonNull(currentDatabase);
}
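Review bot: The new `while (iterator.hasNext())` loop advances the iterator on every call to `hasNext()`, so a second call before the row is consumed overwrites `currentDatabase` and silently drops a database. It also relies on `currentDatabase` being reset to null elsewhere for the final `Objects.nonNull` check to end iteration. Guarding the loop as `while (Objects.isNull(currentDatabase) && iterator.hasNext())` would make `hasNext()` idempotent, matching the `while (Objects.isNull(currentTable))` shape in TableSupplier. The code that consumes and resets `currentDatabase` is outside this hunk, so the reset is assumed rather than visible.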
@@ -252,9 +279,11 @@ public class InformationSchemaContentSupplierFactory {
private Iterator<TTableInfo> tableInfoIterator = null;
private TTableInfo currentTable;
private String dbName;
+ private final String userName;
- private TableSupplier(final List<TSDataType> dataTypes) {
+ private TableSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ this.userName = userName;
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
final Map<String, List<TTableInfo>> databaseTableInfoMap =
@@ -313,15 +342,21 @@ public class InformationSchemaContentSupplierFactory {
public boolean hasNext() {
// Get next table info iterator
while (Objects.isNull(currentTable)) {
- if (Objects.nonNull(tableInfoIterator) && tableInfoIterator.hasNext())
{
- currentTable = tableInfoIterator.next();
- return true;
+ while (Objects.nonNull(tableInfoIterator) &&
tableInfoIterator.hasNext()) {
+ final TTableInfo info = tableInfoIterator.next();
+ if (canShowTable(accessControl, userName, dbName,
info.getTableName())) {
+ currentTable = info;
+ return true;
+ }
}
if (!dbIterator.hasNext()) {
return false;
}
final Map.Entry<String, List<TTableInfo>> entry = dbIterator.next();
dbName = entry.getKey();
+ if (!canShowDB(accessControl, userName, dbName)) {
+ continue;
+ }
tableInfoIterator = entry.getValue().iterator();
}
return true;
@@ -335,9 +370,11 @@ public class InformationSchemaContentSupplierFactory {
private String dbName;
private String tableName;
private Set<String> preDeletedColumns;
+ private final String userName;
- private ColumnSupplier(final List<TSDataType> dataTypes) {
+ private ColumnSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ this.userName = userName;
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
final TDescTable4InformationSchemaResp resp =
client.descTables4InformationSchema();
@@ -404,14 +441,22 @@ public class InformationSchemaContentSupplierFactory {
final Map.Entry<String, Map<String, Pair<TsTable, Set<String>>>>
entry =
dbIterator.next();
dbName = entry.getKey();
+ if (!canShowDB(accessControl, userName, dbName)) {
+ continue;
+ }
tableInfoIterator = entry.getValue().entrySet().iterator();
}
- final Map.Entry<String, Pair<TsTable, Set<String>>> tableEntry =
tableInfoIterator.next();
- tableName = tableEntry.getKey();
- preDeletedColumns = tableEntry.getValue().getRight();
- columnSchemaIterator =
tableEntry.getValue().getLeft().getColumnList().iterator();
- break;
+ Map.Entry<String, Pair<TsTable, Set<String>>> tableEntry;
+ while (tableInfoIterator.hasNext()) {
+ tableEntry = tableInfoIterator.next();
+ if (canShowTable(accessControl, userName, dbName,
tableEntry.getKey())) {
+ tableName = tableEntry.getKey();
+ preDeletedColumns = tableEntry.getValue().getRight();
+ columnSchemaIterator =
tableEntry.getValue().getLeft().getColumnList().iterator();
+ break;
+ }
+ }
}
return true;
}
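Review bot: The `break` that previously left the enclosing loop now leaves only the new inner `while (tableInfoIterator.hasNext())`. Whether `hasNext()` behaves correctly when every table of a database is filtered out therefore depends on the enclosing loop's condition, which is outside this hunk. A short comment would help the next reader, e.g. `// break exits the table loop only; the enclosing loop re-checks columnSchemaIterator`, if that is what the condition does. `tableEntry` can also be declared `final` inside the loop, as ViewsSupplier does, instead of as a mutable local before it.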
@@ -420,8 +465,9 @@ public class InformationSchemaContentSupplierFactory {
private static class RegionSupplier extends TsBlockSupplier {
private Iterator<TRegionInfo> iterator;
- private RegionSupplier(final List<TSDataType> dataTypes) {
+ private RegionSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ accessControl.checkUserIsAdmin(userName);
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
iterator =
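Review bot: `accessControl.checkUserIsAdmin(userName)` is repeated in five constructors (RegionSupplier here, and PipeSupplier, TopicSupplier, SubscriptionSupplier and ConfigurationsSupplier in later hunks), and `userName` is passed in only for that call. Doing the check in the `getSupplier` switch, e.g. `case InformationSchema.REGIONS: accessControl.checkUserIsAdmin(userName); return new RegionSupplier(dataTypes);`, would keep the whole table-to-policy mapping in one place where it can be audited. If the constructors keep the check, a comment such as `// Admin only: checked before any ConfigNode call` would record that its position ahead of the client call is deliberate. The constructor body continues outside this hunk.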
@@ -475,8 +521,9 @@ public class InformationSchemaContentSupplierFactory {
private static class PipeSupplier extends TsBlockSupplier {
private Iterator<TShowPipeInfo> iterator;
- private PipeSupplier(final List<TSDataType> dataTypes) {
+ private PipeSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ accessControl.checkUserIsAdmin(userName);
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
iterator =
@@ -571,8 +618,9 @@ public class InformationSchemaContentSupplierFactory {
private static class TopicSupplier extends TsBlockSupplier {
private Iterator<TShowTopicInfo> iterator;
- private TopicSupplier(final List<TSDataType> dataTypes) {
+ private TopicSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ accessControl.checkUserIsAdmin(userName);
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
iterator =
@@ -604,8 +652,9 @@ public class InformationSchemaContentSupplierFactory {
private static class SubscriptionSupplier extends TsBlockSupplier {
private Iterator<TShowSubscriptionInfo> iterator;
- private SubscriptionSupplier(final List<TSDataType> dataTypes) {
+ private SubscriptionSupplier(final List<TSDataType> dataTypes, final
String userName) {
super(dataTypes);
+ accessControl.checkUserIsAdmin(userName);
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
iterator =
@@ -641,9 +690,11 @@ public class InformationSchemaContentSupplierFactory {
private Iterator<Map.Entry<String, Pair<TsTable, Set<String>>>>
tableInfoIterator;
private String dbName;
private TsTable currentTable;
+ private final String userName;
- private ViewsSupplier(final List<TSDataType> dataTypes) {
+ private ViewsSupplier(final List<TSDataType> dataTypes, final String
userName) {
super(dataTypes);
+ this.userName = userName;
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
final TDescTable4InformationSchemaResp resp =
client.descTables4InformationSchema();
@@ -690,12 +741,16 @@ public class InformationSchemaContentSupplierFactory {
final Map.Entry<String, Map<String, Pair<TsTable, Set<String>>>>
entry =
dbIterator.next();
dbName = entry.getKey();
+ if (!canShowDB(accessControl, userName, dbName)) {
+ continue;
+ }
tableInfoIterator = entry.getValue().entrySet().iterator();
}
while (tableInfoIterator.hasNext()) {
final Map.Entry<String, Pair<TsTable, Set<String>>> tableEntry =
tableInfoIterator.next();
- if
(!TreeViewSchema.isTreeViewTable(tableEntry.getValue().getLeft())) {
+ if (!TreeViewSchema.isTreeViewTable(tableEntry.getValue().getLeft())
+ || !canShowTable(accessControl, userName, dbName,
tableEntry.getKey())) {
continue;
}
currentTable = tableEntry.getValue().getLeft();
@@ -825,8 +880,9 @@ public class InformationSchemaContentSupplierFactory {
private static class ConfigurationsSupplier extends TsBlockSupplier {
private Iterator<Pair<Binary, Binary>> resultIterator;
- private ConfigurationsSupplier(final List<TSDataType> dataTypes) {
+ private ConfigurationsSupplier(final List<TSDataType> dataTypes, final
String userName) {
super(dataTypes);
+ accessControl.checkUserIsAdmin(userName);
try (final ConfigNodeClient client =
ConfigNodeClientManager.getInstance().borrowClient(ConfigNodeInfo.CONFIG_REGION_ID))
{
final TClusterParameters parameters =
client.showVariables().getClusterParameters();
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java
index 6e11644725d..a5d25ab0852 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/Coordinator.java
@@ -185,9 +185,7 @@ public class Coordinator {
this.writeOperationExecutor = getWriteExecutor();
this.scheduledExecutor = getScheduledExecutor();
this.accessControl = new AccessControlImpl(new ITableAuthCheckerImpl());
- this.statementRewrite =
- new
StatementRewriteFactory(LocalExecutionPlanner.getInstance().metadata,
accessControl)
- .getStatementRewrite();
+ this.statementRewrite = new
StatementRewriteFactory().getStatementRewrite();
this.logicalPlanOptimizers =
new LogicalOptimizeFactory(
new PlannerContext(
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index 43116bbbe77..a169096341f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -364,15 +364,17 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
context.setQueryType(QueryType.READ);
return new ShowDBTask(
node,
- databaseName -> {
- try {
- accessControl.checkCanShowOrUseDatabase(
- context.getSession().getUserName(), databaseName);
- return true;
- } catch (final AccessDeniedException e) {
- return false;
- }
- });
+ databaseName -> canShowDB(accessControl,
context.getSession().getUserName(), databaseName));
+ }
+
+ public static boolean canShowDB(
+ final AccessControl accessControl, final String userName, final String
databaseName) {
+ try {
+ accessControl.checkCanShowOrUseDatabase(userName, databaseName);
+ return true;
+ } catch (final AccessDeniedException e) {
+ return false;
+ }
}
@Override
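Review bot: `canShowDB`, and `canShowTable` in the next hunk, become public static helpers that another package imports, but neither has Javadoc stating that an `AccessDeniedException` is turned into `false` while any other exception propagates. I would add a short Javadoc to each, for example `/** Returns true if userName may show or use databaseName; a denial is reported as false rather than thrown. */`. The information-schema suppliers now call these once per database and per table, so each hidden row costs a thrown exception. A non-throwing check on `AccessControl` would be the cleaner home if that cost becomes measurable.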
@@ -835,21 +837,28 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
}
String finalDatabase = database;
final Predicate<String> checkCanShowTable =
- tableName -> {
- try {
- accessControl.checkCanShowOrDescTable(
- context.getSession().getUserName(),
- new QualifiedObjectName(finalDatabase, tableName));
- return true;
- } catch (final AccessDeniedException e) {
- return false;
- }
- };
+ tableName ->
+ canShowTable(
+ accessControl, context.getSession().getUserName(),
finalDatabase, tableName);
return node.isDetails()
? new ShowTablesDetailsTask(database, checkCanShowTable)
: new ShowTablesTask(database, checkCanShowTable);
}
+ public static boolean canShowTable(
+ final AccessControl accessControl,
+ final String userName,
+ final String databaseName,
+ final String tableName) {
+ try {
+ accessControl.checkCanShowOrDescTable(
+ userName, new QualifiedObjectName(databaseName, tableName));
+ return true;
+ } catch (final AccessDeniedException e) {
+ return false;
+ }
+ }
+
@Override
protected IConfigTask visitDescribeTable(
final DescribeTable node, final MPPQueryContext context) {
@@ -1170,7 +1179,6 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitShowPipePlugins(ShowPipePlugins node,
MPPQueryContext context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
return new ShowPipePluginsTask(node);
}
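Review bot: With the admin check removed, nothing in `visitShowPipePlugins` records that the statement is now deliberately open to every user, and the integration test in this commit shows the result includes `class_name` and `plugin_jar`. For user-installed plugins those columns may reveal more than the built-in entries do, which is worth confirming as acceptable. A comment such as `// No privilege check: plugin metadata is intentionally readable by all users` would stop a later reader from treating the missing check as an oversight.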
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/planner/TableOperatorGenerator.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/planner/TableOperatorGenerator.java
index d067f7cb84b..cc359fabfff 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/planner/TableOperatorGenerator.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/planner/TableOperatorGenerator.java
@@ -1143,8 +1143,8 @@ public class TableOperatorGenerator extends
PlanVisitor<Operator, LocalExecution
@Override
public Operator visitInformationSchemaTableScan(
- InformationSchemaTableScanNode node, LocalExecutionPlanContext context) {
- OperatorContext operatorContext =
+ final InformationSchemaTableScanNode node, final
LocalExecutionPlanContext context) {
+ final OperatorContext operatorContext =
context
.getDriverContext()
.addOperatorContext(
@@ -1152,7 +1152,7 @@ public class TableOperatorGenerator extends
PlanVisitor<Operator, LocalExecution
node.getPlanNodeId(),
InformationSchemaTableScanOperator.class.getSimpleName());
- List<TSDataType> dataTypes =
+ final List<TSDataType> dataTypes =
node.getOutputSymbols().stream()
.map(symbol ->
getTSDataType(context.getTypeProvider().getTableModelType(symbol)))
.collect(Collectors.toList());
@@ -1160,7 +1160,14 @@ public class TableOperatorGenerator extends
PlanVisitor<Operator, LocalExecution
return new InformationSchemaTableScanOperator(
operatorContext,
node.getPlanNodeId(),
- getSupplier(node.getQualifiedObjectName().getObjectName(), dataTypes));
+ getSupplier(
+ node.getQualifiedObjectName().getObjectName(),
+ dataTypes,
+ context
+ .getDriverContext()
+ .getFragmentInstanceContext()
+ .getSessionInfo()
+ .getUserName()));
}
@Override
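Review bot: The user name that now drives every information_schema authorization decision is read through `getFragmentInstanceContext().getSessionInfo().getUserName()` with no null handling. Whether `getSessionInfo()` or the name can be null for this scan is not visible here, but QueriesSupplier calls `userName.equals(...)` on it, so a null would surface as a NullPointerException rather than a denial. Extracting the chain into a `final String userName` local and failing with an explicit message when it is absent would make that path deliberate.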
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 413676d43cc..abfb7e48901 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -98,8 +98,6 @@ public class AccessControlImpl implements AccessControl {
@Override
public void checkCanSelectFromTable(String userName, QualifiedObjectName
tableName) {
if
(tableName.getDatabaseName().equals(InformationSchema.INFORMATION_DATABASE)) {
- // Currently only root user can select from information schema
- checkUserIsAdmin(userName);
return;
}
authChecker.checkTablePrivilege(userName, tableName,
TableModelPrivilege.SELECT);
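Review bot: After this change the `INFORMATION_DATABASE` branch returns without any check, so SELECT on every information_schema table is allowed here and enforcement rests entirely on the supplier constructors in InformationSchemaContentSupplierFactory. A table added to that switch without its own check would be readable by all users by default, and PIPE_PLUGINS, MODELS, FUNCTIONS and KEYWORDS already take no user name. The deleted comment should be replaced rather than dropped, e.g. `// Per-table checks for information_schema are enforced in InformationSchemaContentSupplierFactory`. The method's closing brace is outside this hunk.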
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java
index 78378b13f1c..12fd67d5017 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/ShowRewrite.java
@@ -23,8 +23,6 @@ import org.apache.iotdb.db.queryengine.common.SessionInfo;
import org.apache.iotdb.db.queryengine.execution.warnings.WarningCollector;
import org.apache.iotdb.db.queryengine.plan.relational.analyzer.NodeRef;
import
org.apache.iotdb.db.queryengine.plan.relational.analyzer.StatementAnalyzerFactory;
-import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
-import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AllColumns;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AstVisitor;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.CountStatement;
@@ -46,23 +44,12 @@ import java.util.List;
import java.util.Map;
import java.util.Optional;
-import static java.util.Objects.requireNonNull;
import static
org.apache.iotdb.commons.schema.table.InformationSchema.INFORMATION_DATABASE;
import static
org.apache.iotdb.db.queryengine.plan.relational.sql.util.QueryUtil.selectList;
import static
org.apache.iotdb.db.queryengine.plan.relational.sql.util.QueryUtil.simpleQuery;
import static
org.apache.iotdb.db.queryengine.plan.relational.sql.util.QueryUtil.table;
public final class ShowRewrite implements StatementRewrite.Rewrite {
- private final Metadata metadata;
-
- // private final SqlParser parser;
- private final AccessControl accessControl;
-
- public ShowRewrite(final Metadata metadata, final AccessControl
accessControl) {
- this.metadata = requireNonNull(metadata, "metadata is null");
- // this.parser = requireNonNull(parser, "parser is null");
- this.accessControl = requireNonNull(accessControl, "accessControl is
null");
- }
@Override
public Statement rewrite(
@@ -72,25 +59,14 @@ public final class ShowRewrite implements
StatementRewrite.Rewrite {
final List<Expression> parameters,
final Map<NodeRef<Parameter>, Expression> parameterLookup,
final WarningCollector warningCollector) {
- final Visitor visitor = new Visitor(metadata, session, accessControl);
+ final Visitor visitor = new Visitor();
return (Statement) visitor.process(node, null);
}
private static class Visitor extends AstVisitor<Node, Void> {
- private final Metadata metadata;
- private final SessionInfo session;
- private final AccessControl accessControl;
-
- public Visitor(
- final Metadata metadata, final SessionInfo session, final
AccessControl accessControl) {
- this.metadata = requireNonNull(metadata, "metadata is null");
- this.session = requireNonNull(session, "session is null");
- this.accessControl = requireNonNull(accessControl, "accessControl is
null");
- }
@Override
protected Node visitShowQueriesStatement(ShowQueriesStatement node, Void
context) {
- accessControl.checkUserIsAdmin(session.getUserName());
return visitShowStatement(node, context);
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java
index 5536220508a..15ec9a9a693 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/rewrite/StatementRewriteFactory.java
@@ -18,17 +18,13 @@
*/
package org.apache.iotdb.db.queryengine.plan.relational.sql.rewrite;
-import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
-import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
-
import com.google.common.collect.ImmutableSet;
public class StatementRewriteFactory {
private final StatementRewrite statementRewrite;
- public StatementRewriteFactory(Metadata metadata, AccessControl
accessControl) {
- this.statementRewrite =
- new StatementRewrite(ImmutableSet.of(new ShowRewrite(metadata,
accessControl)));
+ public StatementRewriteFactory() {
+ this.statementRewrite = new StatementRewrite(ImmutableSet.of(new
ShowRewrite()));
}
public StatementRewrite getStatementRewrite() {
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java
index 7f8ff3683c6..fe404ab5a84 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/analyzer/AnalyzerTest.java
@@ -1241,7 +1241,7 @@ public class AnalyzerTest {
statementAnalyzerFactory,
Collections.emptyList(),
Collections.emptyMap(),
- new StatementRewriteFactory(metadata,
nopAccessControl).getStatementRewrite(),
+ new StatementRewriteFactory().getStatementRewrite(),
NOOP);
return analyzer.analyze(statement);
} catch (final Exception e) {
@@ -1266,7 +1266,7 @@ public class AnalyzerTest {
statementAnalyzerFactory,
Collections.emptyList(),
Collections.emptyMap(),
- new StatementRewriteFactory(metadata,
nopAccessControl).getStatementRewrite(),
+ new StatementRewriteFactory().getStatementRewrite(),
NOOP);
return analyzer.analyze(statement);
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java
index d33628c3013..1d388876b29 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/queryengine/plan/relational/planner/PlanTester.java
@@ -39,7 +39,6 @@ import
org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
import
org.apache.iotdb.db.queryengine.plan.relational.planner.distribute.TableDistributedPlanner;
import
org.apache.iotdb.db.queryengine.plan.relational.planner.optimizations.DataNodeLocationSupplierFactory;
import
org.apache.iotdb.db.queryengine.plan.relational.planner.optimizations.PlanOptimizer;
-import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
import
org.apache.iotdb.db.queryengine.plan.relational.security.AllowAllAccessControl;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.Statement;
import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser;
@@ -160,8 +159,7 @@ public class PlanTester {
SessionInfo session =
new SessionInfo(
0, "test", ZoneId.systemDefault(), databaseName,
IClientSession.SqlDialect.TABLE);
- return analyzeStatement(
- statement, metadata, context, sqlParser, session, new
AllowAllAccessControl());
+ return analyzeStatement(statement, metadata, context, sqlParser, session);
}
public static Analysis analyzeStatement(
@@ -169,8 +167,7 @@ public class PlanTester {
Metadata metadata,
MPPQueryContext context,
SqlParser sqlParser,
- SessionInfo session,
- AccessControl accessControl) {
+ SessionInfo session) {
try {
StatementAnalyzerFactory statementAnalyzerFactory =
new StatementAnalyzerFactory(metadata, sqlParser, new
AllowAllAccessControl());
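Review bot: With the `AccessControl` parameter gone, `analyzeStatement` always runs under `new AllowAllAccessControl()`, so no test built on this helper can exercise a denying policy. That is consistent with the rewrite no longer checking privileges, but it should be stated on the method, for example a Javadoc line `Analyzes with allow-all access control; privilege enforcement is not exercised by this helper.` Coverage of the new information_schema privilege behaviour then depends on the integration tests touched elsewhere in this commit. The method signature begins in the previous hunk's trailing context and the body continues into the next hunk.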
@@ -182,7 +179,7 @@ public class PlanTester {
statementAnalyzerFactory,
Collections.emptyList(),
Collections.emptyMap(),
- new StatementRewriteFactory(metadata,
accessControl).getStatementRewrite(),
+ new StatementRewriteFactory().getStatementRewrite(),
NOOP);
return analyzer.analyze(statement);
} catch (Exception e) {