This is an automated email from the ASF dual-hosted git repository.

shuwenwei pushed a commit to branch authRefactor
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/authRefactor by this push:
     new 0fbcb00795a add admin privileges
0fbcb00795a is described below

commit 0fbcb00795a59bdbde811d85194e5a3910a9f029
Author: shuwenwei <[email protected]>
AuthorDate: Mon Sep 15 10:29:16 2025 +0800

    add admin privileges
---
 .../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4  | 11 ++++++++
 .../org/apache/iotdb/db/auth/AuthorityChecker.java | 15 +++++++++-
 .../apache/iotdb/db/auth/IAuthorityFetcher.java    |  2 +-
 .../iotdb/commons/auth/entity/PrivilegeType.java   | 17 +++++++++--
 .../org/apache/iotdb/commons/auth/entity/Role.java |  3 +-
 .../org/apache/iotdb/commons/utils/AuthUtils.java  | 33 ++++++++++++++++++++++
 .../db/relational/grammar/sql/RelationalSql.g4     |  4 +++
 7 files changed, 80 insertions(+), 5 deletions(-)

diff --git 
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
index 72b4001390d..b95674ace76 100644
--- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
+++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
@@ -1080,6 +1080,9 @@ PRIVILEGE_VALUE
     | EXTEND_TEMPLATE
     | MANAGE_DATABASE
     | MAINTAIN
+    | SYSTEM
+    | SECURITY
+    | AUDIT
     ;
 
 READ_DATA
@@ -1138,6 +1141,14 @@ MAINTAIN
     : M A I N T A I N
     ;
 
+SECURITY
+    : S E C U R I T Y
+    ;
+
+AUDIT
+    : A U D I T
+    ;
+
 REPAIR
     : R E P A I R
     ;
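Review bot: The new SECURITY and AUDIT lexer rules turn two previously free words into keywords, so an existing path node, alias or other identifier spelled `security` or `audit` will stop lexing as an identifier unless the lexer's identifier/keyword-fallback list is extended as well; this hunk does not touch that list, so that should be confirmed before merge. The same concern applies to `AUDIT: 'AUDIT';` added at the end of RelationalSql.g4, where a Trino-style `nonReserved` rule, if the grammar has one, would need the new token. SYSTEM is referenced in the PRIVILEGE_VALUE hunk above but not defined here, so it presumably already exists as a token in this lexer.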
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 71f064008df..18fd49d8521 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -28,6 +28,7 @@ import org.apache.iotdb.commons.path.PathPatternTree;
 import org.apache.iotdb.commons.schema.column.ColumnHeader;
 import org.apache.iotdb.commons.schema.column.ColumnHeaderConstant;
 import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
+import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.confignode.rpc.thrift.TAuthorizerResp;
 import org.apache.iotdb.confignode.rpc.thrift.TDBPrivilege;
 import org.apache.iotdb.confignode.rpc.thrift.TPathPrivilege;
@@ -55,6 +56,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.StringJoiner;
 import java.util.stream.Collectors;
 
 import static 
org.apache.iotdb.commons.schema.column.ColumnHeaderConstant.LIST_USER_OR_ROLE_PRIVILEGES_COLUMN_HEADERS;
@@ -154,7 +156,18 @@ public class AuthorityChecker {
     return hasPermission
         ? SUCCEED
         : new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
-            .setMessage(NO_PERMISSION_PROMOTION + neededPrivilege);
+            .setMessage(
+                NO_PERMISSION_PROMOTION
+                    + getSatisfyAnyNeededPrivilegeString(
+                        
AuthUtils.getAllPrivilegesContainingCurrentPrivilege(neededPrivilege)));
+  }
+
+  private static String getSatisfyAnyNeededPrivilegeString(List<PrivilegeType> 
privileges) {
+    StringJoiner sj = new StringJoiner("/");
+    for (PrivilegeType privilege : privileges) {
+      sj.add(privilege.toString());
+    }
+    return sj.toString();
   }
 
   public static TSStatus getGrantOptTSStatus(
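Review bot: `getSatisfyAnyNeededPrivilegeString` hand-rolls a join that the file's existing `Collectors` import already covers; `return privileges.stream().map(PrivilegeType::toString).collect(Collectors.joining("/"));` replaces the loop and makes the `java.util.StringJoiner` import added in the earlier hunk unnecessary. A one-line Javadoc would also help, because the "/" is read by users as "any one of these": `/** Formats the privileges whose holders satisfy the check as "A/B" for the NO_PERMISSION message. */`. The method whose return statement is changed at the top of the hunk begins outside it.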
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
index 6b93c211fd6..51b9212cf45 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
@@ -45,7 +45,7 @@ public interface IAuthorityFetcher {
   TSStatus checkUserPathPrivilegesGrantOpt(
       String username, List<? extends PartialPath> allPath, PrivilegeType 
permission);
 
-  TSStatus checkUserSysPrivileges(String username, PrivilegeType permission);
+  TSStatus checkUserSysPrivileges(String username, PrivilegeType permissions);
 
   TSStatus checkUserDBPrivileges(String username, String database, 
PrivilegeType permission);
 
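Review bot: The parameter rename to `permissions` is misleading: the type is still a single `PrivilegeType`, the plural reads as if a collection were accepted, and the neighbouring methods in the same hunk keep `permission`. Either keep `PrivilegeType permission`, or, if the intent is that one requested privilege may now be satisfied by several held ones (as the new `AuthUtils` helper does), document that on the method rather than in the parameter name.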
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
index 773a1be38ba..bb455073d49 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
@@ -44,7 +44,11 @@ public enum PrivilegeType {
   ALTER(PrivilegeModelType.RELATIONAL),
   SELECT(PrivilegeModelType.RELATIONAL),
   INSERT(PrivilegeModelType.RELATIONAL),
-  DELETE(PrivilegeModelType.RELATIONAL);
+  DELETE(PrivilegeModelType.RELATIONAL),
+
+  SYSTEM(PrivilegeModelType.SYSTEM),
+  SECURITY(PrivilegeModelType.SYSTEM),
+  AUDIT(PrivilegeModelType.SYSTEM);
 
   private final PrivilegeModelType modelType;
 
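Review bot: The three new constants carry no documentation, yet their meaning is defined elsewhere, in `AuthUtils.getAllPrivilegesContainingCurrentPrivilege`: holding SECURITY satisfies checks for MANAGE_USER and MANAGE_ROLE, holding SYSTEM satisfies the MAINTAIN, MANAGE_DATABASE, EXTEND_TEMPLATE and USE_* checks, and AUDIT currently implies nothing beyond itself. A comment above `SYSTEM(PrivilegeModelType.SYSTEM),` saying that these are umbrella privileges whose implied set lives in that helper would keep the places in sync when a privilege is added, since `forRelationalSys` in the next hunk is a third hand-maintained list of the same constants.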
@@ -93,7 +97,16 @@ public enum PrivilegeType {
   }
 
   public boolean forRelationalSys() {
-    return this == MANAGE_USER || this == MANAGE_ROLE;
+    switch (this) {
+      case MANAGE_USER:
+      case MANAGE_ROLE:
+      case SYSTEM:
+      case SECURITY:
+      case AUDIT:
+        return true;
+      default:
+        return false;
+    }
   }
 
   public PrivilegeModelType getModelType() {
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
index 21481de80c4..d798f0085ca 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
@@ -515,7 +515,8 @@ public class Role {
   }
 
   public boolean checkSysPrivilege(PrivilegeType priv) {
-    return sysPrivilegeSet.contains(priv);
+    return AuthUtils.getAllPrivilegesContainingCurrentPrivilege(priv).stream()
+        .anyMatch(sysPrivilegeSet::contains);
   }
 
   public boolean checkSysPriGrantOpt(PrivilegeType priv) {
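Review bot: `checkSysPrivilege` now succeeds when the role holds any privilege that implies `priv`, but `checkSysPriGrantOpt`, which begins on the last line of the hunk and continues outside it, is not shown to be updated; if it still consults only the grant-option set, a holder of SECURITY with grant option would pass the privilege check for MANAGE_USER yet fail the grant-option check for it, which should be confirmed as intended. The diffstat records no added import in this file, so `AuthUtils` must already be in scope here — verify. A comment on the changed line, `// a held umbrella privilege (SYSTEM/SECURITY) satisfies the privileges it covers`, would explain why the lookup is no longer a plain contains.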
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
index 09824dfbd69..1ee4c8beb46 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
@@ -41,6 +41,8 @@ import java.io.DataOutputStream;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -508,6 +510,12 @@ public class AuthUtils {
         return PrivilegeType.MAINTAIN;
       case 9:
         return PrivilegeType.USE_MODEL;
+      case 10:
+        return PrivilegeType.SYSTEM;
+      case 11:
+        return PrivilegeType.SECURITY;
+      case 12:
+        return PrivilegeType.AUDIT;
       default:
         // Not reach here.
         LOGGER.warn("Not support position");
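Review bot: Positions 10–12 extend the sys-privilege position space shared by `posToSysPri` and `sysPriToPos` in the next hunk; whatever stores or transmits these positions as a fixed-width mask must have room for them, which this hunk cannot show — confirm against the serialization code, since the file's DataOutputStream/ByteBuffer imports suggest the positions are persisted. A comment at the new cases, `// positions 10-12 are the admin umbrella privileges; keep in sync with sysPriToPos`, would tie the two switches together.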
@@ -537,11 +545,36 @@ public class AuthUtils {
         return 8;
       case USE_MODEL:
         return 9;
+      case SYSTEM:
+        return 10;
+      case SECURITY:
+        return 11;
+      case AUDIT:
+        return 12;
       default:
         return -1;
     }
   }
 
+  public static List<PrivilegeType> 
getAllPrivilegesContainingCurrentPrivilege(PrivilegeType priv) {
+    switch (priv) {
+      case MANAGE_USER:
+      case MANAGE_ROLE:
+        return Arrays.asList(priv, PrivilegeType.SECURITY);
+      case MAINTAIN:
+      case USE_UDF:
+      case USE_MODEL:
+      case USE_TRIGGER:
+      case USE_CQ:
+      case USE_PIPE:
+      case MANAGE_DATABASE:
+      case EXTEND_TEMPLATE:
+        return Arrays.asList(priv, PrivilegeType.SYSTEM);
+      default:
+        return Collections.singletonList(priv);
+    }
+  }
+
   public static int pathPosToPri(int pos) {
     switch (pos) {
       case 0:
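Review bot: `getAllPrivilegesContainingCurrentPrivilege` is the single definition of which held privilege satisfies which requested privilege, a security-relevant mapping, and it is public with no Javadoc. A Javadoc should state that the result contains `priv` itself first, followed by the umbrella privileges whose holders implicitly pass a check for `priv` (SECURITY for user/role management, SYSTEM for the maintenance and USE_* privileges), that the order is relied on by the NO_PERMISSION message in AuthorityChecker, and that a privilege absent from the switch implies only itself. The name also reads backwards — these are the privileges that grant `priv`, not ones it contains — so something like `getPrivilegesSatisfying(priv)` would be clearer if callers are few. `Arrays.asList` returns a fixed-size but mutable view; wrapping the results in `Collections.unmodifiableList` would keep callers from altering the mapping.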
diff --git 
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
 
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
index 3fd595b149a..7a00fc46bc9 100644
--- 
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
+++ 
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
@@ -765,6 +765,9 @@ objectScope
 systemPrivilege
     : MANAGE_USER
     | MANAGE_ROLE
+    | SYSTEM
+    | SECURITY
+    | AUDIT
     ;
 
 objectPrivilege
@@ -1797,6 +1800,7 @@ WRAPPER: 'WRAPPER';
 WRITE: 'WRITE';
 YEAR: 'YEAR' | 'Y';
 ZONE: 'ZONE';
+AUDIT: 'AUDIT';
 
 EQ: '=';
 NEQ: '<>' | '!=';
