This is an automated email from the ASF dual-hosted git repository.

shuwenwei pushed a commit to branch AuthEnhance
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/AuthEnhance by this push:
     new 34ed2eb0776 modify AccessControl
34ed2eb0776 is described below

commit 34ed2eb077620dcb10cbbf4b8169d7e6f667b5cd
Author: shuwenwei <[email protected]>
AuthorDate: Wed Sep 17 10:24:22 2025 +0800

    modify AccessControl
---
 .../plan/relational/security/AccessControl.java    |  9 ++++++
 .../relational/security/AccessControlImpl.java     | 32 ++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
index b91c75b0407..1cc7083360b 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
@@ -20,6 +20,7 @@
 package org.apache.iotdb.db.queryengine.plan.relational.security;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
 import org.apache.iotdb.commons.path.PartialPath;
 import 
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
@@ -175,6 +176,14 @@ public interface AccessControl {
    */
   void checkUserGlobalSysPrivilege(String userName);
 
+  /**
+   * Check if user has sepecified global privilege
+   * @param userName name of user
+   * @param privilegeType needed privilege
+   * @throws AccessDeniedException if not allowed
+   */
+  boolean hasGlobalPrivilege(String userName, PrivilegeType privilegeType);
+
   // ====================================== TREE 
=============================================
 
   TSStatus checkPermissionBeforeProcess(Statement statement, String userName);
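Review bot: The Javadoc added for hasGlobalPrivilege documents `@throws AccessDeniedException if not allowed`, but the method is declared to return boolean and the implementation added in this commit returns the result of the check instead of throwing, so a caller who reads the contract may wrap the call in a catch block and never inspect the return value. Replace the @throws line with `@return {@code true} if the user holds the privilege, {@code false} otherwise`, and fix the typo `sepecified` → `specified` in the summary line. It is also worth stating in the summary whether the super user is always considered to hold the privilege, since the implementation short-circuits on `AuthorityChecker.SUPER_USER` while the existing `checkUserGlobalSysPrivilege` above has a separate (throwing) contract.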
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 50c8d9b2e87..1e5ee6bc82a 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -54,18 +54,27 @@ public class AccessControlImpl implements AccessControl {
   @Override
   public void checkCanCreateDatabase(String userName, String databaseName) {
     InformationSchemaUtils.checkDBNameInWrite(databaseName);
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkDatabasePrivilege(userName, databaseName, 
TableModelPrivilege.CREATE);
   }
 
   @Override
   public void checkCanDropDatabase(String userName, String databaseName) {
     InformationSchemaUtils.checkDBNameInWrite(databaseName);
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkDatabasePrivilege(userName, databaseName, 
TableModelPrivilege.DROP);
   }
 
   @Override
   public void checkCanAlterDatabase(String userName, String databaseName) {
     InformationSchemaUtils.checkDBNameInWrite(databaseName);
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkDatabasePrivilege(userName, databaseName, 
TableModelPrivilege.ALTER);
   }
 
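Review bot: The same three-line SYSTEM short-circuit `if (AuthorityChecker.checkSystemPermission(userName, PrivilegeType.SYSTEM)) { return; }` is pasted into every database/table check in this hunk and again in the hunks at `@@ -75,24 +84,36 @@`, `@@ -136,6 +157,9 @@` and `@@ -144,6 +168,9 @@`, so the bypass policy lives in nine places and will drift the first time one site is edited; fold it into one private helper such as `private static boolean hasSystemPrivilege(String userName) { return AuthorityChecker.checkSystemPermission(userName, PrivilegeType.SYSTEM); }` and call that from each site. Because this widens what a SYSTEM grantee may do (it now overrides the table-model database/table CREATE, DROP and ALTER and visibility checks), the helper deserves a comment saying so, e.g. `// SYSTEM privilege overrides table-model database/table privilege checks; the information-schema write guard still runs first`. The ordering is right as written: `InformationSchemaUtils.checkDBNameInWrite` runs before the short-circuit, so a SYSTEM holder still cannot write to the information schema. One inconsistency to confirm: the new `hasGlobalPrivilege` in this commit treats `AuthorityChecker.SUPER_USER` specially, while these sites rely on `checkSystemPermission` alone and only the `@@ -144,6 +168,9 @@` hunk has its own SUPER_USER guard; if `checkSystemPermission` does not itself grant the super user, root's outcome differs by code path, and routing these sites through `hasGlobalPrivilege(userName, PrivilegeType.SYSTEM)` would make them agree.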
@@ -75,24 +84,36 @@ public class AccessControlImpl implements AccessControl {
     if (databaseName.equals(InformationSchema.INFORMATION_DATABASE)) {
       return;
     }
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkDatabaseVisibility(userName, databaseName);
   }
 
   @Override
   public void checkCanCreateTable(String userName, QualifiedObjectName 
tableName) {
     InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkTablePrivilege(userName, tableName, 
TableModelPrivilege.CREATE);
   }
 
   @Override
   public void checkCanDropTable(String userName, QualifiedObjectName 
tableName) {
     InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkTablePrivilege(userName, tableName, 
TableModelPrivilege.DROP);
   }
 
   @Override
   public void checkCanAlterTable(String userName, QualifiedObjectName 
tableName) {
     InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkTablePrivilege(userName, tableName, 
TableModelPrivilege.ALTER);
   }
 
@@ -136,6 +157,9 @@ public class AccessControlImpl implements AccessControl {
     if 
(tableName.getDatabaseName().equals(InformationSchema.INFORMATION_DATABASE)) {
       return;
     }
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     authChecker.checkTableVisibility(userName, tableName);
   }
 
@@ -144,6 +168,9 @@ public class AccessControlImpl implements AccessControl {
     if (AuthorityChecker.SUPER_USER.equals(userName)) {
       return;
     }
+    if (AuthorityChecker.checkSystemPermission(userName, 
PrivilegeType.SYSTEM)) {
+      return;
+    }
     TSStatus status =
         AuthorityChecker.getTSStatus(
             AuthorityChecker.checkFullPathOrPatternPermission(
@@ -373,6 +400,11 @@ public class AccessControlImpl implements AccessControl {
     }
   }
 
+  @Override
+  public boolean hasGlobalPrivilege(String userName, PrivilegeType 
privilegeType) {
+    return AuthorityChecker.SUPER_USER.equals(userName) || 
AuthorityChecker.checkSystemPermission(userName, privilegeType);
+  }
+
   @Override
   public TSStatus checkPermissionBeforeProcess(Statement statement, String 
userName) {
     if (AuthorityChecker.SUPER_USER.equals(userName) && !(statement instanceof 
AuthorStatement)) {
