This is an automated email from the ASF dual-hosted git repository.
shuwenwei pushed a commit to branch AuthEnhance
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/AuthEnhance by this push:
new eaf082c5707 table model cluster management & maintain
eaf082c5707 is described below
commit eaf082c57074004baec89e23f9a9e3861f250eb4
Author: shuwenwei <[email protected]>
AuthorDate: Wed Sep 17 11:15:16 2025 +0800
table model cluster management & maintain
---
.../CnToDnInternalServiceAsyncRequestManager.java | 4 ++-
.../client/sync/SyncDataNodeClientPool.java | 3 +-
.../iotdb/confignode/manager/ConfigManager.java | 4 +--
.../apache/iotdb/confignode/manager/IManager.java | 2 +-
.../iotdb/confignode/manager/node/NodeManager.java | 24 ++++++++++-----
.../thrift/ConfigNodeRPCServiceProcessor.java | 4 +--
.../iotdb/db/protocol/client/ConfigNodeClient.java | 6 ++--
.../impl/DataNodeInternalRPCServiceImpl.java | 14 +++++++--
.../InformationSchemaContentSupplierFactory.java | 2 +-
.../execution/config/TableConfigTaskVisitor.java | 35 ++++++++++++----------
.../config/executor/ClusterConfigTaskExecutor.java | 3 +-
.../plan/execution/config/sys/KillQueryTask.java | 3 +-
.../plan/relational/security/AccessControl.java | 1 +
.../relational/security/AccessControlImpl.java | 3 +-
.../relational/security/AllowAllAccessControl.java | 6 ++++
.../plan/statement/sys/KillQueryStatement.java | 10 +++++++
16 files changed, 86 insertions(+), 38 deletions(-)
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/async/CnToDnInternalServiceAsyncRequestManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/async/CnToDnInternalServiceAsyncRequestManager.java
index f683b9d8e42..d23e14728dc 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/async/CnToDnInternalServiceAsyncRequestManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/async/CnToDnInternalServiceAsyncRequestManager.java
@@ -77,6 +77,7 @@ import org.apache.iotdb.mpp.rpc.thrift.TInvalidateCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateColumnCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateMatchedSchemaCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateTableCacheReq;
+import org.apache.iotdb.mpp.rpc.thrift.TKillQueryInstanceReq;
import org.apache.iotdb.mpp.rpc.thrift.TNotifyRegionMigrationReq;
import org.apache.iotdb.mpp.rpc.thrift.TPipeHeartbeatReq;
import org.apache.iotdb.mpp.rpc.thrift.TPushConsumerGroupMetaReq;
@@ -364,7 +365,8 @@ public class CnToDnInternalServiceAsyncRequestManager
actionMapBuilder.put(
CnToDnAsyncRequestType.KILL_QUERY_INSTANCE,
(req, client, handler) ->
- client.killQueryInstance((String) req,
(DataNodeTSStatusRPCHandler) handler));
+ client.killQueryInstance(
+ (TKillQueryInstanceReq) req, (DataNodeTSStatusRPCHandler)
handler));
actionMapBuilder.put(
CnToDnAsyncRequestType.SET_SPACE_QUOTA,
(req, client, handler) ->
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/sync/SyncDataNodeClientPool.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/sync/SyncDataNodeClientPool.java
index 902793ffbb4..d63d5a74f60 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/sync/SyncDataNodeClientPool.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/client/sync/SyncDataNodeClientPool.java
@@ -34,6 +34,7 @@ import org.apache.iotdb.mpp.rpc.thrift.TCreatePeerReq;
import org.apache.iotdb.mpp.rpc.thrift.TCreateSchemaRegionReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidatePermissionCacheReq;
+import org.apache.iotdb.mpp.rpc.thrift.TKillQueryInstanceReq;
import org.apache.iotdb.mpp.rpc.thrift.TMaintainPeerReq;
import org.apache.iotdb.mpp.rpc.thrift.TRegionLeaderChangeReq;
import org.apache.iotdb.mpp.rpc.thrift.TRegionLeaderChangeResp;
@@ -111,7 +112,7 @@ public class SyncDataNodeClientPool {
(req, client) -> client.setSystemStatus((String) req));
actionMapBuilder.put(
CnToDnSyncRequestType.KILL_QUERY_INSTANCE,
- (req, client) -> client.killQueryInstance((String) req));
+ (req, client) -> client.killQueryInstance((TKillQueryInstanceReq)
req));
actionMapBuilder.put(
CnToDnSyncRequestType.UPDATE_TEMPLATE,
(req, client) -> client.updateTemplate((TUpdateTemplateReq) req));
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
index cd7d295aea8..b70a21d9117 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
@@ -1834,10 +1834,10 @@ public class ConfigManager implements IManager {
}
@Override
- public TSStatus killQuery(String queryId, int dataNodeId) {
+ public TSStatus killQuery(String queryId, int dataNodeId, String
allowedUsername) {
TSStatus status = confirmLeader();
return status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()
- ? nodeManager.killQuery(queryId, dataNodeId)
+ ? nodeManager.killQuery(queryId, dataNodeId, allowedUsername)
: status;
}
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/IManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/IManager.java
index 012171ff679..a0771a68ebd 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/IManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/IManager.java
@@ -613,7 +613,7 @@ public interface IManager {
/** TestOnly. Set the target DataNode to the specified status */
TSStatus setDataNodeStatus(TSetDataNodeStatusReq req);
- TSStatus killQuery(String queryId, int dataNodeId);
+ TSStatus killQuery(String queryId, int dataNodeId, String allowedUsername);
TGetDataNodeLocationsResp getReadableDataNodeLocations();
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java
index 706bd09529f..ab247fcad12 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/node/NodeManager.java
@@ -98,6 +98,7 @@ import
org.apache.iotdb.confignode.rpc.thrift.TSetDataNodeStatusReq;
import org.apache.iotdb.consensus.common.DataSet;
import org.apache.iotdb.consensus.common.Peer;
import org.apache.iotdb.consensus.exception.ConsensusException;
+import org.apache.iotdb.mpp.rpc.thrift.TKillQueryInstanceReq;
import org.apache.iotdb.rpc.RpcUtils;
import org.apache.iotdb.rpc.TSStatusCode;
@@ -1182,35 +1183,42 @@ public class NodeManager {
* @param dataNodeId the DataNode obtains target read, -1 means we will kill
all queries on all
* DataNodes
*/
- public TSStatus killQuery(String queryId, int dataNodeId) {
+ public TSStatus killQuery(String queryId, int dataNodeId, String
allowedUsername) {
if (dataNodeId < 0) {
- return killAllQueries();
+ return killAllQueries(allowedUsername);
} else {
- return killSpecificQuery(queryId,
getRegisteredDataNodeLocations().get(dataNodeId));
+ return killSpecificQuery(
+ queryId, getRegisteredDataNodeLocations().get(dataNodeId),
allowedUsername);
}
}
- private TSStatus killAllQueries() {
+ private TSStatus killAllQueries(String allowedUsername) {
Map<Integer, TDataNodeLocation> dataNodeLocationMap =
configManager.getNodeManager().getRegisteredDataNodeLocations();
- DataNodeAsyncRequestContext<String, TSStatus> clientHandler =
+ TKillQueryInstanceReq req = new TKillQueryInstanceReq();
+ req.setAllowedUsername(allowedUsername);
+ DataNodeAsyncRequestContext<TKillQueryInstanceReq, TSStatus> clientHandler
=
new DataNodeAsyncRequestContext<>(
- CnToDnAsyncRequestType.KILL_QUERY_INSTANCE, dataNodeLocationMap);
+ CnToDnAsyncRequestType.KILL_QUERY_INSTANCE, req,
dataNodeLocationMap);
CnToDnInternalServiceAsyncRequestManager.getInstance().sendAsyncRequestWithRetry(clientHandler);
return RpcUtils.squashResponseStatusList(clientHandler.getResponseList());
}
- private TSStatus killSpecificQuery(String queryId, TDataNodeLocation
dataNodeLocation) {
+ private TSStatus killSpecificQuery(
+ String queryId, TDataNodeLocation dataNodeLocation, String
allowedUsername) {
if (dataNodeLocation == null) {
return new TSStatus(TSStatusCode.INTERNAL_SERVER_ERROR.getStatusCode())
.setMessage(
"The target DataNode is not existed, please ensure your input
<queryId> is correct");
} else {
+ TKillQueryInstanceReq req = new TKillQueryInstanceReq();
+ req.setQueryId(queryId);
+ req.setAllowedUsername(allowedUsername);
return (TSStatus)
SyncDataNodeClientPool.getInstance()
.sendSyncRequestToDataNodeWithRetry(
dataNodeLocation.getInternalEndPoint(),
- queryId,
+ req,
CnToDnSyncRequestType.KILL_QUERY_INSTANCE);
}
}
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
index 970f563f1e2..935aa1064e7 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCServiceProcessor.java
@@ -1012,8 +1012,8 @@ public class ConfigNodeRPCServiceProcessor implements
IConfigNodeRPCService.Ifac
}
@Override
- public TSStatus killQuery(String queryId, int dataNodeId) {
- return configManager.killQuery(queryId, dataNodeId);
+ public TSStatus killQuery(String queryId, int dataNodeId, String
allowedUsername) {
+ return configManager.killQuery(queryId, dataNodeId, allowedUsername);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
index ad27881c162..4f6548ef112 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java
@@ -856,9 +856,11 @@ public class ConfigNodeClient implements
IConfigNodeRPCService.Iface, ThriftClie
}
@Override
- public TSStatus killQuery(String queryId, int dataNodeId) throws TException {
+ public TSStatus killQuery(String queryId, int dataNodeId, String
allowedUsername)
+ throws TException {
return executeRemoteCallWithRetry(
- () -> client.killQuery(queryId, dataNodeId), status ->
!updateConfigNodeLeader(status));
+ () -> client.killQuery(queryId, dataNodeId, allowedUsername),
+ status -> !updateConfigNodeLeader(status));
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/DataNodeInternalRPCServiceImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/DataNodeInternalRPCServiceImpl.java
index f7a2fa87980..a7e9ee828bf 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/DataNodeInternalRPCServiceImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/thrift/impl/DataNodeInternalRPCServiceImpl.java
@@ -249,6 +249,7 @@ import
org.apache.iotdb.mpp.rpc.thrift.TInvalidateColumnCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateMatchedSchemaCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidatePermissionCacheReq;
import org.apache.iotdb.mpp.rpc.thrift.TInvalidateTableCacheReq;
+import org.apache.iotdb.mpp.rpc.thrift.TKillQueryInstanceReq;
import org.apache.iotdb.mpp.rpc.thrift.TLoadCommandReq;
import org.apache.iotdb.mpp.rpc.thrift.TLoadResp;
import org.apache.iotdb.mpp.rpc.thrift.TMaintainPeerReq;
@@ -2427,16 +2428,25 @@ public class DataNodeInternalRPCServiceImpl implements
IDataNodeRPCService.Iface
}
@Override
- public TSStatus killQueryInstance(String queryId) {
+ public TSStatus killQueryInstance(TKillQueryInstanceReq req) {
Coordinator coordinator = Coordinator.getInstance();
+ String queryId = req.getQueryId();
+ String allowedUsername = req.getAllowedUsername();
if (queryId == null) {
- coordinator.getAllQueryExecutions().forEach(IQueryExecution::cancel);
+ coordinator.getAllQueryExecutions().stream()
+ .filter(
+ iQueryExecution ->
+ allowedUsername == null ||
allowedUsername.equals(iQueryExecution.getUser()))
+ .forEach(IQueryExecution::cancel);
} else {
Optional<IQueryExecution> queryExecution =
coordinator.getAllQueryExecutions().stream()
.filter(iQueryExecution ->
iQueryExecution.getQueryId().equals(queryId))
.findAny();
if (queryExecution.isPresent()) {
+ if (allowedUsername != null &&
!allowedUsername.equals(queryExecution.get().getUser())) {
+ return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode());
+ }
queryExecution.get().cancel();
} else {
return new
TSStatus(TSStatusCode.NO_SUCH_QUERY.getStatusCode()).setMessage("No such
query");
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
index 3ba3668e990..c2004972b47 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java
@@ -180,7 +180,7 @@ public class InformationSchemaContentSupplierFactory {
super(dataTypes);
queryExecutions = Coordinator.getInstance().getAllQueryExecutions();
try {
- accessControl.checkUserIsAdmin(userName);
+ accessControl.checkUserGlobalSysPrivilege(userName);
} catch (final AccessDeniedException e) {
queryExecutions =
queryExecutions.stream()
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index b796cb1e81e..5402992563c 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -20,6 +20,7 @@
package org.apache.iotdb.db.queryengine.plan.execution.config;
import org.apache.iotdb.common.rpc.thrift.Model;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
@@ -414,7 +415,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitShowRegions(
final ShowRegions showRegions, final MPPQueryContext context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
// As the implementation is identical, we'll simply translate to the
// corresponding tree-model variant and execute that.
final ShowRegionStatement treeStatement = new ShowRegionStatement();
@@ -465,7 +466,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitShowDataNodes(
final ShowDataNodes showDataNodesStatement, final MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowDataNodesTask();
}
@@ -473,7 +474,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitShowConfigNodes(
final ShowConfigNodes showConfigNodesStatement, final MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowConfigNodesTask();
}
@@ -481,7 +482,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitShowAINodes(
final ShowAINodes showAINodesStatement, final MPPQueryContext context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowAINodesTask();
}
@@ -489,7 +490,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitClearCache(
final ClearCache clearCacheStatement, final MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ClearCacheTask(clearCacheStatement);
}
@@ -914,14 +915,14 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitFlush(final Flush node, final MPPQueryContext
context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new FlushTask(((FlushStatement) node.getInnerTreeStatement()));
}
@Override
protected IConfigTask visitSetConfiguration(SetConfiguration node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+ // todo: check all configuration items' privilege requirement
return new SetConfigurationTask(((SetConfigurationStatement)
node.getInnerTreeStatement()));
}
@@ -935,14 +936,14 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitStartRepairData(StartRepairData node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new StartRepairDataTask(((StartRepairDataStatement)
node.getInnerTreeStatement()));
}
@Override
protected IConfigTask visitStopRepairData(StopRepairData node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new StopRepairDataTask(((StopRepairDataStatement)
node.getInnerTreeStatement()));
}
@@ -956,7 +957,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitSetSystemStatus(SetSystemStatus node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new SetSystemStatusTask(((SetSystemStatusStatement)
node.getInnerTreeStatement()));
}
@@ -1285,20 +1286,21 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitShowVersion(ShowVersion node, MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowVersionTask();
}
@Override
protected IConfigTask visitShowVariables(ShowVariables node, MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowVariablesTask();
}
@Override
protected IConfigTask visitShowClusterId(ShowClusterId node, MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
return new ShowClusterIdTask();
}
@@ -1333,8 +1335,11 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitKillQuery(KillQuery node, MPPQueryContext
context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
- return new KillQueryTask(node);
+ String allowedUsername = context.getSession().getUserName();
+ if (accessControl.hasGlobalPrivilege(allowedUsername,
PrivilegeType.SYSTEM)) {
+ allowedUsername = null;
+ }
+ return new KillQueryTask(node, allowedUsername);
}
@Override
@@ -1367,7 +1372,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitMigrateRegion(MigrateRegion migrateRegion,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
- accessControl.checkUserIsAdmin(context.getSession().getUserName());
+
accessControl.checkUserGlobalSysPrivilege(context.getSession().getUserName());
// As the implementation is identical, we'll simply translate to the
// corresponding tree-model variant and execute that.
return new MigrateRegionTask(migrateRegion);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
index 4df8a6a4f71..c8de8583103 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
@@ -1481,7 +1481,8 @@ public class ClusterConfigTaskExecutor implements
IConfigTaskExecutor {
}
try (ConfigNodeClient client =
CONFIG_NODE_CLIENT_MANAGER.borrowClient(ConfigNodeInfo.CONFIG_REGION_ID)) {
- final TSStatus executionStatus = client.killQuery(queryId, dataNodeId);
+ final TSStatus executionStatus =
+ client.killQuery(queryId, dataNodeId,
killQueryStatement.getAllowedUsername());
if (TSStatusCode.SUCCESS_STATUS.getStatusCode() !=
executionStatus.getCode()) {
future.setException(new IoTDBException(executionStatus));
} else {
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/sys/KillQueryTask.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/sys/KillQueryTask.java
index 9c4aa415d16..362e3a567c7 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/sys/KillQueryTask.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/sys/KillQueryTask.java
@@ -35,8 +35,9 @@ public class KillQueryTask implements IConfigTask {
this.killQueryStatement = killQueryStatement;
}
- public KillQueryTask(KillQuery killQuery) {
+ public KillQueryTask(KillQuery killQuery, String username) {
this.killQueryStatement = new KillQueryStatement(killQuery.getQueryId());
+ this.killQueryStatement.setAllowedUsername(username);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
index 1cc7083360b..e9376a3a7ac 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
@@ -178,6 +178,7 @@ public interface AccessControl {
/**
* Check if user has sepecified global privilege
+ *
* @param userName name of user
* @param privilegeType needed privilege
* @throws AccessDeniedException if not allowed
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 1e5ee6bc82a..e0268913d39 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -402,7 +402,8 @@ public class AccessControlImpl implements AccessControl {
@Override
public boolean hasGlobalPrivilege(String userName, PrivilegeType
privilegeType) {
- return AuthorityChecker.SUPER_USER.equals(userName) ||
AuthorityChecker.checkSystemPermission(userName, privilegeType);
+ return AuthorityChecker.SUPER_USER.equals(userName)
+ || AuthorityChecker.checkSystemPermission(userName, privilegeType);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
index c6f8237b2c9..9ccb902453d 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
@@ -20,6 +20,7 @@
package org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
@@ -114,6 +115,11 @@ public class AllowAllAccessControl implements
AccessControl {
// allow anything
}
+ @Override
+ public boolean hasGlobalPrivilege(String userName, PrivilegeType
privilegeType) {
+ return true;
+ }
+
@Override
public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
return SUCCEED;
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
index 4e1a8618561..f5f236f1b91 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/KillQueryStatement.java
@@ -30,6 +30,8 @@ import java.util.List;
public class KillQueryStatement extends Statement implements IConfigStatement {
private final String queryId;
+ // if allowedUsername is null, this statement can kill other user's queries
+ private String allowedUsername;
public KillQueryStatement(String queryId) {
this.queryId = queryId;
@@ -47,6 +49,14 @@ public class KillQueryStatement extends Statement implements
IConfigStatement {
return queryId;
}
+ public String getAllowedUsername() {
+ return allowedUsername;
+ }
+
+ public void setAllowedUsername(String allowedUsername) {
+ this.allowedUsername = allowedUsername;
+ }
+
@Override
public List<PartialPath> getPaths() {
return Collections.emptyList();
