This is an automated email from the ASF dual-hosted git repository. shuwenwei pushed a commit to branch AuthEnhance in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/AuthEnhance by this push:
     new a472ae0453a check deprecated privileges
a472ae0453a is described below

commit a472ae0453a5ebd2d2e15def98dd49996a286fb5
Author: shuwenwei <s13979062...@gmail.com>
AuthorDate: Wed Sep 17 18:49:36 2025 +0800

    check deprecated privileges
---
 .../org/apache/iotdb/db/auth/AuthorityChecker.java | 5 +--
 .../db/queryengine/plan/parser/ASTVisitor.java | 11 +++++-
 .../plan/relational/sql/parser/AstBuilder.java | 11 +++++-
 .../iotdb/commons/auth/entity/PrivilegeType.java | 45 ++++++++++++++++++++++
 .../org/apache/iotdb/commons/auth/entity/Role.java | 2 +-
 5 files changed, 68 insertions(+), 6 deletions(-)

diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 35117bdf34b..26f320b8fe8 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -28,7 +28,6 @@ import org.apache.iotdb.commons.path.PathPatternTree;
 import org.apache.iotdb.commons.schema.column.ColumnHeader;
 import org.apache.iotdb.commons.schema.column.ColumnHeaderConstant;
 import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
-import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.confignode.rpc.thrift.TAuthorizerResp;
 import org.apache.iotdb.confignode.rpc.thrift.TDBPrivilege;
 import org.apache.iotdb.confignode.rpc.thrift.TPathPrivilege;
@@ -186,10 +185,10 @@ public class AuthorityChecker {
             .setMessage(
                 NO_PERMISSION_PROMOTION
                     + getSatisfyAnyNeededPrivilegeString(
-                        AuthUtils.getAllPrivilegesContainingCurrentPrivilege(neededPrivilege)));
+                        neededPrivilege.getReplacedPrivilegeType()));
   }
 
-  private static String getSatisfyAnyNeededPrivilegeString(List<PrivilegeType> privileges) {
+  private static String getSatisfyAnyNeededPrivilegeString(PrivilegeType... privileges) {
     StringJoiner sj = new StringJoiner("/");
     for (PrivilegeType privilege : privileges) {
       sj.add(privilege.toString());
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
index 06c6d345d09..104a8b1b431 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
@@ -2633,6 +2633,15 @@ public class ASTVisitor extends IoTDBSqlParserBaseVisitor<Statement> {
           || (!"READ".equalsIgnoreCase(privilege)
               && !"WRITE".equalsIgnoreCase(privilege)
               && !PrivilegeType.valueOf(privilege.toUpperCase()).isPathPrivilege())) {
+        PrivilegeType privilegeType = PrivilegeType.valueOf(privilege.toUpperCase());
+        if (privilegeType.isDeprecated()) {
+          throw new SemanticException(
+              "Privilege type "
+                  + privilege.toUpperCase()
+                  + " is deprecated, use "
+                  + privilegeType.getReplacedPrivilegeType()
+                  + " to instead it");
+        }
         hasSystemPri = true;
         errorPrivilegeName = privilege.toUpperCase();
         break;
@@ -2659,7 +2668,7 @@ public class ASTVisitor extends IoTDBSqlParserBaseVisitor<Statement> {
         continue;
       } else if (priv.equalsIgnoreCase("ALL")) {
         for (PrivilegeType type : PrivilegeType.values()) {
-          if (type.isRelationalPrivilege() || type.isAdminPrivilege()) {
+          if (type.isRelationalPrivilege() || type.isDeprecated()) {
             continue;
           }
           privSet.add(type.toString());
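Review bot: The no-permission prompt now names only `neededPrivilege.getReplacedPrivilegeType()`, while `Role.checkSysPrivilege` in this same commit still accepts the deprecated privilege through `getAllPrivilegesContainingCurrentPrivilege()`, so a caller that actually holds MANAGE_USER is told it needs SECURITY. If steering users toward the replacement is the intent, a short comment at the call keeps the next reader from restoring the full list: `// advertise only the replacement; the check itself still honours the deprecated privilege`. At the only call site visible here the varargs `getSatisfyAnyNeededPrivilegeString` now receives a single element, so the "/" joiner is generality without a user unless other callers exist outside this hunk. The enclosing method starts before the hunk.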
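Review bot: The deprecation check rejects a deprecated system privilege on every statement that reaches this branch; if the same parse path also serves REVOKE (the enclosing method starts outside the hunk, so I cannot see which statements use it), a MANAGE_USER grant that predates the upgrade can no longer be revoked through SQL even though `Role.checkSysPrivilege` in this commit still honours it, leaving stale grants effective and unremovable. Raising the error only for GRANT, or accepting the deprecated name on REVOKE, would keep the clean-up path open. The identical block is added to `AstBuilder` in this commit; one helper on PrivilegeType that validates and returns the type would stop the two parsers from drifting. The message text is ungrammatical, `" to instead it"` should read `" instead"`, and `PrivilegeType.valueOf(privilege.toUpperCase())` is now evaluated twice in the same branch, so hoisting the lookup above the condition would remove the repeat.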
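Review bot: Swapping `type.isAdminPrivilege()` for `type.isDeprecated()` in the ALL expansion changes what `GRANT ALL` covers: privileges for which `isAdminPrivilege()` is true are now included unless they are also deprecated, which widens a blanket grant if that predicate was meant to hold them back. Keeping both filters, `if (type.isRelationalPrivilege() || type.isAdminPrivilege() || type.isDeprecated())`, preserves the previous exclusion and adds the new one without assuming the two sets coincide. Whether SECURITY and SYSTEM themselves count as admin privileges is not visible in this hunk, so the widening is inferred from the predicate swap alone and should be confirmed against the enum.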
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
index 89941c896c2..43de4fcc77d 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
@@ -1795,7 +1795,16 @@ public class AstBuilder extends RelationalSqlBaseVisitor<Node> {
     List<RelationalSqlParser.SystemPrivilegeContext> privilegeContexts = ctx.systemPrivilege();
     Set<PrivilegeType> privileges = new HashSet<>();
     for (RelationalSqlParser.SystemPrivilegeContext privilege : privilegeContexts) {
-      privileges.add(PrivilegeType.valueOf(privilege.getText().toUpperCase()));
+      PrivilegeType privilegeType = PrivilegeType.valueOf(privilege.getText().toUpperCase());
+      if (privilegeType.isDeprecated()) {
+        throw new SemanticException(
+            "Privilege type "
+                + privilege.getText().toUpperCase()
+                + " is deprecated, use "
+                + privilegeType.getReplacedPrivilegeType()
+                + " to instead it");
+      }
+      privileges.add(privilegeType);
     }
     return privileges;
   }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
index c7330ac8356..4763c2fd454 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
@@ -19,7 +19,10 @@
 
 package org.apache.iotdb.commons.auth.entity;
 
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 /** This enum class contains all available privileges in IoTDB. */
@@ -116,4 +119,46 @@ public enum PrivilegeType {
   public PrivilegeModelType getModelType() {
     return modelType;
   }
+
+  public List<PrivilegeType> getAllPrivilegesContainingCurrentPrivilege() {
+    switch (this) {
+      case MANAGE_USER:
+      case MANAGE_ROLE:
+        return Arrays.asList(this, PrivilegeType.SECURITY);
+      case MAINTAIN:
+      case USE_UDF:
+      case USE_MODEL:
+      case USE_TRIGGER:
+      case USE_CQ:
+      case USE_PIPE:
+      case MANAGE_DATABASE:
+      case EXTEND_TEMPLATE:
+        return Arrays.asList(this, PrivilegeType.SYSTEM);
+      default:
+        return Collections.singletonList(this);
+    }
+  }
+
+  public PrivilegeType getReplacedPrivilegeType() {
+    switch (this) {
+      case MANAGE_USER:
+      case MANAGE_ROLE:
+        return PrivilegeType.SECURITY;
+      case MAINTAIN:
+      case USE_UDF:
+      case USE_MODEL:
+      case USE_TRIGGER:
+      case USE_CQ:
+      case USE_PIPE:
+      case MANAGE_DATABASE:
+      case EXTEND_TEMPLATE:
+        return PrivilegeType.SYSTEM;
+      default:
+        return this;
+    }
+  }
+
+  public boolean isDeprecated() {
+    return this.getReplacedPrivilegeType() != this;
+  }
 }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
index d798f0085ca..2443ef38a17 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
@@ -515,7 +515,7 @@ public class Role {
   }
 
   public boolean checkSysPrivilege(PrivilegeType priv) {
-    return AuthUtils.getAllPrivilegesContainingCurrentPrivilege(priv).stream()
+    return priv.getAllPrivilegesContainingCurrentPrivilege().stream()
         .anyMatch(sysPrivilegeSet::contains);
   }
 
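Review bot: `getAllPrivilegesContainingCurrentPrivilege` and `getReplacedPrivilegeType` hard-code the same ten-case mapping twice, so a privilege later deprecated in one switch but not the other makes `isDeprecated()` (which the parsers use to reject a grant) and `Role.checkSysPrivilege` (which uses the list to accept one) disagree about the same privilege. Deriving the list from the single mapping removes that drift: `PrivilegeType replaced = getReplacedPrivilegeType();` followed by `return replaced == this ? Collections.singletonList(this) : Arrays.asList(this, replaced);`. The three new public methods carry no Javadoc although AuthorityChecker and Role now depend on their contract; a one-line summary each, such as `/** Privilege that supersedes this one, or {@code this} when it is not deprecated. */` on getReplacedPrivilegeType, would state it. `Arrays.asList` returns a fixed-size write-through view, harmless while callers only stream it, but wrapping it in `Collections.unmodifiableList` makes the read-only intent explicit.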