This is an automated email from the ASF dual-hosted git repository.
shuwenwei pushed a commit to branch AuthEnhance
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/AuthEnhance by this push:
new daece8f4845 set configuration
daece8f4845 is described below
commit daece8f484502935f33bcfc0ac92425f77308d19
Author: shuwenwei <[email protected]>
AuthorDate: Wed Sep 17 17:26:13 2025 +0800
set configuration
---
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 34 ++++++++---
.../iotdb/db/auth/ClusterAuthorityFetcher.java | 25 +++++++-
.../apache/iotdb/db/auth/IAuthorityFetcher.java | 6 +-
.../execution/config/TableConfigTaskVisitor.java | 11 +++-
.../plan/relational/security/AccessControl.java | 4 ++
.../relational/security/AccessControlImpl.java | 9 +++
.../relational/security/AllowAllAccessControl.java | 7 +++
.../relational/security/ITableAuthChecker.java | 5 ++
.../relational/security/ITableAuthCheckerImpl.java | 15 +++++
.../security/TreeAccessCheckVisitor.java | 68 +++++++++++++---------
.../statement/sys/SetConfigurationStatement.java | 18 ++++++
.../conf/iotdb-system.properties.template | 6 ++
.../iotdb/commons/conf/ConfigurationFileUtils.java | 36 +++++++++++-
13 files changed, 203 insertions(+), 41 deletions(-)
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 1c4c29c5234..35117bdf34b 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -55,6 +55,7 @@ import org.apache.tsfile.read.common.block.TsBlockBuilder;
import org.apache.tsfile.utils.Binary;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@@ -170,6 +171,14 @@ public class AuthorityChecker {
: new
TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode()).setMessage(errMsg);
}
+ public static TSStatus getTSStatus(Collection<PrivilegeType>
missingPrivileges) {
+ return missingPrivileges.isEmpty()
+ ? SUCCEED
+ : new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
+ .setMessage(
+ NO_PERMISSION_PROMOTION +
getMissingAllNeededPrivilegeString(missingPrivileges));
+ }
+
public static TSStatus getTSStatus(boolean hasPermission, PrivilegeType
neededPrivilege) {
return hasPermission
? SUCCEED
@@ -188,6 +197,14 @@ public class AuthorityChecker {
return sj.toString();
}
+ private static String
getMissingAllNeededPrivilegeString(Collection<PrivilegeType> privileges) {
+ StringJoiner sj = new StringJoiner(",");
+ for (PrivilegeType privilege : privileges) {
+ sj.add(privilege.toString());
+ }
+ return sj.toString();
+ }
+
public static TSStatus getGrantOptTSStatus(
boolean hasPermission, PrivilegeType neededPrivilege, String database) {
return hasPermission
@@ -274,7 +291,7 @@ public class AuthorityChecker {
}
public static boolean checkSystemPermission(String userName, PrivilegeType
permission) {
- return authorityFetcher.get().checkUserSysPrivileges(userName,
permission).getCode()
+ return authorityFetcher.get().checkUserSysPrivilege(userName,
permission).getCode()
== TSStatusCode.SUCCESS_STATUS.getStatusCode();
}
@@ -349,24 +366,23 @@ public class AuthorityChecker {
return authorityFetcher.get().checkRole(username, roleName);
}
- public static TSStatus checkSuperUserOrMaintain(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
+ public static TSStatus checkMaintain(String userName) {
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.MAINTAIN),
PrivilegeType.MAINTAIN);
}
- public static TSStatus checkSuperUserOrSystemAdmin(String userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName)) {
- return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
- }
+ public static TSStatus checkUserIsSystemAdmin(String userName) {
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(userName, PrivilegeType.SYSTEM),
PrivilegeType.SYSTEM);
}
+ public static Collection<PrivilegeType> checkUserHaveSystemPermissions(
+ String userName, Collection<PrivilegeType> permissions) {
+ return authorityFetcher.get().checkUserSysPrivileges(userName,
permissions);
+ }
+
public static void buildTSBlock(
TAuthorizerResp authResp, SettableFuture<ConfigTaskResult> future) {
List<TSDataType> types = new ArrayList<>();
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 863a3653263..38b840d8215 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -64,8 +64,11 @@ import org.slf4j.LoggerFactory;
import java.nio.ByteBuffer;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import java.util.function.BiFunction;
public class ClusterAuthorityFetcher implements IAuthorityFetcher {
@@ -117,7 +120,7 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
}
@Override
- public TSStatus checkUserSysPrivileges(String username, PrivilegeType
permission) {
+ public TSStatus checkUserSysPrivilege(String username, PrivilegeType
permission) {
checkCacheAvailable();
return checkPrivilege(
username,
@@ -127,6 +130,26 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
username, PrivilegeModelType.SYSTEM.ordinal(),
permission.ordinal(), false));
}
+ @Override
+ public Collection<PrivilegeType> checkUserSysPrivileges(
+ String username, Collection<PrivilegeType> permissions) {
+ checkCacheAvailable();
+ Set<PrivilegeType> missingPrivileges = new HashSet<>();
+ for (PrivilegeType permission : permissions) {
+ TSStatus status =
+ checkPrivilege(
+ username,
+ new PrivilegeUnion(permission, false),
+ (role, union) ->
role.checkSysPrivilege(union.getPrivilegeType()),
+ new TCheckUserPrivilegesReq(
+ username, PrivilegeModelType.SYSTEM.ordinal(),
permission.ordinal(), false));
+ if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ missingPrivileges.add(permission);
+ }
+ }
+ return missingPrivileges;
+ }
+
@Override
public TSStatus checkUserSysPrivilegesGrantOpt(String username,
PrivilegeType permission) {
checkCacheAvailable();
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
index 51b9212cf45..3dc95fa41dc 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/IAuthorityFetcher.java
@@ -31,6 +31,7 @@ import
org.apache.iotdb.db.queryengine.plan.statement.sys.AuthorStatement;
import com.google.common.util.concurrent.SettableFuture;
+import java.util.Collection;
import java.util.List;
public interface IAuthorityFetcher {
@@ -45,7 +46,10 @@ public interface IAuthorityFetcher {
TSStatus checkUserPathPrivilegesGrantOpt(
String username, List<? extends PartialPath> allPath, PrivilegeType
permission);
- TSStatus checkUserSysPrivileges(String username, PrivilegeType permissions);
+ TSStatus checkUserSysPrivilege(String username, PrivilegeType permissions);
+
+ Collection<PrivilegeType> checkUserSysPrivileges(
+ String username, Collection<PrivilegeType> permissions);
TSStatus checkUserDBPrivileges(String username, String database,
PrivilegeType permission);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index 5402992563c..212497ef856 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -234,6 +234,7 @@ import org.apache.tsfile.enums.TSDataType;
import org.apache.tsfile.utils.Binary;
import org.apache.tsfile.utils.Pair;
+import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -923,7 +924,15 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitSetConfiguration(SetConfiguration node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
// todo: check all configuration items' privilege requirement
- return new SetConfigurationTask(((SetConfigurationStatement)
node.getInnerTreeStatement()));
+ SetConfigurationStatement setConfigurationStatement =
+ (SetConfigurationStatement) node.getInnerTreeStatement();
+ try {
+ accessControl.checkMissingPrivileges(
+ context.getSession().getUserName(),
setConfigurationStatement.getNeededPrivileges());
+ } catch (IOException e) {
+ throw new AccessDeniedException("Failed to check config item
permission");
+ }
+ return new SetConfigurationTask(setConfigurationStatement);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
index e9376a3a7ac..e9a2cb32c89 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
@@ -27,6 +27,8 @@ import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectN
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
+import java.util.Collection;
+
public interface AccessControl {
// ====================================== TABLE
=============================================
@@ -185,6 +187,8 @@ public interface AccessControl {
*/
boolean hasGlobalPrivilege(String userName, PrivilegeType privilegeType);
+ void checkMissingPrivileges(String username, Collection<PrivilegeType>
privilegeTypes);
+
// ====================================== TREE
=============================================
TSStatus checkPermissionBeforeProcess(Statement statement, String userName);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index ef913ea8f64..3ddd2cd04be 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -35,6 +35,7 @@ import
org.apache.iotdb.db.queryengine.plan.statement.sys.AuthorStatement;
import org.apache.iotdb.db.schemaengine.table.InformationSchemaUtils;
import org.apache.iotdb.rpc.TSStatusCode;
+import java.util.Collection;
import java.util.Objects;
import static org.apache.iotdb.db.auth.AuthorityChecker.ONLY_ADMIN_ALLOWED;
@@ -403,6 +404,14 @@ public class AccessControlImpl implements AccessControl {
|| AuthorityChecker.checkSystemPermission(userName, privilegeType);
}
+ @Override
+ public void checkMissingPrivileges(String username,
Collection<PrivilegeType> privilegeTypes) {
+ if (AuthorityChecker.SUPER_USER.equals(username)) {
+ return;
+ }
+ authChecker.checkGlobalPrivileges(username, privilegeTypes);
+ }
+
@Override
public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
if (AuthorityChecker.SUPER_USER.equals(userName) && !(statement instanceof
AuthorStatement)) {
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
index 9ccb902453d..16f6b011079 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
@@ -26,6 +26,8 @@ import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectN
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
+import java.util.Collection;
+
import static org.apache.iotdb.db.auth.AuthorityChecker.SUCCEED;
public class AllowAllAccessControl implements AccessControl {
@@ -120,6 +122,11 @@ public class AllowAllAccessControl implements
AccessControl {
return true;
}
+ @Override
+ public void checkMissingPrivileges(String username,
Collection<PrivilegeType> privilegeTypes) {
+ // allow anything
+ }
+
@Override
public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
return SUCCEED;
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthChecker.java
index fd6e0c95903..e377fa85fde 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthChecker.java
@@ -19,9 +19,12 @@
package org.apache.iotdb.db.queryengine.plan.relational.security;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
+import java.util.Collection;
+
public interface ITableAuthChecker {
/**
@@ -83,6 +86,8 @@ public interface ITableAuthChecker {
*/
void checkGlobalPrivilege(String userName, TableModelPrivilege privilege);
+ void checkGlobalPrivileges(String username, Collection<PrivilegeType>
privileges);
+
/**
* Check if user has the specified global privilege
*
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
index 4ea1995f595..97c4bb2ad99 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
@@ -25,6 +25,8 @@ import org.apache.iotdb.db.auth.AuthorityChecker;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import org.apache.iotdb.rpc.TSStatusCode;
+import java.util.Collection;
+
public class ITableAuthCheckerImpl implements ITableAuthChecker {
@Override
@@ -155,6 +157,19 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
}
+ @Override
+ public void checkGlobalPrivileges(String username, Collection<PrivilegeType>
privileges) {
+ if (AuthorityChecker.SUPER_USER.equals(username)) {
+ return;
+ }
+ TSStatus result =
+ AuthorityChecker.getTSStatus(
+ AuthorityChecker.checkUserHaveSystemPermissions(username,
privileges));
+ if (result.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ throw new AccessDeniedException(result.getMessage());
+ }
+ }
+
@Override
public void checkGlobalPrivilegeGrantOption(String userName,
TableModelPrivilege privilege) {
if (AuthorityChecker.SUPER_USER.equals(userName)) {
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 246fc8d3661..6732d3cafd3 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -125,6 +125,7 @@ import
org.apache.iotdb.db.queryengine.plan.statement.sys.ClearCacheStatement;
import
org.apache.iotdb.db.queryengine.plan.statement.sys.ExplainAnalyzeStatement;
import org.apache.iotdb.db.queryengine.plan.statement.sys.FlushStatement;
import org.apache.iotdb.db.queryengine.plan.statement.sys.KillQueryStatement;
+import
org.apache.iotdb.db.queryengine.plan.statement.sys.SetConfigurationStatement;
import
org.apache.iotdb.db.queryengine.plan.statement.sys.SetSqlDialectStatement;
import
org.apache.iotdb.db.queryengine.plan.statement.sys.SetSystemStatusStatement;
import
org.apache.iotdb.db.queryengine.plan.statement.sys.ShowCurrentSqlDialectStatement;
@@ -139,6 +140,7 @@ import org.apache.iotdb.rpc.TSStatusCode;
import com.google.common.collect.ImmutableList;
+import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
@@ -885,35 +887,35 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitExtendRegion(
ExtendRegionStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitGetRegionId(GetRegionIdStatement statement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitGetSeriesSlotList(
GetSeriesSlotListStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitGetTimeSlotList(
GetTimeSlotListStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitCountTimeSlotList(
CountTimeSlotListStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitKillQuery(KillQueryStatement statement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.checkSuperUserOrMaintain(context.userName).getCode()
+ if (AuthorityChecker.checkMaintain(context.userName).getCode()
!= TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
statement.setAllowedUsername(context.userName);
}
@@ -922,67 +924,79 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitFlush(FlushStatement flushStatement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrSystemAdmin(context.userName);
+ return AuthorityChecker.checkUserIsSystemAdmin(context.userName);
+ }
+
+ @Override
+ public TSStatus visitSetConfiguration(
+ SetConfigurationStatement setConfigurationStatement,
TreeAccessCheckContext context) {
+ try {
+ return AuthorityChecker.getTSStatus(
+ AuthorityChecker.checkUserHaveSystemPermissions(
+ context.userName,
setConfigurationStatement.getNeededPrivileges()));
+ } catch (IOException e) {
+ return AuthorityChecker.getTSStatus(false, "Failed to check config item
permission");
+ }
}
@Override
public TSStatus visitSetSystemStatus(
SetSystemStatusStatement setSystemStatusStatement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrSystemAdmin(context.userName);
+ return AuthorityChecker.checkUserIsSystemAdmin(context.userName);
}
@Override
public TSStatus visitStartRepairData(
StartRepairDataStatement startRepairDataStatement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrSystemAdmin(context.userName);
+ return AuthorityChecker.checkUserIsSystemAdmin(context.userName);
}
@Override
public TSStatus visitStopRepairData(
StopRepairDataStatement stopRepairDataStatement, TreeAccessCheckContext
context) {
- return AuthorityChecker.checkSuperUserOrSystemAdmin(context.userName);
+ return AuthorityChecker.checkUserIsSystemAdmin(context.userName);
}
@Override
public TSStatus visitClearCache(
ClearCacheStatement clearCacheStatement, TreeAccessCheckContext context)
{
- return AuthorityChecker.checkSuperUserOrSystemAdmin(context.userName);
+ return AuthorityChecker.checkUserIsSystemAdmin(context.userName);
}
@Override
public TSStatus visitMigrateRegion(
MigrateRegionStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitReconstructRegion(
ReconstructRegionStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitRemoveAINode(
RemoveAINodeStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitRemoveConfigNode(
RemoveConfigNodeStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitRemoveDataNode(
RemoveDataNodeStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitRemoveRegion(
RemoveRegionStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
@@ -993,24 +1007,24 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowAINodes(ShowAINodesStatement statement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowClusterId(
ShowClusterIdStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowCluster(ShowClusterStatement statement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowConfigNodes(
ShowConfigNodesStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
@@ -1028,12 +1042,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowDataNodes(
ShowDataNodesStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowQueries(ShowQueriesStatement statement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.checkSuperUserOrMaintain(context.userName).getCode()
+ if (AuthorityChecker.checkMaintain(context.userName).getCode()
!= TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
statement.setAllowedUsername(context.userName);
}
@@ -1042,24 +1056,24 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowRegion(ShowRegionStatement statement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowVariables(
ShowVariablesStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitShowVersion(ShowVersionStatement statement,
TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
public TSStatus visitTestConnection(
TestConnectionStatement statement, TreeAccessCheckContext context) {
- return AuthorityChecker.checkSuperUserOrMaintain(context.userName);
+ return AuthorityChecker.checkMaintain(context.userName);
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/SetConfigurationStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/SetConfigurationStatement.java
index 8f519de0280..12b036aa8f4 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/SetConfigurationStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/SetConfigurationStatement.java
@@ -19,6 +19,8 @@
package org.apache.iotdb.db.queryengine.plan.statement.sys;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.conf.ConfigurationFileUtils;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
@@ -26,9 +28,13 @@ import
org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementType;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
+import java.io.IOException;
+import java.util.Collection;
import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
public class SetConfigurationStatement extends Statement implements
IConfigStatement {
@@ -69,4 +75,16 @@ public class SetConfigurationStatement extends Statement
implements IConfigState
public <R, C> R accept(StatementVisitor<R, C> visitor, C context) {
return visitor.visitSetConfiguration(this, context);
}
+
+ public Collection<PrivilegeType> getNeededPrivileges() throws IOException {
+ Set<PrivilegeType> neededPrivileges = new HashSet<>();
+ for (String key : this.getConfigItems().keySet()) {
+ PrivilegeType neededPrivilege =
ConfigurationFileUtils.getConfigurationItemPrivilege(key);
+ if (neededPrivilege == null) {
+ continue;
+ }
+ neededPrivileges.add(neededPrivilege);
+ }
+ return neededPrivileges;
+ }
}
diff --git
a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
index d35a191b97d..c7633fbde5a 100644
---
a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
+++
b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
@@ -441,22 +441,26 @@ dn_metric_internal_reporter_type=MEMORY
# Whether enable SSL for thrift client connections
# effectiveMode: restart
# Datatype: boolean
+# Privilege: SECURITY
enable_thrift_ssl=false
# Whether enable SSL for Rest Service
# effectiveMode: restart
# Datatype: boolean
+# Privilege: SECURITY
enable_https=false
# SSL key store path
# linux e.g. /home/iotdb/server.keystore (absolute path) or server.keystore
(relative path)
# windows e.g. C:\\iotdb\\server.keystore (absolute path) or server.keystore
(relative path)
# effectiveMode: restart
+# Privilege: SECURITY
key_store_path=
# SSL key store password
# effectiveMode: restart
# Datatype: String
+# Privilege: SECURITY
key_store_pwd=
# SSL trust store path
@@ -1688,10 +1692,12 @@ compressor=LZ4
# which class to serve for authorization. By default, it is
LocalFileAuthorizer.
# Another choice is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer
# effectiveMode: restart
+# Privilege: SECURITY
authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer
# If OpenIdAuthorizer is enabled, then openID_url must be set.
# effectiveMode: restart
+# Privilege: SECURITY
openID_url=
# encryption provider class
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/ConfigurationFileUtils.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/ConfigurationFileUtils.java
index e09a376cbbf..b66b4150635 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/ConfigurationFileUtils.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/ConfigurationFileUtils.java
@@ -19,6 +19,8 @@
package org.apache.iotdb.commons.conf;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -74,6 +76,7 @@ public class ConfigurationFileUtils {
.toString();
private static final String EFFECTIVE_MODE_PREFIX = "effectiveMode:";
private static final String DATATYPE_PREFIX = "Datatype:";
+ private static final String PRIVILEGE_PREFIX = "Privilege:";
private static Map<String, DefaultConfigurationItem>
configuration2DefaultValue;
private static final Map<String, String> lastAppliedProperties = new
HashMap<>();
@@ -180,6 +183,17 @@ public class ConfigurationFileUtils {
return defaultConfigurationItem == null ? null :
defaultConfigurationItem.value;
}
+ public static PrivilegeType getConfigurationItemPrivilege(String
parameterName)
+ throws IOException {
+ parameterName = parameterName.trim();
+ if (configuration2DefaultValue == null) {
+ loadConfigurationDefaultValueFromTemplate();
+ }
+ DefaultConfigurationItem defaultConfigurationItem =
+ configuration2DefaultValue.get(parameterName);
+ return defaultConfigurationItem == null ? null :
defaultConfigurationItem.privilege;
+ }
+
public static void releaseDefault() {
configuration2DefaultValue = null;
}
@@ -354,6 +368,7 @@ public class ConfigurationFileUtils {
BufferedReader reader = new BufferedReader(isr)) {
List<String> independentLines = new ArrayList<>();
EffectiveModeType effectiveMode = null;
+ PrivilegeType privilege = null;
StringBuilder description = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
@@ -369,6 +384,7 @@ public class ConfigurationFileUtils {
if (line.isEmpty()) {
description = new StringBuilder();
effectiveMode = null;
+ privilege = null;
independentLines.clear();
continue;
}
@@ -386,6 +402,12 @@ public class ConfigurationFileUtils {
} else if (comment.startsWith(DATATYPE_PREFIX)) {
independentLines.add(comment);
continue;
+ } else if (comment.startsWith(PRIVILEGE_PREFIX)) {
+ privilege =
+ PrivilegeType.valueOf(
+
comment.substring(PRIVILEGE_PREFIX.length()).trim().toUpperCase());
+ independentLines.add(comment);
+ continue;
} else {
description.append(" ");
}
@@ -406,7 +428,11 @@ public class ConfigurationFileUtils {
items.put(
key,
new DefaultConfigurationItem(
- key, value, withDesc ? description.toString().trim() : null,
effectiveMode));
+ key,
+ value,
+ withDesc ? description.toString().trim() : null,
+ effectiveMode,
+ privilege));
}
}
} catch (IOException e) {
@@ -421,13 +447,19 @@ public class ConfigurationFileUtils {
public String value;
public String description;
public EffectiveModeType effectiveMode;
+ public PrivilegeType privilege;
public DefaultConfigurationItem(
- String name, String value, String description, EffectiveModeType
effectiveMode) {
+ String name,
+ String value,
+ String description,
+ EffectiveModeType effectiveMode,
+ PrivilegeType privilegeType) {
this.name = name;
this.value = value;
this.description = description;
this.effectiveMode = effectiveMode == null ? EffectiveModeType.UNKNOWN :
effectiveMode;
+ this.privilege = privilegeType == null ? PrivilegeType.SYSTEM :
privilegeType;
}
}
