This is an automated email from the ASF dual-hosted git repository.
yongzao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 33be57566cf Implement IAuditEntity interface for
TreeAccessCheckContext (#16469)
33be57566cf is described below
commit 33be57566cf7e96a0432cb1b8da4aba2c621062b
Author: Yongzao <[email protected]>
AuthorDate: Tue Sep 23 19:48:31 2025 +0800
Implement IAuditEntity interface for TreeAccessCheckContext (#16469)
---
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 9 +-
.../rest/handler/AuthorizationHandler.java | 15 +-
.../load/TreeSchemaAutoCreatorAndVerifier.java | 2 +-
.../analyze/schema/AutoCreateSchemaExecutor.java | 6 +-
.../plan/relational/security/AccessControl.java | 3 +-
.../relational/security/AccessControlImpl.java | 5 +-
.../relational/security/AllowAllAccessControl.java | 3 +-
.../security/TreeAccessCheckContext.java | 102 +++++-
.../security/TreeAccessCheckVisitor.java | 346 +++++++++++----------
9 files changed, 309 insertions(+), 182 deletions(-)
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index df9fd988933..61c79979ad9 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -20,6 +20,7 @@
package org.apache.iotdb.db.auth;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.UserEntity;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.conf.CommonDescriptor;
@@ -153,16 +154,18 @@ public class AuthorityChecker {
public static TSStatus checkAuthority(Statement statement, IClientSession
session) {
long startTime = System.nanoTime();
try {
- return accessControl.checkPermissionBeforeProcess(statement,
session.getUsername());
+ return accessControl.checkPermissionBeforeProcess(
+ statement,
+ new UserEntity(session.getUserId(), session.getUsername(),
session.getClientAddress()));
} finally {
PERFORMANCE_OVERVIEW_METRICS.recordAuthCost(System.nanoTime() -
startTime);
}
}
- public static TSStatus checkAuthority(Statement statement, String userName) {
+ public static TSStatus checkAuthority(Statement statement, UserEntity
userEntity) {
long startTime = System.nanoTime();
try {
- return accessControl.checkPermissionBeforeProcess(statement, userName);
+ return accessControl.checkPermissionBeforeProcess(statement, userEntity);
} finally {
PERFORMANCE_OVERVIEW_METRICS.recordAuthCost(System.nanoTime() -
startTime);
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/rest/handler/AuthorizationHandler.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/rest/handler/AuthorizationHandler.java
index eba8d8b365f..989f5211670 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/rest/handler/AuthorizationHandler.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/rest/handler/AuthorizationHandler.java
@@ -18,19 +18,32 @@
package org.apache.iotdb.db.protocol.rest.handler;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.UserEntity;
+import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.db.auth.AuthorityChecker;
+import org.apache.iotdb.db.auth.BasicAuthorityCache;
+import org.apache.iotdb.db.auth.ClusterAuthorityFetcher;
+import org.apache.iotdb.db.auth.IAuthorityFetcher;
import org.apache.iotdb.db.protocol.rest.model.ExecutionStatus;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.rpc.TSStatusCode;
+import org.apache.ratis.util.MemoizedSupplier;
+
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
public class AuthorizationHandler {
+ private static final MemoizedSupplier<IAuthorityFetcher> authorityFetcher =
+ MemoizedSupplier.valueOf(() -> new ClusterAuthorityFetcher(new
BasicAuthorityCache()));
+
public Response checkAuthority(SecurityContext securityContext, Statement
statement) {
String userName = securityContext.getUserPrincipal().getName();
- TSStatus status = AuthorityChecker.checkAuthority(statement, userName);
+ User user = authorityFetcher.get().getUser(userName);
+ long userId = user == null ? -1 : user.getUserId();
+ TSStatus status =
+ AuthorityChecker.checkAuthority(statement, new UserEntity(userId,
userName, ""));
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
return Response.ok()
.entity(new
ExecutionStatus().code(status.getCode()).message(status.getMessage()))
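Review bot: When `getUser(userName)` returns null the check still goes ahead with `new UserEntity(-1, userName, "")`, so a REST principal the fetcher cannot resolve reaches the visitor with a sentinel id, and every REST request carries an empty client address. TreeAccessCheckContext now exposes these fields as the audit identity, so audit records for REST traffic would have no origin host and possibly `-1` as user id. Consider rejecting an unresolved user here, or at least commenting the sentinel, e.g. `// -1: user not found by the authority fetcher; the permission check itself uses userName`. The handler also builds its own `ClusterAuthorityFetcher(new BasicAuthorityCache())`; if AuthorityChecker keeps a separate fetcher (not visible in this hunk), the two caches can disagree after a user is dropped or recreated, so reusing the existing one would be safer. `securityContext.getUserPrincipal()` is dereferenced without a null check, as it was before this change.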
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/load/TreeSchemaAutoCreatorAndVerifier.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/load/TreeSchemaAutoCreatorAndVerifier.java
index 91fc7fd3e86..1bc8ba52b82 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/load/TreeSchemaAutoCreatorAndVerifier.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/load/TreeSchemaAutoCreatorAndVerifier.java
@@ -323,7 +323,7 @@ public class TreeSchemaAutoCreatorAndVerifier {
// 1.check Authority
TSStatus status =
AuthorityChecker.checkAuthority(
- statement, loadTsFileAnalyzer.context.getSession().getUserName());
+ statement,
loadTsFileAnalyzer.context.getSession().getUserEntity());
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
throw new AuthException(TSStatusCode.representOf(status.getCode()),
status.getMessage());
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java
index 9b8d1047ce0..6e17deddd3f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java
@@ -505,7 +505,7 @@ class AutoCreateSchemaExecutor {
private List<MeasurementPath> executeInternalCreateTimeseriesStatement(
final Statement statement, final MPPQueryContext context) {
final TSStatus status =
- AuthorityChecker.checkAuthority(statement,
context.getSession().getUserName());
+ AuthorityChecker.checkAuthority(statement,
context.getSession().getUserEntity());
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
throw new IoTDBRuntimeException(status.getMessage(), status.getCode());
}
@@ -546,7 +546,7 @@ class AutoCreateSchemaExecutor {
private void internalActivateTemplate(PartialPath devicePath,
MPPQueryContext context) {
ActivateTemplateStatement statement = new
ActivateTemplateStatement(devicePath);
TSStatus status =
- AuthorityChecker.checkAuthority(statement,
context.getSession().getUserName());
+ AuthorityChecker.checkAuthority(statement,
context.getSession().getUserEntity());
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
throw new IoTDBRuntimeException(status.getMessage(), status.getCode());
}
@@ -564,7 +564,7 @@ class AutoCreateSchemaExecutor {
InternalBatchActivateTemplateStatement statement =
new
InternalBatchActivateTemplateStatement(devicesNeedActivateTemplate);
TSStatus status =
- AuthorityChecker.checkAuthority(statement,
context.getSession().getUserName());
+ AuthorityChecker.checkAuthority(statement,
context.getSession().getUserEntity());
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
throw new IoTDBRuntimeException(status.getMessage(), status.getCode());
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
index 3f049c1c6cf..c8c9ee4d9ae 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
@@ -21,6 +21,7 @@ package
org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.audit.IAuditEntity;
+import org.apache.iotdb.commons.audit.UserEntity;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.commons.path.PartialPath;
@@ -218,7 +219,7 @@ public interface AccessControl {
// ====================================== TREE
=============================================
- TSStatus checkPermissionBeforeProcess(Statement statement, String userName);
+ TSStatus checkPermissionBeforeProcess(Statement statement, UserEntity
userEntity);
/** called by load */
TSStatus checkFullPathWriteDataPermission(
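Review bot: `checkPermissionBeforeProcess` now takes a `UserEntity`, but the interface still does not say what the argument must contain. In the visitor hunks of this commit the decision is made from `getUsername()` only, while the id and client host appear to be carried for auditing. A one-line Javadoc would tell implementers this: `/** Checks a tree-model statement for userEntity (must not be null); its user id and client host are carried for audit logging. */`. The neighbouring method already has a short doc comment (`/** called by load */`), so this fits the file's style.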
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index a410d988842..94eac9ab5ea 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -21,6 +21,7 @@ package
org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.audit.IAuditEntity;
+import org.apache.iotdb.commons.audit.UserEntity;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
@@ -410,8 +411,8 @@ public class AccessControlImpl implements AccessControl {
}
@Override
- public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
- return treeAccessCheckVisitor.process(statement, new
TreeAccessCheckContext(userName));
+ public TSStatus checkPermissionBeforeProcess(Statement statement, UserEntity
userEntity) {
+ return treeAccessCheckVisitor.process(statement, new
TreeAccessCheckContext(userEntity));
}
@Override
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
index d7a7f680d3e..b717e1104fd 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
@@ -21,6 +21,7 @@ package
org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.audit.IAuditEntity;
+import org.apache.iotdb.commons.audit.UserEntity;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.path.PartialPath;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
@@ -113,7 +114,7 @@ public class AllowAllAccessControl implements AccessControl
{
String username, Collection<PrivilegeType> privilegeTypes, IAuditEntity
auditEntity) {}
@Override
- public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
+ public TSStatus checkPermissionBeforeProcess(Statement statement, UserEntity
userEntity) {
return SUCCEED;
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckContext.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckContext.java
index 231f49332eb..30ff465d0a2 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckContext.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckContext.java
@@ -19,11 +19,105 @@
package org.apache.iotdb.db.queryengine.plan.relational.security;
-public class TreeAccessCheckContext {
+import org.apache.iotdb.commons.audit.AuditEventType;
+import org.apache.iotdb.commons.audit.AuditLogOperation;
+import org.apache.iotdb.commons.audit.IAuditEntity;
+import org.apache.iotdb.commons.audit.UserEntity;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
- final String userName;
+public class TreeAccessCheckContext implements IAuditEntity {
- public TreeAccessCheckContext(String userName) {
- this.userName = userName;
+ private final UserEntity userEntity;
+
+ public TreeAccessCheckContext(UserEntity userEntity) {
+ this.userEntity = userEntity;
+ }
+
+ @Override
+ public long getUserId() {
+ return userEntity.getUserId();
+ }
+
+ @Override
+ public String getUsername() {
+ return userEntity.getUsername();
+ }
+
+ @Override
+ public String getCliHostname() {
+ return userEntity.getCliHostname();
+ }
+
+ private AuditEventType auditEventType;
+ private AuditLogOperation auditLogOperation;
+ private PrivilegeType privilegeType;
+ private boolean result;
+ private String database;
+ private String sqlString;
+
+ @Override
+ public AuditEventType getAuditEventType() {
+ return auditEventType;
+ }
+
+ @Override
+ public IAuditEntity setAuditEventType(AuditEventType auditEventType) {
+ this.auditEventType = auditEventType;
+ return this;
+ }
+
+ @Override
+ public AuditLogOperation getAuditLogOperation() {
+ return auditLogOperation;
+ }
+
+ @Override
+ public IAuditEntity setAuditLogOperation(AuditLogOperation
auditLogOperation) {
+ this.auditLogOperation = auditLogOperation;
+ return this;
+ }
+
+ @Override
+ public PrivilegeType getPrivilegeType() {
+ return privilegeType;
+ }
+
+ @Override
+ public IAuditEntity setPrivilegeType(PrivilegeType privilegeType) {
+ this.privilegeType = privilegeType;
+ return this;
+ }
+
+ @Override
+ public boolean getResult() {
+ return result;
+ }
+
+ @Override
+ public IAuditEntity setResult(boolean result) {
+ this.result = result;
+ return this;
+ }
+
+ @Override
+ public String getDatabase() {
+ return database;
+ }
+
+ @Override
+ public IAuditEntity setDatabase(String database) {
+ this.database = database;
+ return this;
+ }
+
+ @Override
+ public String getSqlString() {
+ return sqlString;
+ }
+
+ @Override
+ public IAuditEntity setSqlString(String sqlString) {
+ this.sqlString = sqlString;
+ return this;
}
}
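Review bot: The constructor stores `userEntity` without a null check, yet `getUserId()`, `getUsername()` and `getCliHostname()` all dereference it, so a null entity fails later inside a permission check with a bare NullPointerException instead of at construction. Failing fast keeps the error at the caller: `this.userEntity = Objects.requireNonNull(userEntity, "userEntity");` (needs `import java.util.Objects;`). As a style point, the six mutable audit fields are declared between the delegating getters and their accessors; moving them up next to `userEntity` would make the class easier to read. A class-level Javadoc could also state that a context is created per check (as AccessControlImpl does in this commit) and is not meant to be shared between threads. `result` stays `false` and the other audit fields stay null until a setter is called, which is worth stating in that comment.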
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 16633a14359..b0e018eb8aa 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -161,7 +161,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitNode(StatementNode node, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
return AuthorityChecker.getTSStatus(false, "Only the admin user can
perform this operation");
@@ -170,12 +170,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitAuthorityInformation(
AuthorityInformationStatement statement, TreeAccessCheckContext context)
{
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
try {
statement.setAuthorityScope(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_SCHEMA));
+ AuthorityChecker.getAuthorizedPathTree(context.getUsername(),
PrivilegeType.READ_SCHEMA));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
@@ -187,7 +187,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCreateSchemaTemplate(
CreateSchemaTemplateStatement createTemplateStatement,
TreeAccessCheckContext context) {
- return checkSystemAuth(context.userName);
+ return checkSystemAuth(context.getUsername());
}
@Override
@@ -198,38 +198,38 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
return status;
}
- return checkSystemAuth(context.userName);
+ return checkSystemAuth(context.getUsername());
}
@Override
public TSStatus visitActivateTemplate(
ActivateTemplateStatement statement, TreeAccessCheckContext context) {
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
public TSStatus visitBatchActivateTemplate(
BatchActivateTemplateStatement statement, TreeAccessCheckContext
context) {
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
public TSStatus visitInternalBatchActivateTemplate(
InternalBatchActivateTemplateStatement statement, TreeAccessCheckContext
context) {
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
private TSStatus checkTemplateShowRelated(
ShowSchemaTemplateStatement statement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAll(true);
return SUCCEED;
}
// own SYSTEM can see all, otherwise can only see PATHS that user has
READ_SCHEMA auth
- if (!AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)) {
+ if (!AuthorityChecker.checkSystemPermission(context.getUsername(),
PrivilegeType.SYSTEM)) {
statement.setCanSeeAll(false);
return visitAuthorityInformation(statement, context);
} else {
@@ -268,31 +268,31 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus visitDeactivateTemplate(
DeactivateTemplateStatement statement, TreeAccessCheckContext context) {
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
public TSStatus visitUnsetSchemaTemplate(
UnsetSchemaTemplateStatement unsetSchemaTemplateStatement,
TreeAccessCheckContext context) {
- return checkSystemAuth(context.userName);
+ return checkSystemAuth(context.getUsername());
}
@Override
public TSStatus visitDropSchemaTemplate(
DropSchemaTemplateStatement dropSchemaTemplateStatement,
TreeAccessCheckContext context) {
- return checkSystemAuth(context.userName);
+ return checkSystemAuth(context.getUsername());
}
@Override
public TSStatus visitAlterSchemaTemplate(
AlterSchemaTemplateStatement alterSchemaTemplateStatement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)
+ AuthorityChecker.checkSystemPermission(context.getUsername(),
PrivilegeType.SYSTEM)
|| AuthorityChecker.checkSystemPermission(
- context.userName, PrivilegeType.EXTEND_TEMPLATE),
+ context.getUsername(), PrivilegeType.EXTEND_TEMPLATE),
PrivilegeType.SYSTEM);
}
@@ -311,20 +311,20 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (PartialPath path : paths) {
// audit db is read-only
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(true);
}
return SUCCEED;
}
- if (!checkHasGlobalAuth(context.userName, PrivilegeType.AUDIT)) {
+ if (!checkHasGlobalAuth(context.getUsername(), PrivilegeType.AUDIT)) {
statement.setCanSeeAuditDB(false);
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(false);
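Review bot: The audit-database guard calls `context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)`, which throws if the username is null, while the other checks in this file put the constant first (`AuthorityChecker.SUPER_USER.equals(context.getUsername())`). Since the name is now read through a caller-supplied UserEntity, the constant-first form is safer and still denies the write for a null name: `&& !AuthorityChecker.INTERNAL_AUDIT_USER.equals(context.getUsername())) {`. The same expression appears in the later hunk that handles RenameLogicalViewStatement (`@@ -405,12 +409,12 @@`). The enclosing method starts before this hunk and continues after it.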
@@ -335,17 +335,19 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
List<PartialPath> sourcePathList = statement.getSourcePaths().fullPathList;
if (sourcePathList != null) {
status =
- checkTimeSeriesPermission(context.userName, sourcePathList,
PrivilegeType.READ_SCHEMA);
+ checkTimeSeriesPermission(
+ context.getUsername(), sourcePathList,
PrivilegeType.READ_SCHEMA);
}
QueryStatement queryStatement = statement.getQueryStatement();
if (queryStatement != null && status.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
sourcePathList = queryStatement.getPaths();
status =
- checkTimeSeriesPermission(context.userName, sourcePathList,
PrivilegeType.READ_SCHEMA);
+ checkTimeSeriesPermission(
+ context.getUsername(), sourcePathList,
PrivilegeType.READ_SCHEMA);
}
if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
- return checkTimeSeriesPermission(context.userName, paths,
PrivilegeType.WRITE_SCHEMA);
+ return checkTimeSeriesPermission(context.getUsername(), paths,
PrivilegeType.WRITE_SCHEMA);
}
return status;
}
@@ -354,7 +356,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus visitDeleteLogicalView(
DeleteLogicalViewStatement statement, TreeAccessCheckContext context) {
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -366,14 +368,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitAlterLogicalView(
AlterLogicalViewStatement statement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(true);
}
return SUCCEED;
}
- if (!checkHasGlobalAuth(context.userName, PrivilegeType.AUDIT)) {
+ if (!checkHasGlobalAuth(context.getUsername(), PrivilegeType.AUDIT)) {
statement.setCanSeeAuditDB(false);
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(false);
@@ -384,18 +386,20 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
List<PartialPath> sourcePathList = statement.getSourcePaths().fullPathList;
if (sourcePathList != null) {
status =
- checkTimeSeriesPermission(context.userName, sourcePathList,
PrivilegeType.READ_SCHEMA);
+ checkTimeSeriesPermission(
+ context.getUsername(), sourcePathList,
PrivilegeType.READ_SCHEMA);
}
QueryStatement queryStatement = statement.getQueryStatement();
if (queryStatement != null && status.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
sourcePathList = queryStatement.getPaths();
status =
- checkTimeSeriesPermission(context.userName, sourcePathList,
PrivilegeType.READ_SCHEMA);
+ checkTimeSeriesPermission(
+ context.getUsername(), sourcePathList,
PrivilegeType.READ_SCHEMA);
}
if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
return checkTimeSeriesPermission(
- context.userName, statement.getTargetPathList(),
PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getTargetPathList(),
PrivilegeType.WRITE_SCHEMA);
}
return status;
}
@@ -405,12 +409,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
RenameLogicalViewStatement statement, TreeAccessCheckContext context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getNewName())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName,
+ context.getUsername(),
ImmutableList.of(statement.getOldName(), statement.getNewName()),
PrivilegeType.WRITE_SCHEMA);
}
@@ -422,63 +426,65 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
switch (authorType) {
case CREATE_USER:
case DROP_USER:
- return checkGlobalAuth(context.userName, PrivilegeType.MANAGE_USER);
+ return checkGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_USER);
case UPDATE_USER:
// users can change passwords of themselves
- if (statement.getUserName().equals(context.userName)) {
+ if (statement.getUserName().equals(context.getUsername())) {
return RpcUtils.SUCCESS_STATUS;
}
- return checkGlobalAuth(context.userName, PrivilegeType.MANAGE_USER);
+ return checkGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_USER);
case LIST_USER:
- if (checkHasGlobalAuth(context.userName, PrivilegeType.MANAGE_USER)) {
+ if (checkHasGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_USER)) {
return RpcUtils.SUCCESS_STATUS;
}
- statement.setUserName(context.userName);
+ statement.setUserName(context.getUsername());
return RpcUtils.SUCCESS_STATUS;
case LIST_USER_PRIVILEGE:
- if (context.userName.equals(statement.getUserName())) {
+ if (context.getUsername().equals(statement.getUserName())) {
return RpcUtils.SUCCESS_STATUS;
}
- return checkGlobalAuth(context.userName, PrivilegeType.MANAGE_USER);
+ return checkGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_USER);
case LIST_ROLE_PRIVILEGE:
- if (!AuthorityChecker.checkRole(context.userName,
statement.getRoleName())) {
- return checkGlobalAuth(context.userName, PrivilegeType.MANAGE_ROLE);
+ if (!AuthorityChecker.checkRole(context.getUsername(),
statement.getRoleName())) {
+ return checkGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_ROLE);
} else {
return SUCCEED;
}
case LIST_ROLE:
- if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_ROLE)) {
+ if (AuthorityChecker.checkSystemPermission(
+ context.getUsername(), PrivilegeType.MANAGE_ROLE)) {
return SUCCEED;
}
// list roles of other user is not allowed
- if (statement.getUserName() != null &&
!statement.getUserName().equals(context.userName)) {
+ if (statement.getUserName() != null
+ && !statement.getUserName().equals(context.getUsername())) {
return AuthorityChecker.getTSStatus(false,
PrivilegeType.MANAGE_ROLE);
}
- statement.setUserName(context.userName);
+ statement.setUserName(context.getUsername());
return RpcUtils.SUCCESS_STATUS;
case CREATE_ROLE:
case DROP_ROLE:
case GRANT_USER_ROLE:
case REVOKE_USER_ROLE:
- return checkGlobalAuth(context.userName, PrivilegeType.MANAGE_ROLE);
+ return checkGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_ROLE);
case REVOKE_USER:
case GRANT_USER:
case GRANT_ROLE:
case REVOKE_ROLE:
- if (checkHasGlobalAuth(context.userName, PrivilegeType.SECURITY)) {
+ if (checkHasGlobalAuth(context.getUsername(), PrivilegeType.SECURITY))
{
return RpcUtils.SUCCESS_STATUS;
}
for (String s : statement.getPrivilegeList()) {
PrivilegeType privilegeType = PrivilegeType.valueOf(s.toUpperCase());
if (privilegeType.isSystemPrivilege()) {
- if (!checkHasGlobalAuth(context.userName, privilegeType)) {
+ if (!checkHasGlobalAuth(context.getUsername(), privilegeType)) {
return AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
@@ -487,7 +493,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
}
} else if (privilegeType.isPathPrivilege()) {
if (!AuthorityChecker.checkPathPermissionGrantOption(
- context.userName, privilegeType, statement.getNodeNameList()))
{
+ context.getUsername(), privilegeType,
statement.getNodeNameList())) {
return AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
@@ -509,19 +515,19 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCreateContinuousQuery(
CreateContinuousQueryStatement statement, TreeAccessCheckContext
context) {
- return checkCQManagement(context.userName);
+ return checkCQManagement(context.getUsername());
}
@Override
public TSStatus visitDropContinuousQuery(
DropContinuousQueryStatement statement, TreeAccessCheckContext context) {
- return checkCQManagement(context.userName);
+ return checkCQManagement(context.getUsername());
}
@Override
public TSStatus visitShowContinuousQueries(
ShowContinuousQueriesStatement statement, TreeAccessCheckContext
context) {
- return checkCQManagement(context.userName);
+ return checkCQManagement(context.getUsername());
}
private TSStatus checkCQManagement(String userName) {
@@ -535,13 +541,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCreateFunction(
CreateFunctionStatement statement, TreeAccessCheckContext context) {
- return checkUDFManagement(context.userName);
+ return checkUDFManagement(context.getUsername());
}
@Override
public TSStatus visitDropFunction(
DropFunctionStatement statement, TreeAccessCheckContext context) {
- return checkUDFManagement(context.userName);
+ return checkUDFManagement(context.getUsername());
}
@Override
@@ -558,12 +564,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// =================================== model related
====================================
@Override
public TSStatus visitCreateModel(CreateModelStatement statement,
TreeAccessCheckContext context) {
- return checkModelManagement(context.userName);
+ return checkModelManagement(context.getUsername());
}
@Override
public TSStatus visitDropModel(DropModelStatement statement,
TreeAccessCheckContext context) {
- return checkModelManagement(context.userName);
+ return checkModelManagement(context.getUsername());
}
@Override
@@ -579,51 +585,51 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCreatePipePlugin(
CreatePipePluginStatement statement, TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitDropPipePlugin(
DropPipePluginStatement statement, TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitShowPipePlugins(
ShowPipePluginsStatement statement, TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
// =============================== pipe related
========================================
@Override
public TSStatus visitCreatePipe(CreatePipeStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitShowPipes(ShowPipesStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitDropPipe(DropPipeStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitAlterPipe(AlterPipeStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitStartPipe(StartPipeStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitStopPipe(StopPipeStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
private TSStatus checkPipeManagement(String userName) {
@@ -634,29 +640,29 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCreateTopic(CreateTopicStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitShowTopics(ShowTopicsStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitDropTopic(DropTopicStatement statement,
TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitShowSubscriptions(
ShowSubscriptionsStatement statement, TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
@Override
public TSStatus visitDropSubscription(
DropSubscriptionStatement statement, TreeAccessCheckContext context) {
- return checkPipeManagement(context.userName);
+ return checkPipeManagement(context.getUsername());
}
// ======================= trigger related ================================
@@ -667,18 +673,18 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
- return checkTriggerManagement(context.userName);
+ return checkTriggerManagement(context.getUsername());
}
@Override
public TSStatus visitDropTrigger(DropTriggerStatement statement,
TreeAccessCheckContext context) {
- return checkTriggerManagement(context.userName);
+ return checkTriggerManagement(context.getUsername());
}
@Override
public TSStatus visitShowTriggers(
ShowTriggersStatement statement, TreeAccessCheckContext context) {
- return checkTriggerManagement(context.userName);
+ return checkTriggerManagement(context.getUsername());
}
private TSStatus checkTriggerManagement(String userName) {
@@ -695,33 +701,33 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitSetDatabase(
DatabaseSchemaStatement statement, TreeAccessCheckContext context) {
- return checkCreateOrAlterDatabasePermission(context.userName,
statement.getDatabasePath());
+ return checkCreateOrAlterDatabasePermission(context.getUsername(),
statement.getDatabasePath());
}
@Override
public TSStatus visitAlterDatabase(
DatabaseSchemaStatement databaseSchemaStatement, TreeAccessCheckContext
context) {
return checkCreateOrAlterDatabasePermission(
- context.userName, databaseSchemaStatement.getDatabasePath());
+ context.getUsername(), databaseSchemaStatement.getDatabasePath());
}
@Override
public TSStatus visitShowStorageGroup(
ShowDatabaseStatement showDatabaseStatement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
- setCanSeeAuditDB(showDatabaseStatement, context.userName);
+ setCanSeeAuditDB(showDatabaseStatement, context.getUsername());
return checkShowOrCountDatabasePermission(showDatabaseStatement, context);
}
@Override
public TSStatus visitCountStorageGroup(
CountDatabaseStatement countDatabaseStatement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
- setCanSeeAuditDB(countDatabaseStatement, context.userName);
+ setCanSeeAuditDB(countDatabaseStatement, context.getUsername());
return checkShowOrCountDatabasePermission(countDatabaseStatement, context);
}
@@ -735,13 +741,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)
+ AuthorityChecker.checkSystemPermission(context.getUsername(),
PrivilegeType.SYSTEM)
|| AuthorityChecker.checkSystemPermission(
- context.userName, PrivilegeType.MANAGE_DATABASE),
+ context.getUsername(), PrivilegeType.MANAGE_DATABASE),
PrivilegeType.SYSTEM);
}
@@ -766,7 +772,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AuthorityInformationStatement statement, TreeAccessCheckContext context)
{
// own SYSTEM/MAINTAIN can see all except for root.__audit, otherwise can
only see PATHS that
// user has READ_SCHEMA auth
- if (!checkHasGlobalAuth(context.userName, PrivilegeType.MANAGE_DATABASE)) {
+ if (!checkHasGlobalAuth(context.getUsername(),
PrivilegeType.MANAGE_DATABASE)) {
return visitAuthorityInformation(statement, context);
} else {
return SUCCEED;
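Review bot: The comment above this check says holders of SYSTEM/MAINTAIN can see everything except root.__audit, but the condition tests `PrivilegeType.MANAGE_DATABASE`, so the comment and the authorization decision disagree. This branch chooses between an unrestricted `SUCCEED` and the path-scoped `visitAuthorityInformation`, so it is worth confirming which privilege is intended and correcting the other side. If the code is right, the comment could read `// users with MANAGE_DATABASE can see all except for root.__audit; otherwise only paths the user has READ_SCHEMA on`. The enclosing method starts above this hunk and continues below it.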
@@ -780,17 +786,17 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (PartialPath path : statement.getDevicePaths()) {
// audit db is read-only
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
return checkTimeSeriesPermission(
- context.userName,
+ context.getUsername(),
statement.getPaths().stream().distinct().collect(Collectors.toList()),
PrivilegeType.WRITE_DATA);
}
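Review bot: The audit-database guard calls `equals` on the value returned by `context.getUsername()`, while the super-user check a few lines below is written constant-first. If the getter can return null (its definition is outside this hunk), the guard throws instead of denying. Writing it as `&& !AuthorityChecker.INTERNAL_AUDIT_USER.equals(context.getUsername())` keeps the check fail-closed and matches the `SUPER_USER` comparisons. The same expression recurs in the later hunks that guard writes to the audit database, for example visitInsert and the CreateTimeSeriesStatement and AlterTimeSeriesStatement visitors, so a small private helper holding the guard would keep the copies from drifting apart. The enclosing method starts above this hunk.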
@@ -799,12 +805,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus visitInsert(InsertStatement statement,
TreeAccessCheckContext context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevice())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_DATA);
+ context.getUsername(), statement.getPaths(), PrivilegeType.WRITE_DATA);
}
@Override
@@ -818,25 +824,25 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (PartialPath path : statement.getPaths()) {
// audit db is read-only
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_DATA);
+ context.getUsername(), statement.getPaths(), PrivilegeType.WRITE_DATA);
}
@Override
public TSStatus visitQuery(QueryStatement statement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(statement, context.userName);
+ setCanSeeAuditDB(statement, context.getUsername());
try {
statement.setAuthorityScope(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_DATA));
+ AuthorityChecker.getAuthorizedPathTree(context.getUsername(),
PrivilegeType.READ_DATA));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
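Review bot: In visitQuery the `catch (AuthException e)` branch returns a `TSStatus` carrying only the status code, so within the visible lines the reason the authorized path tree could not be loaded is neither passed to the caller nor logged. Consider `return new TSStatus(e.getCode().getStatusCode()).setMessage(e.getMessage());`, or logging the exception before returning, so a failed authorization lookup can be diagnosed and audited. The same catch block appears in the later hunks for visitShowTimeSeries, visitCountTimeSeries, visitShowDevices and visitCountDevices. visitQuery continues past the end of this hunk.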
@@ -866,12 +872,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
CreateTimeSeriesStatement statement, TreeAccessCheckContext context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getPath())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -879,12 +885,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
CreateAlignedTimeSeriesStatement statement, TreeAccessCheckContext
context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevicePath())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -893,14 +899,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
for (PartialPath path : statement.getPaths()) {
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -909,13 +915,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
for (PartialPath path : statement.getDeviceMap().keySet()) {
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -923,28 +929,30 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
InternalCreateTimeSeriesStatement statement, TreeAccessCheckContext
context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevicePath())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
public TSStatus visitShowTimeSeries(
ShowTimeSeriesStatement statement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(statement, context.userName);
+ setCanSeeAuditDB(statement, context.getUsername());
if (statement.hasTimeCondition()) {
try {
statement.setAuthorityScope(
PathPatternTreeUtils.intersectWithFullPathPrefixTree(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_SCHEMA),
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_DATA)));
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_SCHEMA),
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
@@ -957,17 +965,19 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCountTimeSeries(
CountTimeSeriesStatement statement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(statement, context.userName);
+ setCanSeeAuditDB(statement, context.getUsername());
if (statement.hasTimeCondition()) {
try {
statement.setAuthorityScope(
PathPatternTreeUtils.intersectWithFullPathPrefixTree(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_SCHEMA),
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_DATA)));
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_SCHEMA),
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
@@ -980,44 +990,44 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCountLevelTimeSeries(
CountLevelTimeSeriesStatement countStatement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
countStatement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(countStatement, context.userName);
+ setCanSeeAuditDB(countStatement, context.getUsername());
return visitAuthorityInformation(countStatement, context);
}
@Override
public TSStatus visitCountNodes(
CountNodesStatement countStatement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
countStatement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(countStatement, context.userName);
+ setCanSeeAuditDB(countStatement, context.getUsername());
return visitAuthorityInformation(countStatement, context);
}
@Override
public TSStatus visitShowChildNodes(
ShowChildNodesStatement showChildNodesStatement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
showChildNodesStatement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(showChildNodesStatement, context.userName);
+ setCanSeeAuditDB(showChildNodesStatement, context.getUsername());
return visitAuthorityInformation(showChildNodesStatement, context);
}
@Override
public TSStatus visitShowChildPaths(
ShowChildPathsStatement showChildPathsStatement, TreeAccessCheckContext
context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
showChildPathsStatement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(showChildPathsStatement, context.userName);
+ setCanSeeAuditDB(showChildPathsStatement, context.getUsername());
return visitAuthorityInformation(showChildPathsStatement, context);
}
@@ -1026,12 +1036,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AlterTimeSeriesStatement statement, TreeAccessCheckContext context) {
// audit db is read-only
if (includeByAuditTreeDB(statement.getPath())
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
@Override
@@ -1040,56 +1050,56 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
for (PartialPath path : statement.getPathPatternList()) {
if (includeByAuditTreeDB(path)
- && !context.userName.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ &&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
return checkTimeSeriesPermission(
- context.userName, statement.getPaths(), PrivilegeType.WRITE_SCHEMA);
+ context.getUsername(), statement.getPaths(),
PrivilegeType.WRITE_SCHEMA);
}
// ================================== maintain related
=============================
@Override
public TSStatus visitExtendRegion(
ExtendRegionStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitGetRegionId(GetRegionIdStatement statement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitGetSeriesSlotList(
GetSeriesSlotListStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitGetTimeSlotList(
GetTimeSlotListStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitCountTimeSlotList(
CountTimeSlotListStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitKillQuery(KillQueryStatement statement,
TreeAccessCheckContext context) {
- if (checkHasGlobalAuth(context.userName, PrivilegeType.MAINTAIN)) {
- statement.setAllowedUsername(context.userName);
+ if (checkHasGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN)) {
+ statement.setAllowedUsername(context.getUsername());
}
return SUCCEED;
}
@Override
public TSStatus visitFlush(FlushStatement flushStatement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
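Review bot: In visitKillQuery the caller's name is passed to `statement.setAllowedUsername(...)` only when `checkHasGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN)` is true, and every caller then receives `SUCCEED`. If `setAllowedUsername` is what limits the statement to the caller's own queries (its definition is not visible here), the condition looks inverted, because a user without MAINTAIN would be left unrestricted. The guard would then read `if (!checkHasGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN)) {`. visitShowQueries in a later hunk has the same shape. Please confirm the intended semantics; a one-line comment on the branch stating who is restricted to their own queries would make the rule explicit.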
@@ -1098,7 +1108,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
try {
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkUserMissingSystemPermissions(
- context.userName,
setConfigurationStatement.getNeededPrivileges()));
+ context.getUsername(),
setConfigurationStatement.getNeededPrivileges()));
} catch (IOException e) {
return AuthorityChecker.getTSStatus(false, "Failed to check config item
permission");
}
@@ -1107,61 +1117,61 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitSetSystemStatus(
SetSystemStatusStatement setSystemStatusStatement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitStartRepairData(
StartRepairDataStatement startRepairDataStatement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitStopRepairData(
StopRepairDataStatement stopRepairDataStatement, TreeAccessCheckContext
context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitClearCache(
ClearCacheStatement clearCacheStatement, TreeAccessCheckContext context)
{
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitMigrateRegion(
MigrateRegionStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitReconstructRegion(
ReconstructRegionStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitRemoveAINode(
RemoveAINodeStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitRemoveConfigNode(
RemoveConfigNodeStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitRemoveDataNode(
RemoveDataNodeStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitRemoveRegion(
RemoveRegionStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
@@ -1172,24 +1182,24 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowAINodes(ShowAINodesStatement statement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitShowClusterId(
ShowClusterIdStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitShowCluster(ShowClusterStatement statement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitShowConfigNodes(
ShowConfigNodesStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
@@ -1207,61 +1217,61 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowDataNodes(
ShowDataNodesStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitShowQueries(ShowQueriesStatement statement,
TreeAccessCheckContext context) {
- if (checkHasGlobalAuth(context.userName, PrivilegeType.MAINTAIN)) {
- statement.setAllowedUsername(context.userName);
+ if (checkHasGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN)) {
+ statement.setAllowedUsername(context.getUsername());
}
return SUCCEED;
}
@Override
public TSStatus visitShowRegion(ShowRegionStatement statement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitSetSpaceQuota(
SetSpaceQuotaStatement setSpaceQuotaStatement, TreeAccessCheckContext
context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitSetThrottleQuota(
SetThrottleQuotaStatement setThrottleQuotaStatement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitShowThrottleQuota(
ShowThrottleQuotaStatement showThrottleQuotaStatement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitShowSpaceQuota(
ShowSpaceQuotaStatement showSpaceQuotaStatement, TreeAccessCheckContext
context) {
- return checkGlobalAuth(context.userName, PrivilegeType.SYSTEM);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM);
}
@Override
public TSStatus visitShowVariables(
ShowVariablesStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitShowVersion(ShowVersionStatement statement,
TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
public TSStatus visitTestConnection(
TestConnectionStatement statement, TreeAccessCheckContext context) {
- return checkGlobalAuth(context.userName, PrivilegeType.MAINTAIN);
+ return checkGlobalAuth(context.getUsername(), PrivilegeType.MAINTAIN);
}
@Override
@@ -1289,7 +1299,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
pathsNotEndWithMultiLevelWildcard[i] = true;
}
}
- if (checkHasGlobalAuth(context.userName, PrivilegeType.SYSTEM)) {
+ if (checkHasGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM)) {
return SUCCEED;
}
@@ -1308,14 +1318,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
}
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkFullPathOrPatternListPermission(
- context.userName, pathsForCheckingPermissions,
PrivilegeType.WRITE_SCHEMA),
+ context.getUsername(), pathsForCheckingPermissions,
PrivilegeType.WRITE_SCHEMA),
pathsForCheckingPermissions,
PrivilegeType.WRITE_SCHEMA);
}
@Override
public TSStatus visitShowTTL(ShowTTLStatement showTTLStatement,
TreeAccessCheckContext context) {
- if (checkHasGlobalAuth(context.userName, PrivilegeType.SYSTEM)) {
+ if (checkHasGlobalAuth(context.getUsername(), PrivilegeType.SYSTEM)) {
return SUCCEED;
}
for (PartialPath path : showTTLStatement.getPaths()) {
@@ -1323,7 +1333,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
continue;
}
if (!AuthorityChecker.checkFullPathOrPatternPermission(
- context.userName,
+ context.getUsername(),
path.concatNode(IoTDBConstant.MULTI_LEVEL_PATH_WILDCARD),
PrivilegeType.READ_SCHEMA)) {
return AuthorityChecker.getTSStatus(false, path,
PrivilegeType.READ_SCHEMA);
@@ -1341,17 +1351,19 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// ================================= device related
=============================
@Override
public TSStatus visitShowDevices(ShowDevicesStatement statement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
return SUCCEED;
}
- setCanSeeAuditDB(statement, context.userName);
+ setCanSeeAuditDB(statement, context.getUsername());
if (statement.hasTimeCondition()) {
try {
statement.setAuthorityScope(
PathPatternTreeUtils.intersectWithFullPathPrefixTree(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_SCHEMA),
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_DATA)));
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_SCHEMA),
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
@@ -1364,16 +1376,18 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCountDevices(
CountDevicesStatement statement, TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
return SUCCEED;
}
- setCanSeeAuditDB(statement, context.userName);
+ setCanSeeAuditDB(statement, context.getUsername());
if (statement.hasTimeCondition()) {
try {
statement.setAuthorityScope(
PathPatternTreeUtils.intersectWithFullPathPrefixTree(
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_SCHEMA),
- AuthorityChecker.getAuthorizedPathTree(context.userName,
PrivilegeType.READ_DATA)));
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_SCHEMA),
+ AuthorityChecker.getAuthorizedPathTree(
+ context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
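Review bot: The super-user branch of visitCountDevices returns `SUCCEED` without calling `statement.setCanSeeAuditDB(true)`, whereas visitShowDevices in the previous hunk and the time-series show/count visitors set the flag before returning. If the flag defaults to false (not visible here), a device count issued by the super user would leave out the audit database while the matching show statement includes it. Adding `statement.setCanSeeAuditDB(true);` before `return SUCCEED;` would align the two. The method continues past the end of this hunk.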