This is an automated email from the ASF dual-hosted git repository. shuwenwei pushed a commit to branch rejectGrantOrRevokeAuthorStatementOnAuditDB in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit b3fab6b10ec9e29d97a5e2b9fb029b956c192671 Author: shuwenwei <[email protected]> AuthorDate: Mon Oct 20 18:44:33 2025 +0800 reject grant/revoke author statement on audit database --- .../org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 38 ++++++++++++++++++++++ .../iotdb/db/it/auth/IoTDBRelationalAuthIT.java | 37 +++++++++++++++++++++ .../sql/ast/RelationalAuthorStatement.java | 11 +++++++ .../plan/statement/sys/AuthorStatement.java | 6 ++++ 4 files changed, 92 insertions(+) diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java index bef61a4b72d..bc77f5d3947 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java @@ -1678,4 +1678,42 @@ public class IoTDBAuthIT { fail(e.getMessage()); } } + + @Test + public void testAudit() { + try (Connection connection = EnvFactory.getEnv().getConnection(); + Statement statement = connection.createStatement()) { + try { + statement.execute("grant read_data on root.__audit to user user2"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to root.__audit", + e.getMessage()); + } + try { + statement.execute("revoke read_data on root.__audit from user user2"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to root.__audit", + e.getMessage()); + } + try { + statement.execute("grant read_data on root.__audit to role role1"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to root.__audit", + e.getMessage()); + } + try { + statement.execute("revoke read_data on root.__audit from role role1"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to root.__audit", + e.getMessage()); + } + } catch (SQLException e) { + e.printStackTrace(); + fail(e.getMessage()); + } + } } diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java index d3e05027cc1..5c8420752da 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java @@ -568,4 +568,41 @@ public class IoTDBRelationalAuthIT { } } } + + @Test + public void testAudit() throws SQLException { + try (Connection adminCon = EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT); + Statement adminStmt = adminCon.createStatement()) { + try { + adminStmt.execute("grant select on database __audit to user user2"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage()); + } + try { + adminStmt.execute("grant select on table __audit.t1 to user user2"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage()); + } + try { + adminStmt.execute("revoke select on table __audit.t1 from user user2"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage()); + } + try { + adminStmt.execute("grant select on table __audit.t1 to role role1"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage()); + } + try { + adminStmt.execute("revoke select on table __audit.t1 from role role1"); + } catch (SQLException e) { + assertEquals( + "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage()); + } + } + } } diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java index 16f38b9c684..d4a0d939854 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java @@ -20,6 +20,7 @@ package org.apache.iotdb.db.queryengine.plan.relational.sql.ast; import org.apache.iotdb.common.rpc.thrift.TSStatus; import org.apache.iotdb.commons.auth.entity.PrivilegeType; +import org.apache.iotdb.commons.schema.table.Audit; import org.apache.iotdb.commons.schema.table.InformationSchema; import org.apache.iotdb.commons.utils.AuthUtils; import org.apache.iotdb.commons.utils.CommonDateTimeUtils; @@ -423,6 +424,11 @@ public class RelationalAuthorStatement extends Statement { return AuthorityChecker.getTSStatus( false, "Cannot grant or revoke any privileges to information_schema"); } + if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) { + return AuthorityChecker.getTSStatus( + false, + "Cannot grant or revoke any privileges to " + Audit.TABLE_MODEL_AUDIT_DATABASE); + } break; case GRANT_USER_TB: case GRANT_ROLE_TB: @@ -436,6 +442,11 @@ public class RelationalAuthorStatement extends Statement { return AuthorityChecker.getTSStatus( false, "Cannot grant or revoke any privileges to information_schema"); } + if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) { + return AuthorityChecker.getTSStatus( + false, + "Cannot grant or revoke any privileges to " + Audit.TABLE_MODEL_AUDIT_DATABASE); + } break; default: break; diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java index a972ddea232..faf0db5391f 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java @@ -21,6 +21,7 @@ package org.apache.iotdb.db.queryengine.plan.statement.sys; import org.apache.iotdb.common.rpc.thrift.TSStatus; import org.apache.iotdb.commons.path.PartialPath; +import org.apache.iotdb.commons.schema.table.Audit; import org.apache.iotdb.commons.utils.AuthUtils; import org.apache.iotdb.commons.utils.CommonDateTimeUtils; import org.apache.iotdb.db.auth.AuthorityChecker; @@ -340,6 +341,11 @@ public class AuthorStatement extends Statement implements IConfigStatement { return AuthorityChecker.getTSStatus( false, "Cannot grant/revoke privileges of admin user"); } + List<PartialPath> paths = getNodeNameList(); + if (paths.stream().anyMatch(Audit::includeByAuditTreeDB)) { + return AuthorityChecker.getTSStatus( + false, "Cannot grant or revoke any privileges to " + Audit.TREE_MODEL_AUDIT_DATABASE); + } break; } return RpcUtils.SUCCESS_STATUS;
