This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 25c86c26a69 reject grant/revoke author statement on audit database
25c86c26a69 is described below
commit 25c86c26a69729100878526e022eee5d29b0da9c
Author: shuwenwei <[email protected]>
AuthorDate: Mon Oct 27 09:40:02 2025 +0800
reject grant/revoke author statement on audit database
---
.../org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 38 ++++++++++++++++++++++
.../iotdb/db/it/auth/IoTDBRelationalAuthIT.java | 37 +++++++++++++++++++++
.../sql/ast/RelationalAuthorStatement.java | 11 +++++++
.../plan/statement/sys/AuthorStatement.java | 6 ++++
4 files changed, 92 insertions(+)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index bef61a4b72d..bc77f5d3947 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -1678,4 +1678,42 @@ public class IoTDBAuthIT {
fail(e.getMessage());
}
}
+
+ @Test
+ public void testAudit() {
+ try (Connection connection = EnvFactory.getEnv().getConnection();
+ Statement statement = connection.createStatement()) {
+ try {
+ statement.execute("grant read_data on root.__audit to user user2");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
root.__audit",
+ e.getMessage());
+ }
+ try {
+ statement.execute("revoke read_data on root.__audit from user user2");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
root.__audit",
+ e.getMessage());
+ }
+ try {
+ statement.execute("grant read_data on root.__audit to role role1");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
root.__audit",
+ e.getMessage());
+ }
+ try {
+ statement.execute("revoke read_data on root.__audit from role role1");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
root.__audit",
+ e.getMessage());
+ }
+ } catch (SQLException e) {
+ e.printStackTrace();
+ fail(e.getMessage());
+ }
+ }
}
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
index d3e05027cc1..5c8420752da 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java
@@ -568,4 +568,41 @@ public class IoTDBRelationalAuthIT {
}
}
}
+
+ @Test
+ public void testAudit() throws SQLException {
+ try (Connection adminCon =
EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
+ Statement adminStmt = adminCon.createStatement()) {
+ try {
+ adminStmt.execute("grant select on database __audit to user user2");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
__audit", e.getMessage());
+ }
+ try {
+ adminStmt.execute("grant select on table __audit.t1 to user user2");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
__audit", e.getMessage());
+ }
+ try {
+ adminStmt.execute("revoke select on table __audit.t1 from user user2");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
__audit", e.getMessage());
+ }
+ try {
+ adminStmt.execute("grant select on table __audit.t1 to role role1");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
__audit", e.getMessage());
+ }
+ try {
+ adminStmt.execute("revoke select on table __audit.t1 from role role1");
+ } catch (SQLException e) {
+ assertEquals(
+ "803: Access Denied: Cannot grant or revoke any privileges to
__audit", e.getMessage());
+ }
+ }
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
index 16f38b9c684..d4a0d939854 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
@@ -20,6 +20,7 @@ package
org.apache.iotdb.db.queryengine.plan.relational.sql.ast;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.schema.table.Audit;
import org.apache.iotdb.commons.schema.table.InformationSchema;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
@@ -423,6 +424,11 @@ public class RelationalAuthorStatement extends Statement {
return AuthorityChecker.getTSStatus(
false, "Cannot grant or revoke any privileges to
information_schema");
}
+ if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) {
+ return AuthorityChecker.getTSStatus(
+ false,
+ "Cannot grant or revoke any privileges to " +
Audit.TABLE_MODEL_AUDIT_DATABASE);
+ }
break;
case GRANT_USER_TB:
case GRANT_ROLE_TB:
@@ -436,6 +442,11 @@ public class RelationalAuthorStatement extends Statement {
return AuthorityChecker.getTSStatus(
false, "Cannot grant or revoke any privileges to
information_schema");
}
+ if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) {
+ return AuthorityChecker.getTSStatus(
+ false,
+ "Cannot grant or revoke any privileges to " +
Audit.TABLE_MODEL_AUDIT_DATABASE);
+ }
break;
default:
break;
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
index a972ddea232..faf0db5391f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
@@ -21,6 +21,7 @@ package org.apache.iotdb.db.queryengine.plan.statement.sys;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.commons.schema.table.Audit;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
import org.apache.iotdb.db.auth.AuthorityChecker;
@@ -340,6 +341,11 @@ public class AuthorStatement extends Statement implements
IConfigStatement {
return AuthorityChecker.getTSStatus(
false, "Cannot grant/revoke privileges of admin user");
}
+ List<PartialPath> paths = getNodeNameList();
+ if (paths.stream().anyMatch(Audit::includeByAuditTreeDB)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant or revoke any privileges to " +
Audit.TREE_MODEL_AUDIT_DATABASE);
+ }
break;
}
return RpcUtils.SUCCESS_STATUS;
