This is an automated email from the ASF dual-hosted git repository. shuwenwei pushed a commit to branch fixGrantOption in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit e3ca8e9d3e1be9785dde9e1dbacc6715cd00b146
Author: shuwenwei <[email protected]>
AuthorDate: Mon Dec 1 18:03:46 2025 +0800
fix check of grant option for tree model
---
.../java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 14 ++++++++++++++
.../plan/relational/security/TreeAccessCheckVisitor.java | 15 +++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index 24204320f75..441dd1fdb5c 100644
--- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -981,6 +981,8 @@ public class IoTDBAuthIT {
 adminStmt.execute("CREATE USER user1 'password123456'");
 adminStmt.execute("CREATE USER user2 'password123456'");
 adminStmt.execute("CREATE USER user3 'password123456'");
+ adminStmt.execute("CREATE USER user4 'password123456'");
+ adminStmt.execute("CREATE USER user5 'password123456'");
 adminStmt.execute("CREATE ROLE testRole");
 adminStmt.execute("GRANT system ON root.** TO ROLE testRole WITH GRANT OPTION");
 adminStmt.execute("GRANT READ_DATA ON root.t1.** TO ROLE testRole");
@@ -1095,6 +1097,18 @@ public class IoTDBAuthIT {
 }
 }
+ try (Connection userCon = EnvFactory.getEnv().getConnection("user4", "password123456");
+ Statement userStmt = userCon.createStatement()) {
+ adminStmt.execute("GRANT SYSTEM ON root.** TO USER user4");
+ try {
+ Assert.assertThrows(
+ SQLException.class, () -> userStmt.execute("GRANT SYSTEM ON root.** TO USER user5"));
+ adminStmt.execute("GRANT SYSTEM ON root.** TO USER user5");
+ } finally {
+ userStmt.close();
+ }
+ }
+ adminStmt.close();
 }
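Review bot: In the `@@ -1095` hunk the inner `try { … } finally { userStmt.close(); }` is redundant: `userStmt` is a resource of the enclosing `try (…)` and is closed when that block exits, so the body can be flattened to the `assertThrows` call followed by the admin grant. The `adminStmt.execute("GRANT SYSTEM ON root.** TO USER user5")` after the assertion passes only by not throwing; if it is there to show that the administrator's grant path is unaffected by the new check, a comment such as `// admin grant still succeeds; only user4's re-grant without GRANT OPTION is rejected` would make the intent explicit. This hunk covers only the negative case (a grantee holding SYSTEM without GRANT OPTION cannot re-grant it); the positive case for a holder of `WITH GRANT OPTION` (testRole is set up that way in the `@@ -981` hunk) may be exercised elsewhere in the method, which lies outside the hunk. The `@@ -981` hunk is fixture setup and needs no comment.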
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 89daafccfbb..86f4dce2b84 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -643,7 +643,7 @@ public class TreeAccessCheckVisitor extends StatementVisitor<TSStatus, TreeAcces
 for (String s : statement.getPrivilegeList()) {
 PrivilegeType privilegeType = PrivilegeType.valueOf(s.toUpperCase());
 if (privilegeType.isSystemPrivilege()) {
- if (!checkHasGlobalAuth(context, privilegeType, auditObject)) {
+ if (!checkHasGlobalAuth(context, privilegeType, auditObject, true)) {
 return AuthorityChecker.getTSStatus(
 false,
 "Has no permission to execute "
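Review bot: Only the `isSystemPrivilege()` branch now passes `true` for the grant-option check; the remainder of the loop body — the branch for non-system (path) privileges — and the method header are outside the hunk, so whether object privileges are held to the same WITH GRANT OPTION requirement on this path cannot be confirmed here and is worth checking, since the new IT exercises only `GRANT SYSTEM`. A reader of the call site also cannot tell what the bare `true` means; a comment, `// granting requires the caller to hold the privilege WITH GRANT OPTION, not merely the privilege`, or a named local `final boolean requireGrantOption = true;` passed in its place would make it self-explanatory. The hunk does not show which statement types reach this loop; if REVOKE is routed through the same method, confirm the grant-option requirement is intended for it as well.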
@@ -1932,13 +1932,24 @@ public class TreeAccessCheckVisitor extends StatementVisitor<TSStatus, TreeAcces
 protected boolean checkHasGlobalAuth(
 IAuditEntity context, PrivilegeType requiredPrivilege, Supplier<String> auditObject) {
+ return checkHasGlobalAuth(context, requiredPrivilege, auditObject, false);
+ }
+
+ protected boolean checkHasGlobalAuth(
+ IAuditEntity context,
+ PrivilegeType requiredPrivilege,
+ Supplier<String> auditObject,
+ boolean checkGrantOption) {
 if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
 recordObjectAuthenticationAuditLog(
 context.setPrivilegeType(requiredPrivilege).setResult(true), auditObject);
 return true;
 }
 boolean result =
- AuthorityChecker.checkSystemPermission(context.getUsername(), requiredPrivilege);
+ checkGrantOption
+ ? AuthorityChecker.checkSystemPermissionGrantOption(
+ context.getUsername(), requiredPrivilege)
+ : AuthorityChecker.checkSystemPermission(context.getUsername(), requiredPrivilege);
 recordObjectAuthenticationAuditLog(
 context.setPrivilegeType(requiredPrivilege).setResult(result), auditObject);
 return result;
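Review bot: The new four-argument `checkHasGlobalAuth` overload has no Javadoc, and its `boolean checkGrantOption` flag changes what is being authorized, so it should say so: `/** Returns whether the caller holds {@code requiredPrivilege} globally; when {@code checkGrantOption} is true the caller must hold it WITH GRANT OPTION. The super user always passes; the outcome is audit-logged either way. */`. The audit entry written on both paths records only `requiredPrivilege` and `result`, so a denial because the grant option is missing is logged identically to a denial because the privilege itself is missing; if `IAuditEntity` (not visible here) can carry that distinction, or the `auditObject` supplier can name it, someone reviewing the audit log could tell the two apart. The three-argument overload delegating with `false` keeps existing callers' behaviour unchanged. The method's closing brace is outside the hunk.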
