jiangtian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 44409934426 Avoid CN OOM by Pulling User/Roles to DN When Cache
Misses. (#16888)
44409934426 is described below
commit 44409934426cf9d786669b98996a9cc1edf5c4ab
Author: wenyanshi-123 <[email protected]>
AuthorDate: Mon Dec 15 09:47:17 2025 +0800
Avoid CN OOM by Pulling User/Roles to DN When Cache Misses. (#16888)
* Fix OOM problem for PIPE.
* Fix IT.
* Fix potential NPE.
---------
Co-authored-by: shiwenyan <[email protected]>
---
.../iotdb/db/auth/ClusterAuthorityFetcher.java | 59 +++++++++-------------
1 file changed, 25 insertions(+), 34 deletions(-)
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index b7b3815caca..2894ce8bb47 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -167,37 +167,37 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
@Override
public List<Integer> checkUserPathPrivileges(
String username, List<? extends PartialPath> allPath, PrivilegeType
permission) {
- checkCacheAvailable();
List<Integer> posList = new ArrayList<>();
- User user = iAuthorCache.getUserCache(username);
- if (user != null) {
- if (user.isOpenIdUser()) {
- return posList;
- }
- int pos = 0;
- for (PartialPath path : allPath) {
- if (!user.checkPathPrivilege(path, permission)) {
- boolean checkFromRole = false;
- for (String rolename : user.getRoleSet()) {
- Role cachedRole = iAuthorCache.getRoleCache(rolename);
- if (cachedRole == null) {
- return checkPathFromConfigNode(username, allPath, permission);
- }
- if (cachedRole.checkPathPrivilege(path, permission)) {
- checkFromRole = true;
- break;
- }
+ if (username.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ return posList;
+ }
+ checkCacheAvailable();
+ User user = getUser(username);
+ if (user.isOpenIdUser()) {
+ return posList;
+ }
+ int pos = 0;
+ for (PartialPath path : allPath) {
+ if (!user.checkPathPrivilege(path, permission)) {
+ boolean checkFromRole = false;
+ for (String rolename : user.getRoleSet()) {
+ Role cachedRole = iAuthorCache.getRoleCache(rolename);
+ if (cachedRole == null) {
+ checkRoleFromConfigNode(username, rolename);
+ cachedRole = iAuthorCache.getRoleCache(rolename);
}
- if (!checkFromRole) {
- posList.add(pos);
+ if (cachedRole != null && cachedRole.checkPathPrivilege(path,
permission)) {
+ checkFromRole = true;
+ break;
}
}
- pos++;
+ if (!checkFromRole) {
+ posList.add(pos);
+ }
}
- return posList;
- } else {
- return checkPathFromConfigNode(username, allPath, permission);
+ pos++;
}
+ return posList;
}
@Override
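Review bot: `getUser(username)` is dereferenced immediately by `user.isOpenIdUser()`, whereas the removed code treated a null user as a cache miss and fell back to the ConfigNode; `getUser` is not visible in this hunk, so if it can return null (unknown user, failed fetch) this authorization check ends in a NullPointerException instead of a defined result. A fail-closed guard that reports every position in `allPath` as lacking the privilege keeps the return contract, as sketched below. The early return for `AuthorityChecker.INTERNAL_AUDIT_USER` approves every path on the username string alone and runs before `checkCacheAvailable()`, so it deserves a comment stating that the name is reserved and cannot be created or presented by a client session, and `AuthorityChecker.INTERNAL_AUDIT_USER.equals(username)` would avoid throwing on a null username. The boolean returned by `checkRoleFromConfigNode` is discarded, which still denies when the role cannot be loaded but appears to repeat the fetch for the same missing role on every path that needs it.

```java
User user = getUser(username);
if (user == null) {
  // Fail closed: a user that cannot be resolved holds no privilege on any path.
  for (int i = 0; i < allPath.size(); i++) {
    posList.add(i);
  }
  return posList;
}
// … unchanged: OpenID short-circuit and per-path user/role privilege loop …
```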
@@ -642,15 +642,6 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
return permissionInfoResp;
}
- private List<Integer> checkPathFromConfigNode(
- String username, List<? extends PartialPath> allPath, PrivilegeType
permission) {
- TCheckUserPrivilegesReq req =
- new TCheckUserPrivilegesReq(
- username, PrivilegeModelType.TREE.ordinal(), permission.ordinal(),
false);
- req.setPaths(AuthUtils.serializePartialPathList(allPath));
- return checkPrivilegeFromConfigNode(req).getFailPos();
- }
-
private boolean checkRoleFromConfigNode(String username, String rolename) {
TAuthorizerReq req = new TAuthorizerReq();
// just reuse authorizer request. only need username and rolename field.