This is an automated email from the ASF dual-hosted git repository. jackietien pushed a commit to branch force_ci/object_type in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 900ff029b1f3b6ea95cf62cc358c8aa71815b1e9 Author: wenyanshi-123 <[email protected]> AuthorDate: Mon Dec 15 09:47:17 2025 +0800 Avoid CN OOM by Pulling User/Roles to DN When Cache Misses. (#16888) * Fix OOM problem for PIPE. * Fix IT. * Fix potential NPE. --------- Co-authored-by: shiwenyan <[email protected]> (cherry picked from commit 44409934426cf9d786669b98996a9cc1edf5c4ab)
---
 .../iotdb/db/auth/ClusterAuthorityFetcher.java | 59 +++++++++-------------
 1 file changed, 25 insertions(+), 34 deletions(-)
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index b7b3815caca..2894ce8bb47 100644
--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -167,37 +167,37 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
 @Override
 public List<Integer> checkUserPathPrivileges(
 String username, List<? extends PartialPath> allPath, PrivilegeType permission) {
- checkCacheAvailable();
 List<Integer> posList = new ArrayList<>();
- User user = iAuthorCache.getUserCache(username);
- if (user != null) {
- if (user.isOpenIdUser()) {
- return posList;
- }
- int pos = 0;
- for (PartialPath path : allPath) {
- if (!user.checkPathPrivilege(path, permission)) {
- boolean checkFromRole = false;
- for (String rolename : user.getRoleSet()) {
- Role cachedRole = iAuthorCache.getRoleCache(rolename);
- if (cachedRole == null) {
- return checkPathFromConfigNode(username, allPath, permission);
- }
- if (cachedRole.checkPathPrivilege(path, permission)) {
- checkFromRole = true;
- break;
- }
+ if (username.equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
+ return posList;
+ }
+ checkCacheAvailable();
+ User user = getUser(username);
+ if (user.isOpenIdUser()) {
+ return posList;
+ }
+ int pos = 0;
+ for (PartialPath path : allPath) {
+ if (!user.checkPathPrivilege(path, permission)) {
+ boolean checkFromRole = false;
+ for (String rolename : user.getRoleSet()) {
+ Role cachedRole = iAuthorCache.getRoleCache(rolename);
+ if (cachedRole == null) {
+ checkRoleFromConfigNode(username, rolename);
+ cachedRole = iAuthorCache.getRoleCache(rolename);
 }
- if (!checkFromRole) {
- posList.add(pos);
+ if (cachedRole != null && cachedRole.checkPathPrivilege(path, permission)) {
+ checkFromRole = true;
+ break;
 }
 }
- pos++;
+ if (!checkFromRole) {
+ posList.add(pos);
+ }
 }
- return posList;
- } else {
- return checkPathFromConfigNode(username, allPath, permission);
+ pos++;
 }
+ return posList;
 }

 @Override
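Review bot: The new early return at the top of checkUserPathPrivileges reports every path as allowed for any caller whose name equals `AuthorityChecker.INTERNAL_AUDIT_USER`, before the cache or the ConfigNode is consulted, so the check is only as strong as the guarantee that no externally created or authenticated account can carry that name. That guarantee is not visible in this hunk; if it is enforced elsewhere, a comment such as `// internal audit user skips path checks; this name is reserved and cannot be created or used to log in` would make the dependency explicit. Writing the comparison as `AuthorityChecker.INTERNAL_AUDIT_USER.equals(username)` would also avoid an NPE on a null username. Separately, the result of `getUser(username)` is dereferenced at once by `user.isOpenIdUser()` where the old code had a `user != null` branch; getUser is defined outside the hunk, so it should be confirmed that it throws rather than returns null for an unknown user. The boolean returned by `checkRoleFromConfigNode(username, rolename)` is discarded, and a role still missing from the cache afterwards is counted as a denial with no log line, which looks fail-closed but would be hard to tell apart from a genuine denial when the ConfigNode is unreachable.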
@@ -642,15 +642,6 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
 return permissionInfoResp;
 }

- private List<Integer> checkPathFromConfigNode(
- String username, List<? extends PartialPath> allPath, PrivilegeType permission) {
- TCheckUserPrivilegesReq req =
- new TCheckUserPrivilegesReq(
- username, PrivilegeModelType.TREE.ordinal(), permission.ordinal(), false);
- req.setPaths(AuthUtils.serializePartialPathList(allPath));
- return checkPrivilegeFromConfigNode(req).getFailPos();
- }
-
 private boolean checkRoleFromConfigNode(String username, String rolename) {
 TAuthorizerReq req = new TAuthorizerReq();
 // just reuse authorizer request. only need username and rolename field.
