This is an automated email from the ASF dual-hosted git repository.
justinchen pushed a commit to branch enable-time-other-name
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/enable-time-other-name by this
push:
new 7614e147178 fix
7614e147178 is described below
commit 7614e14717849476cefa4cb5ecabfb4bb19e1e4e
Author: Caideyipi <[email protected]>
AuthorDate: Thu Dec 25 18:23:36 2025 +0800
fix
---
.../relational/security/AccessControlImpl.java | 120 ++++++++++------
.../relational/security/ITableAuthCheckerImpl.java | 68 ++++-----
.../security/TreeAccessCheckVisitor.java | 159 ++++++++++-----------
.../iotdb/commons/audit/AbstractAuditLogger.java | 15 +-
4 files changed, 186 insertions(+), 176 deletions(-)
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 94323f30c96..dfb97f0287f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -28,6 +28,7 @@ import
org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.commons.path.MeasurementPath;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.schema.table.InformationSchema;
+import org.apache.iotdb.db.audit.DNAuditLogger;
import org.apache.iotdb.db.auth.AuthorityChecker;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
@@ -117,9 +118,10 @@ public class AccessControlImpl implements AccessControl {
}
checkAuditDatabase(tableName.getDatabaseName());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SYSTEM)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setPrivilegeType(PrivilegeType.CREATE).setResult(true),
- tableName::getObjectName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+
auditEntity.setPrivilegeType(PrivilegeType.CREATE).setResult(true),
+ tableName::getObjectName);
return;
}
authChecker.checkTablePrivilege(userName, tableName,
TableModelPrivilege.CREATE, auditEntity);
@@ -134,9 +136,10 @@ public class AccessControlImpl implements AccessControl {
InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
checkAuditDatabase(tableName.getDatabaseName());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SYSTEM)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setPrivilegeType(PrivilegeType.DROP).setResult(true),
- tableName::getObjectName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setPrivilegeType(PrivilegeType.DROP).setResult(true),
+ tableName::getObjectName);
return;
}
authChecker.checkTablePrivilege(userName, tableName,
TableModelPrivilege.DROP, auditEntity);
@@ -148,7 +151,7 @@ public class AccessControlImpl implements AccessControl {
InformationSchemaUtils.checkDBNameInWrite(tableName.getDatabaseName());
checkAuditDatabase(tableName.getDatabaseName());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SYSTEM)) {
- ITableAuthCheckerImpl.recordAuditLog(auditEntity,
tableName::getObjectName);
+ DNAuditLogger.getInstance().recordAuditLog(auditEntity,
tableName::getObjectName);
return;
}
authChecker.checkTablePrivilege(userName, tableName,
TableModelPrivilege.ALTER, auditEntity);
@@ -256,7 +259,8 @@ public class AccessControlImpl implements AccessControl {
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.SECURITY);
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_USER, auditEntity);
@@ -266,19 +270,21 @@ public class AccessControlImpl implements AccessControl {
auditEntity.setAuditLogOperation(AuditLogOperation.DDL);
if (statement.getUserName().equals(userName)) {
// users can change the username and password of themselves
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
return;
}
if (AuthorityChecker.SUPER_USER_ID
==
AuthorityChecker.getUserId(statement.getUserName()).orElse(-1L)) {
// Only the superuser can alter him/herself
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(false), statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(false),
statement::getUserName);
throw new AccessDeniedException("Only the superuser can alter
him/herself.");
}
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
// the superuser can alter anyone
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_USER, auditEntity);
@@ -287,14 +293,16 @@ public class AccessControlImpl implements AccessControl {
auditEntity.setAuditLogOperation(AuditLogOperation.QUERY);
if (statement.getUserName().equals(userName)) {
// No need any privilege to list him/herself
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getUserName);
return;
}
// Require SECURITY privilege to list other users' privileges
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(
-
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
- statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+ statement::getUserName);
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_USER, auditEntity);
@@ -304,11 +312,12 @@ public class AccessControlImpl implements AccessControl {
if (!hasGlobalPrivilege(auditEntity, PrivilegeType.MANAGE_USER)) {
// No need to check privilege to list himself/herself
statement.setUserName(userName);
- ITableAuthCheckerImpl.recordAuditLog(auditEntity,
statement::getUserName);
+ DNAuditLogger.getInstance().recordAuditLog(auditEntity,
statement::getUserName);
} else {
// Require SECURITY privilege to list other users
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setPrivilegeType(PrivilegeType.SECURITY),
statement::getUserName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setPrivilegeType(PrivilegeType.SECURITY),
statement::getUserName);
}
return;
case CREATE_ROLE:
@@ -317,7 +326,8 @@ public class AccessControlImpl implements AccessControl {
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.SECURITY);
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_ROLE, auditEntity);
@@ -328,9 +338,10 @@ public class AccessControlImpl implements AccessControl {
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.SECURITY);
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true),
- () -> "user: " + statement.getUserName() + ", role: " +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> "user: " + statement.getUserName() + ", role: " +
statement.getRoleName());
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_ROLE, auditEntity);
@@ -345,26 +356,30 @@ public class AccessControlImpl implements AccessControl {
if (!hasGlobalPrivilege(auditEntity, PrivilegeType.MANAGE_ROLE)) {
// No need to check privilege to list his/hers own role
statement.setUserName(userName);
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
} else {
// Require SECURITY privilege to list all roles
- ITableAuthCheckerImpl.recordAuditLog(
-
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
- statement::getRoleName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+ statement::getRoleName);
}
return;
case LIST_ROLE_PRIV:
auditEntity.setAuditLogOperation(AuditLogOperation.QUERY);
if (AuthorityChecker.checkRole(userName, statement.getRoleName())) {
// No need any privilege to list his/hers own role
- ITableAuthCheckerImpl.recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(auditEntity.setResult(true),
statement::getRoleName);
return;
}
// Require SECURITY privilege to list other roles' privileges
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(
-
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
- statement::getRoleName);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+
auditEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+ statement::getRoleName);
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_ROLE, auditEntity);
@@ -378,8 +393,10 @@ public class AccessControlImpl implements AccessControl {
.setPrivilegeType(PrivilegeType.SECURITY)
.setDatabase(statement.getDatabase());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SECURITY)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true), () -> statement.getUserName() +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> statement.getUserName() + statement.getRoleName());
return;
}
for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
@@ -396,8 +413,10 @@ public class AccessControlImpl implements AccessControl {
.setPrivilegeType(PrivilegeType.SECURITY)
.setDatabase(statement.getDatabase());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SECURITY)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true), () -> statement.getUserName() +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> statement.getUserName() + statement.getRoleName());
return;
}
for (TableModelPrivilege privilege : TableModelPrivilege.values()) {
@@ -419,8 +438,10 @@ public class AccessControlImpl implements AccessControl {
.setPrivilegeType(PrivilegeType.SECURITY)
.setDatabase(statement.getDatabase());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SECURITY)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true), () -> statement.getUserName() +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> statement.getUserName() + statement.getRoleName());
return;
}
for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
@@ -440,8 +461,10 @@ public class AccessControlImpl implements AccessControl {
.setPrivilegeType(PrivilegeType.SECURITY)
.setDatabase(statement.getDatabase());
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SECURITY)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true), () -> statement.getUserName() +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> statement.getUserName() + statement.getRoleName());
return;
}
for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
@@ -462,8 +485,10 @@ public class AccessControlImpl implements AccessControl {
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.SECURITY);
if (hasGlobalPrivilege(auditEntity, PrivilegeType.SECURITY)) {
- ITableAuthCheckerImpl.recordAuditLog(
- auditEntity.setResult(true), () -> statement.getUserName() +
statement.getRoleName());
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ auditEntity.setResult(true),
+ () -> statement.getUserName() + statement.getRoleName());
return;
}
for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
@@ -545,12 +570,13 @@ public class AccessControlImpl implements AccessControl {
public TSStatus checkCanAlterView(
IAuditEntity entity, List<PartialPath> sourcePaths, List<PartialPath>
targetPaths) {
if (AuthorityChecker.SUPER_USER_ID == entity.getUserId()) {
- ITableAuthCheckerImpl.recordAuditLog(
- entity
- .setPrivilegeTypes(
- Arrays.asList(PrivilegeType.READ_SCHEMA,
PrivilegeType.WRITE_SCHEMA))
- .setResult(true),
- () -> "source: " + sourcePaths + ", target: " + targetPaths);
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+ entity
+ .setPrivilegeTypes(
+ Arrays.asList(PrivilegeType.READ_SCHEMA,
PrivilegeType.WRITE_SCHEMA))
+ .setResult(true),
+ () -> "source: " + sourcePaths + ", target: " + targetPaths);
return SUCCEED;
}
TSStatus status = new
TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
index d1f60445295..8eca0f9b334 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/ITableAuthCheckerImpl.java
@@ -33,20 +33,18 @@ import org.apache.iotdb.rpc.TSStatusCode;
import java.util.Collection;
import java.util.function.Supplier;
+import static
org.apache.iotdb.commons.audit.AbstractAuditLogger.OBJECT_AUTHENTICATION_AUDIT_STR;
import static
org.apache.iotdb.commons.schema.table.Audit.TABLE_MODEL_AUDIT_DATABASE;
public class ITableAuthCheckerImpl implements ITableAuthChecker {
private static final DNAuditLogger AUDIT_LOGGER =
DNAuditLogger.getInstance();
- private static final String OBJECT_AUTHENTICATION_AUDIT_STR =
- "User %s (ID=%d) requests authority on object %s with result %s";
-
@Override
public void checkDatabaseVisibility(
String userName, String databaseName, IAuditEntity auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -56,7 +54,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
// Information_schema is visible to any user
if (databaseName.equals(InformationSchema.INFORMATION_DATABASE)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -69,7 +67,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
// The audit database only requires audit privilege
boolean hasAuditPrivilege =
AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.AUDIT);
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.AUDIT)
@@ -82,7 +80,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
if (AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.SYSTEM)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -91,7 +89,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
return;
}
if (!AuthorityChecker.checkDBVisible(userName, databaseName)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -99,7 +97,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
() -> databaseName);
throw new AccessDeniedException("DATABASE " + databaseName);
}
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -121,7 +119,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -131,7 +129,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
if (AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.SYSTEM)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -161,7 +159,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
if (privilege == TableModelPrivilege.SELECT) {
checkCanSelectAuditTable(auditEntity);
} else {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -177,7 +175,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
String userName = auditEntity.getUsername();
if (AuthorityChecker.SUPER_USER_ID != auditEntity.getUserId()
&& !AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.AUDIT)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.SELECT)
@@ -201,7 +199,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
String.format(
"The database '%s' can only be queried by AUDIT admin.",
TABLE_MODEL_AUDIT_DATABASE));
}
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.SELECT)
@@ -216,7 +214,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
TableModelPrivilege privilege,
IAuditEntity auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -241,7 +239,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
IAuditEntity auditEntity) {
auditEntity.setDatabase(tableName.getDatabaseName());
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -269,7 +267,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
TableModelPrivilege privilege,
IAuditEntity auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -305,7 +303,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
tableName.getObjectName())
.getCode()
== TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.CONTROL)
.setPrivilegeType(PrivilegeType.SYSTEM)
@@ -313,7 +311,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
tableName::getObjectName);
return true;
}
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.CONTROL)
.setPrivilegeType(PrivilegeType.SYSTEM)
@@ -327,7 +325,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
String userName, QualifiedObjectName tableName, IAuditEntity
auditEntity) {
auditEntity.setDatabase(tableName.getDatabaseName());
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -341,7 +339,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
// The audit table only requires audit privilege
boolean hasAuditPrivilege =
AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.AUDIT);
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.AUDIT)
@@ -354,7 +352,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
if (AuthorityChecker.checkSystemPermission(userName,
PrivilegeType.SYSTEM)) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -364,7 +362,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
}
if (!AuthorityChecker.checkTableVisible(
userName, tableName.getDatabaseName(), tableName.getObjectName())) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA)
@@ -378,7 +376,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
public void checkGlobalPrivilege(
String userName, TableModelPrivilege privilege, IAuditEntity
auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -398,7 +396,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
String username, Collection<PrivilegeType> privileges, IAuditEntity
auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
for (PrivilegeType privilege : privileges) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege)
@@ -419,7 +417,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
public void checkGlobalPrivilegeGrantOption(
String userName, TableModelPrivilege privilege, IAuditEntity
auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -440,7 +438,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
public void checkAnyScopePrivilegeGrantOption(
String userName, TableModelPrivilege privilege, IAuditEntity
auditEntity) {
if (AuthorityChecker.SUPER_USER_ID == auditEntity.getUserId()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -463,7 +461,7 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
IAuditEntity auditEntity,
TSStatus result) {
if (result.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
@@ -471,23 +469,11 @@ public class ITableAuthCheckerImpl implements
ITableAuthChecker {
auditObject);
throw new AccessDeniedException(result.getMessage());
}
- recordAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity
.setAuditLogOperation(privilege.getAuditLogOperation())
.setPrivilegeType(privilege.getPrivilegeType())
.setResult(true),
auditObject);
}
-
- public static void recordAuditLog(IAuditEntity auditEntity, Supplier<String>
auditObject) {
- AUDIT_LOGGER.log(
- auditEntity.setAuditEventType(AuditEventType.OBJECT_AUTHENTICATION),
- () ->
- String.format(
- OBJECT_AUTHENTICATION_AUDIT_STR,
- auditEntity.getUsername(),
- auditEntity.getUserId(),
- auditObject.get(),
- auditEntity.getResult()));
- }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index e63b63f850e..5631bc0051f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -20,7 +20,6 @@
package org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.audit.AuditEventType;
import org.apache.iotdb.commons.audit.AuditLogOperation;
import org.apache.iotdb.commons.audit.IAuditEntity;
import org.apache.iotdb.commons.auth.AuthException;
@@ -196,7 +195,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.READ_SCHEMA);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -205,12 +204,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
statement.setAuthorityScope(
AuthorityChecker.getAuthorizedPathTree(context.getUsername(),
PrivilegeType.READ_SCHEMA));
} catch (AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(e.getCode().getStatusCode());
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
@@ -220,7 +219,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
final List<MeasurementPath> paths, final TreeAccessCheckContext context)
{
context.setAuditLogOperation(AuditLogOperation.QUERY).setPrivilegeType(PrivilegeType.READ_DATA);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
paths.stream().distinct().collect(Collectors.toList()).toString());
return paths;
@@ -231,12 +230,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
originalTree.constructTree();
final PathPatternTree tree =
AuthorityChecker.getAuthorizedPathTree(context.getUsername(),
PrivilegeType.READ_DATA);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
paths.stream().distinct().collect(Collectors.toList()).toString());
return
originalTree.intersectWithFullPathPrefixTree(tree).getAllPathPatterns(true);
} catch (AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
paths.stream().distinct().collect(Collectors.toList()).toString());
return Collections.emptyList();
@@ -299,7 +298,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
ShowSchemaTemplateStatement statement, TreeAccessCheckContext context) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAll(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.SYSTEM)
@@ -379,7 +378,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus checkCanAlterTemplate(IAuditEntity entity, Supplier<String>
auditObject) {
if (AuthorityChecker.SUPER_USER.equals(entity.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
entity
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.EXTEND_TEMPLATE)
@@ -410,7 +409,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(path)
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.AUDIT).setResult(false),
path::toString);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
@@ -422,7 +421,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(true);
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setPrivilegeTypes(
Arrays.asList(PrivilegeType.WRITE_SCHEMA,
PrivilegeType.READ_SCHEMA))
@@ -480,7 +479,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
if (statement.getQueryStatement() != null) {
statement.getQueryStatement().setCanSeeAuditDB(true);
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setPrivilegeTypes(
Arrays.asList(PrivilegeType.READ_SCHEMA,
PrivilegeType.WRITE_SCHEMA))
@@ -523,7 +522,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getNewName())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.WRITE_SCHEMA).setResult(false),
() -> statement.getOldName().toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -555,13 +554,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
context.setAuditLogOperation(AuditLogOperation.DDL);
if (statement.getUserName().equals(context.getUsername())) {
// users can change the username and password of themselves
- recordObjectAuthenticationAuditLog(context.setResult(true),
context::getUsername);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(true),
context::getUsername);
return RpcUtils.SUCCESS_STATUS;
}
if (AuthorityChecker.SUPER_USER_ID
==
AuthorityChecker.getUserId(statement.getUserName()).orElse(-1L)) {
// Only the superuser can alter him/herself
- recordObjectAuthenticationAuditLog(context.setResult(false),
context::getUsername);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false),
context::getUsername);
return AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
@@ -584,14 +583,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
}
// Can only list him/herself without MANAGE_USER privilege
statement.setUserName(context.getUsername());
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(null).setResult(true),
context::getUsername);
return RpcUtils.SUCCESS_STATUS;
case LIST_USER_PRIVILEGE:
context.setAuditLogOperation(AuditLogOperation.QUERY);
if (context.getUsername().equals(statement.getUserName())) {
// No need any privilege to list his/her own privileges
- recordObjectAuthenticationAuditLog(context.setResult(true),
context::getUsername);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(true),
context::getUsername);
return RpcUtils.SUCCESS_STATUS;
}
// Require MANAGE_USER privilege to list other users' privileges
@@ -608,7 +607,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
statement::getRoleName);
} else {
// No need any privilege to list his/her own role's privileges
- recordObjectAuthenticationAuditLog(context.setResult(true),
context::getUsername);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(true),
context::getUsername);
return SUCCEED;
}
case LIST_ROLE:
@@ -622,12 +621,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// list roles of other user is not allowed
if (statement.getUserName() != null
&& !statement.getUserName().equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.MANAGE_ROLE).setResult(false),
context::getUsername);
return AuthorityChecker.getTSStatus(false,
PrivilegeType.MANAGE_ROLE);
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(null).setResult(true),
context::getUsername);
statement.setUserName(context.getUsername());
return RpcUtils.SUCCESS_STATUS;
@@ -723,7 +722,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
private TSStatus checkCQManagement(IAuditEntity auditEntity,
Supplier<String> auditObject) {
if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity.setPrivilegeType(PrivilegeType.USE_CQ).setResult(true),
auditObject);
return SUCCEED;
}
@@ -749,7 +748,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus visitShowFunctions(
ShowFunctionsStatement statement, TreeAccessCheckContext context) {
// anyone can show functions
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setAuditLogOperation(AuditLogOperation.QUERY).setResult(true),
null);
return SUCCEED;
}
@@ -917,7 +916,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
public TSStatus visitCreateTrigger(
CreateTriggerStatement statement, TreeAccessCheckContext context) {
if (TREE_MODEL_AUDIT_DATABASE_PATH.include(statement.getPathPattern())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setAuditLogOperation(AuditLogOperation.DDL)
.setPrivilegeType(PrivilegeType.USE_TRIGGER)
@@ -945,7 +944,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
private TSStatus checkTriggerManagement(IAuditEntity auditEntity,
Supplier<String> auditObject) {
if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
auditEntity.setPrivilegeType(PrivilegeType.USE_TRIGGER).setResult(true),
auditObject);
return SUCCEED;
}
@@ -979,7 +978,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.collect(Collectors.toList())
.toString());
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.SYSTEM).setResult(true),
context::getDatabase);
return SUCCEED;
}
@@ -998,7 +997,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.collect(Collectors.toList())
.toString());
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.SYSTEM).setResult(true),
context::getDatabase);
return SUCCEED;
}
@@ -1015,7 +1014,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (String prefixPath : statement.getPrefixPath()) {
// root.__audit can never be deleted
if (TREE_MODEL_AUDIT_DATABASE.equals(prefixPath)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.MANAGE_DATABASE).setResult(false),
() -> prefixPath);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1023,7 +1022,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
}
}
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(PrivilegeType.MANAGE_DATABASE).setResult(true),
() -> statement.getPrefixPath().toString());
return SUCCEED;
@@ -1043,13 +1042,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// root.__audit can never be created or alter by other users
return SUCCEED;
}
- recordObjectAuthenticationAuditLog(auditEntity.setResult(false),
databaseName::getFullPath);
+ AUDIT_LOGGER.recordAuditLog(auditEntity.setResult(false),
databaseName::getFullPath);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
- recordObjectAuthenticationAuditLog(auditEntity.setResult(true),
databaseName::getFullPath);
+ AUDIT_LOGGER.recordAuditLog(auditEntity.setResult(true),
databaseName::getFullPath);
return SUCCEED;
}
@@ -1066,7 +1065,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString()))
{
return visitAuthorityInformation(statement, context);
} else {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setAuditLogOperation(AuditLogOperation.QUERY)
.setPrivilegeType(PrivilegeType.MANAGE_DATABASE)
@@ -1084,14 +1083,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(path)
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(context.setResult(false),
path::toString);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false), path::toString);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
}
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1108,8 +1107,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevice())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
- context.setResult(false), () -> statement.getDevice().toString());
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false), () ->
statement.getDevice().toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
@@ -1129,7 +1127,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(path)
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(context.setResult(false),
path::toString);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false), path::toString);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
@@ -1142,7 +1140,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
context.setAuditLogOperation(AuditLogOperation.QUERY).setPrivilegeType(PrivilegeType.READ_DATA);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1153,12 +1151,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
statement.setAuthorityScope(
AuthorityChecker.getAuthorizedPathTree(context.getUsername(),
PrivilegeType.READ_DATA));
} catch (AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(e.getCode().getStatusCode());
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
@@ -1182,7 +1180,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
PrivilegeType permission) {
context.setPrivilegeType(permission);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true), () ->
checkedPathsSupplier.get().toString());
return SUCCEED;
}
@@ -1195,7 +1193,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
permission);
if (!AuthorityChecker.INTERNAL_AUDIT_USER.equals(context.getUsername())) {
// Internal auditor no needs audit log
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(result.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()),
checkedPaths::toString);
}
@@ -1206,13 +1204,13 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
IAuditEntity context, List<? extends PartialPath> checkedPaths,
PrivilegeType permission) {
context.setPrivilegeType(permission);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(context.setResult(true),
checkedPaths::toString);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(true),
checkedPaths::toString);
return Collections.emptyList();
}
final List<Integer> results =
AuthorityChecker.checkFullPathOrPatternListPermission(
context.getUsername(), checkedPaths, permission);
- recordObjectAuthenticationAuditLog(context.setResult(true),
checkedPaths::toString);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(true),
checkedPaths::toString);
return results;
}
@@ -1225,7 +1223,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getPath())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1243,7 +1241,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevicePath())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1280,7 +1278,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (PartialPath path : statement.getDeviceMap().keySet()) {
if (includeByAuditTreeDB(path)
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(context.setResult(false),
path::toString);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false), path::toString);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
@@ -1295,7 +1293,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getDevicePath())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1312,7 +1310,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setPrivilegeTypes(Arrays.asList(PrivilegeType.READ_DATA,
PrivilegeType.READ_SCHEMA));
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1329,7 +1327,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
} catch (AuthException e) {
return new TSStatus(e.getCode().getStatusCode());
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
@@ -1346,7 +1344,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setPrivilegeType(PrivilegeType.READ_SCHEMA);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1361,12 +1359,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AuthorityChecker.getAuthorizedPathTree(
context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(e.getCode().getStatusCode());
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
@@ -1380,7 +1378,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
CountLevelTimeSeriesStatement countStatement, TreeAccessCheckContext
context) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
countStatement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
countStatement.getPaths().stream()
@@ -1398,7 +1396,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
CountNodesStatement countStatement, TreeAccessCheckContext context) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
countStatement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
countStatement.getPaths().stream()
@@ -1416,7 +1414,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
ShowChildNodesStatement showChildNodesStatement, TreeAccessCheckContext
context) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
showChildNodesStatement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
showChildNodesStatement.getPaths().stream()
@@ -1434,7 +1432,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
ShowChildPathsStatement showChildPathsStatement, TreeAccessCheckContext
context) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
showChildPathsStatement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
showChildPathsStatement.getPaths().stream()
@@ -1454,7 +1452,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// audit db is read-only
if (includeByAuditTreeDB(statement.getPath())
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1487,7 +1485,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
alterEncodingCompressorStatement.getPatternTree(), authTree));
return StatusUtils.OK;
} catch (final AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
alterEncodingCompressorStatement.getPaths().stream()
@@ -1521,7 +1519,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
for (PartialPath path : statement.getPathPatternList()) {
if (includeByAuditTreeDB(path)
&&
!context.getUsername().equals(AuthorityChecker.INTERNAL_AUDIT_USER)) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
@@ -1606,7 +1604,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AuthorityChecker.getTSStatus(
AuthorityChecker.checkUserMissingSystemPermissions(
context.getUsername(), relatedPrivileges));
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setResult(result.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode())
.setAuditLogOperation(AuditLogOperation.CONTROL)
@@ -1614,7 +1612,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
() -> "");
return result;
} catch (IOException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false).setAuditLogOperation(AuditLogOperation.CONTROL), () ->
"");
return AuthorityChecker.getTSStatus(false, "Failed to check config item
permission");
}
@@ -1707,7 +1705,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowAvailableUrls(
ShowAvailableUrlsStatement showAvailableUrlsStatement,
TreeAccessCheckContext context) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setAuditLogOperation(AuditLogOperation.QUERY).setResult(true),
() -> "");
return SUCCEED;
}
@@ -1845,7 +1843,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
context.getUsername(), pathsForCheckingPermissions,
PrivilegeType.WRITE_SCHEMA),
pathsForCheckingPermissions,
PrivilegeType.WRITE_SCHEMA);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context
.setPrivilegeType(PrivilegeType.WRITE_SCHEMA)
.setResult(result.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()),
@@ -1876,7 +1874,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
context.getUsername(),
path.concatNode(IoTDBConstant.MULTI_LEVEL_PATH_WILDCARD),
PrivilegeType.READ_SCHEMA)) {
- recordObjectAuthenticationAuditLog(context.setResult(false),
path::getFullPath);
+ AUDIT_LOGGER.recordAuditLog(context.setResult(false),
path::getFullPath);
return AuthorityChecker.getTSStatus(false, path,
PrivilegeType.READ_SCHEMA);
}
}
@@ -1897,7 +1895,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setPrivilegeTypes(Arrays.asList(PrivilegeType.READ_DATA,
PrivilegeType.READ_SCHEMA));
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
statement.setCanSeeAuditDB(true);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1912,12 +1910,12 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AuthorityChecker.getAuthorizedPathTree(
context.getUsername(), PrivilegeType.READ_DATA)));
} catch (AuthException e) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(false),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(e.getCode().getStatusCode());
}
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
@@ -1933,7 +1931,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
.setPrivilegeTypes(Arrays.asList(PrivilegeType.READ_DATA,
PrivilegeType.READ_SCHEMA))
.setAuditLogOperation(AuditLogOperation.QUERY);
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(true),
() ->
statement.getPaths().stream().distinct().collect(Collectors.toList()).toString());
return SUCCEED;
@@ -1966,7 +1964,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
return SUCCEED;
}
TSStatus result = AuthorityChecker.getTSStatus(false, requiredPrivilege);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setResult(result.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()),
auditObject);
return result;
@@ -1983,7 +1981,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
Supplier<String> auditObject,
boolean checkGrantOption) {
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(requiredPrivilege).setResult(true),
auditObject);
return true;
}
@@ -1992,7 +1990,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
? AuthorityChecker.checkSystemPermissionGrantOption(
context.getUsername(), requiredPrivilege)
: AuthorityChecker.checkSystemPermission(context.getUsername(),
requiredPrivilege);
- recordObjectAuthenticationAuditLog(
+ AUDIT_LOGGER.recordAuditLog(
context.setPrivilegeType(requiredPrivilege).setResult(result),
auditObject);
return result;
}
@@ -2000,7 +1998,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
protected TSStatus checkWriteOnReadOnlyPath(IAuditEntity auditEntity,
PartialPath path) {
if (includeByAuditTreeDB(path)
&& !AuthorityChecker.INTERNAL_AUDIT_USER.equals(path.getFullPath())) {
- recordObjectAuthenticationAuditLog(auditEntity, path::getFullPath);
+ AUDIT_LOGGER.recordAuditLog(auditEntity, path::getFullPath);
return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
.setMessage(String.format(READ_ONLY_DB_ERROR_MSG,
TREE_MODEL_AUDIT_DATABASE));
}
@@ -2018,23 +2016,10 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
IAuditEntity auditEntity, PrivilegeType privilegeType, Supplier<String>
auditObject) {
auditEntity.setPrivilegeType(privilegeType);
if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
- recordObjectAuthenticationAuditLog(auditEntity.setResult(true),
auditObject);
+ AUDIT_LOGGER.recordAuditLog(auditEntity.setResult(true), auditObject);
return SUCCEED;
}
- recordObjectAuthenticationAuditLog(auditEntity.setResult(false),
auditObject);
+ AUDIT_LOGGER.recordAuditLog(auditEntity.setResult(false), auditObject);
return AuthorityChecker.getTSStatus(false, "Only the admin user can
perform this operation");
}
-
- protected static void recordObjectAuthenticationAuditLog(
- IAuditEntity auditEntity, Supplier<String> auditObject) {
- AUDIT_LOGGER.log(
- auditEntity.setAuditEventType(AuditEventType.OBJECT_AUTHENTICATION),
- () ->
- String.format(
- OBJECT_AUTHENTICATION_AUDIT_STR,
- auditEntity.getUsername(),
- auditEntity.getUserId(),
- auditObject.get(),
- auditEntity.getResult()));
- }
}
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/audit/AbstractAuditLogger.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/audit/AbstractAuditLogger.java
index cec03366321..4e94574accf 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/audit/AbstractAuditLogger.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/audit/AbstractAuditLogger.java
@@ -25,7 +25,8 @@ import org.apache.iotdb.commons.conf.CommonDescriptor;
import java.util.function.Supplier;
public abstract class AbstractAuditLogger {
-
+ public static final String OBJECT_AUTHENTICATION_AUDIT_STR =
+ "User %s (ID=%d) requests authority on object %s with result %s";
public static final String AUDIT_LOG_NODE_ID = "node_id";
public static final String AUDIT_LOG_USER_ID = "user_id";
public static final String AUDIT_LOG_USERNAME = "username";
@@ -47,4 +48,16 @@ public abstract class AbstractAuditLogger {
public boolean noNeedInsertAuditLog(IAuditEntity auditLogFields) {
return true;
}
+
+ public void recordAuditLog(final IAuditEntity auditEntity, final
Supplier<String> auditObject) {
+ log(
+ auditEntity.setAuditEventType(AuditEventType.OBJECT_AUTHENTICATION),
+ () ->
+ String.format(
+ OBJECT_AUTHENTICATION_AUDIT_STR,
+ auditEntity.getUsername(),
+ auditEntity.getUserId(),
+ auditObject.get(),
+ auditEntity.getResult()));
+ }
}
