This is an automated email from the ASF dual-hosted git repository.
justinchen pushed a commit to branch enable-time-other-name
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/enable-time-other-name by this
push:
new c53722a0ec3 permission-change
c53722a0ec3 is described below
commit c53722a0ec32d1b7800fc8fdc1187dd6e2e5c72c
Author: Caideyipi <[email protected]>
AuthorDate: Fri Dec 26 10:00:17 2025 +0800
permission-change
---
.../pipe/source/IoTDBConfigRegionSource.java | 3 +-
.../PipeConfigTreePrivilegeParseVisitor.java | 251 +++++++++++----------
.../execution/config/TableConfigTaskVisitor.java | 7 +-
.../security/TreeAccessCheckVisitor.java | 4 -
.../iotdb/commons/pipe/source/IoTDBSource.java | 2 +
5 files changed, 142 insertions(+), 125 deletions(-)
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
index 86a10d16f1b..8515dee97f6 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
@@ -246,7 +246,8 @@ public class IoTDBConfigRegionSource extends
IoTDBNonDataRegionSource {
((PipeConfigRegionWritePlanEvent) event).getConfigPhysicalPlan();
final Boolean isTableDatabasePlan = isTableDatabasePlan(plan);
if (!Boolean.TRUE.equals(isTableDatabasePlan)) {
- final Optional<ConfigPhysicalPlan> result =
treePrivilegeParseVisitor.process(plan, userName);
+ final Optional<ConfigPhysicalPlan> result =
+ treePrivilegeParseVisitor.process(plan, userEntity);
if (result.isPresent()) {
return Optional.of(
new PipeConfigRegionWritePlanEvent(result.get(),
event.isGeneratedByPipe()));
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
index 0d5f331bc39..925ba9ef952 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
@@ -19,6 +19,7 @@
package org.apache.iotdb.confignode.manager.pipe.source;
+import org.apache.iotdb.commons.audit.IAuditEntity;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
@@ -27,6 +28,7 @@ import
org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.path.PathPatternTree;
import org.apache.iotdb.commons.schema.template.Template;
+import org.apache.iotdb.confignode.audit.CNAuditLogger;
import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlan;
import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlanVisitor;
import org.apache.iotdb.confignode.consensus.request.write.auth.AuthorTreePlan;
@@ -40,6 +42,7 @@ import
org.apache.iotdb.confignode.consensus.request.write.pipe.payload.PipeUnse
import
org.apache.iotdb.confignode.consensus.request.write.template.CommitSetSchemaTemplatePlan;
import
org.apache.iotdb.confignode.consensus.request.write.template.CreateSchemaTemplatePlan;
import
org.apache.iotdb.confignode.consensus.request.write.template.ExtendSchemaTemplatePlan;
+import org.apache.iotdb.confignode.manager.ConfigManager;
import org.apache.iotdb.confignode.service.ConfigNode;
import org.apache.iotdb.rpc.TSStatusCode;
@@ -57,7 +60,7 @@ import static
org.apache.iotdb.commons.conf.IoTDBConstant.MULTI_LEVEL_PATH_WILDC
import static org.apache.iotdb.commons.schema.SchemaConstant.ALL_MATCH_SCOPE;
public class PipeConfigTreePrivilegeParseVisitor
- extends ConfigPhysicalPlanVisitor<Optional<ConfigPhysicalPlan>, String> {
+ extends ConfigPhysicalPlanVisitor<Optional<ConfigPhysicalPlan>,
IAuditEntity> {
private static final Logger LOGGER =
LoggerFactory.getLogger(PipeConfigTreePrivilegeParseVisitor.class);
private final boolean skip;
@@ -68,102 +71,79 @@ public class PipeConfigTreePrivilegeParseVisitor
@Override
public Optional<ConfigPhysicalPlan> visitPlan(
- final ConfigPhysicalPlan plan, final String context) {
+ final ConfigPhysicalPlan plan, final IAuditEntity context) {
return Optional.of(plan);
}
@Override
public Optional<ConfigPhysicalPlan> visitCreateDatabase(
- final DatabaseSchemaPlan createDatabasePlan, final String userName) {
- return canReadSysSchema(createDatabasePlan.getSchema().getName(),
userName, true)
+ final DatabaseSchemaPlan createDatabasePlan, final IAuditEntity
userEntity) {
+ return canReadSysSchema(createDatabasePlan.getSchema().getName(),
userEntity, true)
? Optional.of(createDatabasePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitAlterDatabase(
- final DatabaseSchemaPlan alterDatabasePlan, final String userName) {
- return canReadSysSchema(alterDatabasePlan.getSchema().getName(), userName,
true)
+ final DatabaseSchemaPlan alterDatabasePlan, final IAuditEntity
userEntity) {
+ return canReadSysSchema(alterDatabasePlan.getSchema().getName(),
userEntity, true)
? Optional.of(alterDatabasePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitDeleteDatabase(
- final DeleteDatabasePlan deleteDatabasePlan, final String userName) {
- return canReadSysSchema(deleteDatabasePlan.getName(), userName, true)
+ final DeleteDatabasePlan deleteDatabasePlan, final IAuditEntity
userEntity) {
+ return canReadSysSchema(deleteDatabasePlan.getName(), userEntity, true)
? Optional.of(deleteDatabasePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitCreateSchemaTemplate(
- final CreateSchemaTemplatePlan createSchemaTemplatePlan, final String
userName) {
- return
canShowSchemaTemplate(createSchemaTemplatePlan.getTemplate().getName(),
userName)
+ final CreateSchemaTemplatePlan createSchemaTemplatePlan, final
IAuditEntity userEntity) {
+ return
canShowSchemaTemplate(createSchemaTemplatePlan.getTemplate().getName(),
userEntity)
? Optional.of(createSchemaTemplatePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitCommitSetSchemaTemplate(
- final CommitSetSchemaTemplatePlan commitSetSchemaTemplatePlan, final
String userName) {
- return canReadSysSchema(commitSetSchemaTemplatePlan.getPath(), userName,
false)
+ final CommitSetSchemaTemplatePlan commitSetSchemaTemplatePlan,
+ final IAuditEntity userEntity) {
+ return canReadSysSchema(commitSetSchemaTemplatePlan.getPath(), userEntity,
false)
? Optional.of(commitSetSchemaTemplatePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitPipeUnsetSchemaTemplate(
- final PipeUnsetSchemaTemplatePlan pipeUnsetSchemaTemplatePlan, final
String userName) {
- return canReadSysSchema(pipeUnsetSchemaTemplatePlan.getPath(), userName,
false)
+ final PipeUnsetSchemaTemplatePlan pipeUnsetSchemaTemplatePlan,
+ final IAuditEntity userEntity) {
+ return canReadSysSchema(pipeUnsetSchemaTemplatePlan.getPath(), userEntity,
false)
? Optional.of(pipeUnsetSchemaTemplatePlan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitExtendSchemaTemplate(
- final ExtendSchemaTemplatePlan extendSchemaTemplatePlan, final String
userName) {
+ final ExtendSchemaTemplatePlan extendSchemaTemplatePlan, final
IAuditEntity userEntity) {
return canShowSchemaTemplate(
-
extendSchemaTemplatePlan.getTemplateExtendInfo().getTemplateName(), userName)
+
extendSchemaTemplatePlan.getTemplateExtendInfo().getTemplateName(), userEntity)
? Optional.of(extendSchemaTemplatePlan)
: Optional.empty();
}
- public boolean canShowSchemaTemplate(final String templateName, final String
userName) {
+ public boolean canShowSchemaTemplate(final String templateName, final
IAuditEntity userEntity) {
try {
- return ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(userName, new
PrivilegeUnion(PrivilegeType.SYSTEM))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode()
+ return hasGlobalPrivilege(userEntity, PrivilegeType.SYSTEM,
templateName, false)
|| ConfigNode.getInstance()
.getConfigManager()
.getClusterSchemaManager()
.getPathsSetTemplate(templateName, ALL_MATCH_SCOPE)
.getPathList()
.stream()
- .anyMatch(
- path -> {
- try {
- return ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(
- userName,
- new PrivilegeUnion(
- Collections.singletonList(
- new PartialPath(path)
-
.concatNode(MULTI_LEVEL_PATH_WILDCARD)),
- PrivilegeType.READ_SCHEMA))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode();
- } catch (final IllegalPathException e) {
- throw new RuntimeException(e);
- }
- });
+ .anyMatch(path -> hasReadPrivilege(userEntity, path, true,
true));
} catch (final Exception e) {
LOGGER.warn(
"Un-parse-able path name encountered during template privilege
trimming, please check",
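Review bot: In `canShowSchemaTemplate`, the lambda `path -> hasReadPrivilege(userEntity, path, true, true)` passes `isLastCheck = true` for every path the template is set on, so each path the user cannot read emits its own denied READ_SCHEMA audit record even when a later path matches and the plan is forwarded. A permitted transfer then shows up in the audit trail as a run of denials followed by one success. Consider passing `false` inside `anyMatch` and recording a single denial after the stream when nothing matched. Unparseable paths are now skipped per path inside `hasReadPrivilege` instead of aborting the whole check as the removed `RuntimeException` wrapper did, which deserves a short comment. The method's `catch` block continues outside this hunk.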
@@ -173,103 +153,83 @@ public class PipeConfigTreePrivilegeParseVisitor
}
public boolean canReadSysSchema(
- final String path, final String userName, final boolean canSkipMulti) {
- try {
- return canSkipMulti
- && ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(
- userName,
- new PrivilegeUnion(
- Collections.singletonList(new PartialPath(path)),
- PrivilegeType.READ_SCHEMA))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode()
- || ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(
- userName,
- new PrivilegeUnion(
- Collections.singletonList(
- new
PartialPath(path).concatNode(MULTI_LEVEL_PATH_WILDCARD)),
- PrivilegeType.READ_SCHEMA))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode()
- || ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(userName, new
PrivilegeUnion(PrivilegeType.SYSTEM))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode();
- } catch (final IllegalPathException e) {
- LOGGER.warn("Un-parse-able path name encountered during privilege
trimming, please check", e);
- return false;
- }
+ final String path, final IAuditEntity userEntity, final boolean
canSkipMulti) {
+ return canSkipMulti && hasReadPrivilege(userEntity, path, false, false)
+ || hasReadPrivilege(userEntity, path, true, false)
+ || hasGlobalPrivilege(userEntity, PrivilegeType.SYSTEM, path, true);
}
@Override
public Optional<ConfigPhysicalPlan> visitGrantUser(
- final AuthorTreePlan grantUserPlan, final String userName) {
- return visitUserPlan(grantUserPlan, userName);
+ final AuthorTreePlan grantUserPlan, final IAuditEntity userEntity) {
+ return visitUserPlan(grantUserPlan, userEntity);
}
@Override
public Optional<ConfigPhysicalPlan> visitRevokeUser(
- final AuthorTreePlan revokeUserPlan, final String userName) {
- return visitUserPlan(revokeUserPlan, userName);
+ final AuthorTreePlan revokeUserPlan, final IAuditEntity userEntity) {
+ return visitUserPlan(revokeUserPlan, userEntity);
}
@Override
public Optional<ConfigPhysicalPlan> visitGrantRole(
- final AuthorTreePlan grantRolePlan, final String userName) {
- return visitRolePlan(grantRolePlan, userName);
+ final AuthorTreePlan grantRolePlan, final IAuditEntity userEntity) {
+ return visitRolePlan(grantRolePlan, userEntity);
}
@Override
public Optional<ConfigPhysicalPlan> visitRevokeRole(
- final AuthorTreePlan revokeRolePlan, final String userName) {
- return visitRolePlan(revokeRolePlan, userName);
+ final AuthorTreePlan revokeRolePlan, final IAuditEntity userEntity) {
+ return visitRolePlan(revokeRolePlan, userEntity);
}
private Optional<ConfigPhysicalPlan> visitUserPlan(
- final AuthorTreePlan plan, final String userName) {
- return ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(userName, new
PrivilegeUnion(PrivilegeType.MANAGE_USER))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode()
+ final AuthorTreePlan plan, final IAuditEntity userEntity) {
+ final String auditObject = plan.getUserName();
+ if (userEntity.getUsername().equals(plan.getUserName())) {
+ ConfigNode.getInstance()
+ .getConfigManager()
+ .getAuditLogger()
+ .recordAuditLog(userEntity.setPrivilegeType(null).setResult(true),
() -> auditObject);
+ return Optional.of(plan);
+ }
+ return hasGlobalPrivilege(userEntity, PrivilegeType.MANAGE_USER,
plan.getUserName(), true)
? Optional.of(plan)
: Optional.empty();
}
private Optional<ConfigPhysicalPlan> visitRolePlan(
- final AuthorTreePlan plan, final String userName) {
- return ConfigNode.getInstance()
- .getConfigManager()
- .getPermissionManager()
- .checkUserPrivileges(userName, new
PrivilegeUnion(PrivilegeType.MANAGE_ROLE))
- .getStatus()
- .getCode()
- == TSStatusCode.SUCCESS_STATUS.getStatusCode()
+ final AuthorTreePlan plan, final IAuditEntity userEntity) {
+ final String auditObject = plan.getRoleName();
+ final ConfigManager configManager =
ConfigNode.getInstance().getConfigManager();
+ try {
+ if (configManager
+ .getPermissionManager()
+ .checkRoleOfUser(userEntity.getUsername(), plan.getRoleName())
+ .getStatus()
+ .getCode()
+ == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ configManager
+ .getAuditLogger()
+ .recordAuditLog(userEntity.setPrivilegeType(null).setResult(true),
() -> auditObject);
+ return Optional.of(plan);
+ }
+ } catch (final Exception ignore) {
+ // Check manage role
+ }
+ return hasGlobalPrivilege(userEntity, PrivilegeType.MANAGE_ROLE,
plan.getRoleName(), true)
? Optional.of(plan)
: Optional.empty();
}
@Override
public Optional<ConfigPhysicalPlan> visitPipeDeleteTimeSeries(
- final PipeDeleteTimeSeriesPlan pipeDeleteTimeSeriesPlan, final String
userName) {
+ final PipeDeleteTimeSeriesPlan pipeDeleteTimeSeriesPlan, final
IAuditEntity userEntity) {
try {
final PathPatternTree originalTree =
PathPatternTree.deserialize(pipeDeleteTimeSeriesPlan.getPatternTreeBytes());
final PathPatternTree intersectedTree =
-
originalTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userName));
+
originalTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userEntity));
if (!skip && !originalTree.equals(intersectedTree)) {
throw new AccessDeniedException(
"Not has privilege to transfer plan: " + pipeDeleteTimeSeriesPlan);
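Review bot: `visitRolePlan` swallows every exception from `checkRoleOfUser` in `catch (final Exception ignore)`, so a failing permission backend is indistinguishable from "user does not hold the role" and leaves no trace. The fall-through to the MANAGE_ROLE check keeps the decision fail-closed, but the failure should be logged, e.g. `LOGGER.warn("Role membership check failed, falling back to MANAGE_ROLE", e);`, and the catch narrowed if `checkRoleOfUser` declares a specific exception type. In `visitUserPlan`, the new self-target shortcut forwards both grant and revoke plans without MANAGE_USER and audits them with `setPrivilegeType(null)`. A comment stating why a pipe user may always transfer authorization plans that target itself would let reviewers confirm this is intended. The hunk ends inside `visitPipeDeleteTimeSeries`.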
@@ -294,12 +254,12 @@ public class PipeConfigTreePrivilegeParseVisitor
@Override
public Optional<ConfigPhysicalPlan> visitPipeDeleteLogicalView(
- final PipeDeleteLogicalViewPlan pipeDeleteLogicalViewPlan, final String
userName) {
+ final PipeDeleteLogicalViewPlan pipeDeleteLogicalViewPlan, final
IAuditEntity userEntity) {
try {
final PathPatternTree originalTree =
PathPatternTree.deserialize(pipeDeleteLogicalViewPlan.getPatternTreeBytes());
final PathPatternTree intersectedTree =
-
originalTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userName));
+
originalTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userEntity));
if (!skip && !originalTree.equals(intersectedTree)) {
throw new AccessDeniedException(
"Not has privilege to transfer plan: " +
pipeDeleteLogicalViewPlan);
@@ -324,14 +284,14 @@ public class PipeConfigTreePrivilegeParseVisitor
@Override
public Optional<ConfigPhysicalPlan> visitPipeDeactivateTemplate(
- final PipeDeactivateTemplatePlan pipeDeactivateTemplatePlan, final
String userName) {
+ final PipeDeactivateTemplatePlan pipeDeactivateTemplatePlan, final
IAuditEntity userEntity) {
try {
final Map<PartialPath, List<Template>> newTemplateSetInfo = new
HashMap<>();
for (final Map.Entry<PartialPath, List<Template>> templateEntry :
pipeDeactivateTemplatePlan.getTemplateSetInfo().entrySet()) {
for (final PartialPath intersectedPath :
getAllIntersectedPatterns(
- templateEntry.getKey(), userName, pipeDeactivateTemplatePlan))
{
+ templateEntry.getKey(), userEntity,
pipeDeactivateTemplatePlan)) {
// root.db.device2.measurement -> root.db.device.** = root.db
// Note that we cannot take this circumstance into account
if (intersectedPath.getNodeLength() ==
templateEntry.getKey().getNodeLength()) {
@@ -353,11 +313,12 @@ public class PipeConfigTreePrivilegeParseVisitor
}
@Override
- public Optional<ConfigPhysicalPlan> visitTTL(final SetTTLPlan setTTLPlan,
final String userName) {
+ public Optional<ConfigPhysicalPlan> visitTTL(
+ final SetTTLPlan setTTLPlan, final IAuditEntity userEntity) {
try {
final List<PartialPath> paths =
getAllIntersectedPatterns(
- new PartialPath(setTTLPlan.getPathPattern()), userName,
setTTLPlan);
+ new PartialPath(setTTLPlan.getPathPattern()), userEntity,
setTTLPlan);
// The intersectionList is either a singleton list or an empty list,
because the pipe
// pattern and TTL path are each either a prefix path or a full path
return !paths.isEmpty() && paths.get(0).getNodeLength() ==
setTTLPlan.getPathPattern().length
@@ -373,23 +334,79 @@ public class PipeConfigTreePrivilegeParseVisitor
}
private List<PartialPath> getAllIntersectedPatterns(
- final PartialPath partialPath, final String userName, final
ConfigPhysicalPlan plan)
+ final PartialPath partialPath, final IAuditEntity userEntity, final
ConfigPhysicalPlan plan)
throws AuthException {
final PathPatternTree thisPatternTree = new PathPatternTree();
thisPatternTree.appendPathPattern(partialPath);
thisPatternTree.constructTree();
final PathPatternTree intersectedTree =
-
thisPatternTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userName));
+
thisPatternTree.intersectWithFullPathPrefixTree(getAuthorizedPTree(userEntity));
if (!skip && !thisPatternTree.equals(intersectedTree)) {
throw new AccessDeniedException("Not has privilege to transfer plan: " +
plan);
}
return intersectedTree.getAllPathPatterns();
}
- private PathPatternTree getAuthorizedPTree(final String userName) throws
AuthException {
+ private PathPatternTree getAuthorizedPTree(final IAuditEntity userEntity)
throws AuthException {
return ConfigNode.getInstance()
.getConfigManager()
.getPermissionManager()
- .fetchRawAuthorizedPTree(userName, PrivilegeType.READ_SCHEMA);
+ .fetchRawAuthorizedPTree(userEntity, PrivilegeType.READ_SCHEMA);
+ }
+
+ private boolean hasGlobalPrivilege(
+ final IAuditEntity userEntity,
+ final PrivilegeType privilegeType,
+ final String auditObject,
+ final boolean isLastCheck) {
+ final ConfigManager configManager =
ConfigNode.getInstance().getConfigManager();
+ final CNAuditLogger logger = configManager.getAuditLogger();
+ final boolean result =
+ configManager
+ .getPermissionManager()
+ .checkUserPrivileges(userEntity.getUsername(), new
PrivilegeUnion(privilegeType))
+ .getStatus()
+ .getCode()
+ == TSStatusCode.SUCCESS_STATUS.getStatusCode();
+ if (result || isLastCheck) {
+ logger.recordAuditLog(
+ userEntity.setPrivilegeType(privilegeType).setResult(result), () ->
auditObject);
+ }
+ return result;
+ }
+
+ private boolean hasReadPrivilege(
+ final IAuditEntity userEntity,
+ final String path,
+ final boolean withWildcard,
+ final boolean isLastCheck) {
+ final ConfigManager configManager =
ConfigNode.getInstance().getConfigManager();
+ final CNAuditLogger logger = configManager.getAuditLogger();
+ PartialPath partialPath;
+ try {
+ partialPath = new PartialPath(path);
+ } catch (final IllegalPathException e) {
+ LOGGER.warn("Unable to parse path when checking READ privilege, path:
{}", path);
+ return false;
+ }
+ if (withWildcard) {
+ partialPath = partialPath.concatNode(MULTI_LEVEL_PATH_WILDCARD);
+ }
+ final boolean result =
+ ConfigNode.getInstance()
+ .getConfigManager()
+ .getPermissionManager()
+ .checkUserPrivileges(
+ userEntity.getUsername(),
+ new PrivilegeUnion(
+ Collections.singletonList(partialPath),
PrivilegeType.READ_SCHEMA))
+ .getStatus()
+ .getCode()
+ == TSStatusCode.SUCCESS_STATUS.getStatusCode();
+ if (result || isLastCheck) {
+ logger.recordAuditLog(
+
userEntity.setPrivilegeType(PrivilegeType.READ_SCHEMA).setResult(result), () ->
path);
+ }
+ return result;
}
}
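Review bot: `hasReadPrivilege` returns `false` on `IllegalPathException` before reaching the audit call, so a denial caused by an unparseable path is never audited even when `isLastCheck` is true, and the warning drops the exception. Suggest keeping the cause, `LOGGER.warn("Unable to parse path when checking READ privilege, path: {}", path, e);`, and recording a `setResult(false)` audit entry in that branch when `isLastCheck` is set. The audit object is the bare `path` even when the check ran against the path with `MULTI_LEVEL_PATH_WILDCARD` appended, so the record does not show which pattern was evaluated. As a style point, the privilege check calls `ConfigNode.getInstance().getConfigManager()` again although `configManager` is already a local, and the local `logger` sits next to the class-level `LOGGER`; renaming it `auditLogger` would avoid confusion.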
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index 1de3643cabe..60be9a46554 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -41,6 +41,7 @@ import
org.apache.iotdb.commons.schema.table.column.TimeColumnSchema;
import org.apache.iotdb.commons.schema.table.column.TsTableColumnCategory;
import org.apache.iotdb.commons.schema.table.column.TsTableColumnSchema;
import org.apache.iotdb.confignode.rpc.thrift.TDatabaseSchema;
+import org.apache.iotdb.db.audit.DNAuditLogger;
import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.conf.IoTDBConfig;
import org.apache.iotdb.db.exception.sql.SemanticException;
@@ -134,7 +135,6 @@ import
org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.fetcher.TableHeaderSchemaValidator;
import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
-import
org.apache.iotdb.db.queryengine.plan.relational.security.ITableAuthCheckerImpl;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AddColumn;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AlterDB;
import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.AlterPipe;
@@ -500,8 +500,9 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
protected IConfigTask visitShowAvailableUrls(
final ShowAvailableUrls showAvailableUrls, final MPPQueryContext
context) {
context.setQueryType(QueryType.READ);
- ITableAuthCheckerImpl.recordAuditLog(
- context.setAuditLogOperation(AuditLogOperation.QUERY).setResult(true),
() -> "");
+ DNAuditLogger.getInstance()
+ .recordAuditLog(
+
context.setAuditLogOperation(AuditLogOperation.QUERY).setResult(true), () ->
"");
return new ShowAvailableUrlsTask();
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 5631bc0051f..d53b52d2e93 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -652,10 +652,6 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
case GRANT_ROLE:
case REVOKE_ROLE:
case ACCOUNT_UNLOCK:
- context
- .setAuditLogOperation(AuditLogOperation.DDL)
- .setPrivilegeType(PrivilegeType.SECURITY);
- context.setAuditLogOperation(AuditLogOperation.DDL);
auditObject =
() ->
authorType == AuthorType.REVOKE_USER || authorType ==
AuthorType.GRANT_USER
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/source/IoTDBSource.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/source/IoTDBSource.java
index 6640fde7f4a..91a149c9f66 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/source/IoTDBSource.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/source/IoTDBSource.java
@@ -19,6 +19,7 @@
package org.apache.iotdb.commons.pipe.source;
+import org.apache.iotdb.commons.audit.AuditLogOperation;
import org.apache.iotdb.commons.audit.UserEntity;
import org.apache.iotdb.commons.pipe.agent.task.meta.PipeTaskMeta;
import org.apache.iotdb.commons.pipe.config.constant.PipeSourceConstant;
@@ -195,6 +196,7 @@ public abstract class IoTDBSource implements PipeExtractor {
PipeSourceConstant.EXTRACTOR_IOTDB_CLI_HOSTNAME,
PipeSourceConstant.SOURCE_IOTDB_CLI_HOSTNAME);
userEntity = new UserEntity(Long.parseLong(userId), userName, cliHostname);
+ userEntity.setAuditLogOperation(AuditLogOperation.QUERY);
skipIfNoPrivileges = getSkipIfNoPrivileges(parameters);
}
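Review bot: The `UserEntity` built here is a single per-source instance, and this commit has `PipeConfigTreePrivilegeParseVisitor` overwrite its privilege type and result on every check via `userEntity.setPrivilegeType(...).setResult(...)` before passing it to `recordAuditLog`. If the audit logger reads the entity asynchronously, or the source is driven by more than one thread (neither is visible here), a record could be written with fields from a later check. A comment on the field such as `// Mutated per privilege check for audit logging; not safe to share across threads`, or passing a per-check copy, would make the contract explicit. Tagging the entity with `AuditLogOperation.QUERY` also means grant/revoke and DDL plans filtered by the pipe are audited as queries, which is presumably intended but worth stating next to this line. The enclosing method starts outside the hunk.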