(iotdb) branch master updated: The grant option check for path privileges was not correctly logged in the audit log (#16969)

Wed, 31 Dec 2025 15:41:27 -0800 

This is an automated email from the ASF dual-hosted git repository.

jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 4e78cb24959 The grant option check for path privileges was not 
correctly logged in the audit log (#16969)
4e78cb24959 is described below

commit 4e78cb24959fbcdfa02454529c2bfc40d0c054ec
Author: shuwenwei <[email protected]>
AuthorDate: Thu Jan 1 07:41:13 2026 +0800

    The grant option check for path privileges was not correctly logged in the 
audit log (#16969)
---
 .../security/TreeAccessCheckVisitor.java           | 84 +++++++++++++++-------
 1 file changed, 59 insertions(+), 25 deletions(-)

diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index e63b63f850e..4daa322d58e 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -167,6 +167,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
+import java.util.StringJoiner;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
@@ -668,31 +669,12 @@ public class TreeAccessCheckVisitor extends 
StatementVisitor<TSStatus, TreeAcces
             auditObject)) {
           return RpcUtils.SUCCESS_STATUS;
         }
-        for (String s : statement.getPrivilegeList()) {
-          PrivilegeType privilegeType = PrivilegeType.valueOf(s.toUpperCase());
-          if (privilegeType.isSystemPrivilege()) {
-            if (!checkHasGlobalAuth(context, privilegeType, auditObject, 
true)) {
-              return AuthorityChecker.getTSStatus(
-                  false,
-                  "Has no permission to execute "
-                      + authorType
-                      + ", please ensure you have these privileges and the 
grant option is TRUE when granted)");
-            }
-          } else if (privilegeType.isPathPrivilege()) {
-            if (!AuthorityChecker.checkPathPermissionGrantOption(
-                context.getUsername(), privilegeType, 
statement.getNodeNameList())) {
-              return AuthorityChecker.getTSStatus(
-                  false,
-                  "Has no permission to execute "
-                      + authorType
-                      + ", please ensure you have these privileges and the 
grant option is TRUE when granted)");
-            }
-          } else {
-            return AuthorityChecker.getTSStatus(
-                false, "Not support Relation statement in tree sql_dialect");
-          }
-        }
-        return RpcUtils.SUCCESS_STATUS;
+        return checkPermissionsWithGrantOption(
+            context,
+            Arrays.stream(statement.getPrivilegeList())
+                .map(s -> PrivilegeType.valueOf(s.toUpperCase()))
+                .collect(Collectors.toList()),
+            statement.getNodeNameList());
       default:
         throw new IllegalArgumentException("Unknown authorType: " + 
authorType);
     }
@@ -1997,6 +1979,58 @@ public class TreeAccessCheckVisitor extends 
StatementVisitor<TSStatus, TreeAcces
     return result;
   }
 
+  protected TSStatus checkPermissionsWithGrantOption(
+      IAuditEntity auditEntity, List<PrivilegeType> privilegeList, 
List<PartialPath> paths) {
+    Supplier<String> supplier =
+        () -> {
+          StringJoiner joiner = new StringJoiner(" ");
+          if (paths != null) {
+            paths.forEach(path -> joiner.add(path.getFullPath()));
+          }
+          return joiner.toString();
+        };
+    auditEntity.setPrivilegeTypes(privilegeList);
+    if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
+      recordObjectAuthenticationAuditLog(auditEntity.setResult(true), 
supplier);
+      return SUCCEED;
+    }
+    TSStatus status = SUCCEED;
+    for (PrivilegeType privilegeType : privilegeList) {
+      if (privilegeType.isSystemPrivilege()) {
+        if (!AuthorityChecker.checkSystemPermissionGrantOption(
+            auditEntity.getUsername(), privilegeType)) {
+          status =
+              AuthorityChecker.getTSStatus(
+                  false,
+                  "Has no permission to execute "
+                      + privilegeType
+                      + ", please ensure you have these privileges and the 
grant option is TRUE when granted");
+          break;
+        }
+      } else if (privilegeType.isPathPrivilege()) {
+        if (!AuthorityChecker.checkPathPermissionGrantOption(
+            auditEntity.getUsername(), privilegeType, paths)) {
+          status =
+              AuthorityChecker.getTSStatus(
+                  false,
+                  "Has no permission to execute "
+                      + privilegeType
+                      + ", please ensure you have these privileges and the 
grant option is TRUE when granted");
+          break;
+        }
+      } else {
+        status =
+            AuthorityChecker.getTSStatus(
+                false, "Not support Relation statement in tree sql_dialect");
+        break;
+      }
+    }
+    recordObjectAuthenticationAuditLog(
+        auditEntity.setResult(status.getCode() == 
TSStatusCode.SUCCESS_STATUS.getStatusCode()),
+        supplier);
+    return status;
+  }
+
   protected TSStatus checkWriteOnReadOnlyPath(IAuditEntity auditEntity, 
PartialPath path) {
     if (includeByAuditTreeDB(path)
         && !AuthorityChecker.INTERNAL_AUDIT_USER.equals(path.getFullPath())) {

Reply via email to