This is an automated email from the ASF dual-hosted git repository.

jt2594838 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new b35390559a9 Fix config region pipe privilege trimming (#18142)
b35390559a9 is described below

commit b35390559a93643e5bb22d674ff86607d43418b3
Author: Caideyipi <[email protected]>
AuthorDate: Wed Jul 8 11:38:57 2026 +0800

    Fix config region pipe privilege trimming (#18142)
---
 .../pipe/source/IoTDBConfigRegionSource.java       | 21 ++++-------
 .../PipeConfigTreePrivilegeParseVisitorTest.java   | 43 ++++++++++++++++++++++
 2 files changed, 51 insertions(+), 13 deletions(-)

diff --git 
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
 
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
index 8b4f99f5b26..656f517c4e0 100644
--- 
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
+++ 
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/IoTDBConfigRegionSource.java
@@ -267,21 +267,16 @@ public class IoTDBConfigRegionSource extends 
IoTDBNonDataRegionSource {
     final ConfigPhysicalPlan plan =
         ((PipeConfigRegionWritePlanEvent) event).getConfigPhysicalPlan();
     final Boolean isTableDatabasePlan = isTableDatabasePlan(plan);
+    Optional<ConfigPhysicalPlan> result = Optional.of(plan);
     if (!Boolean.TRUE.equals(isTableDatabasePlan)) {
-      final Optional<ConfigPhysicalPlan> result =
-          treePrivilegeParseVisitor.process(plan, userEntity);
-      if (result.isPresent()) {
-        return Optional.of(
-            new PipeConfigRegionWritePlanEvent(result.get(), 
event.isGeneratedByPipe()));
-      }
+      result = treePrivilegeParseVisitor.process(plan, userEntity);
     }
-    if (!Boolean.FALSE.equals(isTableDatabasePlan)) {
-      final Optional<ConfigPhysicalPlan> result =
-          TABLE_PRIVILEGE_PARSE_VISITOR.process(plan, userEntity);
-      if (result.isPresent()) {
-        return Optional.of(
-            new PipeConfigRegionWritePlanEvent(result.get(), 
event.isGeneratedByPipe()));
-      }
+    if (result.isPresent() && !Boolean.FALSE.equals(isTableDatabasePlan)) {
+      result = TABLE_PRIVILEGE_PARSE_VISITOR.process(result.get(), userEntity);
+    }
+    if (result.isPresent()) {
+      return Optional.of(
+          new PipeConfigRegionWritePlanEvent(result.get(), 
event.isGeneratedByPipe()));
     }
     if (skipIfNoPrivileges) {
       return Optional.empty();
diff --git 
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitorTest.java
 
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitorTest.java
index 73d370b5a00..d88a13a2517 100644
--- 
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitorTest.java
+++ 
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitorTest.java
@@ -39,6 +39,7 @@ import 
org.apache.iotdb.confignode.consensus.request.write.pipe.payload.PipeDele
 import 
org.apache.iotdb.confignode.consensus.request.write.pipe.payload.PipeDeleteTimeSeriesPlan;
 import org.apache.iotdb.confignode.manager.ConfigManager;
 import org.apache.iotdb.confignode.manager.PermissionManager;
+import 
org.apache.iotdb.confignode.manager.pipe.event.PipeConfigRegionWritePlanEvent;
 import org.apache.iotdb.confignode.rpc.thrift.TDatabaseSchema;
 import org.apache.iotdb.confignode.rpc.thrift.TPermissionInfoResp;
 import org.apache.iotdb.confignode.service.ConfigNode;
@@ -52,6 +53,7 @@ import org.junit.Before;
 import org.junit.Test;
 
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.nio.ByteBuffer;
 import java.util.Collections;
 import java.util.HashMap;
@@ -275,6 +277,47 @@ public class PipeConfigTreePrivilegeParseVisitorTest {
             .isPresent());
   }
 
+  @Test
+  public void 
testSourcePrivilegeTrimDoesNotFallbackToTableDefaultForTreePlan() throws 
Exception {
+    final PipeConfigRegionWritePlanEvent unauthorizedTreeEvent =
+        new PipeConfigRegionWritePlanEvent(
+            new SetTTLPlan(new String[] {"root", "db2", "device", 
"measurement"}, 100), false);
+
+    final TestIoTDBConfigRegionSource skipSource = new 
TestIoTDBConfigRegionSource(true);
+    
Assert.assertFalse(skipSource.trimRealtimeEventByPrivilege(unauthorizedTreeEvent).isPresent());
+
+    final PipeConfigRegionWritePlanEvent trimmedTreeEvent =
+        (PipeConfigRegionWritePlanEvent)
+            skipSource
+                .trimRealtimeEventByPrivilege(
+                    new PipeConfigRegionWritePlanEvent(
+                        new SetTTLPlan(new String[] {"root", "*", "device", 
"measurement"}, 100),
+                        false))
+                .get();
+    Assert.assertArrayEquals(
+        new String[] {"root", "db", "device", "measurement"},
+        ((SetTTLPlan) 
trimmedTreeEvent.getConfigPhysicalPlan()).getPathPattern());
+
+    final TestIoTDBConfigRegionSource throwSource = new 
TestIoTDBConfigRegionSource(false);
+    Assert.assertThrows(
+        AccessDeniedException.class,
+        () -> throwSource.trimRealtimeEventByPrivilege(unauthorizedTreeEvent));
+  }
+
+  private static class TestIoTDBConfigRegionSource extends 
IoTDBConfigRegionSource {
+
+    private TestIoTDBConfigRegionSource(final boolean skip)
+        throws NoSuchFieldException, IllegalAccessException {
+      userEntity = new UserEntity(0L, "", "");
+      skipIfNoPrivileges = skip;
+
+      final Field visitorField =
+          
IoTDBConfigRegionSource.class.getDeclaredField("treePrivilegeParseVisitor");
+      visitorField.setAccessible(true);
+      visitorField.set(this, new PipeConfigTreePrivilegeParseVisitor(skip));
+    }
+  }
+
   private static class TestPermissionManager extends PermissionManager {
 
     private BiFunction<String, PrivilegeUnion, Boolean> checkUserPrivileges =

Reply via email to