imay commented on a change in pull request #1472:  Support grant GRANT_PRIV on 
database or table level
URL: https://github.com/apache/incubator-doris/pull/1472#discussion_r303461517
 
 

 ##########
 File path: fe/src/main/java/org/apache/doris/analysis/RevokeStmt.java
 ##########
 @@ -88,25 +88,36 @@ public void analyze(Analyzer analyzer) throws 
AnalysisException {
         }
 
         // can not revoke NODE_PRIV from any user
-        for (PaloPrivilege paloPrivilege : privileges) {
-            if (paloPrivilege == PaloPrivilege.NODE_PRIV) {
-                throw new AnalysisException("Can not revoke NODE_PRIV from any 
users or roles");
-            }
+        if (privileges.contains(PaloPrivilege.NODE_PRIV)) {
+            throw new AnalysisException("Can not revoke NODE_PRIV from any 
users or roles");
         }
 
-        // ADMIN_PRIV and GRANT_PRIV can only be revoked as global
+        // ADMIN_PRIV can only be revoked on GLOBAL level
         if (tblPattern.getPrivLevel() != PrivLevel.GLOBAL) {
-            for (PaloPrivilege paloPrivilege : privileges) {
-                if (paloPrivilege == PaloPrivilege.ADMIN_PRIV || paloPrivilege 
== PaloPrivilege.GRANT_PRIV) {
-                    throw new AnalysisException(
-                            "Can not revoke ADMIN_PRIV or GRANT_PRIV from 
specified database or table. Only support from *.*");
-                }
+            if (privileges.contains(PaloPrivilege.ADMIN_PRIV)) {
+                throw new AnalysisException("Can not revoke ADMIN_PRIV from 
specified database or table. Only support from *.*");
             }
         }
 
-        if 
(!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
-                                                "REVOKE");
+        if (role != null) {
+            // only user with GLOBAL level's GRANT_PRIV can revoke privileges 
to roles.
+            if 
(!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
+                
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"REVOKE");
+            }
+        } else {
+            // revoke from a certain user
+            // 1. check if current user has GLOBAL level GRANT_PRIV.
+            // 2. or if current user has DATABASE level GRANT_PRIV if grant to 
certain database.
+            if (tblPattern.getPrivLevel() == PrivLevel.GLOBAL) {
+                if 
(!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
+                    
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"GRANT");
+                }
+            } else {
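Review bot: The access-denied error in the GLOBAL-level branch names the wrong statement: this is RevokeStmt, yet the new code reports `"GRANT"` where the removed check reported `"REVOKE"`, so a user refused here gets a message (and any audit trail built on that error) saying they lack GRANT permission for a REVOKE. Change the argument back to `ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "REVOKE");` and fix the copy-pasted comment to `// 2. or if current user has DATABASE level GRANT_PRIV if revoking on a certain database.`. The comment above the role branch likewise says "revoke privileges to roles" while the code revokes from roles; `from roles` is what it does. The enclosing analyze() method, including the non-GLOBAL else branch opened on the last line, continues outside the hunk, so the database-level check itself cannot be reviewed here.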
 
 Review comment:
   how about table level?
   
   And do grant and revoke share the same logic? Do these two classes reuse any code?
