imay commented on a change in pull request #1472:  Support grant GRANT_PRIV on 
database or table level
URL: https://github.com/apache/incubator-doris/pull/1472#discussion_r303819303
 
 

 ##########
 File path: fe/src/main/java/org/apache/doris/analysis/GrantStmt.java
 ##########
 @@ -92,32 +91,51 @@ public void analyze(Analyzer analyzer) throws 
AnalysisException, UserException {
             throw new AnalysisException("No privileges in grant statement.");
         }
 
-        // can not grant NODE_PRIV to any other user(root has NODE_PRIV, no 
need to grant)
-        for (PaloPrivilege paloPrivilege : privileges) {
-            if (paloPrivilege == PaloPrivilege.NODE_PRIV) {
-                throw new AnalysisException("Can not grant NODE_PRIV to any 
other users or roles");
-            }
-        }
+        checkPrivileges(analyzer, privileges, role, tblPattern);
+    }
 
-        // ADMIN_PRIV and GRANT_PRIV can only be granted as global
-        if (tblPattern.getPrivLevel() != PrivLevel.GLOBAL) {
-            for (PaloPrivilege paloPrivilege : privileges) {
-                if (paloPrivilege == PaloPrivilege.ADMIN_PRIV || paloPrivilege 
== PaloPrivilege.GRANT_PRIV) {
-                    throw new AnalysisException(
-                            "Can not grant ADMIN_PRIV or GRANT_PRIV to 
specified database or table. Only support to *.*");
-                }
-            }
+    /*
+     * Rules:
+     * 1. Can not grant/revoke NODE_PRIV to/from any other user.
+     * 2. ADMIN_PRIV can only be granted/revoked on GLOBAL level
+     * 3. Privileges can not be granted/revoked to/from ADMIN and OPERATOR role
+     * 4. Only user with GLOBAL level's GRANT_PRIV can grant/revoke privileges 
to/from roles.
+     * 5.1 User should has GLOBAL level GRANT_PRIV
+     * 5.2 or user has DATABASE/TABLE level GRANT_PRIV if grant/revoke to/from 
certain database or table.
+     */
+    public static void checkPrivileges(Analyzer analyzer, List<PaloPrivilege> 
privileges,
+            String role, TablePattern tblPattern) throws AnalysisException {
+        // Rule 1
+        if (privileges.contains(PaloPrivilege.NODE_PRIV)) {
+            throw new AnalysisException("Can not grant NODE_PRIV to any other 
users or roles");
         }
 
-        if (role != null) {
-            // can not grant to admin or operator role
-            FeNameFormat.checkRoleName(role, false /* can not be admin */, 
"Can not grant to role");
-            role = ClusterNamespace.getFullName(analyzer.getClusterName(), 
role);
+        // Rule 2
+        if (tblPattern.getPrivLevel() != PrivLevel.GLOBAL && 
privileges.contains(PaloPrivilege.ADMIN_PRIV)) {
+            throw new AnalysisException("ADMIN_PRIV privilege can only be 
granted on *.*");
         }
 
-        if 
(!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
-                                                "GRANT");
+        if (role != null) {
+            // Rule 3 and 4
+            if 
(!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
+                
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"GRANT");
+            }
+        } else {
+            // Rule 5.1 and 5.2
+            if (tblPattern.getPrivLevel() == PrivLevel.GLOBAL) {
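Review bot: The Rule 3 check that the removed lines performed — rejecting ADMIN and OPERATOR as the target role via `FeNameFormat.checkRoleName(role, false /* can not be admin */, "Can not grant to role");` — does not appear on the new side of this hunk, although the `role != null` branch is labelled "Rule 3 and 4"; the branch only verifies the caller's GLOBAL GRANT_PRIV, which is Rule 4. Unless that call (and the `ClusterNamespace.getFullName` normalisation it was paired with) moved into analyze() above the hunk, it should be restored as the first statement of the `role != null` branch so a grantor cannot attach privileges to the built-in admin roles. Because the header comment says checkPrivileges covers both grant and revoke, the Rule 1 message `"Can not grant NODE_PRIV to any other users or roles"` will also be reported on a revoke; `"Can not grant or revoke NODE_PRIV for any other users or roles"` would fit both callers. The body of checkPrivileges continues past the end of this hunk, so the Rule 5 handling could not be reviewed here.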
 
 Review comment:
  I think TablePattern is a confusing name. It would be better to rename it in a 
later PR
