TimXu0713 opened a new issue, #16862: URL: https://github.com/apache/iotdb/issues/16862
### Search before asking

- [x] I searched in the [issues](https://github.com/apache/iotdb/issues) and found nothing similar.

### Version

Apache IoTDB 1.3.5, Cluster mode (3 ConfigNodes, 3 DataNodes).

### Describe the bug and provide the minimal reproduce step

Environment Information:

- Deployment: 3 ConfigNodes (3CN), 3 DataNodes (3DN).
- User Role Impact: The issue involves differences between the root user and an ordinary user.

Description:

We are experiencing an inconsistent query permission issue when connecting to a specific DataNode (DN1) using an ordinary user account. The problem does not occur when using the root user on the same DN1, or when connecting to the other DataNodes (DN2, DN3) with either the ordinary user or root.

Steps to Reproduce:

1. Create an ordinary user in the IoTDB cluster.
2. Grant specific permissions to this user for certain time series (Note: The exact granted privileges and paths are part of the investigation).
3. Connect the ordinary user client session specifically to DN1.
4. Execute a query targeting specific time series (some fail, some succeed). Notably, a broad query like `SELECT * FROM root.**` might execute successfully even when queries on specific paths within the result set fail.
5. Observe that the same queries, when run by the root user connected to DN1, or by any user (ordinary or root) connected to DN2 or DN3, all execute successfully.

<img width="1177" height="945" alt="Image" src="https://github.com/user-attachments/assets/58c020e3-2876-4d7f-9caa-a5bebeb3d302" />

### What did you expect to see?

Query permissions for a user should be consistent across all DataNodes in the cluster. A query that succeeds for a user on one node should succeed on all nodes, provided the underlying data and user privileges are the same.

### What did you see instead?

Inconsistent query results are observed for the ordinary user depending on the connected DataNode:

- DN1 Connection (Ordinary User): Queries on certain specific time series fail, while others succeed. `SELECT *` works.
- DN1 Connection (root User): All queries succeed.
- DN2/DN3 Connection (Any User): All queries succeed.

This suggests a potential bug in permission validation or metadata synchronization specific to DN1 for non-root users.

### Anything else?

In IoTDB, user privileges are path-dependent. The inconsistency might relate to:

- Privilege Cache/Synchronization: A potential delay or error in synchronizing the ordinary user's privilege information (or role mappings) across all DataNodes, particularly affecting DN1.
- Path-Specific Permission Check: A flaw in the permission verification logic on DN1 when handling queries for specific paths, which might be bypassed by a `SELECT *` query or when using the root account (which has all privileges).
- Node-Specific Session Context: An issue where the user's effective privileges (combining user-specific grants and role grants) are not correctly initialized or applied within the session context on DN1.

### Are you willing to submit a PR?

- [ ] I'm willing to submit a PR!
