jt2594838 commented on code in PR #16531:
URL: https://github.com/apache/iotdb/pull/16531#discussion_r2541473294
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/tsfile/PipeTsFileInsertionEvent.java:
##########
@@ -441,33 +449,86 @@ public boolean isGeneratedByPipe() {
@Override
public void throwIfNoPrivilege() {
try {
- if (!isTableModelEvent() ||
AuthorityChecker.SUPER_USER.equals(userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
if (!waitForTsFileClose()) {
LOGGER.info("Temporary tsFile {} detected, will skip its transfer.",
tsFile);
return;
}
- for (final String table : tableNames) {
- if (!tablePattern.matchesDatabase(getTableModelDatabaseName())
- || !tablePattern.matchesTable(table)) {
- continue;
+ if (isTableModelEvent()) {
+ for (final String table : tableNames) {
+ if (!tablePattern.matchesDatabase(getTableModelDatabaseName())
+ || !tablePattern.matchesTable(table)) {
+ continue;
+ }
+ if (!AuthorityChecker.getAccessControl()
+ .checkCanSelectFromTable4Pipe(
+ userName,
+ new QualifiedObjectName(getTableModelDatabaseName(), table),
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname))) {
+ if (skipIfNoPrivileges) {
+ shouldParse4Privilege = true;
+ } else {
+ throw new AccessDeniedException(
+ String.format(
+ "No privilege for SELECT for user %s at table %s.%s",
+ userName, tableModelDatabaseName, table));
+ }
+ }
}
- if (!AuthorityChecker.getAccessControl()
- .checkCanSelectFromTable4Pipe(
- userName,
- new QualifiedObjectName(getTableModelDatabaseName(), table),
- new UserEntity(Long.parseLong(userId), userName,
cliHostname))) {
+ }
+ // Real-time tsFiles
+ else if (Objects.nonNull(treeSchemaMap)) {
+ final List<MeasurementPath> measurementList = new ArrayList<>();
+ for (final Map.Entry<IDeviceID, String[]> entry :
treeSchemaMap.entrySet()) {
+ final IDeviceID deviceID = entry.getKey();
+ for (final String measurement : entry.getValue()) {
+ if (treePattern.matchesMeasurement(deviceID, measurement)) {
+ measurementList.add(new MeasurementPath(deviceID, measurement));
+ }
+ }
+ }
+ final TSStatus status =
+ AuthorityChecker.getAccessControl()
+ .checkSeriesPrivilege4Pipe(
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname),
+ measurementList,
+ PrivilegeType.READ_DATA);
+ if (TSStatusCode.SUCCESS_STATUS.getStatusCode() != status.getCode()) {
if (skipIfNoPrivileges) {
shouldParse4Privilege = true;
} else {
- throw new AccessDeniedException(
- String.format(
- "No privilege for SELECT for user %s at table %s.%s",
- userName, tableModelDatabaseName, table));
+ throw new AccessDeniedException(status.getMessage());
}
}
}
+ // Historical tsFiles
+ // Coarse filter, will be judged in inner class
+ else {
+ final Set<IDeviceID> devices = getDeviceSet();
+ if (Objects.nonNull(devices)) {
+ final List<MeasurementPath> measurementList = new ArrayList<>();
+ for (final IDeviceID device : devices) {
+ measurementList.add(new MeasurementPath(device,
IoTDBConstant.ONE_LEVEL_PATH_WILDCARD));
+ }
+ final TSStatus status =
+ AuthorityChecker.getAccessControl()
+ .checkSeriesPrivilege4Pipe(
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname),
+ measurementList,
+ PrivilegeType.READ_DATA);
+ if (TSStatusCode.SUCCESS_STATUS.getStatusCode() != status.getCode())
{
+ if (skipIfNoPrivileges) {
+ shouldParse4Privilege = true;
+ } else {
+ throw new AccessDeniedException(status.getMessage());
+ }
+ }
+ } else {
+ shouldParse4Privilege = true;
+ }
+ }
Review Comment:
If the file only contains root.db1.d1.s1 (on which the user has privileges),
but the user does not have privileges on root.db1.d1.s2, and skipIfNoPrivileges
= false, then the file will not be transferred?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
