jt2594838 commented on code in PR #16531:
URL: https://github.com/apache/iotdb/pull/16531#discussion_r2596961797
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/tsfile/PipeTsFileInsertionEvent.java:
##########
@@ -441,33 +449,86 @@ public boolean isGeneratedByPipe() {
@Override
public void throwIfNoPrivilege() {
try {
- if (!isTableModelEvent() ||
AuthorityChecker.SUPER_USER.equals(userName)) {
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
if (!waitForTsFileClose()) {
LOGGER.info("Temporary tsFile {} detected, will skip its transfer.",
tsFile);
return;
}
- for (final String table : tableNames) {
- if (!tablePattern.matchesDatabase(getTableModelDatabaseName())
- || !tablePattern.matchesTable(table)) {
- continue;
+ if (isTableModelEvent()) {
+ for (final String table : tableNames) {
+ if (!tablePattern.matchesDatabase(getTableModelDatabaseName())
+ || !tablePattern.matchesTable(table)) {
+ continue;
+ }
+ if (!AuthorityChecker.getAccessControl()
+ .checkCanSelectFromTable4Pipe(
+ userName,
+ new QualifiedObjectName(getTableModelDatabaseName(), table),
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname))) {
+ if (skipIfNoPrivileges) {
+ shouldParse4Privilege = true;
+ } else {
+ throw new AccessDeniedException(
+ String.format(
+ "No privilege for SELECT for user %s at table %s.%s",
+ userName, tableModelDatabaseName, table));
+ }
+ }
}
- if (!AuthorityChecker.getAccessControl()
- .checkCanSelectFromTable4Pipe(
- userName,
- new QualifiedObjectName(getTableModelDatabaseName(), table),
- new UserEntity(Long.parseLong(userId), userName,
cliHostname))) {
+ }
+ // Real-time tsFiles
+ else if (Objects.nonNull(treeSchemaMap)) {
+ final List<MeasurementPath> measurementList = new ArrayList<>();
+ for (final Map.Entry<IDeviceID, String[]> entry :
treeSchemaMap.entrySet()) {
+ final IDeviceID deviceID = entry.getKey();
+ for (final String measurement : entry.getValue()) {
+ if (treePattern.matchesMeasurement(deviceID, measurement)) {
+ measurementList.add(new MeasurementPath(deviceID, measurement));
+ }
+ }
+ }
+ final TSStatus status =
+ AuthorityChecker.getAccessControl()
+ .checkSeriesPrivilege4Pipe(
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname),
+ measurementList,
+ PrivilegeType.READ_DATA);
+ if (TSStatusCode.SUCCESS_STATUS.getStatusCode() != status.getCode()) {
if (skipIfNoPrivileges) {
shouldParse4Privilege = true;
} else {
- throw new AccessDeniedException(
- String.format(
- "No privilege for SELECT for user %s at table %s.%s",
- userName, tableModelDatabaseName, table));
+ throw new AccessDeniedException(status.getMessage());
}
}
}
+ // Historical tsFiles
+ // Coarse filter, will be judged in inner class
+ else {
+ final Set<IDeviceID> devices = getDeviceSet();
+ if (Objects.nonNull(devices)) {
+ final List<MeasurementPath> measurementList = new ArrayList<>();
+ for (final IDeviceID device : devices) {
+ measurementList.add(new MeasurementPath(device,
IoTDBConstant.ONE_LEVEL_PATH_WILDCARD));
+ }
+ final TSStatus status =
+ AuthorityChecker.getAccessControl()
+ .checkSeriesPrivilege4Pipe(
+ new UserEntity(Long.parseLong(userId), userName,
cliHostname),
+ measurementList,
+ PrivilegeType.READ_DATA);
+ if (TSStatusCode.SUCCESS_STATUS.getStatusCode() != status.getCode())
{
+ if (skipIfNoPrivileges) {
+ shouldParse4Privilege = true;
+ } else {
+ throw new AccessDeniedException(status.getMessage());
+ }
+ }
+ } else {
+ shouldParse4Privilege = true;
+ }
+ }
Review Comment:
That is,
1. Root creates root.db1.d1.s1, root.db1.d1.s2;
2. Root grants all on root.db1.d1.s1 to userA;
3. userA writes some data of root.db1.d1.s1 and flush;
4. userA creates a pipe, only selecting root.db1.d1.s1;
5. Still, the data cannot be synchronized?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
