Re: Refactor the rule of auth check
Hi,

root.sg.** should be a legal path. If a user has read permission under root.sg.**, he could query all paths like root.sg.x.x (a sub pattern of root.sg.**).

Thanks,

Jialin Qiao
Apache IoTDB PMC

Xiangdong Huang wrote on Sunday, 8 May 2022 at 19:48:

> Hi,
>
> Just want to make a confirmation: so we cannot grant privileges to
> 'root.sg.**'. It is illegal, right?
>
> ---
> Xiangdong Huang (黄向东)
> School of Software, Tsinghua University
Re: Refactor the rule of auth check
Hi,

Just want to make a confirmation: so we cannot grant privileges to 'root.sg.**'. It is illegal, right?

---
Xiangdong Huang (黄向东)
School of Software, Tsinghua University

周钰坤 (Yukun Zhou) wrote on Friday, 6 May 2022 at 19:14:

> Hi,
>
> Currently, the rule of IoTDB's auth check is prefix match, which is
> inconsistent with the pattern match used in DDL and DML. Therefore, we want to
> refactor the rule to pattern match.
>
> For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES
> INSERT_TIMESERIES on root.ln', won't work any more. The replacement is
> 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.
>
> Besides, we introduce the concept of a sub pattern, which means that a
> pattern's result set contains all the elements of its sub pattern's
> result set. For example, 'root.sg.d.*' is a sub pattern of
> 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of
> 'root.sg.*.*'.
>
> When a user is granted a privilege on a pattern, the pattern used in his
> DDL or DML must be a sub pattern of the privilege pattern, which
> guarantees that the user won't access timeseries exceeding his
> privilege scope.
>
> To guarantee the efficiency and performance of the auth check, we will
> implement the auth check after the generation of the statement and before
> the execution of the statement.
>
> Hope for some suggestions.
>
> Best,
>
> Yukun Zhou (周钰坤)
> School of Software, Tsinghua University
Refactor the rule of auth check
Hi,

Currently, the rule of IoTDB's auth check is prefix match, which is inconsistent with the pattern match used in DDL and DML. Therefore, we want to refactor the rule to pattern match.

For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln', won't work any more. The replacement is 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.

Besides, we introduce the concept of a sub pattern, which means that a pattern's result set contains all the elements of its sub pattern's result set. For example, 'root.sg.d.*' is a sub pattern of 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of 'root.sg.*.*'.

When a user is granted a privilege on a pattern, the pattern used in his DDL or DML must be a sub pattern of the privilege pattern, which guarantees that the user won't access timeseries exceeding his privilege scope.

To guarantee the efficiency and performance of the auth check, we will implement the auth check after the generation of the statement and before the execution of the statement.

Hope for some suggestions.

Best,

Yukun Zhou (周钰坤)
School of Software, Tsinghua University
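The sub pattern rule proposed above, worked through as an added example. This is illustrative code written for this page, not IoTDB's own auth implementation, and it assumes the node-wildcard semantics stated in its docstring ('*' matches exactly one node, '**' one or more nodes; the thread itself does not spell these out). It goes a little beyond the examples in the mail: '**' may appear anywhere in a pattern, and the check is an exact language-inclusion test (every path the statement pattern can match is matched by the privilege pattern), so it also answers the follow-up question in the thread, namely that 'root.sg.**' is a legal privilege pattern and 'root.sg.x.x' is a sub pattern of it. The function names `matches`, `is_sub_pattern` and `is_statement_allowed` are this example's own.

```python
"""Pattern-based privilege check for IoTDB-style path patterns.

Illustrative implementation (not IoTDB's code). Assumed semantics:
  - a path is a dot-separated list of nodes, e.g. root.sg.d1.s1
  - '*'  matches exactly one node
  - '**' matches one or more nodes
A statement pattern is allowed iff every path it can match is also
matched by the privilege pattern, i.e. it is a sub pattern of it.
"""
from collections import deque

ANY = "*"
MULTI = "**"
# Stand-in for "some node name written in neither pattern". Only
# wildcards can consume it, so one representative covers all such names.
FRESH = object()


def parse(pattern: str) -> list:
    nodes = pattern.split(".")
    if any(n == "" for n in nodes):
        raise ValueError(f"malformed pattern: {pattern!r}")
    return nodes


def step(nodes, states, sym):
    """One NFA step. State i means nodes[:i] have been consumed;
    the accepting state is len(nodes)."""
    nxt = set()
    for s in states:
        if s >= len(nodes):
            continue          # pattern exhausted, no further node allowed
        node = nodes[s]
        if node == MULTI:
            nxt.add(s)        # stay: '**' keeps consuming nodes
            nxt.add(s + 1)    # leave: this was the last node '**' takes
        elif node == ANY or node == sym:
            nxt.add(s + 1)
    return frozenset(nxt)


def matches(pattern: str, path: str) -> bool:
    """Does a concrete path (no wildcards) match the pattern?"""
    nodes = parse(pattern)
    states = frozenset({0})
    for sym in parse(path):
        states = step(nodes, states, sym)
    return len(nodes) in states


def is_sub_pattern(sub: str, sup: str) -> bool:
    """True iff every path matched by `sub` is also matched by `sup`.

    Explores the product of the two (determinised) pattern automata over
    the literals of both patterns plus one fresh node name. Any reachable
    pair where `sub` accepts but `sup` does not is a counterexample path.
    """
    a, b = parse(sub), parse(sup)
    alphabet = {n for n in a + b if n not in (ANY, MULTI)} | {FRESH}
    start = (frozenset({0}), frozenset({0}))
    seen, queue = {start}, deque([start])
    while queue:
        sa, sb = queue.popleft()
        if len(a) in sa and len(b) not in sb:
            return False
        for sym in alphabet:
            na = step(a, sa, sym)
            if not na:
                continue      # `sub` can match nothing beyond here
            pair = (na, step(b, sb, sym))
            if pair not in seen:
                seen.add(pair)
                queue.append(pair)
    return True


def is_statement_allowed(privilege_pattern: str, statement_pattern: str) -> bool:
    """The proposed auth rule: the statement's pattern must be a sub
    pattern of the pattern the privilege was granted on."""
    return is_sub_pattern(statement_pattern, privilege_pattern)


if __name__ == "__main__":
    # Cases from the thread
    print(is_sub_pattern("root.sg.d.*", "root.sg.*.*"))      # True
    print(is_sub_pattern("root.sg.**", "root.sg.*.*"))       # False
    print(is_sub_pattern("root.sg.x.x", "root.sg.**"))       # True
    # Why the old grant on 'root.ln' must become 'root.ln.**'
    print(is_statement_allowed("root.ln", "root.ln.d1.s1"))    # False
    print(is_statement_allowed("root.ln.**", "root.ln.d1.s1")) # True
```

Because the check is done on the pattern in the parsed statement rather than on the timeseries that exist at execution time, it is independent of the data set size, which is the efficiency point made in the mail; the cost is bounded by the number of pattern nodes and literals, not by the number of timeseries.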