From 673abb17979bf1b61e93e6589a3bdec7f1cebb3e Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Mon, 8 Apr 2024 10:52:01 +0800
Subject: [PATCH 01/68] 1
---
.../apache/doris/analysis/AdminCopyTabletStmt.java | 4 ++--
.../org/apache/doris/analysis/AlterPolicyStmt.java | 4 ++--
.../apache/doris/analysis/CancelAlterSystemStmt.java | 9 +++++++++
.../org/apache/doris/analysis/CreatePolicyStmt.java | 4 ++--
.../org/apache/doris/analysis/DropPolicyStmt.java | 4 ++--
.../org/apache/doris/analysis/SetLdapPassVar.java | 12 +++++++-----
.../doris/analysis/ShowCatalogRecycleBinStmt.java | 10 ++++++++++
.../org/apache/doris/analysis/ShowCreateDbStmt.java | 2 +-
.../doris/analysis/ShowCreateRepositoryStmt.java | 10 +++++++++-
.../java/org/apache/doris/analysis/ShowDataStmt.java | 5 +++++
.../apache/doris/analysis/ShowEncryptKeysStmt.java | 7 +++----
.../org/apache/doris/analysis/ShowPluginsStmt.java | 12 +++++++++++-
.../apache/doris/analysis/ShowStreamLoadStmt.java | 9 +++++++++
.../apache/doris/analysis/ShowTabletsBelongStmt.java | 9 +++++++++
.../apache/doris/analysis/ShowTransactionStmt.java | 10 +++++++++-
15 files changed, 90 insertions(+), 21 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
index 63832d9cd65d22..e7dfa958e61a7d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
@@ -71,8 +71,8 @@ public long getExpirationMinutes() { @Override public void analyze(Analyzer analyzer) throws AnalysisException { - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "NODE"); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); } if (properties == null) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java index 91a5f143752c3b..6f154672757685 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java @@ -53,8 +53,8 @@ public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); } if (properties == null || properties.isEmpty()) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java index 9b547a4de53b77..dbc0668cf79968 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java 
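Review bot: The policy check in AlterPolicyStmt.analyze now asks for `PrivPredicate.GRANT` instead of `PrivPredicate.ADMIN`, and the only explanation left beside it is the `// check auth` comment; the same swap is made in CreatePolicyStmt and DropPolicyStmt further down. If GRANT can be satisfied by an account that does not hold ADMIN, this widens the set of users who can create, change or remove policies, and that should be a stated decision rather than a side effect. I would record the requirement where it is enforced, e.g. `// policy DDL requires GRANT (was ADMIN); see <issue or design note>`, and add a regression test that a user without GRANT is rejected by all three statements. analyze() begins and ends outside the hunk.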
@@ -17,7 +17,12 @@ package org.apache.doris.analysis; +import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.system.SystemInfoService; import org.apache.doris.system.SystemInfoService.HostInfo; @@ -44,6 +49,10 @@ public CancelAlterSystemStmt(List params) { @Override public void analyze(Analyzer analyzer) throws AnalysisException { + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + "NODE"); + } for (String param : params) { if (!param.contains(":")) { ids.add(param); diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java index 4d8527c0f79245..086074b57bee28 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java @@ -114,8 +114,8 @@ public void analyze(Analyzer analyzer) throws UserException { } } // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java index 2a3e3a2bf5c5fc..2b0dba5e5389a1 100644 
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java @@ -69,8 +69,8 @@ public void analyze(Analyzer analyzer) throws UserException { } } // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java index c4eed0e5b262e6..bf73ae165f7f23 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java @@ -17,8 +17,11 @@ package org.apache.doris.analysis; +import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; -import org.apache.doris.mysql.privilege.Auth; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; public class SetLdapPassVar extends SetVar { 
@@ -35,11 +38,10 @@ public String getLdapPassword() { @Override public void analyze(Analyzer analyzer) throws AnalysisException { - if (!ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ROOT_USER) - && !ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ADMIN_USER)) { - throw new AnalysisException("Only root and admin user can set ldap admin password."); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + "ADMIN"); } - if (!passVar.isPlain()) { throw new AnalysisException("Only support set ldap password with plain text"); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java index fe241acf04764f..bb98949fcc2e3d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java @@ -18,12 +18,17 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.CaseSensibility; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.PatternMatcher; import org.apache.doris.common.PatternMatcherWrapper; import org.apache.doris.common.UserException; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; 
@@ -52,6 +57,11 @@ public String getNameValue() { public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + if (where == null) { return; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java index 0cadde094b8bf5..dd624e1f514532 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java @@ -58,7 +58,7 @@ public void analyze(Analyzer analyzer) throws AnalysisException, UserException { } if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), db, - PrivPredicate.ALTER_CREATE_DROP)) { + PrivPredicate.SHOW)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), db); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java index f11a02253699c3..5e3bc0b3ddc328 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java 
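Review bot: The database check in ShowCreateDbStmt.analyze is relaxed from `PrivPredicate.ALTER_CREATE_DROP` to `PrivPredicate.SHOW` with no comment or test explaining why the lower bar is safe. The statement's output is not visible in this hunk, so it is worth confirming that nothing it prints should stay limited to users who can alter the database. A one-line comment above the call such as `// read-only statement: SHOW on the database is sufficient`, plus a test that a user with no privilege on the database is still denied, would document the intent. analyze() begins and ends outside the hunk.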
@@ -18,8 +18,13 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; // SHOW CREATE REPOSITORY statement @@ -43,7 +48,10 @@ public String getRepoName() { @Override public void analyze(Analyzer analyzer) throws AnalysisException { - + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java index 6be5ab00ea2874..78aaf139c8a49c 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java @@ -123,6 +123,11 @@ public void analyze(Analyzer analyzer) throws UserException { Util.prohibitExternalCatalog(analyzer.getDefaultCatalog(), this.getClass().getSimpleName()); } + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + Database db = Env.getCurrentInternalCatalog().getDbOrAnalysisException(dbName); // order by diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java index 36c1162f720fb5..054eaa9881c8cc 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java @@ -63,10 +63,9 @@ public void analyze(Analyzer analyzer) throws AnalysisException, UserException { } } - // must check after analyze dbName, for case dbName is null. - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException( - ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName); + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java index 65ffa65622af33..90dc49a3a7879d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java @@ -18,7 +18,13 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; // Show plugins statement. @@ -39,7 +45,11 @@ public class ShowPluginsStmt extends ShowStmt { .build(); @Override - public void analyze(Analyzer analyzer) { + public void analyze(Analyzer analyzer) throws AnalysisException { + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } } @Override 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java index ae133aa2a23e9e..6969eeb9302e1c 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java @@ -19,12 +19,15 @@ import org.apache.doris.analysis.BinaryPredicate.Operator; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.common.util.OrderByPair; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -139,6 +142,12 @@ public boolean isAccurateMatch() { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + if (Strings.isNullOrEmpty(dbName)) { dbName = analyzer.getDefaultDb(); if (Strings.isNullOrEmpty(dbName)) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java index b321dace7f555e..58cde408a7e110 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java 
@@ -18,8 +18,13 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.collect.ImmutableList; @@ -54,6 +59,10 @@ public List getTabletIds() { @Override public void analyze(Analyzer analyzer) throws UserException { + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } if (tabletIds == null || tabletIds.isEmpty()) { throw new UserException("Please supply at least one tablet id"); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java index f34c0e5e3363bb..4cf22c1aa595c6 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java @@ -19,12 +19,15 @@ import org.apache.doris.analysis.BinaryPredicate.Operator; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.common.proc.TransProcDir; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import org.apache.doris.transaction.TransactionStatus; 
@@ -70,9 +73,14 @@ public boolean labelMatch() { } @Override - public void analyze(Analyzer analyzer) throws AnalysisException, UserException { + public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + if (Strings.isNullOrEmpty(dbName)) { dbName = analyzer.getDefaultDb(); if (Strings.isNullOrEmpty(dbName)) { From 5342d561ef6fb007c6a280de93494a54f9116fc9 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Tue, 9 Apr 2024 10:13:35 +0800 Subject: [PATCH 02/68] 1 --- .../doris/analysis/CancelExportStmt.java | 13 +++++ .../analysis/DropMaterializedViewStmt.java | 4 +- .../doris/analysis/ShowRepositoriesStmt.java | 14 ++++++ .../doris/analysis/ShowSnapshotStmt.java | 10 ++++ .../apache/doris/job/manager/JobManager.java | 49 +++++++++++++++++++ .../java/org/apache/doris/load/ExportMgr.java | 26 ++++++++++ .../apache/doris/load/loadv2/LoadManager.java | 24 ++++++++- 7 files changed, 137 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java index ebdd7997d416b6..93055b9b6bd89c 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java 
@@ -18,9 +18,14 @@ package org.apache.doris.analysis; import org.apache.doris.analysis.BinaryPredicate.Operator; +import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.load.ExportJobState; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import com.google.common.base.Strings; import com.google.common.collect.ImmutableSet; @@ -137,6 +142,14 @@ public void analyze(Analyzer analyzer) throws UserException { } } + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, + PrivPredicate.SELECT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SELECT", + ConnectContext.get().getQualifiedUser(), + ConnectContext.get().getRemoteIP(), dbName); + } + if (null == whereClause) { throw new AnalysisException("Where clause can't be null"); } else if (whereClause instanceof LikePredicate) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java index 68cd29688d508c..505da734265ba8 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java @@ -72,8 +72,8 @@ public void analyze(Analyzer analyzer) throws UserException { // check access if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), tableName.getDb(), - tableName.getTbl(), PrivPredicate.DROP)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP"); + tableName.getTbl(), PrivPredicate.ALTER)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ALTER"); } } 
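Review bot: The check added to CancelExportStmt.analyze is a database-level one (`checkDbPriv(..., dbName, PrivPredicate.SELECT)`), but the denial is reported with `ErrorCode.ERR_TABLEACCESS_DENIED_ERROR`, with `dbName` passed in what is presumably the table slot of that message. A denied user would be told that access to a table was refused, which is misleading in the error and in any log built from it. ShowCreateDbStmt in this same patch reports a database denial as `ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName);` and the same form fits here. analyze() begins and ends outside the hunk.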
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java index dbbd5d7b36f98d..d3729c2a8e172b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java @@ -18,7 +18,13 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.collect.ImmutableList; @@ -33,6 +39,14 @@ public ShowRepositoriesStmt() { } + @Override + public void analyze(Analyzer analyzer) throws AnalysisException { + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + } + @Override public ShowResultSetMetaData getMetaData() { ShowResultSetMetaData.Builder builder = ShowResultSetMetaData.builder(); diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java index d10d216b120ad1..b1b7e69799c8c2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java 
@@ -19,9 +19,14 @@ import org.apache.doris.analysis.CompoundPredicate.Operator; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -55,6 +60,11 @@ public ShowSnapshotStmt(String repoName, Expr where) { public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } + // analyze where clause if not null if (where != null) { // eg: WHERE snapshot="snapshot_label" [and timestamp="2018-04-19-11-11:11"]; diff --git a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java index 7e8b01ce28775a..2a8f5e4662a148 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java 
@@ -24,11 +24,14 @@ import org.apache.doris.common.AnalysisException; import org.apache.doris.common.CaseSensibility; import org.apache.doris.common.DdlException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.PatternMatcher; import org.apache.doris.common.PatternMatcherWrapper; import org.apache.doris.common.io.Writable; import org.apache.doris.common.util.LogBuilder; import org.apache.doris.common.util.LogKey; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.job.base.AbstractJob; import org.apache.doris.job.common.JobStatus; import org.apache.doris.job.common.JobType; @@ -37,6 +40,8 @@ import org.apache.doris.job.extensions.insert.InsertJob; import org.apache.doris.job.scheduler.JobScheduler; import org.apache.doris.load.loadv2.JobState; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import com.google.common.collect.Lists; import lombok.extern.log4j.Log4j2; @@ -48,6 +53,7 @@ import java.util.ArrayList; import java.util.LinkedList; import java.util.List; +import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.locks.ReentrantReadWriteLock; import java.util.stream.Collectors; 
@@ -356,6 +362,28 @@ public List> getLoadJobInfosByDb(long dbId, String dbName, if (jobState != null && !validState(jobState, loadJob)) { continue; } + // check auth + Set tableNames = loadJob.getTableNames(); + // check auth + if (tableNames.isEmpty()) { + // forward compatibility + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, + PrivPredicate.LOAD)) { + continue; + } + } else { + boolean auth = true; + for (String tblName : tableNames) { + if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), dbName, + tblName, PrivPredicate.LOAD)) { + auth = false; + break; + } + } + if (!auth) { + continue; + } + } // add load job info, convert String list to Comparable list loadJobInfos.add(new ArrayList<>(loadJob.getShowInfo())); } catch (RuntimeException e) { @@ -412,6 +440,27 @@ public void cancelLoadJob(CancelLoadStmt cs) } finally { readUnlock(); } + // check auth + if (unfinishedLoadJob.size() > 1 || unfinishedLoadJob.get(0).getTableNames().isEmpty()) { + if (Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "LOAD", + ConnectContext.get().getQualifiedUser(), + ConnectContext.get().getRemoteIP(), dbName); + } + } else { + for (String tableName : unfinishedLoadJob.get(0).getTableNames()) { + if (Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + tableName, + PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "LOAD", + ConnectContext.get().getQualifiedUser(), + ConnectContext.get().getRemoteIP(), dbName + ":" + tableName); + } + } + } for (InsertJob loadJob : unfinishedLoadJob) { try { alterJobStatus(loadJob.getJobId(), JobStatus.STOPPED); 
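Review bot: The LOAD filter added to JobManager.getLoadJobInfosByDb is written out in full here and again, statement for statement, in LoadManager.getLoadJobInfosByDb later in this patch, so the two listings can drift apart the next time the rule changes. The block also carries the `// check auth` comment twice and tracks the outcome in a mutable `auth` flag. Moving the rule into one helper keeps the visibility filter in a single place and lets the loop read as one condition; the comment on the empty-table-names branch should say what it covers (jobs that recorded no table names fall back to the database-level check). The method body starts and ends outside the hunk.

```java
// … unchanged: job-state filtering …
if (!hasLoadPriv(dbName, loadJob.getTableNames())) {
    continue;
}
// … unchanged: loadJobInfos.add(...) and the catch block …

/**
 * Returns true when the current session holds LOAD on every table the job names,
 * or on the database when the job recorded no table names.
 */
private boolean hasLoadPriv(String dbName, Set<String> tableNames) {
    ConnectContext ctx = ConnectContext.get();
    if (tableNames.isEmpty()) {
        return Env.getCurrentEnv().getAccessManager().checkDbPriv(ctx, dbName, PrivPredicate.LOAD);
    }
    for (String tblName : tableNames) {
        if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ctx, dbName, tblName, PrivPredicate.LOAD)) {
            return false;
        }
    }
    return true;
}
```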
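Review bot: Both conditions added to cancelLoadJob are inverted: the `checkDbPriv(...)` test and the `checkTblPriv(...)` test below it raise the access-denied error when the check succeeds and fall through to `alterJobStatus(loadJob.getJobId(), JobStatus.STOPPED)` when it fails, so a session without LOAD can stop the matched jobs while one that holds it is rejected. Every other check in this patch negates the call, and both lines should begin `if (!Env.getCurrentEnv().getAccessManager()`. The same inversion is present in the hunk added to ExportMgr.cancelExportJob, in both of its branches. Two smaller points: `unfinishedLoadJob.get(0)` needs a non-empty list, which is not established inside the hunk, and `ERR_DBACCESS_DENIED_ERROR` is given four arguments here while ShowCreateDbStmt passes only user and database, so the message arguments are probably misaligned. A test that cancels a job as a user without LOAD and expects a denial would catch this; the method starts and ends outside the hunk.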
diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java index f72c0b44a6346c..226f9bad861638 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java @@ -26,6 +26,8 @@ import org.apache.doris.common.CaseSensibility; import org.apache.doris.common.Config; import org.apache.doris.common.DdlException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeConstants; import org.apache.doris.common.LabelAlreadyUsedException; import org.apache.doris.common.PatternMatcher; @@ -33,6 +35,7 @@ import org.apache.doris.common.util.ListComparator; import org.apache.doris.common.util.OrderByPair; import org.apache.doris.common.util.TimeUtils; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; import org.apache.doris.scheduler.exception.JobException; 
@@ -122,6 +125,29 @@ public void cancelExportJob(CancelExportStmt stmt) throws DdlException, Analysis if (matchExportJobs.isEmpty()) { throw new DdlException("All export job(s) are at final state (CANCELLED/FINISHED)"); } + + // check auth + String dbName = stmt.getDbName(); + if (matchExportJobs.size() > 1) { + if (Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + PrivPredicate.SELECT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "SELECT", + ConnectContext.get().getQualifiedUser(), + ConnectContext.get().getRemoteIP(), dbName); + } + } else { + String tableName = matchExportJobs.get(0).getTableName().getTbl(); + if (Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + tableName, + PrivPredicate.SELECT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SELECT", + ConnectContext.get().getQualifiedUser(), + ConnectContext.get().getRemoteIP(), dbName + ":" + tableName); + } + } + try { for (ExportJob exportJob : matchExportJobs) { // exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL, "user cancel"); diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java index 4ae86e224f6c2d..67220e5183f7ba 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java 
@@ -611,9 +611,31 @@ public List> getLoadJobInfosByDb(long dbId, String labelValue, if (!states.contains(loadJob.getState())) { continue; } + String dbName = loadJob.getDb().getName(); + Set tableNames = loadJob.getTableNames(); + // check auth + if (tableNames.isEmpty()) { + // forward compatibility + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, + PrivPredicate.LOAD)) { + continue; + } + } else { + boolean auth = true; + for (String tblName : tableNames) { + if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), dbName, + tblName, PrivPredicate.LOAD)) { + auth = false; + break; + } + } + if (!auth) { + continue; + } + } // add load job info loadJobInfos.add(loadJob.getShowInfo()); - } catch (RuntimeException | DdlException e) { + } catch (RuntimeException | DdlException | MetaNotFoundException e) { // ignore this load job LOG.warn("get load job info failed. job id: {}", loadJob.getId(), e); } From f6fad5485165623d41f25e1d016941e45247e6ac Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 11:49:10 +0800 Subject: [PATCH 03/68] 1 --- .../org/apache/doris/analysis/AlterViewStmt.java | 2 +- .../org/apache/doris/analysis/BaseViewStmt.java | 16 ++++++++++++++++ .../apache/doris/analysis/CreateViewStmt.java | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java index a46d580ffdc942..7e5e1c09bded46 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java @@ -73,7 +73,7 @@ public void analyze(Analyzer analyzer) throws UserException { viewDefStmt.setNeedToSql(true); Analyzer viewAnalyzer = new Analyzer(analyzer); viewDefStmt.analyze(viewAnalyzer); - + checkQueryAuth(); createColumnAndViewDefs(analyzer); } 
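Review bot: The LOAD checks in getLoadJobInfosByDb call `checkDbPriv(ConnectContext.get(), dbName, ...)` and `checkTblPriv(ConnectContext.get(), dbName, tblName, ...)` without a catalog argument, while the ExportMgr check in the same patch passes `InternalCatalog.INTERNAL_CATALOG_NAME`. Using one form throughout would make it explicit which catalog the names resolve against. The `// forward compatibility` comment would read better as `// jobs recorded without table names: fall back to the db-level LOAD check`. Any failure inside the check (for instance a null `ConnectContext.get()`, if this method can be reached from a non-session thread) lands in the `RuntimeException` arm and hides the job behind a warn log. That fails closed, but it would be hard to diagnose. The loop and method continue outside the hunk.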
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java index 8114448f0d4e15..1e0a7774a09a3f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java @@ -18,12 +18,15 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.Type; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.common.util.ToSqlContext; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import com.google.common.base.Preconditions; import com.google.common.collect.Lists; @@ -74,6 +77,19 @@ public String getInlineViewDef() { return inlineViewDef; } + protected void checkQueryAuth() throws UserException { + for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) { + SlotRef expr = (SlotRef) viewDefStmt.getBaseTblResultExprs().get(i); + TableName queryTableName = expr.getTableName(); + String queryColumnName = expr.getColumnName(); + // check privilege + Env.getCurrentEnv().getAccessManager() + .checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), queryTableName.getCtl(), + queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName), + PrivPredicate.SELECT); + } + } + /** * Sets the originalViewDef and the expanded inlineViewDef based on viewDefStmt. * If columnNames were given, checks that they do not contain duplicate column names diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java index ba5007ccce85cd..f290ac59e88728 100644 
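Review bot: `checkQueryAuth()` casts every entry of `viewDefStmt.getBaseTblResultExprs()` to `SlotRef` without a type check, so a view whose select list holds anything other than a bare column (a function call, arithmetic, a literal) would presumably end in a ClassCastException instead of an authorization decision. It would be safer to collect the column references inside each expression and to guard against a null `getTableName()`. Only result expressions are examined, so columns used solely in WHERE, JOIN or GROUP BY are not covered here; confirm that `viewDefStmt.analyze(...)` already enforces SELECT on them. The return value of `checkColumnsPriv(...)` is not inspected, so the check only works if that method throws on denial, which deserves a comment such as `// checkColumnsPriv throws if SELECT is missing on the column`. `Sets.newHashSet` is used although the import hunk adds no `Sets` import, so verify that it is already imported outside the visible context.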
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java @@ -82,7 +82,7 @@ public void analyze(Analyzer analyzer) throws UserException { Analyzer viewAnalyzer = new Analyzer(analyzer); viewDefStmt.forbiddenMVRewrite(); viewDefStmt.analyze(viewAnalyzer); - + checkQueryAuth(); createColumnAndViewDefs(viewAnalyzer); } finally { // must reset this flag, otherwise, all following query statement in this connection From c2eeaa74f3b24582f9c7ac53de4d313a6ad15f9b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 14:48:40 +0800 Subject: [PATCH 04/68] 1 --- .../suites/auth_p0/admin_copy_tablet.groovy | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 regression-test/suites/auth_p0/admin_copy_tablet.groovy diff --git a/regression-test/suites/auth_p0/admin_copy_tablet.groovy b/regression-test/suites/auth_p0/admin_copy_tablet.groovy new file mode 100644 index 00000000000000..f8f35a74ce8065 --- /dev/null +++ b/regression-test/suites/auth_p0/admin_copy_tablet.groovy 
@@ -0,0 +1,34 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_admin_copy_tablet_auth","p0,auth") {
+ String user = 'test_admin_copy_tablet_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("admin"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
From 355587625b0a5405a4b68c992387002ca186e7cc Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 14:50:06 +0800 Subject: [PATCH 05/68] 1 --- regression-test/suites/auth_p0/admin_copy_tablet.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regression-test/suites/auth_p0/admin_copy_tablet.groovy b/regression-test/suites/auth_p0/admin_copy_tablet.groovy
index f8f35a74ce8065..2df90b4836ea39 100644
--- a/regression-test/suites/auth_p0/admin_copy_tablet.groovy
+++ b/regression-test/suites/auth_p0/admin_copy_tablet.groovy
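Review bot: This negative test passes when the statement is not rejected at all: if `sql "ADMIN COPY TABLET ..."` succeeds, the `catch` block is never entered and no assertion runs, so a missing or broken privilege check would go unnoticed. Add a failure directly after the statement inside the `try`, for example `Assert.fail("expected an access-denied error")`. An AssertionError is not caught by `catch (Exception e)`, and `org.junit.Assert` is already imported. The same pattern recurs in the other auth_p0 suites added later in this series (test_cancel_alter_system_auth, test_set_ldap_admin_password_auth, the test_show_*_auth suites and test_create_policy_auth). The closing `try_sql("DROP USER ${user}")` is skipped when an assertion fails, so moving it into a `finally` would keep the test account from lingering.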
@@ -27,7 +27,7 @@ suite("test_admin_copy_tablet_auth","p0,auth") { sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("admin")) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) } } try_sql("DROP USER ${user}") From 45c03c9f004a9d0d2e6b30f87e9d8b24fc54d156 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 14:53:21 +0800 Subject: [PATCH 06/68] 1 --- regression-test/suites/auth_p0/admin_copy_tablet.groovy | 1 + 1 file changed, 1 insertion(+) diff --git a/regression-test/suites/auth_p0/admin_copy_tablet.groovy b/regression-test/suites/auth_p0/admin_copy_tablet.groovy index 2df90b4836ea39..f2541fd6053f20 100644 --- a/regression-test/suites/auth_p0/admin_copy_tablet.groovy +++ b/regression-test/suites/auth_p0/admin_copy_tablet.groovy @@ -22,6 +22,7 @@ suite("test_admin_copy_tablet_auth","p0,auth") { String pwd = 'C123_567p' try_sql("DROP USER ${user}") sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');" From c4a67d571d03fb81854da8f35db708011c1cf111 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 15:13:24 +0800 Subject: [PATCH 07/68] 1 --- ...ovy => test_admin_copy_tablet_auth.groovy} | 0 .../test_cancel_alter_system_auth.groovy | 35 +++++++++++++++++++ 2 files changed, 35 insertions(+) rename regression-test/suites/auth_p0/{admin_copy_tablet.groovy => test_admin_copy_tablet_auth.groovy} (100%) create mode 100644 regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy 
diff --git a/regression-test/suites/auth_p0/admin_copy_tablet.groovy b/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy similarity index 100% rename from regression-test/suites/auth_p0/admin_copy_tablet.groovy rename to regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy diff --git a/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy new file mode 100644 index 00000000000000..e5793c6a3c1b10 --- /dev/null +++ b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy 
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_cancel_alter_system_auth","p0,auth") { + String user = 'test_cancel_alter_system_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "CANCEL DECOMMISSION BACKEND 'id1';" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the NODE privilege")) + } + } + try_sql("DROP USER ${user}") +} From 9f8febefdc09c7e25c579d34b1d173db35abae63 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 15:18:57 +0800 Subject: [PATCH 08/68] 1 --- .../test_set_ldap_admin_password_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy 
diff --git a/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy new file mode 100644 index 00000000000000..96c319e7680f1a --- /dev/null +++ b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy @@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_set_ldap_admin_password_auth","p0,auth") { + String user = 'test_set_ldap_admin_password_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SET LDAP_ADMIN_PASSWORD = PASSWORD('plain password')" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From 7823d6e6a8186b89cfdd99f362567ad8fe44dae0 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 15:26:10 +0800 Subject: [PATCH 09/68] 1 --- .../test_show_catalog_recycle_bin_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy new file mode 100644 index 00000000000000..0612b4b2c0023f --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy 
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_catalog_recycle_bin_auth","p0,auth") { + String user = 'test_show_catalog_recycle_bin_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW CATALOG RECYCLE BIN WHERE NAME = 'test'" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From 018073c096510783c45a417186d8a9a4b2b3edbf Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 15:36:07 +0800 Subject: [PATCH 10/68] 1 --- .../java/org/apache/doris/analysis/ShowDataStmt.java | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java index 78aaf139c8a49c..6713c9b40dc192 100644 
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java @@ -123,11 +123,6 @@ public void analyze(Analyzer analyzer) throws UserException { Util.prohibitExternalCatalog(analyzer.getDefaultCatalog(), this.getClass().getSimpleName()); } - // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); - } - Database db = Env.getCurrentInternalCatalog().getDbOrAnalysisException(dbName); // order by @@ -427,7 +422,11 @@ public String toString() { return toSql(); } - private void getAllDbStats() { + private void getAllDbStats() throws AnalysisException { + // check auth + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + } List dbNames = Env.getCurrentInternalCatalog().getDbNames(); if (dbNames == null || dbNames.isEmpty()) { return; From cb25644ab8ab439c7c31602e46bfa540c07c4d04 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 16:03:25 +0800 Subject: [PATCH 11/68] 1 --- .../suites/auth_p0/test_show_data_auth.groovy | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_data_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_data_auth.groovy b/regression-test/suites/auth_p0/test_show_data_auth.groovy new file mode 100644 index 00000000000000..f1d874d6dc368e --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_data_auth.groovy 
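Review bot: Moving the ADMIN check out of `analyze()` and into `getAllDbStats()` leaves the database- and table-scoped forms of SHOW DATA without any privilege check in these hunks. Confirm that those paths enforce a per-database or per-table privilege elsewhere, since the code that would do so is not shown. The follow-up test change in this series also drops the `show data from aa.bb` case, so that path is not exercised by the new suite. A check placed inside a private data-collection helper is easy to miss if another caller is added, so a comment such as `// global stats span all databases, so require ADMIN` would record why it lives there. Both method bodies extend beyond the hunks.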
@@ -0,0 +1,42 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_data_auth","p0,auth") { + String user = 'test_show_data_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW DATA" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + try { + sql "use regression_test" + sql "show data from aa.bb" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("denied")) + } + } + try_sql("DROP USER ${user}") +} From ac9585ecdbd9d406ef901bd9fccb2782e72af4ed Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 16:06:59 +0800 Subject: [PATCH 12/68] 1 --- regression-test/suites/auth_p0/test_show_data_auth.groovy | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/regression-test/suites/auth_p0/test_show_data_auth.groovy b/regression-test/suites/auth_p0/test_show_data_auth.groovy index f1d874d6dc368e..869f2a941441eb 100644 --- a/regression-test/suites/auth_p0/test_show_data_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_data_auth.groovy @@ -30,13 +30,6 @@ suite("test_show_data_auth","p0,auth") { log.info(e.getMessage()) assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) } - try { - sql "use regression_test" - sql "show data from aa.bb" - } catch (Exception e) { - log.info(e.getMessage()) - assertTrue(e.getMessage().contains("denied")) - } } try_sql("DROP USER ${user}") } From c63316d8c307469054b905fbcfcb083968c96994 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 16:11:42 +0800 Subject: [PATCH 13/68] 1 --- .../auth_p0/test_show_encryptkeys_auth.groovy | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy new file mode 100644 index 00000000000000..7e9f31895c8f83 --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy 
@@ -0,0 +1,36 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_encryptkeys_auth","p0,auth") { + String user = 'test_show_encryptkeys_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "use regression_test" + sql "SHOW ENCRYPTKEYS" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From f7a67cf1be3283ec33349e301e8182e8d27a8aae Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 16:14:49 +0800 Subject: [PATCH 14/68] 1 --- .../auth_p0/test_show_plugins_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_plugins_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_plugins_auth.groovy b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy new file mode 100644 index 00000000000000..aff803198b3fe4 
--- /dev/null +++ b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy @@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_plugins_auth","p0,auth") { + String user = 'test_show_plugins_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW PLUGINS" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From fc0c3c3d16ba973274c9c974a5fcc41640dc410f Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 17:47:09 +0800 Subject: [PATCH 15/68] 1 --- .../test_show_tablets_belong_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy 
diff --git a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy new file mode 100644 index 00000000000000..922a45df3ebd4f --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy @@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_tablets_belong_auth","p0,auth") { + String user = 'test_show_tablets_belong_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW TABLETS BELONG 27028;;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From e3beedbabbbb9710f558f958a4f5a77a68b3b311 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 17:51:05 +0800 Subject: [PATCH 16/68] 1 --- .../test_show_tablets_belong_auth.groovy | 2 +- .../auth_p0/test_show_transaction_auth.groovy | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 regression-test/suites/auth_p0/test_show_transaction_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy index 922a45df3ebd4f..d7c6ef12c8f848 100644 --- a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy @@ -25,7 +25,7 @@ suite("test_show_tablets_belong_auth","p0,auth") { sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "SHOW TABLETS BELONG 27028;;" + sql "SHOW TABLETS BELONG 27028" } catch (Exception e) { log.info(e.getMessage()) assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) diff --git a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy new file mode 100644 index 00000000000000..94d0731232a204 --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy 
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_transaction_auth","p0,auth") { + String user = 'test_show_transaction_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW TRANSACTION WHERE ID=4005;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From 0657358814adb853b65cae10b59e109e5500decd Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 17:54:35 +0800 Subject: [PATCH 17/68] 1 --- .../auth_p0/test_show_snapshot_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_snapshot_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy new file mode 100644 index 00000000000000..cc5f3e6ab11536 --- /dev/null 
+++ b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy @@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_snapshot_auth","p0,auth") { + String user = 'test_show_snapshot_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW SNAPSHOT ON example_repo" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From 7173f80d431904bcec6294c18658f2cd3434ba74 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 17:59:50 +0800 Subject: [PATCH 18/68] 1 --- .../test_show_repositories_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_repositories_auth.groovy 
diff --git a/regression-test/suites/auth_p0/test_show_repositories_auth.groovy b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy new file mode 100644 index 00000000000000..1d9105947cb04e --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy @@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_repositories_auth","p0,auth") { + String user = 'test_show_repositories_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW REPOSITORIES" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + } + } + try_sql("DROP USER ${user}") +} From 3423de90f188f70bb343c6a6fd6434d0c973ac4c Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 18:03:27 +0800 Subject: [PATCH 19/68] 1 --- .../test_show_create_repository_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_create_repository_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy new file mode 100644 index 00000000000000..40497b253525d5 --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy 
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_create_repository_auth","p0,auth") {
+ String user = 'test_show_create_repository_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW CREATE REPOSITORY for repository_name"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
From 8b9ecff737eb0c936a9cce73dbbfd302ff2aa8c0 Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Wed, 10 Apr 2024 18:41:50 +0800
Subject: [PATCH 20/68] 1
---
.../auth_p0/test_create_policy_auth.groovy | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 regression-test/suites/auth_p0/test_create_policy_auth.groovy
diff --git a/regression-test/suites/auth_p0/test_create_policy_auth.groovy b/regression-test/suites/auth_p0/test_create_policy_auth.groovy
new file mode 100644
index 00000000000000..c947b0f87acd98
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_create_policy_auth.groovy
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_create_policy_auth","p0,auth") {
+ String user = 'test_create_policy_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "CREATE ROW POLICY test_row_policy_1 ON test.table1
+ AS RESTRICTIVE TO test USING (c1 = 'a');"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("need (at least one of) the GRANT privilege"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
From 7297a3fea9aa18d21c52d7e9876ddac06a24e754 Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 18:44:16 +0800 Subject: [PATCH 21/68] 1 --- regression-test/suites/auth_p0/test_create_policy_auth.groovy | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/regression-test/suites/auth_p0/test_create_policy_auth.groovy b/regression-test/suites/auth_p0/test_create_policy_auth.groovy index c947b0f87acd98..9564b9464cc756 100644 --- a/regression-test/suites/auth_p0/test_create_policy_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_policy_auth.groovy @@ -25,8 +25,7 @@ suite("test_create_policy_auth","p0,auth") { sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "CREATE ROW POLICY test_row_policy_1 ON test.table1 - AS RESTRICTIVE TO test USING (c1 = 'a');" + sql "CREATE ROW POLICY test_create_policy_auth ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');" } catch (Exception e) { log.info(e.getMessage()) assertTrue(e.getMessage().contains("need (at least one of) the GRANT privilege")) From e7a61b8dd7a69c6a74387a353b2c196abc48847f Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 18:54:49 +0800 Subject: [PATCH 22/68] 1 --- .../apache/doris/analysis/CreatePolicyStmt.java | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java index 086074b57bee28..8aedccb6e75ca2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java 
@@ -101,6 +101,12 @@ public void analyze(Analyzer analyzer) throws UserException { throw new UserException("storage policy feature is disabled by default. " + "Enable it by setting 'enable_storage_policy=true' in fe.conf"); } + // check auth + if (!Env.getCurrentEnv().getAccessManager() + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); + } break; case ROW: default: @@ -112,10 +118,12 @@ public void analyze(Analyzer analyzer) throws UserException { user.getQualifiedUser(), user.getHost(), tableName.getTbl()); } } - } - // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); + // check auth + if (!Env.getCurrentEnv().getAccessManager() + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.GRANT.getPrivs().toString()); + } } } From df50758abb047d86efbd1f1b0e78ad938f3e9e82 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 18:57:07 +0800 Subject: [PATCH 23/68] 1 --- .../apache/doris/analysis/AlterPolicyStmt.java | 6 ++++-- .../apache/doris/analysis/DropPolicyStmt.java | 16 ++++++++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java index 6f154672757685..c8128e2bcbdb68 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java 
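Review bot: The GRANT check moved into the shared `case ROW: default:` arm means every policy type other than STORAGE, including any added later, is authorised with `PrivPredicate.GRANT`, which the test added later in this series reports as `Admin_priv,Grant_priv` and which is therefore satisfied by more accounts than ADMIN. Giving `default:` its own arm that rejects the statement, for example `default: throw new UserException("unsupported policy type");`, keeps an unrecognised type from inheriting the weaker check. Both checks also sit at the end of their arms, after the `enable_storage_policy` test and after the user analysis, so an account without the privilege sees those validation errors first; moving each check to the top of its arm would deny before anything else is evaluated. The start of the switch is outside these hunks, and DropPolicyStmt in the next patch has the same layout.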
@@ -53,8 +53,10 @@ public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); + if (!Env.getCurrentEnv().getAccessManager() + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } if (properties == null || properties.isEmpty()) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java index 2b0dba5e5389a1..4bd20fe8c9b084 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java @@ -60,6 +60,12 @@ public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); switch (type) { case STORAGE: + // check auth + if (!Env.getCurrentEnv().getAccessManager() + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); + } break; case ROW: default: @@ -67,10 +73,12 @@ public void analyze(Analyzer analyzer) throws UserException { if (user != null) { user.analyze(); } - } - // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT"); + // check auth + if (!Env.getCurrentEnv().getAccessManager() + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.GRANT.getPrivs().toString()); + } } } 
From b2581dc6a32865ff20645f24ab50c9f0454ebb0b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 19:31:59 +0800 Subject: [PATCH 24/68] 1 --- .../src/main/java/org/apache/doris/common/ErrorCode.java | 2 +- .../org/apache/doris/mysql/privilege/PrivBitSet.java | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index c5841f571b4752..c955e61d38a554 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java @@ -73,7 +73,7 @@ public enum ErrorCode { ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User '%s' has exceeded the '%s' resource " + "(current value: %d)"), ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " - + "one of) the %s privilege(s) for this operation"), + + "one of) the (%s) privilege(s) for this operation"), ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all " + " %s privilege(s) for this operation"), ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be " diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java index 1397d3ce477a9a..f2335e63c89268 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java 
@@ -158,10 +158,15 @@ public String toString() { StringBuilder sb = new StringBuilder(); Privilege.privileges.keySet().forEach(idx -> { if (get(idx)) { - sb.append(Privilege.getPriv(idx)).append(" "); + sb.append(Privilege.getPriv(idx)).append(","); } }); - return sb.toString(); + String res = sb.toString(); + if (res.length() > 0) { + return res.substring(0, res.length() - 1); + } else { + return res; + } } public static PrivBitSet read(DataInput in) throws IOException { From 4f948d938c437e7cdaf3d179db371831530968cf Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 19:38:22 +0800 Subject: [PATCH 25/68] 1 --- .../suites/auth_p0/test_create_policy_auth.groovy | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_create_policy_auth.groovy b/regression-test/suites/auth_p0/test_create_policy_auth.groovy index 9564b9464cc756..90c05740276254 100644 --- a/regression-test/suites/auth_p0/test_create_policy_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_policy_auth.groovy @@ -28,7 +28,19 @@ suite("test_create_policy_auth","p0,auth") { sql "CREATE ROW POLICY test_create_policy_auth ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the GRANT privilege")) + assertTrue(e.getMessage().contains("need (at least one of) the (Admin_priv,Grant_priv) privilege")) + } + try { + sql """ + CREATE STORAGE POLICY testPolicy + PROPERTIES( + "storage_resource" = "s3", + "cooldown_datetime" = "2022-06-08 00:00:00" + ); + """ + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("need (at least one of) the (Admin_priv) privilege")) } } try_sql("DROP USER ${user}") From 40d04d96296f60c4ec7ccc99842f7c8b5888681d Mon Sep 17 00:00:00 2001 
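Review bot: `toString()` builds the list with a trailing comma and then trims it by hand; a `java.util.StringJoiner` states the join directly: `StringJoiner joined = new StringJoiner(",");`, then `joined.add(String.valueOf(Privilege.getPriv(idx)));` inside the `if`, and `return joined.toString();`. The separator change from a space to a comma also applies to every other caller of `PrivBitSet.toString()`, not only the access-denied message this series is shaping; those callers are not visible in the hunk, so it is worth checking that none of them splits or displays the old space-separated form. A short Javadoc such as `/** Comma-separated names of the privileges set in this bit set; empty string when none are set. */` would pin the format the error message now relies on.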
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 19:53:11 +0800 Subject: [PATCH 26/68] 1 --- .../java/org/apache/doris/analysis/AdminCopyTabletStmt.java | 3 ++- .../java/org/apache/doris/analysis/CancelAlterSystemStmt.java | 2 +- .../main/java/org/apache/doris/analysis/SetLdapPassVar.java | 2 +- .../org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java | 3 ++- .../org/apache/doris/analysis/ShowCreateRepositoryStmt.java | 3 ++- .../src/main/java/org/apache/doris/analysis/ShowDataStmt.java | 3 ++- .../java/org/apache/doris/analysis/ShowEncryptKeysStmt.java | 3 ++- .../main/java/org/apache/doris/analysis/ShowPluginsStmt.java | 3 ++- .../java/org/apache/doris/analysis/ShowRepositoriesStmt.java | 3 ++- .../main/java/org/apache/doris/analysis/ShowSnapshotStmt.java | 3 ++- .../java/org/apache/doris/analysis/ShowTabletsBelongStmt.java | 3 ++- .../java/org/apache/doris/analysis/ShowTransactionStmt.java | 3 ++- .../suites/auth_p0/test_admin_copy_tablet_auth.groovy | 2 +- .../suites/auth_p0/test_cancel_alter_system_auth.groovy | 2 +- regression-test/suites/auth_p0/test_create_policy_auth.groovy | 4 ++-- .../suites/auth_p0/test_set_ldap_admin_password_auth.groovy | 2 +- .../suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy | 2 +- .../suites/auth_p0/test_show_create_repository_auth.groovy | 2 +- regression-test/suites/auth_p0/test_show_data_auth.groovy | 2 +- .../suites/auth_p0/test_show_encryptkeys_auth.groovy | 2 +- regression-test/suites/auth_p0/test_show_plugins_auth.groovy | 2 +- .../suites/auth_p0/test_show_repositories_auth.groovy | 2 +- regression-test/suites/auth_p0/test_show_snapshot_auth.groovy | 2 +- .../suites/auth_p0/test_show_tablets_belong_auth.groovy | 2 +- .../suites/auth_p0/test_show_transaction_auth.groovy | 2 +- 25 files changed, 36 insertions(+), 26 deletions(-) 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java index e7dfa958e61a7d..475219ca343c53 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java @@ -72,7 +72,8 @@ public long getExpirationMinutes() { @Override public void analyze(Analyzer analyzer) throws AnalysisException { if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } if (properties == null) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java index dbc0668cf79968..e3a465d2d904ea 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java @@ -51,7 +51,7 @@ public CancelAlterSystemStmt(List params) { public void analyze(Analyzer analyzer) throws AnalysisException { if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, - "NODE"); + PrivPredicate.OPERATOR.getPrivs().toString()); } for (String param : params) { if (!param.contains(":")) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java index bf73ae165f7f23..5f33c171a81567 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java @@ -40,7 +40,7 @@ public String getLdapPassword() { public void analyze(Analyzer analyzer) throws AnalysisException { if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, - "ADMIN"); + PrivPredicate.ADMIN.getPrivs().toString()); } if (!passVar.isPlain()) { throw new AnalysisException("Only support set ldap password with plain text"); diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java index bb98949fcc2e3d..f15c3657240d87 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java @@ -59,7 +59,8 @@ public void analyze(Analyzer analyzer) throws UserException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } if (where == null) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java index 5e3bc0b3ddc328..9de7dd0e9eed72 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java 
@@ -50,7 +50,8 @@ public String getRepoName() { public void analyze(Analyzer analyzer) throws AnalysisException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java index 6713c9b40dc192..3671f943d11f44 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java @@ -425,7 +425,8 @@ public String toString() { private void getAllDbStats() throws AnalysisException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } List dbNames = Env.getCurrentInternalCatalog().getDbNames(); if (dbNames == null || dbNames.isEmpty()) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java index 054eaa9881c8cc..ef33f8e74fec7b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java 
@@ -65,7 +65,8 @@ public void analyze(Analyzer analyzer) throws AnalysisException, UserException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java index 90dc49a3a7879d..249e49da28dbaf 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java @@ -48,7 +48,8 @@ public class ShowPluginsStmt extends ShowStmt { public void analyze(Analyzer analyzer) throws AnalysisException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java index d3729c2a8e172b..6e5166a5c870b8 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java 
@@ -43,7 +43,8 @@ public ShowRepositoriesStmt() { public void analyze(Analyzer analyzer) throws AnalysisException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java index b1b7e69799c8c2..83465a34600587 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java @@ -62,7 +62,8 @@ public void analyze(Analyzer analyzer) throws UserException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } // analyze where clause if not null diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java index 58cde408a7e110..3819541fea9a72 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java 
@@ -61,7 +61,8 @@ public List getTabletIds() { public void analyze(Analyzer analyzer) throws UserException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } if (tabletIds == null || tabletIds.isEmpty()) { throw new UserException("Please supply at least one tablet id"); diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java index 4cf22c1aa595c6..3d5d03bdf8f768 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java @@ -78,7 +78,8 @@ public void analyze(Analyzer analyzer) throws UserException { // check auth if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } if (Strings.isNullOrEmpty(dbName)) { diff --git a/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy b/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy index f2541fd6053f20..c040dfb8e956c3 100644 --- a/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy +++ b/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy 
@@ -28,7 +28,7 @@ suite("test_admin_copy_tablet_auth","p0,auth") { sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy index e5793c6a3c1b10..0e630fdae8e9cc 100644 --- a/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy +++ b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy @@ -28,7 +28,7 @@ suite("test_cancel_alter_system_auth","p0,auth") { sql "CANCEL DECOMMISSION BACKEND 'id1';" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the NODE privilege")) + assertTrue(e.getMessage().contains("Node_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_create_policy_auth.groovy b/regression-test/suites/auth_p0/test_create_policy_auth.groovy index 90c05740276254..8debfaedb273a7 100644 --- a/regression-test/suites/auth_p0/test_create_policy_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_policy_auth.groovy @@ -28,7 +28,7 @@ suite("test_create_policy_auth","p0,auth") { sql "CREATE ROW POLICY test_create_policy_auth ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the (Admin_priv,Grant_priv) privilege")) + assertTrue(e.getMessage().contains("Admin_priv,Grant_priv")) } try { sql """ 
@@ -40,7 +40,7 @@ suite("test_create_policy_auth","p0,auth") { """ } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the (Admin_priv) privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy index 96c319e7680f1a..6c5032f7ef9867 100644 --- a/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy +++ b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy @@ -28,7 +28,7 @@ suite("test_set_ldap_admin_password_auth","p0,auth") { sql "SET LDAP_ADMIN_PASSWORD = PASSWORD('plain password')" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy index 0612b4b2c0023f..aa3ba7f8e2bfa2 100644 --- a/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_catalog_recycle_bin_auth","p0,auth") { sql "SHOW CATALOG RECYCLE BIN WHERE NAME = 'test'" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy index 40497b253525d5..5e787aead258bf 100644 --- a/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy 
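Review bot: The relaxed `contains("Admin_priv")` in the STORAGE POLICY case of test_create_policy_auth also matches the row-policy message `Admin_priv,Grant_priv`, so this assertion can no longer tell whether the storage branch enforced ADMIN or only the broader GRANT predicate. Because the error text now wraps the list in parentheses, `assertTrue(e.getMessage().contains("(Admin_priv)"))` stays exact without depending on the rest of the sentence. The other suites relaxed in this patch check statements that only ever require ADMIN, so the ambiguity matters mainly here and in any test that covers both predicates.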
+++ b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_create_repository_auth","p0,auth") { sql "SHOW CREATE REPOSITORY for repository_name" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_data_auth.groovy b/regression-test/suites/auth_p0/test_show_data_auth.groovy index 869f2a941441eb..fdd42d2759664f 100644 --- a/regression-test/suites/auth_p0/test_show_data_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_data_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_data_auth","p0,auth") { sql "SHOW DATA" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy index 7e9f31895c8f83..1e2cf4c27fd212 100644 --- a/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy @@ -29,7 +29,7 @@ suite("test_show_encryptkeys_auth","p0,auth") { sql "SHOW ENCRYPTKEYS" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_plugins_auth.groovy b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy index aff803198b3fe4..b5b4de84265162 100644 --- a/regression-test/suites/auth_p0/test_show_plugins_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy 
@@ -28,7 +28,7 @@ suite("test_show_plugins_auth","p0,auth") { sql "SHOW PLUGINS" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_repositories_auth.groovy b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy index 1d9105947cb04e..507d8768669973 100644 --- a/regression-test/suites/auth_p0/test_show_repositories_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_repositories_auth","p0,auth") { sql "SHOW REPOSITORIES" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy index cc5f3e6ab11536..f90e1fdc57aaab 100644 --- a/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_snapshot_auth","p0,auth") { sql "SHOW SNAPSHOT ON example_repo" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy index d7c6ef12c8f848..b7d66af9348f0d 100644 --- a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy 
@@ -28,7 +28,7 @@ suite("test_show_tablets_belong_auth","p0,auth") { sql "SHOW TABLETS BELONG 27028" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") diff --git a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy index 94d0731232a204..f4e564c52889a0 100644 --- a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_transaction_auth","p0,auth") { sql "SHOW TRANSACTION WHERE ID=4005;" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("need (at least one of) the ADMIN privilege")) + assertTrue(e.getMessage().contains("Admin_priv")) } } try_sql("DROP USER ${user}") From ad0cafe449791a38fc09c64b0aaffe69e5a82755 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 20:07:38 +0800 Subject: [PATCH 27/68] 1 --- .../auth_p0/test_alter_policy_auth.groovy | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_alter_policy_auth.groovy diff --git a/regression-test/suites/auth_p0/test_alter_policy_auth.groovy b/regression-test/suites/auth_p0/test_alter_policy_auth.groovy new file mode 100644 index 00000000000000..3b1e9af6e2c609 --- /dev/null +++ b/regression-test/suites/auth_p0/test_alter_policy_auth.groovy 
@@ -0,0 +1,37 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_alter_policy_auth","p0,auth") { + String user = 'test_alter_policy_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql """ + ALTER STORAGE POLICY has_test_policy_to_alter PROPERTIES("cooldown_datetime" = "2023-06-08 00:00:00"); + """ + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv")) + } + } + try_sql("DROP USER ${user}") +} From 4efba5e634985ac672d15f84200b9173e328b168 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 20:21:50 +0800 Subject: [PATCH 28/68] 1 --- .../auth_p0/test_drop_policy_auth.groovy | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_drop_policy_auth.groovy 
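Review bot: The denial check in this new suite passes when no exception is thrown at all, because `assertTrue(...)` sits only inside the `catch`. If `ALTER STORAGE POLICY` were ever accepted for a user holding just `select_priv`, the test would stay green and the lost privilege check would go unnoticed. Add a failure right after the `sql` call inside the `try`, e.g. `Assert.fail("expected access-denied error")`; `org.junit.Assert` is already imported, and the AssertionError it raises is not swallowed by `catch (Exception e)`. The same pattern appears in test_drop_policy_auth, test_show_create_database_auth, test_create_view_auth and test_alter_view_auth, added later in this series.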
diff --git a/regression-test/suites/auth_p0/test_drop_policy_auth.groovy b/regression-test/suites/auth_p0/test_drop_policy_auth.groovy new file mode 100644 index 00000000000000..0d6a9e103d173f --- /dev/null +++ b/regression-test/suites/auth_p0/test_drop_policy_auth.groovy @@ -0,0 +1,43 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_drop_policy_auth","p0,auth") { + String user = 'test_drop_policy_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "DROP ROW POLICY test_row_policy_1 on table1;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Grant_priv")) + } + try { + sql """ + DROP STORAGE POLICY policy_name1 + """ + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv")) + } + } + try_sql("DROP USER ${user}") +} From 25a6bba270200251fa47bb4b8aed9ae94d0c65cb Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 20:37:18 +0800 Subject: [PATCH 29/68] 1 --- .../main/java/org/apache/doris/analysis/ShowCreateDbStmt.java | 4 ++-- .../src/main/java/org/apache/doris/common/ErrorCode.java | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java index dd624e1f514532..7a8104f6368203 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java @@ -59,8 +59,8 @@ public void analyze(Analyzer analyzer) throws AnalysisException, UserException { if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), db, PrivPredicate.SHOW)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, - ConnectContext.get().getQualifiedUser(), db); + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.SHOW.getPrivs().toString(), db); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index c955e61d38a554..c3c0307e060db1 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java 
@@ -74,6 +74,8 @@ public enum ErrorCode { + "(current value: %d)"), ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) for this operation"), + ERR_DB_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + + "one of) the (%s) privilege(s) on database %s for this operation"), ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all " + " %s privilege(s) for this operation"), ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be " From be29416de9a3c8d1d2a329cdc4b4808969f6f311 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 20:39:43 +0800 Subject: [PATCH 30/68] 1 --- .../test_show_create_database_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_create_database_auth.groovy diff --git a/regression-test/suites/auth_p0/test_show_create_database_auth.groovy b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy new file mode 100644 index 00000000000000..70fca649665af5 --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy 
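Review bot: `ERR_DB_ACCESS_DENIED_ERROR` differs from the existing `ERR_DBACCESS_DENIED_ERROR` by a single underscore, and both are called with two string arguments. The ShowCreateDbStmt hunk in this patch replaces `(user, db)` with `(privilege list, db)`, so picking the wrong constant still compiles and only yields a misleading denial message. A comment above the new constant would make the contract explicit, e.g. `// args: privilege list (PrivPredicate.getPrivs().toString()), database name`; the same applies to `ERR_TABLE_ACCESS_DENIED_ERROR` added in PATCH 34. The new constant also reuses code 1227 and SQLSTATE 42000, so clients can tell the variants apart only by message text. The enum body continues outside the hunk.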
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_create_database_auth","p0,auth") { + String user = 'test_show_create_database_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "SHOW CREATE DATABASE db_name" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Select_priv,Load_priv,Alter_priv,Create_priv,Show_view_priv,Drop_priv")) + } + } + try_sql("DROP USER ${user}") +} From 50a9c3a8aa56845704c3060ef71c6835a914e610 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 10 Apr 2024 20:48:24 +0800 Subject: [PATCH 31/68] 1 --- .../suites/auth_p0/test_show_create_database_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_create_database_auth.groovy b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy index 70fca649665af5..c4efff7d662478 100644 
--- a/regression-test/suites/auth_p0/test_show_create_database_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy @@ -28,7 +28,7 @@ suite("test_show_create_database_auth","p0,auth") { sql "SHOW CREATE DATABASE db_name" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("Select_priv,Load_priv,Alter_priv,Create_priv,Show_view_priv,Drop_priv")) + assertTrue(e.getMessage().contains("Admin_priv,Select_priv,Load_priv,Alter_priv,Create_priv,Drop_priv,Show_view_priv")) } } try_sql("DROP USER ${user}") From 6466daab9f8efda27626ee536a532e202d6ac08e Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 11:49:42 +0800 Subject: [PATCH 32/68] 1 --- .../main/java/org/apache/doris/analysis/ShowCreateDbStmt.java | 2 -- .../java/org/apache/doris/analysis/ShowEncryptKeysStmt.java | 1 - 2 files changed, 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java index e212a453b9592d..b709be8d7e95c2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java @@ -24,13 +24,11 @@ import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; -import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; -import org.apache.commons.lang3.StringUtils; // Show create database statement // Syntax: diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java index 2515041f841e95..83358209c23539 100644 
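Review bot: The assertion pins the complete, ordered output of `PrivPredicate.SHOW.getPrivs().toString()`, and this patch apparently exists only because that order differed from what PATCH 30 expected. Any privilege added to or reordered in the SHOW predicate will break the test without any change in authorization behaviour. Assert on the stable part of the message instead, for example `assertTrue(e.getMessage().contains("privilege(s) on database"))` together with a single privilege name such as `Show_view_priv`.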
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java @@ -24,7 +24,6 @@ import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; -import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; From 93ac16735e43ade96419ce182eef508099918e0b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 12:30:44 +0800 Subject: [PATCH 33/68] 1 --- .../org/apache/doris/analysis/CancelExportStmt.java | 6 ++++-- .../org/apache/doris/job/manager/JobManager.java | 12 +++++++----- .../org/apache/doris/load/loadv2/LoadManager.java | 10 ++++++---- .../main/java/org/apache/doris/qe/ShowExecutor.java | 2 +- 4 files changed, 18 insertions(+), 12 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java index 93055b9b6bd89c..3ef1edc42f7087 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java @@ -23,6 +23,7 @@ import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.load.ExportJobState; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; 
@@ -143,8 +144,9 @@ public void analyze(Analyzer analyzer) throws UserException { } // check auth - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, - PrivPredicate.SELECT)) { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + PrivPredicate.SELECT)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SELECT", ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(), dbName); diff --git a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java index 2a8f5e4662a148..fceeb13a1d7cbd 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java @@ -347,7 +347,7 @@ public T getJob(Long jobId) { public List> getLoadJobInfosByDb(long dbId, String dbName, String labelValue, boolean accurateMatch, - JobState jobState) throws AnalysisException { + JobState jobState, String catalogName) throws AnalysisException { LinkedList> loadJobInfos = new LinkedList<>(); if (!Env.getCurrentEnv().getLabelProcessor().existJobs(dbId)) { return loadJobInfos; 
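Review bot: The check in the CancelExportStmt hunk is database-level (`checkDbPriv` on `dbName`), but the denial just below it is still reported through `ERR_TABLEACCESS_DENIED_ERROR`, with `dbName` in the table slot plus the user name and remote IP. PATCH 29 of this series adds `ERR_DB_ACCESS_DENIED_ERROR` for this case; `ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, PrivPredicate.SELECT.getPrivs().toString(), dbName);` would keep the message accurate and consistent with ShowCreateDbStmt. A short comment on why the catalog is fixed to `InternalCatalog.INTERNAL_CATALOG_NAME` would also help the next reader. `analyze` starts and ends outside the hunk.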
@@ -367,15 +367,17 @@ public List> getLoadJobInfosByDb(long dbId, String dbName, // check auth if (tableNames.isEmpty()) { // forward compatibility - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, - PrivPredicate.LOAD)) { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), catalogName, dbName, + PrivPredicate.LOAD)) { continue; } } else { boolean auth = true; for (String tblName : tableNames) { - if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), dbName, - tblName, PrivPredicate.LOAD)) { + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), catalogName, dbName, + tblName, PrivPredicate.LOAD)) { auth = false; break; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java index 57cd3bdee15801..a07f109c35b44d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java @@ -618,15 +618,17 @@ public List> getLoadJobInfosByDb(long dbId, String labelValue, // check auth if (tableNames.isEmpty()) { // forward compatibility - if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), dbName, - PrivPredicate.LOAD)) { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), loadJob.getDb().getCatalog().getName(), dbName, + PrivPredicate.LOAD)) { continue; } } else { boolean auth = true; for (String tblName : tableNames) { - if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), dbName, - tblName, PrivPredicate.LOAD)) { + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), loadJob.getDb().getCatalog().getName(), dbName, + tblName, PrivPredicate.LOAD)) { auth = false; break; } 
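Review bot: In the LoadManager hunk, `loadJob.getDb().getCatalog().getName()` is now evaluated inside the authorization path for every job, and again for every table in the inner loop. Nothing in the hunk shows what happens when `getDb()` cannot resolve the job's database, so it is worth confirming that a lookup failure there hides the row rather than escaping from the privilege check. Resolve the name once per job before the `if (tableNames.isEmpty())` branch, e.g. `String ctlName = loadJob.getDb().getCatalog().getName();`, and pass `ctlName` to both `checkDbPriv` and `checkTblPriv`. CancelExportStmt in the same patch uses `InternalCatalog.INTERNAL_CATALOG_NAME` for the same purpose; if these load jobs are always internal, the constant would avoid the lookup altogether. The method body starts and ends outside the hunk.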
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java index 6136a0be42ebd9..e60c1aa68cbf05 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java +++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java @@ -1307,7 +1307,7 @@ private void handleShowLoad() throws AnalysisException { // add the nerieds load info JobManager loadMgr = env.getJobManager(); loadInfos.addAll(loadMgr.getLoadJobInfosByDb(dbId, db.getFullName(), showStmt.getLabelValue(), - showStmt.isAccurateMatch(), showStmt.getStateV2())); + showStmt.isAccurateMatch(), showStmt.getStateV2(), db.getCatalog().getName())); // order the result of List by orderByPairs in show stmt List orderByPairs = showStmt.getOrderByPairs(); From 30746a3ae7ee33c97bba2d09d4ba04fa7a50ad28 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 15:48:33 +0800 Subject: [PATCH 34/68] 1 --- .../main/java/org/apache/doris/analysis/AlterViewStmt.java | 5 ++--- .../main/java/org/apache/doris/analysis/CreateViewStmt.java | 3 ++- .../src/main/java/org/apache/doris/common/ErrorCode.java | 4 ++++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java index d9e9b833bc8184..355c9723c8b220 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java 
@@ -62,9 +62,8 @@ public void analyze(Analyzer analyzer) throws UserException { if (!Env.getCurrentEnv().getAccessManager() .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.ALTER)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "ALTER VIEW", - ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(), - tableName.getDb() + ": " + tableName.getTbl()); + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl()); } if (cols != null) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java index 2ce5c2637878d0..4a9cc3b99f6a71 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java @@ -66,7 +66,8 @@ public void analyze(Analyzer analyzer) throws UserException { if (!Env.getCurrentEnv().getAccessManager() .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.CREATE)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.CREATE.getPrivs().toString(), tableName.getTbl()); } // Do not rewrite nondeterministic functions to constant in create view's def stmt diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index c3c0307e060db1..0ddd5ddc15301b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java 
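Review bot: The new denial message in AlterViewStmt names only `tableName.getTbl()`, although the check is made on catalog, database and table, and the line it replaces printed `tableName.getDb() + ": " + tableName.getTbl()`. With the same view name in two databases, the message no longer says which object was refused, which makes a denied-access report harder to act on. Pass the qualified name instead, e.g. `PrivPredicate.ALTER.getPrivs().toString(), tableName.getDb() + "." + tableName.getTbl());`. The CreateViewStmt hunk in this patch has the same issue with `PrivPredicate.CREATE`. Both `analyze` bodies continue outside their hunks.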
@@ -76,6 +76,10 @@ public enum ErrorCode { + "one of) the (%s) privilege(s) for this operation"), ERR_DB_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) on database %s for this operation"), + + ERR_TABLE_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + + "one of) the (%s) privilege(s) on table %s for this operation"), + ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all " + " %s privilege(s) for this operation"), ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be " From b09449dbbbcc5aa881f0f2196b3cbd6bd7196b79 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 15:56:49 +0800 Subject: [PATCH 35/68] 1 --- .../auth_p0/test_create_view_auth.groovy | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_create_view_auth.groovy diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy new file mode 100644 index 00000000000000..528d3230a09b53 --- /dev/null +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy 
@@ -0,0 +1,39 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_create_view_auth","p0,auth") { + String user = 'test_create_view_auth_user' + String pwd = 'C123_567p' + String dbName = 'test_create_view_auth_db' + try_sql("DROP USER ${user}") + sql """drop database if exists ${dbName}""" + + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """create database ${dbName}""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "create view ${dbName}.v1 as select * from ${dbName}.t1;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Create_priv")) + } + } + try_sql("DROP USER ${user}") +} From 086ab49383078f23e2d4fbb84ff8bbcb08070141 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:00:10 +0800 Subject: [PATCH 36/68] 1 --- .../suites/auth_p0/test_create_view_auth.groovy | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy index 528d3230a09b53..ec24b2214292e9 100644 --- a/regression-test/suites/auth_p0/test_create_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy @@ -32,8 +32,18 @@ suite("test_create_view_auth","p0,auth") { sql "create view ${dbName}.v1 as select * from ${dbName}.t1;" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("Create_priv")) + assertTrue(e.getMessage().contains("Admin_priv,Create_priv")) } } + sql """grant create_priv on ${dbName}.v1 to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "create view ${dbName}.v1 as select * from ${dbName}.t1;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Create_priv")) + } + } + sql """drop database if exists ${dbName}""" try_sql("DROP USER ${user}") } From 4e13521d8b67083bbb5bc479b230f133fdb19479 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:04:57 +0800 Subject: [PATCH 37/68] 1 --- .../suites/auth_p0/test_create_view_auth.groovy | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy index ec24b2214292e9..16286be35140e6 100644 --- a/regression-test/suites/auth_p0/test_create_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy 
@@ -21,11 +21,23 @@ suite("test_create_view_auth","p0,auth") { String user = 'test_create_view_auth_user' String pwd = 'C123_567p' String dbName = 'test_create_view_auth_db' + String tableName = 'test_create_view_auth_table' try_sql("DROP USER ${user}") + sql """drop table if exists ${dbName}.${tableName}""" sql """drop database if exists ${dbName}""" sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """create database ${dbName}""" + sql """ + CREATE TABLE IF NOT EXISTS `${tableName}` ( + id BIGINT, + username VARCHAR(20) + ) + DISTRIBUTED BY HASH(id) BUCKETS 2 + PROPERTIES ( + "replication_num" = "1" + ); + """ sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { @@ -38,12 +50,13 @@ suite("test_create_view_auth","p0,auth") { sql """grant create_priv on ${dbName}.v1 to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "create view ${dbName}.v1 as select * from ${dbName}.t1;" + sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};" } catch (Exception e) { log.info(e.getMessage()) - assertTrue(e.getMessage().contains("Admin_priv,Create_priv")) + assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) } } + sql """drop table if exists ${dbName}.${tableName}""" sql """drop database if exists ${dbName}""" try_sql("DROP USER ${user}") } From f4d046dce34c2372b226b74b0422aca49cd94413 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:06:54 +0800 Subject: [PATCH 38/68] 1 --- regression-test/suites/auth_p0/test_create_view_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy index 16286be35140e6..63293ffc3db049 100644 --- a/regression-test/suites/auth_p0/test_create_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy 
@@ -29,7 +29,7 @@ suite("test_create_view_auth","p0,auth") { sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """create database ${dbName}""" sql """ - CREATE TABLE IF NOT EXISTS `${tableName}` ( + CREATE TABLE IF NOT EXISTS `${dbName}.${tableName}` ( id BIGINT, username VARCHAR(20) ) From 7de735604c5b04ba27d64588b1248bced92ae6d4 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:10:05 +0800 Subject: [PATCH 39/68] 1 --- regression-test/suites/auth_p0/test_create_view_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy index 63293ffc3db049..40c631c16a8c23 100644 --- a/regression-test/suites/auth_p0/test_create_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy @@ -29,7 +29,7 @@ suite("test_create_view_auth","p0,auth") { sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """create database ${dbName}""" sql """ - CREATE TABLE IF NOT EXISTS `${dbName}.${tableName}` ( + CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` ( id BIGINT, username VARCHAR(20) ) From e4384c090133e3955f3c76d451752f21fd03fd2d Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:14:26 +0800 Subject: [PATCH 40/68] 1 --- .../auth_p0/test_alter_view_auth.groovy | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_alter_view_auth.groovy diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy new file mode 100644 index 00000000000000..283a2c4d9d6c40 --- /dev/null +++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy 
@@ -0,0 +1,62 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_alter_view_auth","p0,auth") { + String user = 'test_alter_view_auth_user' + String pwd = 'C123_567p' + String dbName = 'test_alter_view_auth_db' + String tableName = 'test_alter_view_auth_table' + try_sql("DROP USER ${user}") + sql """drop table if exists ${dbName}.${tableName}""" + sql """drop database if exists ${dbName}""" + + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """create database ${dbName}""" + sql """ + CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` ( + id BIGINT, + username VARCHAR(20) + ) + DISTRIBUTED BY HASH(id) BUCKETS 2 + PROPERTIES ( + "replication_num" = "1" + ); + """ + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "alter view ${dbName}.v1 as select * from ${dbName}.t1;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Alter_priv")) + } + } + sql """grant Alter_priv on ${dbName}.v1 to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "alter view ${dbName}.v1 as select * from 
${dbName}.${tableName};" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) + } + } + sql """drop table if exists ${dbName}.${tableName}""" + sql """drop database if exists ${dbName}""" + try_sql("DROP USER ${user}") +} From f22afa1e85d47540a77e2f09b69e7858645b7673 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:23:08 +0800 Subject: [PATCH 41/68] 1 --- regression-test/suites/auth_p0/test_alter_view_auth.groovy | 4 ++-- regression-test/suites/auth_p0/test_create_view_auth.groovy | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy index 283a2c4d9d6c40..a8807cd9b2634e 100644 --- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy @@ -23,7 +23,7 @@ suite("test_alter_view_auth","p0,auth") { String dbName = 'test_alter_view_auth_db' String tableName = 'test_alter_view_auth_table' try_sql("DROP USER ${user}") - sql """drop table if exists ${dbName}.${tableName}""" + try_sql """drop table if exists ${dbName}.${tableName}""" sql """drop database if exists ${dbName}""" sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" @@ -56,7 +56,7 @@ suite("test_alter_view_auth","p0,auth") { assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) } } - sql """drop table if exists ${dbName}.${tableName}""" + try_sql """drop table if exists ${dbName}.${tableName}""" sql """drop database if exists ${dbName}""" try_sql("DROP USER ${user}") } diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy index 40c631c16a8c23..124d3f96014073 100644 --- a/regression-test/suites/auth_p0/test_create_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy 
@@ -23,7 +23,7 @@ suite("test_create_view_auth","p0,auth") { String dbName = 'test_create_view_auth_db' String tableName = 'test_create_view_auth_table' try_sql("DROP USER ${user}") - sql """drop table if exists ${dbName}.${tableName}""" + try_sql """drop table if exists ${dbName}.${tableName}""" sql """drop database if exists ${dbName}""" sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" From ec51e0d01d0cc6a53ecea7536bb252940a944e1f Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:28:12 +0800 Subject: [PATCH 42/68] 1 --- regression-test/suites/auth_p0/test_alter_view_auth.groovy | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy index a8807cd9b2634e..6866569e70a836 100644 --- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy @@ -22,8 +22,10 @@ suite("test_alter_view_auth","p0,auth") { String pwd = 'C123_567p' String dbName = 'test_alter_view_auth_db' String tableName = 'test_alter_view_auth_table' + String viewName = 'test_alter_view_auth_view' try_sql("DROP USER ${user}") try_sql """drop table if exists ${dbName}.${tableName}""" + try_sql """drop view if exists ${dbName}.${viewName}""" sql """drop database if exists ${dbName}""" sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" @@ -39,9 +41,10 @@ suite("test_alter_view_auth","p0,auth") { ); """ sql """grant select_priv on regression_test to ${user}""" + sql """create view ${dbName}.${viewName} as select * from ${dbName}.${tableName};""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "alter view ${dbName}.v1 as select * from ${dbName}.t1;" + sql "alter view ${dbName}.v1 as select * from ${dbName}.${tableName};" } catch (Exception e) { log.info(e.getMessage()) assertTrue(e.getMessage().contains("Admin_priv,Alter_priv")) 
@@ -57,6 +60,7 @@ suite("test_alter_view_auth","p0,auth") { } } try_sql """drop table if exists ${dbName}.${tableName}""" + try_sql """drop view if exists ${dbName}.${viewName}""" sql """drop database if exists ${dbName}""" try_sql("DROP USER ${user}") } From 6b2b1d853db9418db60aaefd9a667e0a5c8524bd Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:30:03 +0800 Subject: [PATCH 43/68] 1 --- regression-test/suites/auth_p0/test_alter_view_auth.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy index 6866569e70a836..0a51e4190f9bff 100644 --- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy @@ -44,7 +44,7 @@ suite("test_alter_view_auth","p0,auth") { sql """create view ${dbName}.${viewName} as select * from ${dbName}.${tableName};""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "alter view ${dbName}.v1 as select * from ${dbName}.${tableName};" + sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};" } catch (Exception e) { log.info(e.getMessage()) assertTrue(e.getMessage().contains("Admin_priv,Alter_priv")) @@ -53,7 +53,7 @@ suite("test_alter_view_auth","p0,auth") { sql """grant Alter_priv on ${dbName}.v1 to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { - sql "alter view ${dbName}.v1 as select * from ${dbName}.${tableName};" + sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};" } catch (Exception e) { log.info(e.getMessage()) assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) From 8486fb3c16741ddd4e335d5c4ea9a244b5c130f2 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:32:31 +0800 Subject: [PATCH 44/68] 1 --- regression-test/suites/auth_p0/test_alter_view_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy index 0a51e4190f9bff..52bf8ac75c7217 100644 --- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy +++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy @@ -50,7 +50,7 @@ suite("test_alter_view_auth","p0,auth") { assertTrue(e.getMessage().contains("Admin_priv,Alter_priv")) } } - sql """grant Alter_priv on ${dbName}.v1 to ${user}""" + sql """grant Alter_priv on ${dbName}.${viewName} to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { try { sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};" From 767c83ede491d4246ab23a75a32c1f5b53bdb58e Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:37:35 +0800 Subject: [PATCH 45/68] 1 --- .../org/apache/doris/analysis/DropMaterializedViewStmt.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java index 5153c6a64ecd5f..377cdcf415240e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java 
@@ -74,7 +74,8 @@ public void analyze(Analyzer analyzer) throws UserException { if (!Env.getCurrentEnv().getAccessManager() .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.ALTER)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ALTER"); + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl()); } } From b62cd8cd9b6dfe8743e4a8ea8435803d08c6db84 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:40:07 +0800 Subject: [PATCH 46/68] 1 --- .../test_drop_materialized_view_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy diff --git a/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy b/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy new file mode 100644 index 00000000000000..4d55b1482cff12 --- /dev/null +++ b/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy 
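Review bot: The new denial message names only `tableName.getTbl()`, although the check just above it is made against catalog, database and table, so the error is ambiguous when tables with the same name exist in different databases. If the message format accepts it (the format string is not visible here), pass the qualified name instead, `tableName.getDb() + "." + tableName.getTbl()`. The privilege text now comes from `PrivPredicate.ALTER.getPrivs().toString()`, and the regression suites in this series string-match on it, so a change to that `toString()` will break them. `analyze()` starts and ends outside the hunk.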
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_drop_materialized_view_auth","p0,auth") { + String user = 'test_drop_materialized_view_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "DROP MATERIALIZED VIEW mv_name ON table_name;" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Alter_priv")) + } + } + try_sql("DROP USER ${user}") +} From 5d383ec92fc460e11df8ab607c2298c16b688245 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:52:12 +0800 Subject: [PATCH 47/68] 1 --- .../java/org/apache/doris/analysis/CancelExportStmt.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java index 3ef1edc42f7087..8db97f35ab7b08 100644 
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java @@ -147,9 +147,8 @@ public void analyze(Analyzer analyzer) throws UserException { if (!Env.getCurrentEnv().getAccessManager() .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SELECT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SELECT", - ConnectContext.get().getQualifiedUser(), - ConnectContext.get().getRemoteIP(), dbName); + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.SELECT.getPrivs().toString(), dbName); } if (null == whereClause) { From 41c10d7506b871357a47e15c6089e08fabee6232 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 16:54:39 +0800 Subject: [PATCH 48/68] 1 --- .../auth_p0/test_cancel_export_auth.groovy | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_cancel_export_auth.groovy diff --git a/regression-test/suites/auth_p0/test_cancel_export_auth.groovy b/regression-test/suites/auth_p0/test_cancel_export_auth.groovy new file mode 100644 index 00000000000000..9c3214b141a6bb --- /dev/null +++ b/regression-test/suites/auth_p0/test_cancel_export_auth.groovy 
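Review bot: `CANCEL EXPORT` changes job state, yet the gate this hunk keeps is `PrivPredicate.SELECT` on the database, so any account that can read `dbName` passes the check. Whether a later step restricts cancellation to the job's owner is not visible in the hunk; if none does, a read-only user could cancel other users' exports. Confirm the intended bar and record it next to the check, e.g. `// SELECT on the db is sufficient to cancel; job ownership is enforced in <where>`, or raise the predicate if it is not intended. `analyze()` continues outside the hunk.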
@@ -0,0 +1,35 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_cancel_export_auth","p0,auth") { + String user = 'test_cancel_export_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + try { + sql "CANCEL EXPORT FROM example_db WHERE STATE = 'PENDING';" + } catch (Exception e) { + log.info(e.getMessage()) + assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) + } + } + try_sql("DROP USER ${user}") +} From 1712fce1fe8b09eda4873a86e63c65f0ce5e21b5 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 17:59:10 +0800 Subject: [PATCH 49/68] 1 --- .../auth_p0/test_show_stream_load_auth.groovy | 55 +++++++++++++++++++ .../suites/auth_p0/test_strict_mode.csv | 2 + 2 files changed, 57 insertions(+) create mode 100644 regression-test/suites/auth_p0/test_show_stream_load_auth.groovy create mode 100644 regression-test/suites/auth_p0/test_strict_mode.csv 
diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy new file mode 100644 index 00000000000000..4a6a420a5ed062 --- /dev/null +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -0,0 +1,55 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_show_stream_load_auth","p0,auth") { + String tableName = "test_show_stream_load_auth_table" + String label = "test_show_stream_load_auth_label" + String user = 'test_show_stream_load_auth_user' + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + sql """ DROP TABLE IF EXISTS ${tableName} """ + + + sql """ + CREATE TABLE IF NOT EXISTS ${tableName} ( + `k1` bigint(20) NULL, + `k2` bigint(20) NULL + ) ENGINE=OLAP + COMMENT 'OLAP' + DISTRIBUTED BY HASH(`k1`) BUCKETS 2 + PROPERTIES ("replication_allocation" = "tag.location.default: 1"); + """ + + streamLoad { + table "${tableName}" + + set 'column_separator', '\t' + set 'columns', 'k1, k2' + set 'label', '${label}' + set 'strict_mode', 'true' + + file 'test_strict_mode.csv' + time 10000 // limit inflight 10s + } + + sql "sync" + String aa = sql "SHOW STREAM LOAD where label = ${label}" + log.info(aa) + sql """ DROP TABLE IF EXISTS ${tableName} """ +} diff --git a/regression-test/suites/auth_p0/test_strict_mode.csv b/regression-test/suites/auth_p0/test_strict_mode.csv new file mode 100644 index 00000000000000..3a4b4a04af34f3 --- /dev/null 
+++ b/regression-test/suites/auth_p0/test_strict_mode.csv @@ -0,0 +1,2 @@ +1 1 +1 2 From d8a913b644c773ccf8e9fc66dd194122f5e4a39d Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 18:08:31 +0800 Subject: [PATCH 50/68] 1 --- regression-test/{suites => data}/auth_p0/test_strict_mode.csv | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename regression-test/{suites => data}/auth_p0/test_strict_mode.csv (100%) diff --git a/regression-test/suites/auth_p0/test_strict_mode.csv b/regression-test/data/auth_p0/test_strict_mode.csv similarity index 100% rename from regression-test/suites/auth_p0/test_strict_mode.csv rename to regression-test/data/auth_p0/test_strict_mode.csv From 75f9a3470edd402d197747f728df28d973a260c3 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 18:18:27 +0800 Subject: [PATCH 51/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 4a6a420a5ed062..46d79d69f0938d 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -41,7 +41,7 @@ suite("test_show_stream_load_auth","p0,auth") { set 'column_separator', '\t' set 'columns', 'k1, k2' - set 'label', '${label}' + set 'label', label set 'strict_mode', 'true' file 'test_strict_mode.csv' From f08f1ba6423c480f41b3f09650c3e90dd18203cf Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 18:34:44 +0800 Subject: [PATCH 52/68] 1 --- regression-test/data/auth_p0/test_strict_mode.csv | 4 ++-- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/regression-test/data/auth_p0/test_strict_mode.csv b/regression-test/data/auth_p0/test_strict_mode.csv index 3a4b4a04af34f3..fbad74eb481183 100644 --- a/regression-test/data/auth_p0/test_strict_mode.csv +++ b/regression-test/data/auth_p0/test_strict_mode.csv @@ -1,2 +1,2 @@ -1 1 -1 2 +1,1 +1,2 diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 46d79d69f0938d..3ccafa5370959d 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -39,7 +39,7 @@ suite("test_show_stream_load_auth","p0,auth") { streamLoad { table "${tableName}" - set 'column_separator', '\t' + set 'column_separator', ',' set 'columns', 'k1, k2' set 'label', label set 'strict_mode', 'true' From a2385893f5f1803e93494d92e589e7deccc0ef8b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 18:36:42 +0800 Subject: [PATCH 53/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 3ccafa5370959d..0624565e0b368c 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -49,7 +49,7 @@ suite("test_show_stream_load_auth","p0,auth") { } sql "sync" - String aa = sql "SHOW STREAM LOAD where label = ${label}" + String aa = sql "SHOW STREAM LOAD where label = '${label}'" log.info(aa) sql """ DROP TABLE IF EXISTS ${tableName} """ } From a5d11f49b1daff73d654ed0f6e7b1b7131688a32 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 18:45:35 +0800 Subject: [PATCH 54/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 0624565e0b368c..6dcf740335ab27 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -19,7 +19,7 @@ import org.junit.Assert; suite("test_show_stream_load_auth","p0,auth") { String tableName = "test_show_stream_load_auth_table" - String label = "test_show_stream_load_auth_label" + String label = "test_show_stream_load_auth_label" + System.currentTimeMillis(); String user = 'test_show_stream_load_auth_user' String pwd = 'C123_567p' try_sql("DROP USER ${user}") From 3f6e50387432e3b9cfa528afba23559415f2be9d Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:14:08 +0800 Subject: [PATCH 55/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 6dcf740335ab27..cf7919d28f0bee 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -49,7 +49,7 @@ suite("test_show_stream_load_auth","p0,auth") { } sql "sync" - String aa = sql "SHOW STREAM LOAD where label = '${label}'" + String aa = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(aa) sql """ DROP TABLE IF EXISTS ${tableName} """ } From a33d5fcbd4ee07b2a59e187249b7202a15e10914 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:19:34 +0800 Subject: [PATCH 56/68] 1 --- regression-test/suites/auth_p0/test_show_stream_load_auth.groovy | 1 + 1 file changed, 1 insertion(+) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index cf7919d28f0bee..4e2af92e9ef2b2 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy @@ -49,6 +49,7 @@ suite("test_show_stream_load_auth","p0,auth") { } sql "sync" + Thread.sleep(30000); String aa = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(aa) sql """ DROP TABLE IF EXISTS ${tableName} """ From 4efaf37217c9884c0b36e9776e141c4ea9c347c9 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:24:51 +0800 Subject: [PATCH 57/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 4e2af92e9ef2b2..7c1a78c1b2cb40 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -37,20 +37,21 @@ suite("test_show_stream_load_auth","p0,auth") { """ streamLoad { - table "${tableName}" + table "${tableName1}" set 'column_separator', ',' set 'columns', 'k1, k2' set 'label', label set 'strict_mode', 'true' - file 'test_strict_mode.csv' + file 'test_strict_mode1.csv' time 10000 // limit inflight 10s } - sql "sync" Thread.sleep(30000); - String aa = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" - log.info(aa) + String res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" + assertTrue(res.contains(${label})) + + sql """ DROP TABLE IF EXISTS ${tableName} """ } From 9ed69c9a23f23eef9f5d81d315e9acd6033d12e5 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:30:43 +0800 Subject: [PATCH 58/68] 1 --- .../doris/analysis/ShowStreamLoadStmt.java | 8 -------- .../apache/doris/load/StreamLoadRecord.java | 8 ++++++++ .../doris/load/StreamLoadRecordMgr.java | 10 ++++++++++ .../auth_p0/test_show_stream_load_auth.groovy | 20 ++++++++++++++++--- 4 files changed, 35 insertions(+), 11 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java index 6969eeb9302e1c..7fc77779b98934 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java 
@@ -19,15 +19,12 @@ import org.apache.doris.analysis.BinaryPredicate.Operator; import org.apache.doris.catalog.Column; -import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.common.util.OrderByPair; -import org.apache.doris.mysql.privilege.PrivPredicate; -import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -143,11 +140,6 @@ public boolean isAccurateMatch() { public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); - // check auth - if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN"); - } - if (Strings.isNullOrEmpty(dbName)) { dbName = analyzer.getDefaultDb(); if (Strings.isNullOrEmpty(dbName)) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java index ecbaa2f48eefe2..6ce8be66bbe50b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java @@ -93,4 +93,12 @@ public String getStatus() { public String getFinishTime() { return this.finishTime; } + + public String getDb() { + return db; + } + + public String getTable() { + return table; + } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java index 488e73f3ab43c7..3ceeaa1f38a421 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java 
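Review bot: With the ADMIN check removed from `analyze()` in the `@@ -143,11 +140,6 @@` hunk, `ShowStreamLoadStmt` no longer authorizes anything itself; access control now rests entirely on the per-record `PrivPredicate.LOAD` filter added to `StreamLoadRecordMgr.getStreamLoadRecordByDb` in the same commit. Any other path that serves stream load records for this statement would be unguarded, which cannot be ruled out from the lines shown. Leave a pointer where the check used to be, e.g. `// auth: rows are filtered per table (LOAD) in StreamLoadRecordMgr.getStreamLoadRecordByDb`, and confirm that every reader of the record store applies the same filter. `analyze()` continues outside the hunk.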
+++ b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java @@ -27,10 +27,13 @@ import org.apache.doris.common.io.Writable; import org.apache.doris.common.util.MasterDaemon; import org.apache.doris.common.util.TimeUtils; +import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.persist.gson.GsonUtils; import org.apache.doris.plugin.audit.AuditEvent; import org.apache.doris.plugin.audit.AuditEvent.EventType; import org.apache.doris.plugin.audit.StreamLoadAuditEvent; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.system.Backend; import org.apache.doris.thrift.BackendService; import org.apache.doris.thrift.TNetworkAddress; @@ -186,6 +189,13 @@ public List> getStreamLoadRecordByDb( if (state != null && !String.valueOf(state).equalsIgnoreCase(streamLoadRecord.getStatus())) { continue; } + // check auth + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, + streamLoadRecord.getDb(), streamLoadRecord.getTable(), + PrivPredicate.LOAD)) { + continue; + } streamLoadRecords.add(streamLoadRecord.getStreamLoadInfo()); } catch (Exception e) { continue; diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 7c1a78c1b2cb40..e17181e618faf2 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
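Review bot: The privilege check added in the `@@ -186,6 +189,13 @@` hunk sits inside the loop's existing `try`, whose `catch (Exception e) { continue; }` is visible just below it, so any exception raised while checking (for instance if `ConnectContext.get()` returns null on a thread without a session, which cannot be verified from here) silently drops the record. That fails closed, which is the safe direction, but the caller gets an empty result with no trace of why. Read the context once before the loop, `ConnectContext ctx = ConnectContext.get();`, reject or log explicitly when it is null, and log the swallowed exception at debug level with the file's logger. The check also hard-codes `InternalCatalog.INTERNAL_CATALOG_NAME`; add a comment stating that stream load records only ever refer to internal-catalog tables, if that is the assumption. `getStreamLoadRecordByDb` starts and ends outside the hunk.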
@@ -37,21 +37,35 @@ suite("test_show_stream_load_auth","p0,auth") { """ streamLoad { - table "${tableName1}" + table "${tableName}" set 'column_separator', ',' set 'columns', 'k1, k2' set 'label', label set 'strict_mode', 'true' - file 'test_strict_mode1.csv' + file 'test_strict_mode.csv' time 10000 // limit inflight 10s } Thread.sleep(30000); String res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" + log.info(res) assertTrue(res.contains(${label})) - + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" + log.info(res) + assertFalse(res.contains(${label})) + } + sql """grant load_priv on regression_test_auth_p0.${tableName} to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" + log.info(res) + assertTrue(res.contains(${label})) + } + try_sql("DROP USER ${user}") sql """ DROP TABLE IF EXISTS ${tableName} """ } From b4a6ec174f98d3c37537d76df105f402e9bc5bec Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:37:13 +0800 Subject: [PATCH 59/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index e17181e618faf2..ab8f7af6bf3945 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -48,7 +48,7 @@ suite("test_show_stream_load_auth","p0,auth") { time 10000 // limit inflight 10s } - Thread.sleep(30000); + Thread.sleep(90000); String res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res) assertTrue(res.contains(${label})) From fd694daeb71cb3fd9d47a2fab088b2de1077fb93 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:42:16 +0800 Subject: [PATCH 60/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index ab8f7af6bf3945..5470fbfc23edce 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -49,22 +49,22 @@ suite("test_show_stream_load_auth","p0,auth") { } Thread.sleep(90000); - String res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" + def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res) - assertTrue(res.contains(${label})) + assertTrue(res.toString().contains(${label})) sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res) - assertFalse(res.contains(${label})) + assertFalse(res.toString().contains(${label})) } sql """grant load_priv on regression_test_auth_p0.${tableName} to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res) - assertTrue(res.contains(${label})) + assertTrue(res.toString().contains(${label})) } try_sql("DROP USER ${user}") sql """ DROP TABLE IF EXISTS ${tableName} """ From e154617f172eab69a76a8481394dedcded34116b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:46:00 +0800 Subject: [PATCH 61/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 5470fbfc23edce..c361883533f3bf 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -50,20 +50,20 @@ suite("test_show_stream_load_auth","p0,auth") { Thread.sleep(90000); def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" - log.info(res) + log.info(res.toString()) assertTrue(res.toString().contains(${label})) sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" - log.info(res) + log.info(res.toString()) assertFalse(res.toString().contains(${label})) } sql """grant load_priv on regression_test_auth_p0.${tableName} to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" - log.info(res) + log.info(res.toString()) assertTrue(res.toString().contains(${label})) } try_sql("DROP USER ${user}") From a0fee0dffcabea5a1f0e9d613340b95a4c8d0cd0 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:50:36 +0800 Subject: [PATCH 62/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index c361883533f3bf..14210d1489b1a8 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -51,20 +51,20 @@ suite("test_show_stream_load_auth","p0,auth") { Thread.sleep(90000); def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res.toString()) - assertTrue(res.toString().contains(${label})) + assertTrue(res.toString().contains("${label}")) sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """grant select_priv on regression_test to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res.toString()) - assertFalse(res.toString().contains(${label})) + assertFalse(res.toString().contains("${label}")) } sql """grant load_priv on regression_test_auth_p0.${tableName} to ${user}""" connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res.toString()) - assertTrue(res.toString().contains(${label})) + assertTrue(res.toString().contains("${label}")) } try_sql("DROP USER ${user}") sql """ DROP TABLE IF EXISTS ${tableName} """ From d53481d7ea2d648963564db279ed43db3748f452 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 19:56:39 +0800 Subject: [PATCH 63/68] 1 --- .../suites/auth_p0/test_show_stream_load_auth.groovy | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 14210d1489b1a8..5ee06bdc8ee00e 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
@@ -48,10 +48,14 @@ suite("test_show_stream_load_auth","p0,auth") { time 10000 // limit inflight 10s } - Thread.sleep(90000); + Thread.sleep(30000); def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res.toString()) - assertTrue(res.toString().contains("${label}")) + if(res.size() == 0) { + // `show stream load` has some delay, and need be config `enable_stream_load_record=true` + // we not sure when can has result, so if `admin` can not get res, ignore this case. + return; + } sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" sql """grant select_priv on regression_test to ${user}""" From d848ef5835f8d87464bbc1bf15b1a2886880b826 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 20:01:07 +0800 Subject: [PATCH 64/68] 1 --- .../main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java | 1 - .../suites/auth_p0/test_show_stream_load_auth.groovy | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java index 7fc77779b98934..ae133aa2a23e9e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowStreamLoadStmt.java @@ -139,7 +139,6 @@ public boolean isAccurateMatch() { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); - if (Strings.isNullOrEmpty(dbName)) { dbName = analyzer.getDefaultDb(); if (Strings.isNullOrEmpty(dbName)) { diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy index 5ee06bdc8ee00e..cb2446f04405f3 100644 --- a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy +++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy 
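Review bot: The added `if(res.size() == 0) { ... return; }` makes the suite report success without running any of the privilege assertions that follow it. A run where stream-load records are disabled or late therefore gives no authorization coverage, and nothing in the result signals that. The hunk also removes the `assertTrue` on the admin result, so even when rows come back the admin's own view of the label is no longer verified. Consider polling for the record with a bounded number of retries instead of the fixed `Thread.sleep(30000)`, and restoring the admin assertion once a row is found. If the early return stays, log it explicitly first, e.g. `log.warn("no stream load record for ${label}; authorization checks skipped")`.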
@@ -48,7 +48,7 @@ suite("test_show_stream_load_auth","p0,auth") { time 10000 // limit inflight 10s } - Thread.sleep(30000); + Thread.sleep(60000); def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'" log.info(res.toString()) if(res.size() == 0) { From a279382fc44c28e38cbc036828f545f5a2306646 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 11 Apr 2024 20:48:09 +0800 Subject: [PATCH 65/68] 1 --- .../doris/analysis/CancelExportStmt.java | 14 -------- .../java/org/apache/doris/load/ExportMgr.java | 10 +++--- .../auth_p0/test_cancel_export_auth.groovy | 35 ------------------- 3 files changed, 4 insertions(+), 55 deletions(-) delete mode 100644 regression-test/suites/auth_p0/test_cancel_export_auth.groovy diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java index 8db97f35ab7b08..ebdd7997d416b6 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelExportStmt.java @@ -18,15 +18,9 @@ package org.apache.doris.analysis; import org.apache.doris.analysis.BinaryPredicate.Operator; -import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; -import org.apache.doris.common.ErrorCode; -import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; -import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.load.ExportJobState; -import org.apache.doris.mysql.privilege.PrivPredicate; -import org.apache.doris.qe.ConnectContext; import com.google.common.base.Strings; import com.google.common.collect.ImmutableSet; 
@@ -143,14 +137,6 @@ public void analyze(Analyzer analyzer) throws UserException { } } - // check auth - if (!Env.getCurrentEnv().getAccessManager() - .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, - PrivPredicate.SELECT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, - PrivPredicate.SELECT.getPrivs().toString(), dbName); - } - if (null == whereClause) { throw new AnalysisException("Where clause can't be null"); } else if (whereClause instanceof LikePredicate) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java index 256895b6c50e2d..e9ba50299bd61d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java @@ -132,9 +132,8 @@ public void cancelExportJob(CancelExportStmt stmt) throws DdlException, Analysis if (Env.getCurrentEnv().getAccessManager() .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SELECT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "SELECT", - ConnectContext.get().getQualifiedUser(), - ConnectContext.get().getRemoteIP(), dbName); + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.SELECT.getPrivs().toString(), dbName); } } else { String tableName = matchExportJobs.get(0).getTableName().getTbl(); 
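Review bot: The `checkDbPriv(...)` condition kept as context in this ExportMgr hunk has no `!` in front of it, so as shown the denial is reported when the caller holds SELECT on the database and skipped when the caller does not. The same un-negated form is used for `checkTblPriv` in the next hunk and is carried unchanged into `checkCancelExportJobAuth` in the later refactor of this file, whereas `checkJobAuth` in JobManager and LoadManager negates the call. Because this commit also deletes the SELECT check from `CancelExportStmt.analyze`, this branch becomes the only gate on CANCEL EXPORT. Both branches should start with `if (!Env.getCurrentEnv().getAccessManager()`. `cancelExportJob` starts and ends outside the hunk, so confirm against the full method.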
@@ -142,9 +141,8 @@ public void cancelExportJob(CancelExportStmt stmt) throws DdlException, Analysis .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, tableName, PrivPredicate.SELECT)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SELECT", - ConnectContext.get().getQualifiedUser(), - ConnectContext.get().getRemoteIP(), dbName + ":" + tableName); + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.SELECT.getPrivs().toString(), tableName); } } diff --git a/regression-test/suites/auth_p0/test_cancel_export_auth.groovy b/regression-test/suites/auth_p0/test_cancel_export_auth.groovy deleted file mode 100644 index 9c3214b141a6bb..00000000000000 --- a/regression-test/suites/auth_p0/test_cancel_export_auth.groovy +++ /dev/null 
@@ -1,35 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -import org.junit.Assert; - -suite("test_cancel_export_auth","p0,auth") { - String user = 'test_cancel_export_auth_user' - String pwd = 'C123_567p' - try_sql("DROP USER ${user}") - sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" - sql """grant select_priv on regression_test to ${user}""" - connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { - try { - sql "CANCEL EXPORT FROM example_db WHERE STATE = 'PENDING';" - } catch (Exception e) { - log.info(e.getMessage()) - assertTrue(e.getMessage().contains("Admin_priv,Select_priv")) - } - } - try_sql("DROP USER ${user}") -} From 4571255693ea624a6c27bae3aba335dc402d20e6 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Fri, 12 Apr 2024 11:53:24 +0800 Subject: [PATCH 66/68] 1 --- .../apache/doris/analysis/BaseViewStmt.java | 19 ++++-- .../apache/doris/job/manager/JobManager.java | 47 +++++++------- .../java/org/apache/doris/load/ExportMgr.java | 41 +++++++----- .../apache/doris/load/loadv2/LoadManager.java | 50 +++++++------- .../doris/analysis/CancelExportStmtTest.java | 28 +++++++- .../DropMaterializedViewStmtTest.java | 2 +- .../doris/catalog/RefreshTableTest.java | 2 +- .../doris/job/manager/JobManagerTest.java | 65 +++++++++++++++++++ .../doris/load/loadv2/LoadManagerTest.java | 38 +++++++++++ .../doris/utframe/TestWithFeService.java | 2 +- 10 files changed, 224 insertions(+), 70 deletions(-) create mode 100644 fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java index 1e0a7774a09a3f..7a823e7aa4a6ae 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java @@ -25,12 +25,14 @@ import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; import org.apache.doris.common.util.ToSqlContext; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; import com.google.common.base.Preconditions; import com.google.common.collect.Lists; import com.google.common.collect.Sets; +import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -79,12 +81,21 @@ public String getInlineViewDef() { protected void checkQueryAuth() throws UserException { for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) { - SlotRef expr = (SlotRef) viewDefStmt.getBaseTblResultExprs().get(i); - TableName queryTableName = expr.getTableName(); - String queryColumnName = expr.getColumnName(); + Expr expr = viewDefStmt.getBaseTblResultExprs().get(i); + if (!(expr instanceof SlotRef)) { + continue; + } + SlotRef slotRef = (SlotRef) expr; + TableName queryTableName = slotRef.getTableName(); + if (queryTableName == null) { + continue; + } + String queryColumnName = slotRef.getColumnName(); + String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ? InternalCatalog.INTERNAL_CATALOG_NAME + : queryTableName.getCtl(); // check privilege Env.getCurrentEnv().getAccessManager() - .checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), queryTableName.getCtl(), + .checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName, queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName), PrivPredicate.SELECT); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java index fceeb13a1d7cbd..d8a30a968a6716 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java 
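Review bot: The two new `continue` statements in `checkQueryAuth` skip the column privilege check rather than failing. Any entry of `getBaseTblResultExprs()` that is not a bare `SlotRef`, or whose `getTableName()` is null, is accepted without reaching `checkColumnsPriv`. If a result expression can wrap base-table columns (for example a function call over a column, which is not visible from this hunk), those columns would go unchecked when the view is defined. Prefer gathering every `SlotRef` contained in each expression and checking all of them, and treat a slot with no resolvable table as an error unless it is known not to come from a base table. At minimum, put a comment on each `continue` stating why skipping is safe, e.g. `// no base-table column in this expression, nothing to authorize`.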
@@ -363,28 +363,10 @@ public List> getLoadJobInfosByDb(long dbId, String dbName, continue; } // check auth - Set tableNames = loadJob.getTableNames(); - // check auth - if (tableNames.isEmpty()) { - // forward compatibility - if (!Env.getCurrentEnv().getAccessManager() - .checkDbPriv(ConnectContext.get(), catalogName, dbName, - PrivPredicate.LOAD)) { - continue; - } - } else { - boolean auth = true; - for (String tblName : tableNames) { - if (!Env.getCurrentEnv().getAccessManager() - .checkTblPriv(ConnectContext.get(), catalogName, dbName, - tblName, PrivPredicate.LOAD)) { - auth = false; - break; - } - } - if (!auth) { - continue; - } + try { + checkJobAuth(catalogName, dbName, loadJob.getTableNames()); + } catch (AnalysisException e) { + continue; } // add load job info, convert String list to Comparable list loadJobInfos.add(new ArrayList<>(loadJob.getShowInfo())); @@ -399,6 +381,27 @@ public List> getLoadJobInfosByDb(long dbId, String dbName, } } + public void checkJobAuth(String ctlName, String dbName, Set tableNames) throws AnalysisException { + if (tableNames.isEmpty()) { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), ctlName, dbName, + PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.LOAD.getPrivs().toString(), dbName); + } + } else { + for (String tblName : tableNames) { + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), ctlName, dbName, + tblName, PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.LOAD.getPrivs().toString(), tblName); + return; + } + } + } + } + private static boolean validState(JobState jobState, InsertJob loadJob) { JobStatus status = loadJob.getJobStatus(); switch (status) { 
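Review bot: In the new `checkJobAuth`, the `return;` after `ErrorReport.reportAnalysisException(...)` inside the table loop is either dead code or a fail-open path. If the report call always throws, as the database branch assumes, the `return` never runs; if it ever returned normally, the method would exit without an exception and `getLoadJobInfosByDb` would list the job as authorized. Remove the `return;` so both branches behave the same way. The method is added as `public` without Javadoc, and an identical copy is added to LoadManager later in this patch; a single shared helper would keep the two from drifting. A doc line such as `/** Throws AnalysisException unless the current user has LOAD on every table, or on the database when tableNames is empty. */` would also help. `getLoadJobInfosByDb` starts and ends outside these hunks.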
diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java index e9ba50299bd61d..afc7ea51984475 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java 
@@ -127,34 +127,39 @@ public void cancelExportJob(CancelExportStmt stmt) throws DdlException, Analysis } // check auth - String dbName = stmt.getDbName(); - if (matchExportJobs.size() > 1) { + checkCancelExportJobAuth(InternalCatalog.INTERNAL_CATALOG_NAME, stmt.getDbName(), matchExportJobs); + try { + for (ExportJob exportJob : matchExportJobs) { + // exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL, "user cancel"); + exportJob.updateExportJobState(ExportJobState.CANCELLED, 0L, null, + ExportFailMsg.CancelType.USER_CANCEL, "user cancel"); + } + } catch (JobException e) { + throw new AnalysisException(e.getMessage()); + } + } + + public void checkCancelExportJobAuth(String ctlName, String dbName, List jobs) throws AnalysisException { + if (jobs.size() > 1) { if (Env.getCurrentEnv().getAccessManager() - .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, + .checkDbPriv(ConnectContext.get(), ctlName, dbName, PrivPredicate.SELECT)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, PrivPredicate.SELECT.getPrivs().toString(), dbName); } } else { - String tableName = matchExportJobs.get(0).getTableName().getTbl(); + TableName tableName = jobs.get(0).getTableName(); + if (tableName == null) { + return; + } if (Env.getCurrentEnv().getAccessManager() - .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, - tableName, + .checkTblPriv(ConnectContext.get(), ctlName, dbName, + tableName.getTbl(), PrivPredicate.SELECT)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, - PrivPredicate.SELECT.getPrivs().toString(), tableName); + PrivPredicate.SELECT.getPrivs().toString(), tableName.getTbl()); } } - - try { - for (ExportJob exportJob : matchExportJobs) { - // exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL, "user cancel"); - exportJob.updateExportJobState(ExportJobState.CANCELLED, 0L, null, - ExportFailMsg.CancelType.USER_CANCEL, "user cancel"); - } - } 
catch (JobException e) { - throw new AnalysisException(e.getMessage()); - } } public void unprotectAddJob(ExportJob job) { @@ -418,7 +423,7 @@ public void removeOldExportJobs() { ExportJob job = entry.getValue(); if ((currentTimeMs - job.getCreateTimeMs()) / 1000 > Config.history_job_keep_max_second && (job.getState() == ExportJobState.CANCELLED - || job.getState() == ExportJobState.FINISHED)) { + || job.getState() == ExportJobState.FINISHED)) { iter.remove(); Map labelJobs = dbTolabelToExportJobId.get(job.getDbId()); if (labelJobs != null) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java index a07f109c35b44d..0b67ba544c6bbe 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java @@ -31,6 +31,8 @@ import org.apache.doris.common.Config; import org.apache.doris.common.DataQualityException; import org.apache.doris.common.DdlException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.LabelAlreadyUsedException; import org.apache.doris.common.MetaNotFoundException; import org.apache.doris.common.Pair; 
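Review bot: The `if (tableName == null) { return; }` added to `checkCancelExportJobAuth` lets the cancel proceed with no privilege check at all when the single matched job carries no table name. Falling back to a negated database-level check keeps that case gated, as sketched below. The else branch also calls `jobs.get(0)` for every size that is not greater than one, so an empty list would raise `IndexOutOfBoundsException` now that the method is `public`. Whether the caller guarantees a non-empty list is not visible in this hunk.

```java
TableName tableName = jobs.get(0).getTableName();
if (tableName == null) {
    // No table recorded on the job: gate on the database instead of skipping the check.
    if (!Env.getCurrentEnv().getAccessManager()
            .checkDbPriv(ConnectContext.get(), ctlName, dbName, PrivPredicate.SELECT)) {
        ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
                PrivPredicate.SELECT.getPrivs().toString(), dbName);
    }
    return;
}
// … unchanged: table-level checkTblPriv branch …
```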
@@ -613,29 +615,12 @@ public List> getLoadJobInfosByDb(long dbId, String labelValue, if (!states.contains(loadJob.getState())) { continue; } - String dbName = loadJob.getDb().getName(); - Set tableNames = loadJob.getTableNames(); // check auth - if (tableNames.isEmpty()) { - // forward compatibility - if (!Env.getCurrentEnv().getAccessManager() - .checkDbPriv(ConnectContext.get(), loadJob.getDb().getCatalog().getName(), dbName, - PrivPredicate.LOAD)) { - continue; - } - } else { - boolean auth = true; - for (String tblName : tableNames) { - if (!Env.getCurrentEnv().getAccessManager() - .checkTblPriv(ConnectContext.get(), loadJob.getDb().getCatalog().getName(), dbName, - tblName, PrivPredicate.LOAD)) { - auth = false; - break; - } - } - if (!auth) { - continue; - } + try { + checkJobAuth(loadJob.getDb().getCatalog().getName(), loadJob.getDb().getName(), + loadJob.getTableNames()); + } catch (AnalysisException e) { + continue; } // add load job info loadJobInfos.add(loadJob.getShowInfo()); @@ -650,6 +635,27 @@ public List> getLoadJobInfosByDb(long dbId, String labelValue, } } + public void checkJobAuth(String ctlName, String dbName, Set tableNames) throws AnalysisException { + if (tableNames.isEmpty()) { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), ctlName, dbName, + PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.LOAD.getPrivs().toString(), dbName); + } + } else { + for (String tblName : tableNames) { + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), ctlName, dbName, + tblName, PrivPredicate.LOAD)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.LOAD.getPrivs().toString(), tblName); + return; + } + } + } + } + public List> getAllLoadJobInfos() { LinkedList> loadJobInfos = new LinkedList>(); 
diff --git a/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java b/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java index a5cff4fca1aa2a..0b4ecad12e23bd 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java @@ -28,9 +28,9 @@ import org.apache.doris.utframe.TestWithFeService; import com.google.common.collect.Lists; +import org.junit.Assert; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; -import org.wildfly.common.Assert; import java.lang.reflect.Method; import java.util.List; @@ -350,4 +350,30 @@ public void testExportMgrCancelJob() throws UserException { exportMgr.cancelExportJob(stmt); Assert.assertTrue(job8.getState() == ExportJobState.CANCELLED); } + + @Test + public void testCancelAuth() { + ExportMgr exportMgr = new ExportMgr(); + List jobs = Lists.newArrayList(); + ExportJob job1 = new ExportJob(); + job1.setTableName(new TableName("ctl1", "db1", "table1")); + jobs.add(job1); + try { + // should check table auth + exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv")); + Assert.assertTrue(e.getMessage().contains("table1")); + } + jobs.add(new ExportJob()); + try { + // should check db auth + exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv")); + Assert.assertTrue(e.getMessage().contains("db1")); + } + } } diff --git a/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java b/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java index 617f6bf512e769..b43fa6a5ad48d1 100644 
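Review bot: `testCancelAuth` only asserts that `checkCancelExportJobAuth` throws and never sets which user is calling, so it would pass just as well for a check that rejects privileged users. Unlike `JobManagerTest.testJobAuth` later in this patch, no `ConnectContext` is set up for an unprivileged identity. Add a case where a user holding SELECT on `db1`/`table1` is expected to pass without an exception, and run the denied case under an explicitly unprivileged user. `throw new RuntimeException("should exception")` would read better as `Assert.fail("expected AnalysisException")`.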
--- a/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java @@ -51,7 +51,7 @@ public void testNoPermission(@Injectable TableName tableName) { new Expectations() { { accessManager.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), - tableName.getTbl(), PrivPredicate.DROP); + tableName.getTbl(), PrivPredicate.ALTER); result = false; } }; diff --git a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java index d37058c20cd67d..aee15abd27884b 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java @@ -138,7 +138,7 @@ public void testRefreshPriv() throws Exception { user1.analyze(); ConnectContext user1Ctx = createCtx(user1, "127.0.0.1"); ExceptionChecker.expectThrowsWithMsg(AnalysisException.class, - "Access denied; you need (at least one of) the DROP privilege(s) for this operation", + "Access denied", () -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", user1Ctx)); ConnectContext.remove(); diff --git a/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java b/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java new file mode 100644 index 00000000000000..9e3aa386cd06e7 --- /dev/null +++ b/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java 
@@ -0,0 +1,65 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.job.manager; + +import org.apache.doris.analysis.UserIdentity; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.qe.ConnectContext; +import org.apache.doris.utframe.TestWithFeService; + +import com.google.common.collect.Sets; +import mockit.Expectations; +import org.junit.Assert; +import org.junit.Test; + +import java.io.IOException; +import java.util.HashSet; + +public class JobManagerTest { + @Test + public void testJobAuth() throws IOException, AnalysisException { + UserIdentity user1 = new UserIdentity("testJobAuthUser", "%"); + user1.analyze(); + new Expectations() { + { + ConnectContext.get(); + minTimes = 0; + result = TestWithFeService.createCtx(user1, "%"); + } + }; + JobManager manager = new JobManager(); + HashSet tableNames = Sets.newHashSet(); + try { + // should check db auth + manager.checkJobAuth("ctl1", "db1", tableNames); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv")); + Assert.assertTrue(e.getMessage().contains("db1")); + } + tableNames.add("table1"); + try { + // should check 
db auth + manager.checkJobAuth("ctl1", "db1", tableNames); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv")); + Assert.assertTrue(e.getMessage().contains("table1")); + } + } +} diff --git a/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java b/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java index e9b3278cfd08fa..9c09c72bd79a56 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java @@ -21,12 +21,16 @@ import org.apache.doris.catalog.Database; import org.apache.doris.catalog.Env; import org.apache.doris.catalog.Table; +import org.apache.doris.common.AnalysisException; import org.apache.doris.common.Config; import org.apache.doris.common.FeMetaVersion; import org.apache.doris.common.jmockit.Deencapsulation; import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.meta.MetaContext; +import org.apache.doris.qe.ConnectContext; +import org.apache.doris.utframe.TestWithFeService; +import com.google.common.collect.Sets; import mockit.Expectations; import mockit.Injectable; import mockit.Mocked; @@ -40,6 +44,8 @@ import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; +import java.io.IOException; +import java.util.HashSet; import java.util.List; import java.util.Map; 
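Review bot: The second `// should check db auth` comment in `testJobAuth` sits above the call made after `tableNames.add("table1")`, which exercises the table branch and asserts on `table1`; it should read `// should check table auth`. The same mislabel is in the `testJobAuth` added to LoadManagerTest in this patch. Both tests cover only the denied path, so a companion case for a user granted LOAD would confirm that `checkJobAuth` lets authorized callers through.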
@@ -195,4 +201,36 @@ private LoadManager deserializeFromFile(File file) throws Exception { loadManager.readFields(dis); return loadManager; } + + @Test + public void testJobAuth() throws IOException, AnalysisException { + UserIdentity user1 = new UserIdentity("testJobAuthUser", "%"); + user1.analyze(); + new Expectations() { + { + ConnectContext.get(); + minTimes = 0; + result = TestWithFeService.createCtx(user1, "%"); + } + }; + LoadManager manager = new LoadManager(new LoadJobScheduler()); + HashSet tableNames = Sets.newHashSet(); + try { + // should check db auth + manager.checkJobAuth("ctl1", "db1", tableNames); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv")); + Assert.assertTrue(e.getMessage().contains("db1")); + } + tableNames.add("table1"); + try { + // should check db auth + manager.checkJobAuth("ctl1", "db1", tableNames); + throw new RuntimeException("should exception"); + } catch (AnalysisException e) { + Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv")); + Assert.assertTrue(e.getMessage().contains("table1")); + } + } } diff --git a/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java b/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java index 8b06b7a2633a2c..37bc5f431f8257 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java +++ b/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java @@ -278,7 +278,7 @@ public StatementBase analyzeAndGetStmtByNereids(String sql, ConnectContext ctx) return adapter; } - protected static ConnectContext createCtx(UserIdentity user, String host) throws IOException { + public static ConnectContext createCtx(UserIdentity user, String host) throws IOException { ConnectContext ctx = new ConnectContext(); ctx.setCurrentUserIdentity(user); ctx.setQualifiedUser(user.getQualifiedUser()); 
From d45cddea2289253df60d064d276b316dd99c3300 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Fri, 12 Apr 2024 14:14:58 +0800 Subject: [PATCH 67/68] 1 --- .../src/test/java/org/apache/doris/planner/PlannerTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java b/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java index 41f21110330478..de9e828bacb90c 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java @@ -497,7 +497,7 @@ public void testUpdateUnique() throws Exception { QueryState state = connectContext.getState(); Assertions.assertEquals(MysqlStateType.ERR, state.getStateType()); Assertions.assertTrue(state.getErrorMessage() - .contains("you need (at least one of) the LOAD privilege(s) for this operation")); + .contains("you need (at least one of) the (LOAD) privilege(s) for this operation")); // set to admin user connectContext.setCurrentUserIdentity(UserIdentity.ADMIN); } From c7ced180439c77551e8fdc3abf1f55e8c08a2798 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Fri, 12 Apr 2024 18:17:19 +0800 Subject: [PATCH 68/68] 1 --- .../src/main/java/org/apache/doris/common/ErrorCode.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index 0ddd5ddc15301b..6474f208c6d958 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java 
@@ -74,13 +74,13 @@ public enum ErrorCode { + "(current value: %d)"), ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) for this operation"), - ERR_DB_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) on database %s for this operation"), - ERR_TABLE_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + ERR_TABLE_ACCESS_DENIED_ERROR(1224, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) on table %s for this operation"), - ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all " + ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1223, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all " + " %s privilege(s) for this operation"), ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be " + "used with SET GLOBAL"), @@ -1025,6 +1025,8 @@ public enum ErrorCode { + "DISCARD the tablespace before IMPORT."), ERR_TABLESPACE_DISCARDED(1814, new byte[]{'H', 'Y', '0', '0', '0'}, "Tablespace has been discarded for table '%s'"), ERR_INTERNAL_ERROR(1815, new byte[]{'H', 'Y', '0', '0', '0'}, "Internal error: %s"), + + ERR_MUST_CHANGE_PASSWORD_LOGIN(1862, new byte[]{'H', 'Y', '0', '0', '0'}, "Your password has expired. To log in " + "you must change it using a client that supports expired passwords."), ERR_CREDENTIALS_CONTRADICT_TO_HISTORY(3638, new byte[] {'H', 'Y', '0', '0', '0'},
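Review bot: Renumbering `ERR_DB_ACCESS_DENIED_ERROR`, `ERR_TABLE_ACCESS_DENIED_ERROR` and `ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR` from 1227 to 1225, 1224 and 1223 changes what clients and audit or alerting rules see for a denied request. In MySQL's numbering 1227 is the access-denied code, while 1223–1225 are assigned to unrelated errors. Anything that keys on 1227 to detect privilege failures will stop matching database- and table-level denials, and the new values may duplicate codes already used elsewhere in this enum (not visible in the hunk). If distinct codes are needed, choose values outside the MySQL-assigned range and mark them with a comment such as `// Doris-specific code, not a MySQL error number`; otherwise keep 1227 for every access-denied variant.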