From 0c20935fca0fd482b9181cdb22448211dfd12f52 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 28 Aug 2024 17:20:08 +0800 Subject: [PATCH 1/3] [fix](auth)Fix some issues with incorrect permission verification (#39726) - `show columns` do not have permission to check - `show sync job`do not have permission to check - `Show data from db.table` should be the permission to determine the table, not the admin permission - users with grant permission should not see all processes through 'SHOW PROCESS LIST' - `show tablet storage format`fix permission error prompt cases will be added uniformly in other PRs --- .../org/apache/doris/analysis/ShowColumnStmt.java | 11 +++++++++++ .../org/apache/doris/analysis/ShowSyncJobStmt.java | 9 +++++++++ .../doris/analysis/ShowTabletStorageFormatStmt.java | 6 ++---- .../java/org/apache/doris/qe/ConnectScheduler.java | 2 +- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java index e4b103b4152795..64827aa73128e9 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java @@ -18,11 +18,16 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.InfoSchemaDb; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; import org.apache.doris.common.util.Util; import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -105,6 +110,12 @@ public void analyze(Analyzer analyzer) throws AnalysisException { } else { metaData = META_DATA; } + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), + tableName.getTbl(), PrivPredicate.SHOW)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.SHOW.getPrivs().toString(), tableName); + } } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java index e469f32cdcd91e..297afe00d15c89 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java @@ -18,11 +18,15 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.cluster.ClusterNamespace; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; +import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -63,6 +67,11 @@ public void analyze(Analyzer analyzer) throws UserException { } else { dbName = ClusterNamespace.getFullName(getClusterName(), dbName); } + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.SHOW.getPrivs().toString(), dbName); + } } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java index 441f0f1d7d5288..9d0f3b88e6c3b2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java @@ -38,10 +38,8 @@ public ShowTabletStorageFormatStmt(boolean verbose) { public void analyze(Analyzer analyzer) throws UserException { // check access first if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR, - toSql(), - ConnectContext.get().getQualifiedUser(), - ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed."); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } super.analyze(analyzer); diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java index b8f2c64390ffad..4000ac7b1d4f17 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java +++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java @@ -151,7 +151,7 @@ public List listConnection(String user, boolean isFul for (ConnectContext ctx : connectionMap.values()) { // Check auth if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager() - .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { continue; } From c7fcabcd8e9f9063d0a1a2f1271862747b0a1165 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 5 Sep 2024 15:01:53 +0800 Subject: [PATCH 2/3] 1 --- fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index 1d417e19b1b9c0..91d9f3fbc901e0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java @@ -70,6 +70,8 @@ public enum ErrorCode { + "resources"), ERR_TOO_MANY_USER_CONNECTIONS(1203, new byte[]{'4', '2', '0', '0', '0'}, "User %s already has more than " + "'max_user_connections' active connections"), + ERR_TABLE_ACCESS_DENIED_ERROR(1224, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + + "one of) the (%s) privilege(s) on table %s for this operation"), ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User '%s' has exceeded the '%s' resource " + "(current value: %d)"), ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " From 89414a72afeedf86e45c6d39eafe2e90b27f9807 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 5 Sep 2024 16:06:56 +0800 Subject: [PATCH 3/3] 1 --- fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java index 91d9f3fbc901e0..ff68a0c24f08a0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java +++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java @@ -72,6 +72,8 @@ public enum ErrorCode { + "'max_user_connections' active connections"), ERR_TABLE_ACCESS_DENIED_ERROR(1224, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + "one of) the (%s) privilege(s) on table %s for this operation"), + ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least " + + "one of) the (%s) privilege(s) on database %s for this operation"), ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User '%s' has exceeded the '%s' resource " + "(current value: %d)"), ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "