From 13f1619890fc11147aad699f9eedac3ea54f054c Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 17:08:30 +0800 Subject: [PATCH 01/21] 1 --- .../catalog/authorizer/ranger/RangerAccessController.java | 2 ++ .../apache/doris/mysql/privilege/AccessControllerManager.java | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java index 41aa5213839cd1..cfa4243bf002b6 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java @@ -124,7 +124,9 @@ public Optional evalDataMaskPolicy(UserIdentity currentUser, Str if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } + long start = System.currentTimeMillis(); RangerAccessResult policy = getPlugin().evalDataMaskPolicies(request, getAccessResultProcessor()); + LOG.warn("datamask for col: {} use : {}", col, System.currentTimeMillis() - start); if (LOG.isDebugEnabled()) { LOG.debug("ranger response: {}", policy); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index ba23c91e27df78..e12b0a737dc6f8 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java 
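Review bot: The added `LOG.warn("datamask for col: {} use : {}", col, System.currentTimeMillis() - start);` logs at WARN on every data-mask evaluation, so routine column reads fill the warn log with per-column latency entries; patch 06 (L6) adds the same instrumentation to checkPrivilege. Both lines are removed again in patch 11, so these commits would best be squashed out of the series; if the measurement is meant to stay, guard it like the surrounding lines, `if (LOG.isDebugEnabled()) { LOG.debug("datamask for col: {} use : {}", col, System.currentTimeMillis() - start); }`. evalDataMaskPolicy starts and ends outside the hunk.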
@@ -22,7 +22,7 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; +import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; @@ -58,7 +58,7 @@ public class AccessControllerManager { public AccessControllerManager(Auth auth) { this.auth = auth; if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { - defaultAccessController = new RangerCacheDorisAccessController("doris"); + defaultAccessController = new RangerDorisAccessController("doris"); } else { defaultAccessController = new InternalAccessController(auth); } From e90a641b50576456fde6c540bbdb8d5f1e29f9b3 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 17:24:51 +0800 Subject: [PATCH 02/21] 1 --- .../doris/catalog/authorizer/ranger/RangerAccessController.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java index cfa4243bf002b6..95906b9651192a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java @@ -18,6 +18,7 @@ package org.apache.doris.catalog.authorizer.ranger; import org.apache.doris.analysis.UserIdentity; +import org.apache.doris.catalog.authorizer.ranger.doris.DorisAccessType; import org.apache.doris.common.AuthorizationException; import org.apache.doris.mysql.privilege.CatalogAccessController; import org.apache.doris.mysql.privilege.DataMaskPolicy; 
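Review bot: Switching the default `ranger-doris` controller from `RangerCacheDorisAccessController` to `RangerDorisAccessController` drops the caching layer, so every privilege check goes straight to the Ranger plugin, and from patch 09 onward a single check becomes one plugin call per privilege and per resource level. Patches 03 (L3) and 04 (L4) flip these two lines back and forth, the series ends on the uncached class, and the commit message `1` gives no reason. If dropping the cache is intended, say so at the construction site, e.g. `// uncached on purpose: <reason>`, otherwise restore the cached class. The constructor body continues outside the hunk.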
@@ -119,6 +120,7 @@ public Optional evalDataMaskPolicy(UserIdentity currentUser, Str String col) { RangerAccessResourceImpl resource = createResource(ctl, db, tbl, col); RangerAccessRequestImpl request = createRequest(currentUser); + request.setAccessType(DorisAccessType.SELECT.name()); request.setResource(resource); if (LOG.isDebugEnabled()) { From dec71666861d59cedb7129263f0615d195b43fd3 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 17:37:42 +0800 Subject: [PATCH 03/21] 1 --- .../apache/doris/mysql/privilege/AccessControllerManager.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index e12b0a737dc6f8..ba23c91e27df78 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java @@ -22,7 +22,7 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; +import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; @@ -58,7 +58,7 @@ public class AccessControllerManager { public AccessControllerManager(Auth auth) { this.auth = auth; if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { - defaultAccessController = new RangerDorisAccessController("doris"); + defaultAccessController = new RangerCacheDorisAccessController("doris"); } else { defaultAccessController = new InternalAccessController(auth); } From 63f14c7f746f912e87cade037ec93a4f1686f49f Mon Sep 17 00:00:00 2001 
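Review bot: `request.setAccessType(DorisAccessType.SELECT.name());` pins the data-mask lookup to SELECT without saying why; a one-line comment would spare the next reader from wondering whether masks should also apply to other access types, e.g. `// mask policies are evaluated for read access only; Ranger needs an explicit access type to match a policy`. The sibling `evalRowFilterPolicies` builds its request the same way and only receives this line in patch 11 (L16), so the two paths disagree for most of the series. The rest of evalDataMaskPolicy lies outside the hunk.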
From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 17:42:23 +0800 Subject: [PATCH 04/21] 1 --- .../apache/doris/mysql/privilege/AccessControllerManager.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index ba23c91e27df78..e12b0a737dc6f8 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java @@ -22,7 +22,7 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; +import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; @@ -58,7 +58,7 @@ public class AccessControllerManager { public AccessControllerManager(Auth auth) { this.auth = auth; if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { - defaultAccessController = new RangerCacheDorisAccessController("doris"); + defaultAccessController = new RangerDorisAccessController("doris"); } else { defaultAccessController = new InternalAccessController(auth); } From 8b7ea3afd46ac4a51f7e9c825218e395dc258bbd Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 17:58:35 +0800 Subject: [PATCH 05/21] 1 --- .../authorizer/ranger/doris/RangerDorisAccessController.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index b0deea1887b370..8314ece88aa884 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -30,6 +30,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceMatchingScope; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; @@ -106,7 +107,9 @@ private boolean checkPrivilege(UserIdentity currentUser, DorisAccessType accessT RangerDorisResource resource) { RangerAccessRequestImpl request = createRequest(currentUser, accessType); request.setResource(resource); - + if (accessType == DorisAccessType.SHOW) { + request.setResourceMatchingScope(ResourceMatchingScope.SELF_OR_DESCENDANTS); + } if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } From 4d75b01e3f91541405adabd3122e70e416536bfb Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 18:01:39 +0800 Subject: [PATCH 06/21] 1 --- .../authorizer/ranger/doris/RangerDorisAccessController.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 8314ece88aa884..640ff545c7836e 100644 
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -113,8 +113,9 @@ private boolean checkPrivilege(UserIdentity currentUser, DorisAccessType accessT if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } - + long start = System.currentTimeMillis(); RangerAccessResult result = dorisPlugin.isAccessAllowed(request); + LOG.warn("checkPrivilege for resource: {} use : {}", resource, System.currentTimeMillis() - start); return checkRequestResult(request, result, accessType.name()); } From b0a465c575a6db53e71ce62194ff21a25bd145d8 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 18:21:51 +0800 Subject: [PATCH 07/21] 1 --- .../authorizer/ranger/doris/RangerDorisAccessController.java | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 640ff545c7836e..8e05c2c2e69e43 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -145,11 +145,6 @@ public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, Priv @Override public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { - boolean res = checkDbPriv(currentUser, ctl, db, wanted); - if (res) { - return true; - } - RangerDorisResource resource = new RangerDorisResource(DorisObjectType.TABLE, ctl, ClusterNamespace.getNameFromFullName(db), tbl); return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); 
From 67ed015a4e535d19af0065c5baea3eb47dc15946 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 26 Aug 2024 19:01:51 +0800 Subject: [PATCH 08/21] 1 --- .../authorizer/ranger/doris/RangerDorisAccessController.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 8e05c2c2e69e43..640ff545c7836e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -145,6 +145,11 @@ public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, Priv @Override public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { + boolean res = checkDbPriv(currentUser, ctl, db, wanted); + if (res) { + return true; + } + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.TABLE, ctl, ClusterNamespace.getNameFromFullName(db), tbl); return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); From d205ff741b8227ac75c5e1c0aaf2db27b4e79ebc Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 28 Aug 2024 17:58:50 +0800 Subject: [PATCH 09/21] 1 --- .../ranger/doris/DorisAccessType.java | 79 +++++++------------ .../ranger/doris/DorisObjectType.java | 2 +- .../doris/RangerDorisAccessController.java | 63 +++++++++++---- .../ranger/doris/RangerDorisResource.java | 2 +- 4 files changed, 78 insertions(+), 68 deletions(-) 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisAccessType.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisAccessType.java
index 259646557da1ef..77d7bfefc239d5 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisAccessType.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisAccessType.java
@@ -17,66 +17,45 @@ package org.apache.doris.catalog.authorizer.ranger.doris; -import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.mysql.privilege.Privilege; // Same as defined in PrivPredicate.java public enum DorisAccessType { - SHOW, - SHOW_VIEW, - SHOW_RESOURCES, - SHOW_WORKLOAD_GROUP, - GRANT, + NODE, ADMIN, + GRANT, + SELECT, LOAD, ALTER, CREATE, - ALTER_CREATE, - ALTER_CREATE_DROP, DROP, - SELECT, - OPERATOR, USAGE, - ALL, - NODE, + SHOW_VIEW, NONE; - - public static DorisAccessType toAccessType(PrivPredicate priv) { - if (priv == PrivPredicate.SHOW) { - return SHOW; - } else if (priv == PrivPredicate.SHOW_VIEW) { - return SHOW_VIEW; - } else if (priv == PrivPredicate.SHOW_RESOURCES) { - // For Ranger, there is only USAGE priv for RESOURCE and WORKLOAD_GROUP. - // So when checking SHOW_XXX priv, convert it to USAGE priv and pass to Ranger. - return USAGE; - } else if (priv == PrivPredicate.SHOW_WORKLOAD_GROUP) { - return USAGE; - } else if (priv == PrivPredicate.GRANT) { - return GRANT; - } else if (priv == PrivPredicate.ADMIN) { - return ADMIN; - } else if (priv == PrivPredicate.LOAD) { - return LOAD; - } else if (priv == PrivPredicate.ALTER) { - return ALTER; - } else if (priv == PrivPredicate.CREATE) { - return CREATE; - } else if (priv == PrivPredicate.ALTER_CREATE) { - return ALTER_CREATE; - } else if (priv == PrivPredicate.ALTER_CREATE_DROP) { - return ALTER_CREATE_DROP; - } else if (priv == PrivPredicate.DROP) { - return DROP; - } else if (priv == PrivPredicate.SELECT) { - return SELECT; - } else if (priv == PrivPredicate.OPERATOR) { - return OPERATOR; - } else if (priv == PrivPredicate.USAGE) { - return USAGE; - } else if (priv == PrivPredicate.ALL) { - return ALL; - } else { - return NONE; + public static DorisAccessType toAccessType(Privilege privilege) { + switch (privilege) { + case ADMIN_PRIV: + return ADMIN; + case NODE_PRIV: + return NODE; + case GRANT_PRIV: + return GRANT; + case SELECT_PRIV: + return SELECT; + 
case LOAD_PRIV: + return LOAD; + case ALTER_PRIV: + return ALTER; + case CREATE_PRIV: + return CREATE; + case DROP_PRIV: + return DROP; + case USAGE_PRIV: + return USAGE; + case SHOW_VIEW_PRIV: + return SHOW_VIEW; + default: + return NONE; } } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisObjectType.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisObjectType.java index dd7002117ef2c2..cafff6bd6e1747 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisObjectType.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/DorisObjectType.java @@ -18,5 +18,5 @@ package org.apache.doris.catalog.authorizer.ranger.doris; public enum DorisObjectType { - NONE, CATALOG, DATABASE, TABLE, COLUMN, RESOURCE, WORKLOAD_GROUP + NONE, CATALOG, DATABASE, TABLE, COLUMN, RESOURCE, WORKLOAD_GROUP, GLOBAL } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 640ff545c7836e..ec750d20a22de3 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java 
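Review bot: The context line `// Same as defined in PrivPredicate.java` is now wrong: the import was switched and `toAccessType` takes a `Privilege`, so the enum mirrors `Privilege`, and the comment should read `// Same as defined in Privilege.java`. The `default: return NONE;` branch also silently absorbs any `Privilege` constant without a case (the old OPERATOR and ALL values are gone, and any privilege added to `Privilege` later lands here); the caller in this patch's `checkPrivilege` then builds a Ranger request with access type `NONE`, which presumably can only be denied but still costs a plugin round trip and an audit record. Consider returning early in the caller, `if (accessType == DorisAccessType.NONE) { return false; }`, or at least logging the unmapped privilege here.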
@@ -23,14 +23,15 @@ import org.apache.doris.catalog.authorizer.ranger.RangerAccessController; import org.apache.doris.cluster.ClusterNamespace; import org.apache.doris.common.AuthorizationException; +import org.apache.doris.mysql.privilege.PrivBitSet; import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.mysql.privilege.Privilege; import org.apache.doris.resource.workloadgroup.WorkloadGroupMgr; import com.google.common.annotations.VisibleForTesting; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceMatchingScope; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; @@ -103,13 +104,10 @@ private void checkPrivileges(UserIdentity currentUser, DorisAccessType accessTyp checkRequestResults(results, accessType.name()); } - private boolean checkPrivilege(UserIdentity currentUser, DorisAccessType accessType, + private boolean checkPrivilegeByPlugin(UserIdentity currentUser, DorisAccessType accessType, RangerDorisResource resource) { RangerAccessRequestImpl request = createRequest(currentUser, accessType); request.setResource(resource); - if (accessType == DorisAccessType.SHOW) { - request.setResourceMatchingScope(ResourceMatchingScope.SELF_OR_DESCENDANTS); - } if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } 
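Review bot: Removing the `SHOW` → `ResourceMatchingScope.SELF_OR_DESCENDANTS` branch (added in patch 05, L5) leaves no replacement for descendant matching: a SHOW predicate is now expanded into individual privileges and each is checked against the exact catalog or database resource, so a user whose only Ranger policy is on one table can no longer satisfy a SHOW check on the enclosing database, if that is the case the earlier branch was meant to cover. If that narrowing is intended it deserves a sentence in the commit message; if not, the scope needs to be re-applied in `checkPrivilegeByPlugin` for the catalog and database levels. The body of checkPrivilegeByPlugin ends outside the hunk.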
@@ -119,17 +117,37 @@ private boolean checkPrivilege(UserIdentity currentUser, DorisAccessType accessT return checkRequestResult(request, result, accessType.name()); } + private boolean checkPrivilege(UserIdentity currentUser, PrivPredicate wanted, + RangerDorisResource resource, PrivBitSet checkedPrivs) { + PrivBitSet copy = wanted.getPrivs().copy(); + // avoid duplicate check auth at different levels + copy.remove(checkedPrivs); + for (Privilege privilege : copy.toPrivilegeList()) { + boolean res = checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(privilege), resource); + if (res) { + checkedPrivs.set(privilege.getIdx()); + } + if (Privilege.satisfy(checkedPrivs, wanted)) { + return true; + } + } + return false; + } + @Override public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { - // ranger does not support global privilege, - // use internal privilege check instead - return Env.getCurrentEnv().getAuth().checkGlobalPriv(currentUser, wanted); + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.GLOBAL, "*"); + return checkPrivilege(currentUser, wanted, resource); } @Override public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { + boolean res = checkGlobalPriv(currentUser, wanted); + if (res) { + return true; + } RangerDorisResource resource = new RangerDorisResource(DorisObjectType.CATALOG, ctl); - return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); } @Override 
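Review bot: `return checkPrivilege(currentUser, wanted, resource);` in checkGlobalPriv passes three arguments, but the only `checkPrivilege` left after the rename takes `(UserIdentity, PrivPredicate, RangerDorisResource, PrivBitSet)`, so this commit does not compile unless an overload exists outside the hunk; checkCtlPriv in the same hunk and the L13/L14 hunks likewise still call `DorisAccessType.toAccessType(wanted)` with a `PrivPredicate` after that method was changed to take a `Privilege`. Patch 11 (L18) repairs both, so this intermediate commit should be squashed rather than left as a non-building point in history. Separately, replacing `Env.getCurrentEnv().getAuth().checkGlobalPriv(...)` with a Ranger lookup on the `GLOBAL` resource means that once `ranger-doris` is active, ADMIN/NODE/GRANT operations are granted only by a Ranger policy on that resource with the value `*`; a deployment upgrading without such a policy loses those operations, which needs an upgrade note and a comment such as `// global privileges are no longer answered by the internal Auth; they require a Ranger policy on the GLOBAL resource`.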
@@ -140,19 +158,32 @@ public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, Priv } RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl, ClusterNamespace.getNameFromFullName(db)); - return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); } - @Override - public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { - boolean res = checkDbPriv(currentUser, ctl, db, wanted); + public boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted, + PrivBitSet checkedPrivs) { + boolean res = checkCtlPriv(currentUser, ctl, wanted); if (res) { return true; } + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl, + ClusterNamespace.getNameFromFullName(db)); + return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + } + + @Override + public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) || + checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); + } + public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, + PrivPredicate wanted, PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.TABLE, ctl, ClusterNamespace.getNameFromFullName(db), tbl); - return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override 
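Review bot: `checkDbPrivInternal` declares a `PrivBitSet checkedPrivs` parameter it never reads and calls `checkCtlPriv`, which starts its own fresh accumulator, so the "avoid duplicate check" intent of `checkPrivilege` does not reach the database level in this commit; `checkTblPriv` then hands the same accumulator to `checkTblPrivInternal`, which does use it, so the number of plugin calls depends on which entry point the caller starts from. Patch 11 (L18–L19) restructures this, but leaves `checkDbPrivInternal` and `checkTblPrivInternal` `public` although they expose a mutable accumulator that only the level chains in this class should touch — they should be `private` like `checkColPrivInternal`. The trailing `||` in `checkTblPriv` is also rewritten in patch 11 with the operator at line start, which is the form the rest of the series uses.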
@@ -182,7 +213,7 @@ public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, @Override public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.RESOURCE, resourceName); - return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); } @Override @@ -192,7 +223,7 @@ public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadG return true; } RangerDorisResource resource = new RangerDorisResource(DorisObjectType.WORKLOAD_GROUP, workloadGroupName); - return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java index 648a76acdb3b30..f4ebdf42ffb2b7 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java @@ -27,7 +27,7 @@ public class RangerDorisResource extends RangerAccessResourceImpl { public static final String KEY_RESOURCE = "resource"; public static final String KEY_WORKLOAD_GROUP = "workload_group"; - // FirstLevelResource => Catalog / Resource / WorkloadGroup + // FirstLevelResource => Catalog / Resource / WorkloadGroup / GLOBAL // SecondLevelResource => Database // ThirdLevelResource => Table // FourthLevelResource => Column From d5ce13e384d5070cfd4b37849ed753b7e57a56d1 Mon Sep 17 00:00:00 2001 
From: zhangdong <493738387@qq.com> Date: Wed, 28 Aug 2024 19:10:14 +0800 Subject: [PATCH 10/21] 1 --- .../trees/plans/commands/UpdateMvByPartitionCommand.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java index ba1a054752b55a..f94913563738b6 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java @@ -65,6 +65,8 @@ import com.google.common.collect.Lists; import com.google.common.collect.Range; import com.google.common.collect.Sets; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import java.util.ArrayList; import java.util.HashSet; @@ -79,6 +81,8 @@ * Update mv by partition */ public class UpdateMvByPartitionCommand extends InsertOverwriteTableCommand { + private static final Logger LOG = LogManager.getLogger(UpdateMvByPartitionCommand.class); + private UpdateMvByPartitionCommand(LogicalPlan logicalQuery) { super(logicalQuery, Optional.empty(), Optional.empty()); } @@ -104,6 +108,10 @@ public static UpdateMvByPartitionCommand from(MTMV mv, Set partitionName } LogicalSink sink = UnboundTableSinkCreator.createUnboundTableSink(mv.getFullQualifiers(), ImmutableList.of(), ImmutableList.of(), parts, plan); + if (LOG.isDebugEnabled()) { + LOG.warn("MTMVTask plan for mvName: {}, partitionNames: {}, plan: {}", mv.getName(), partitionNames, + sink.treeString()); + } return new UpdateMvByPartitionCommand(sink); } From 607b8a7fc3761809a9e43c42c32e27b6c9faabcd Mon Sep 17 00:00:00 2001 
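Review bot: `LOG.warn(...)` sits inside an `if (LOG.isDebugEnabled())` guard, so the message is emitted at WARN level only while debug logging is on — either the guard or the level is wrong, and `LOG.debug("MTMVTask plan for mvName: {}, partitionNames: {}, plan: {}", mv.getName(), partitionNames, sink.treeString());` is the consistent choice. The full `sink.treeString()` of the refresh plan is also a large payload for a warn line. Patch 12 (diffstat at L21, hunk outside this page) removes these lines again, so the two commits cancel out and should be squashed.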
From: zhangdong <493738387@qq.com> Date: Wed, 18 Sep 2024 16:03:41 +0800 Subject: [PATCH 11/21] 1 --- .../ranger/RangerAccessController.java | 3 +- .../doris/RangerDorisAccessController.java | 99 ++++++++++++------- 2 files changed, 65 insertions(+), 37 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java index 95906b9651192a..813226fd9de840 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java @@ -93,6 +93,7 @@ public List evalRowFilterPolicies(UserIdentity curren String tbl) { RangerAccessResourceImpl resource = createResource(ctl, db, tbl); RangerAccessRequestImpl request = createRequest(currentUser); + request.setAccessType(DorisAccessType.SELECT.name()); request.setResource(resource); if (LOG.isDebugEnabled()) { @@ -126,9 +127,7 @@ public Optional evalDataMaskPolicy(UserIdentity currentUser, Str if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } - long start = System.currentTimeMillis(); RangerAccessResult policy = getPlugin().evalDataMaskPolicies(request, getAccessResultProcessor()); - LOG.warn("datamask for col: {} use : {}", col, System.currentTimeMillis() - start); if (LOG.isDebugEnabled()) { LOG.debug("ranger response: {}", policy); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index ec750d20a22de3..d97ef2d7688493 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -47,6 +47,9 @@ public class RangerDorisAccessController extends RangerAccessController { private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class); + // ranger must set name, we agreed that this name must be used + private static final String GLOBAL_PRIV_FIXED_NAME = "*"; + private RangerBasePlugin dorisPlugin; // private static ScheduledThreadPoolExecutor logFlushTimer = ThreadPoolManager.newDaemonScheduledThreadPool(1, // "ranger-doris-audit-log-flusher-timer", true); @@ -111,9 +114,7 @@ private boolean checkPrivilegeByPlugin(UserIdentity currentUser, DorisAccessType if (LOG.isDebugEnabled()) { LOG.debug("ranger request: {}", request); } - long start = System.currentTimeMillis(); RangerAccessResult result = dorisPlugin.isAccessAllowed(request); - LOG.warn("checkPrivilege for resource: {} use : {}", resource, System.currentTimeMillis() - start); return checkRequestResult(request, result, accessType.name()); } 
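Review bot: The comment on `GLOBAL_PRIV_FIXED_NAME` (`// ranger must set name, we agreed that this name must be used`) does not tell an administrator what to do with the value, and the value matters for security configuration: the request built in checkGlobalPrivInternal carries this literal, so a GLOBAL policy presumably has to be written against it to match at all. Suggested wording: `// Ranger requires every resource to carry a name and the global scope has none, so every policy on the GLOBAL resource must be defined on the fixed name "*" to match the requests built here.` The value should also be called out in the user-facing documentation of the doris Ranger service definition. The class body continues outside the hunk.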
@@ -136,47 +137,50 @@ private boolean checkPrivilege(UserIdentity currentUser, PrivPredicate wanted, @Override public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { - RangerDorisResource resource = new RangerDorisResource(DorisObjectType.GLOBAL, "*"); - return checkPrivilege(currentUser, wanted, resource); + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs); + } + + public boolean checkGlobalPrivInternal(UserIdentity currentUser, PrivPredicate wanted, PrivBitSet checkedPrivs) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.GLOBAL, GLOBAL_PRIV_FIXED_NAME); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { - boolean res = checkGlobalPriv(currentUser, wanted); - if (res) { - return true; - } + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs); + } + + public boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPredicate wanted, + PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.CATALOG, ctl); - return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted) { - boolean res = checkCtlPriv(currentUser, ctl, wanted); - if (res) { - return true; - } - RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl, - ClusterNamespace.getNameFromFullName(db)); - return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + PrivBitSet checkedPrivs = PrivBitSet.of(); + return 
checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs); } public boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted, PrivBitSet checkedPrivs) { - boolean res = checkCtlPriv(currentUser, ctl, wanted); - if (res) { - return true; - } RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl, ClusterNamespace.getNameFromFullName(db)); - return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { PrivBitSet checkedPrivs = PrivBitSet.of(); - return checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) || - checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) + || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); } public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, 
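Review bot: `checkGlobalPrivInternal`, `checkCtlPrivInternal` and `checkDbPrivInternal` are `public` while `checkColPrivInternal` (L20), `checkResourcePrivInternal` and `checkWorkloadGroupInternal` (L21) are `private`; all of them mutate the caller's `PrivBitSet checkedPrivs` and only make sense inside the level chains of this class, so they should all be `private`. Each public entry point now issues up to one Ranger request per privilege in `wanted` per resource level — four levels for a table check — where the pre-series code made one call, and the cached controller was dropped at L2/L4; a short Javadoc on `checkPrivilege` stating the accumulation contract (a privilege allowed at an outer level is not re-asked at inner levels, a denied one is) would make both the cost and the semantics explicit. Whether `Privilege.satisfy` treats `wanted` as any-of or all-of is not visible here, and the accumulator only changes results in the all-of case, so that Javadoc should say which applies. The hunk opens with checkGlobalPriv and ends on the signature of checkTblPrivInternal, whose body is outside.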
@@ -189,19 +193,30 @@ public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String @Override public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, PrivPredicate wanted) throws AuthorizationException { - boolean res = checkTblPriv(currentUser, ctl, db, tbl, wanted); - if (res) { - return; - } - - List resources = new ArrayList<>(); for (String col : cols) { - RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, - ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); - resources.add(resource); + if (!checkColPriv(currentUser, ctl, db, tbl, col, wanted)) { + throw new AuthorizationException(String.format( + "Permission denied: user [%s] does not have privilege for [%s] command on [%s].[%s].[%s].[%s]", + currentUser, wanted, ctl, db, tbl, col)); + } } + } + + public boolean checkColPriv(UserIdentity currentUser, String ctl, String db, String tbl, + String col, PrivPredicate wanted) { + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) + || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs) + || checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs); + } - checkPrivileges(currentUser, DorisAccessType.toAccessType(wanted), resources); + private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col, + PrivPredicate wanted, PrivBitSet checkedPrivs) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, + ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override 
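Review bot: `checkColsPriv` now calls `checkColPriv` once per column, and `checkColPriv` re-runs the global/catalog/database/table chain with a fresh `checkedPrivs` each time, so a statement touching N columns evaluates the four table-and-above checks N times where the removed code did it once through `checkTblPriv`. Evaluating the table-level chain once before the loop, returning early when it passes, and then running only `checkColPrivInternal` per column on a copy of the accumulator (so one column's granted bits do not satisfy the next) gives the same decision with far fewer plugin round-trips. `checkColPriv` is public but not part of the overridden interface, so it can be dropped once the loop calls the private helper directly. The enclosing class continues outside the hunk.
```java
    public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set<String> cols,
            PrivPredicate wanted) throws AuthorizationException {
        PrivBitSet checkedPrivs = PrivBitSet.of();
        boolean hasTablePriv = checkGlobalPrivInternal(currentUser, wanted, checkedPrivs)
                || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs)
                || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs)
                || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs);
        if (hasTablePriv) {
            return;
        }
        for (String col : cols) {
            // each column is judged from the table-level state; the copy keeps one column's grant
            // from counting for its siblings
            if (!checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs.copy())) {
                // … unchanged: throw AuthorizationException with the existing message …
            }
        }
    }
```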
@@ -212,8 +227,15 @@ public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, @Override public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkResourcePrivInternal(currentUser, resourceName, wanted, checkedPrivs); + } + + private boolean checkResourcePrivInternal(UserIdentity currentUser, String resourceName, PrivPredicate wanted, + PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.RESOURCE, resourceName); - return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override @@ -222,8 +244,15 @@ public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadG if (WorkloadGroupMgr.DEFAULT_GROUP_NAME.equals(workloadGroupName)) { return true; } + PrivBitSet checkedPrivs = PrivBitSet.of(); + return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkWorkloadGroupInternal(currentUser, workloadGroupName, wanted, checkedPrivs); + } + + private boolean checkWorkloadGroupInternal(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted, + PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.WORKLOAD_GROUP, workloadGroupName); - return checkPrivilegeByPlugin(currentUser, DorisAccessType.toAccessType(wanted), resource); + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override From 7d6319724060b3575b3fe11262aad5bab33c8f1b Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 18 Sep 2024 16:20:50 +0800 Subject: [PATCH 12/21] 1 --- .../trees/plans/commands/UpdateMvByPartitionCommand.java | 8 -------- 1 file changed, 8 deletions(-) 
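Review bot: `checkResourcePrivInternal` and `checkWorkloadGroupInternal` are `private` while the `*Internal` helpers introduced in the same series for global, catalog, database and table are `public`, and the workload-group helper drops `Priv` from its name; these read as one family and should share visibility and naming, e.g. `private boolean checkWorkloadGroupPrivInternal(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted, PrivBitSet checkedPrivs)`. Private is the right choice for all of them, since each expects a fresh accumulator from its `@Override` entry point. The pre-existing `WorkloadGroupMgr.DEFAULT_GROUP_NAME` early return now also skips the global check; if that is intended, a one-line comment such as `// the default group is visible to every user, so no Ranger evaluation is needed` would record it.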
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java index f94913563738b6..ba1a054752b55a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/UpdateMvByPartitionCommand.java @@ -65,8 +65,6 @@ import com.google.common.collect.Lists; import com.google.common.collect.Range; import com.google.common.collect.Sets; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; import java.util.ArrayList; import java.util.HashSet; @@ -81,8 +79,6 @@ * Update mv by partition */ public class UpdateMvByPartitionCommand extends InsertOverwriteTableCommand { - private static final Logger LOG = LogManager.getLogger(UpdateMvByPartitionCommand.class); - private UpdateMvByPartitionCommand(LogicalPlan logicalQuery) { super(logicalQuery, Optional.empty(), Optional.empty()); } @@ -108,10 +104,6 @@ public static UpdateMvByPartitionCommand from(MTMV mv, Set partitionName } LogicalSink sink = UnboundTableSinkCreator.createUnboundTableSink(mv.getFullQualifiers(), ImmutableList.of(), ImmutableList.of(), parts, plan); - if (LOG.isDebugEnabled()) { - LOG.warn("MTMVTask plan for mvName: {}, partitionNames: {}, plan: {}", mv.getName(), partitionNames, - sink.treeString()); - } return new UpdateMvByPartitionCommand(sink); } From 1794dddba0bca4017844bc96196ee65a8f8494be Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Wed, 18 Sep 2024 18:50:55 +0800 Subject: [PATCH 13/21] 1 --- .../doris/RangerDorisAccessController.java | 23 ------------------- .../ranger/doris/RangerDorisResource.java | 3 +++ .../privilege/AccessControllerManager.java | 6 ++++- 3 files changed, 8 insertions(+), 24 deletions(-) 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index d97ef2d7688493..7bb619aa4e639d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -19,7 +19,6 @@ import org.apache.doris.analysis.ResourceTypeEnum; import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.catalog.Env; import org.apache.doris.catalog.authorizer.ranger.RangerAccessController; import org.apache.doris.cluster.ClusterNamespace; import org.apache.doris.common.AuthorizationException; @@ -31,19 +30,14 @@ import com.google.common.annotations.VisibleForTesting; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; -import java.util.ArrayList; -import java.util.Collection; import java.util.Date; -import java.util.List; import java.util.Set; -import java.util.stream.Collectors; public class RangerDorisAccessController extends RangerAccessController { private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class); 
@@ -82,10 +76,6 @@ private RangerAccessRequestImpl createRequest(UserIdentity currentUser, DorisAcc protected RangerAccessRequestImpl createRequest(UserIdentity currentUser) { RangerAccessRequestImpl request = new RangerAccessRequestImpl(); request.setUser(ClusterNamespace.getNameFromFullName(currentUser.getQualifiedUser())); - Set roles = Env.getCurrentEnv().getAuth().getRolesByUser(currentUser, false); - request.setUserRoles(roles.stream().map(role -> ClusterNamespace.getNameFromFullName(role)).collect( - Collectors.toSet())); - request.setClientIPAddress(currentUser.getHost()); request.setClusterType(CLIENT_TYPE_DORIS); request.setClientType(CLIENT_TYPE_DORIS); @@ -94,19 +84,6 @@ protected RangerAccessRequestImpl createRequest(UserIdentity currentUser) { return request; } - private void checkPrivileges(UserIdentity currentUser, DorisAccessType accessType, - List dorisResources) throws AuthorizationException { - List requests = new ArrayList<>(); - for (RangerDorisResource resource : dorisResources) { - RangerAccessRequestImpl request = createRequest(currentUser, accessType); - request.setResource(resource); - requests.add(request); - } - - Collection results = dorisPlugin.isAccessAllowed(requests); - checkRequestResults(results, accessType.name()); - } - private boolean checkPrivilegeByPlugin(UserIdentity currentUser, DorisAccessType accessType, RangerDorisResource resource) { RangerAccessRequestImpl request = createRequest(currentUser, accessType); diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java index f4ebdf42ffb2b7..02eb23301aa278 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java 
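Review bot: Dropping `request.setUserRoles(...)` and `request.setClientIPAddress(currentUser.getHost())` from `createRequest` changes what the Ranger plugin authorizes against: policies granted to a role, or carrying an IP-range condition, will no longer see the user's roles or client host in the request and stop matching, unless the plugin resolves roles on its own from its user/role sync (not visible here). That is a change in access decisions, and the commit message ("1") does not say whether it is intended or a side effect of removing the `Env` dependency. A comment on `createRequest` should record the reason, e.g. `// roles and client IP are intentionally not attached to the request: <reason>; role-based and IP-conditioned Ranger policies will not match it`, with the placeholder filled in. The opening lines of the method are outside the hunk.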
@@ -20,6 +20,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; public class RangerDorisResource extends RangerAccessResourceImpl { + public static final String KEY_GLOBAL = "global"; public static final String KEY_CATALOG = "catalog"; public static final String KEY_DATABASE = "database"; public static final String KEY_TABLE = "table"; @@ -48,6 +49,8 @@ public RangerDorisResource(DorisObjectType objectType, String firstLevelResource String thirdLevelResource, String fourthLevelResource) { // set essential info according to objectType switch (objectType) { + case GLOBAL: + setValue(KEY_GLOBAL, firstLevelResource); case CATALOG: setValue(KEY_CATALOG, firstLevelResource); break; diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index e12b0a737dc6f8..9662a0bf0a6dd4 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java @@ -178,9 +178,13 @@ public void checkColumnsPriv(UserIdentity currentUser, String PrivPredicate wanted) throws UserException { boolean hasGlobal = checkGlobalPriv(currentUser, wanted); CatalogAccessController accessController = getAccessControllerOrDefault(ctl); + long start = System.currentTimeMillis(); accessController.checkColsPriv(hasGlobal, currentUser, ctl, qualifiedDb, tbl, cols, wanted); - + if (LOG.isDebugEnabled()) { + LOG.debug("checkColumnsPriv use {} mills, user: {}, ctl: {}, db: {}, table: {}, cols: {}", + System.currentTimeMillis() - start, currentUser, ctl, qualifiedDb, tbl, cols); + } } // ==== Resource ==== From 8dd362abb8d05f30e8e5b77b7e02388fbfd815b3 Mon Sep 17 00:00:00 2001 
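Review bot: In the `RangerDorisResource` constructor the new `case GLOBAL:` has no `break;`, so building a GLOBAL resource falls through into `case CATALOG` and also sets `KEY_CATALOG` to `firstLevelResource`. The request then no longer describes the GLOBAL object alone; how Ranger's matcher treats the extra catalog key depends on the service definition, which is not on the page, but a global-privilege check could be answered by a catalog-level policy or fail to match the global policy it was meant for. The fix is `case GLOBAL: setValue(KEY_GLOBAL, firstLevelResource); break;`. The `switch` continues outside the hunk.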
From: zhangdong <493738387@qq.com> Date: Wed, 18 Sep 2024 19:02:39 +0800 Subject: [PATCH 14/21] 1 --- .../catalog/authorizer/ranger/doris/RangerDorisResource.java | 1 + 1 file changed, 1 insertion(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java index 02eb23301aa278..db173a25354d4f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisResource.java @@ -51,6 +51,7 @@ public RangerDorisResource(DorisObjectType objectType, String firstLevelResource switch (objectType) { case GLOBAL: setValue(KEY_GLOBAL, firstLevelResource); + break; case CATALOG: setValue(KEY_CATALOG, firstLevelResource); break; From 5ae7a6ad064d7e1170f77a7cccf2c66f4171a95e Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 19 Sep 2024 11:02:47 +0800 Subject: [PATCH 15/21] 1 --- .../doris/RangerDorisAccessController.java | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 7bb619aa4e639d..4f53c3cfb336ee 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java 
@@ -170,8 +170,17 @@ public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String @Override public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, PrivPredicate wanted) throws AuthorizationException { + PrivBitSet checkedPrivs = PrivBitSet.of(); + boolean hasTablePriv = checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) + || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); + if (hasTablePriv) { + return; + } + for (String col : cols) { - if (!checkColPriv(currentUser, ctl, db, tbl, col, wanted)) { + if (!checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs.copy())) { throw new AuthorizationException(String.format( "Permission denied: user [%s] does not have privilege for [%s] command on [%s].[%s].[%s].[%s]", currentUser, wanted, ctl, db, tbl, col)); @@ -179,16 +188,6 @@ public void checkColsPriv(UserIdentity currentUser, String ctl, String db, Strin } } - public boolean checkColPriv(UserIdentity currentUser, String ctl, String db, String tbl, - String col, PrivPredicate wanted) { - PrivBitSet checkedPrivs = PrivBitSet.of(); - return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) - || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) - || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) - || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs) - || checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs); - } - private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col, PrivPredicate wanted, PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, From dc62e0b528dcf0dae98c7a47ddd3fe8b2da336d7 Mon Sep 17 00:00:00 2001 
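Review bot: The `checkedPrivs.copy()` passed for every column in `checkColsPriv` is the subtle part of this hunk and has no comment: the accumulator is shared across the global/catalog/database/table checks, but each column is evaluated on its own copy, presumably so that a bit established by one column's policy cannot satisfy the next column. A comment such as `// judge each column from the table-level state only; the copy keeps one column's grant from counting for its siblings` on the `if` line would make that intent survive the next refactor. The same code returns unchanged in PATCH 17 (the hunk at `@@ -173,37 +170,29 @@`), where the comment applies as well. The denial message names only the first failing column, which is adequate but worth stating in the Javadoc of `checkColsPriv`.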
From: zhangdong <493738387@qq.com> Date: Thu, 19 Sep 2024 11:52:10 +0800 Subject: [PATCH 16/21] 1 --- .../doris/RangerDorisAccessController.java | 45 ++++++++++++------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 4f53c3cfb336ee..b87619bf9be01b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -28,8 +28,10 @@ import org.apache.doris.resource.workloadgroup.WorkloadGroupMgr; import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.Lists; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; @@ -37,6 +39,7 @@ import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.Date; +import java.util.List; import java.util.Set; public class RangerDorisAccessController extends RangerAccessController { 
@@ -170,29 +173,37 @@ public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String @Override public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, PrivPredicate wanted) throws AuthorizationException { - PrivBitSet checkedPrivs = PrivBitSet.of(); - boolean hasTablePriv = checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) - || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) - || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) - || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); - if (hasTablePriv) { - return; - } - + long start = System.currentTimeMillis(); for (String col : cols) { - if (!checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs.copy())) { - throw new AuthorizationException(String.format( - "Permission denied: user [%s] does not have privilege for [%s] command on [%s].[%s].[%s].[%s]", - currentUser, wanted, ctl, db, tbl, col)); - } + checkColPrivInternal(currentUser, ctl, db, tbl, col); } + LOG.warn("=============every============= {} ms", System.currentTimeMillis() - start); + long start1 = System.currentTimeMillis(); + checkColPrivInternal2(currentUser, ctl, db, tbl, cols); + LOG.warn("=============batch============= {} ms", System.currentTimeMillis() - start1); } - private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col, - PrivPredicate wanted, PrivBitSet checkedPrivs) { + private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); - return checkPrivilege(currentUser, wanted, resource, checkedPrivs); + RangerAccessRequestImpl request = createRequest(currentUser, DorisAccessType.SELECT); + request.setResource(resource); + dorisPlugin.isAccessAllowed(request); + return true; 
+ } + + private boolean checkColPrivInternal2(UserIdentity currentUser, String ctl, String db, String tbl, + Set cols) { + List requests = Lists.newArrayList(); + for (String col : cols) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, + ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); + RangerAccessRequestImpl request = createRequest(currentUser, DorisAccessType.SELECT); + request.setResource(resource); + requests.add(request); + } + dorisPlugin.isAccessAllowed(requests); + return true; } @Override From 5566d3497d0e3db99e8192102de077e97f20d9c6 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Thu, 19 Sep 2024 11:59:57 +0800 Subject: [PATCH 17/21] 1 --- .../doris/RangerDorisAccessController.java | 45 +++++++------------ 1 file changed, 17 insertions(+), 28 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index b87619bf9be01b..4f53c3cfb336ee 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -28,10 +28,8 @@ import org.apache.doris.resource.workloadgroup.WorkloadGroupMgr; import com.google.common.annotations.VisibleForTesting; -import com.google.common.collect.Lists; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; 
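Review bot: At this commit `checkColPrivInternal` ignores the value returned by `dorisPlugin.isAccessAllowed(request)` and returns `true` unconditionally, and `checkColsPriv` no longer throws, so column-level authorization is effectively disabled for every caller; `wanted` is also discarded in favour of a hard-coded `DorisAccessType.SELECT`, and the `LOG.warn("=============every=============…")` and `=============batch=============` lines are benchmark output at warn level. PATCH 17 reverts all of this, but keeping the commit in the series means a bisect or a partial cherry-pick lands on a build that permits every column read, so the two timing commits should be squashed away rather than merged. If the batch path (`isAccessAllowed(List)`) is the variant worth keeping, its results must be checked the way the `checkPrivileges` helper removed in PATCH 13 did with `checkRequestResults`. The enclosing class continues outside the hunk.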
@@ -39,7 +37,6 @@ import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.Date; -import java.util.List; import java.util.Set; public class RangerDorisAccessController extends RangerAccessController { 
@@ -173,37 +170,29 @@ public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String @Override public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, PrivPredicate wanted) throws AuthorizationException { - long start = System.currentTimeMillis(); + PrivBitSet checkedPrivs = PrivBitSet.of(); + boolean hasTablePriv = checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) + || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); + if (hasTablePriv) { + return; + } + for (String col : cols) { - checkColPrivInternal(currentUser, ctl, db, tbl, col); + if (!checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs.copy())) { + throw new AuthorizationException(String.format( + "Permission denied: user [%s] does not have privilege for [%s] command on [%s].[%s].[%s].[%s]", + currentUser, wanted, ctl, db, tbl, col)); + } } - LOG.warn("=============every============= {} ms", System.currentTimeMillis() - start); - long start1 = System.currentTimeMillis(); - checkColPrivInternal2(currentUser, ctl, db, tbl, cols); - LOG.warn("=============batch============= {} ms", System.currentTimeMillis() - start1); } - private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col) { + private boolean checkColPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, String col, + PrivPredicate wanted, PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); - RangerAccessRequestImpl request = createRequest(currentUser, DorisAccessType.SELECT); - request.setResource(resource); - dorisPlugin.isAccessAllowed(request); - return true; - } - - private boolean checkColPrivInternal2(UserIdentity 
currentUser, String ctl, String db, String tbl, - Set cols) { - List requests = Lists.newArrayList(); - for (String col : cols) { - RangerDorisResource resource = new RangerDorisResource(DorisObjectType.COLUMN, - ctl, ClusterNamespace.getNameFromFullName(db), tbl, col); - RangerAccessRequestImpl request = createRequest(currentUser, DorisAccessType.SELECT); - request.setResource(resource); - requests.add(request); - } - dorisPlugin.isAccessAllowed(requests); - return true; + return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @Override From ad89eb56dfc639ba5eace4e0ba4c1d651762a903 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Tue, 24 Sep 2024 14:46:46 +0800 Subject: [PATCH 18/21] 1 --- .../doris/RangerDorisAccessController.java | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 4f53c3cfb336ee..3b2a92eb150935 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -30,6 +30,7 @@ import com.google.common.annotations.VisibleForTesting; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest.ResourceMatchingScope; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; 
@@ -126,8 +127,15 @@ public boolean checkGlobalPrivInternal(UserIdentity currentUser, PrivPredicate w @Override public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { PrivBitSet checkedPrivs = PrivBitSet.of(); - return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) - || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs); + if (checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs)) { + return true; + } + // if user has any privs of table in this db, and the wanted priv is SHOW, return true + if (wanted == PrivPredicate.SHOW && checkAnyPrivWithinCtl(currentUser, ctl)) { + return true; + } + return false; } public boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPredicate wanted, @@ -136,6 +144,15 @@ public boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPr return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } + private boolean checkAnyPrivWithinCtl(UserIdentity currentUser, String ctl) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.CATALOG, ctl); + RangerAccessRequestImpl request = createRequest(currentUser); + request.setResource(resource); + request.setResourceMatchingScope(ResourceMatchingScope.SELF_OR_DESCENDANTS); + RangerAccessResult result = dorisPlugin.isAccessAllowed(request); + return checkRequestResult(request, result, null); + } + @Override public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted) { PrivBitSet checkedPrivs = PrivBitSet.of(); From 3703dd766f686f418c8fb708ab09042aecff0128 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Tue, 24 Sep 2024 15:05:21 +0800 Subject: [PATCH 19/21] 1 --- .../doris/RangerDorisAccessController.java | 50 +++++++++++++++---- 1 file changed, 40 insertions(+), 10 deletions(-) 
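Review bot: `checkAnyPrivWithinCtl` builds its request with `createRequest(currentUser)` and never sets an access type, then queries the plugin with `ResourceMatchingScope.SELF_OR_DESCENDANTS`, so the question put to Ranger is roughly "is any access allowed on this catalog or anything below it" — a much wider match than every other check in the class, which should be stated on the helper, e.g. `/** True if some Ranger policy grants the user any access on {@code ctl} or on a resource below it; used only to derive SHOW, never for a concrete privilege. */`. The third argument of `checkRequestResult(request, result, null)` is a `null` where the other call sites pass an access-type name, which risks a NullPointerException or an empty name on the denial path (the method body is outside the hunk). The guard `wanted == PrivPredicate.SHOW` is an identity comparison; if `PrivPredicate` is a class with shared constants rather than an enum, a predicate built elsewhere with the same bits would not take this branch, so an `equals`-based check would be safer — the same guard recurs in `checkDbPriv` and `checkTblPriv` in PATCH 19. The comment `// if user has any privs of table in this db` describes database scope while the method checks catalog scope.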
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 3b2a92eb150935..05f7b7d865d384 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -96,6 +96,17 @@ private boolean checkPrivilegeByPlugin(UserIdentity currentUser, DorisAccessType return checkRequestResult(request, result, accessType.name()); } + private boolean checkShowPrivilegeByPlugin(UserIdentity currentUser, RangerDorisResource resource) { + RangerAccessRequestImpl request = createRequest(currentUser); + request.setResource(resource); + request.setResourceMatchingScope(ResourceMatchingScope.SELF_OR_DESCENDANTS); + if (LOG.isDebugEnabled()) { + LOG.debug("ranger request: {}", request); + } + RangerAccessResult result = dorisPlugin.isAccessAllowed(request); + return checkRequestResult(request, result, DorisAccessType.NONE.name()); + } + private boolean checkPrivilege(UserIdentity currentUser, PrivPredicate wanted, RangerDorisResource resource, PrivBitSet checkedPrivs) { PrivBitSet copy = wanted.getPrivs().copy(); @@ -131,7 +142,6 @@ public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs)) { return true; } - // if user has any privs of table in this db, and the wanted priv is SHOW, return true if (wanted == PrivPredicate.SHOW && checkAnyPrivWithinCtl(currentUser, ctl)) { return true; } 
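Review bot: `checkShowPrivilegeByPlugin` is the one place that widens resource matching to `SELF_OR_DESCENDANTS` and sends a request without an access type, and it carries no documentation saying that this is deliberately a "holds any privilege anywhere below this resource" probe used only to derive SHOW; a Javadoc such as `/** Asks Ranger whether the user holds any access on {@code resource} or on any descendant (no access type, SELF_OR_DESCENDANTS scope). Only used to derive SHOW on catalogs, databases and tables; never for a concrete privilege. */` would keep it from being reused for real privilege checks. Passing `DorisAccessType.NONE.name()` into `checkRequestResult` also deserves a line saying it is only the label used in the denial message, if that is what the method does with it (its body is outside the hunk). Removing the misleading catalog comment is right; the explanation belongs on the helper instead.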
@@ -146,19 +156,21 @@ public boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPr private boolean checkAnyPrivWithinCtl(UserIdentity currentUser, String ctl) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.CATALOG, ctl); - RangerAccessRequestImpl request = createRequest(currentUser); - request.setResource(resource); - request.setResourceMatchingScope(ResourceMatchingScope.SELF_OR_DESCENDANTS); - RangerAccessResult result = dorisPlugin.isAccessAllowed(request); - return checkRequestResult(request, result, null); + return checkShowPrivilegeByPlugin(currentUser, resource); } @Override public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted) { PrivBitSet checkedPrivs = PrivBitSet.of(); - return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + if (checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) - || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs); + || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs)) { + return true; + } + if (wanted == PrivPredicate.SHOW && checkAnyPrivWithinDb(currentUser, ctl, db)) { + return true; + } + return false; } public boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted, 
@@ -168,13 +180,25 @@ public boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } + private boolean checkAnyPrivWithinDb(UserIdentity currentUser, String ctl, String db) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl, + ClusterNamespace.getNameFromFullName(db)); + return checkShowPrivilegeByPlugin(currentUser, resource); + } + @Override public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { PrivBitSet checkedPrivs = PrivBitSet.of(); - return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) + if (checkGlobalPrivInternal(currentUser, wanted, checkedPrivs) || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs) || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs) - || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs); + || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs)) { + return true; + } + if (wanted == PrivPredicate.SHOW && checkAnyPrivWithinTbl(currentUser, ctl, db, tbl)) { + return true; + } + return false; } public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl, @@ -184,6 +208,12 @@ public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } + private boolean checkAnyPrivWithinTbl(UserIdentity currentUser, String ctl, String db, String tbl) { + RangerDorisResource resource = new RangerDorisResource(DorisObjectType.TABLE, + ctl, ClusterNamespace.getNameFromFullName(db), tbl); + return checkShowPrivilegeByPlugin(currentUser, resource); + } + @Override public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, PrivPredicate wanted) throws AuthorizationException { From 9d8feaf783ab51149e3b66d6bf1052dd964c4ffd Mon Sep 17 00:00:00 2001 
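Review bot: `checkTblPriv` is now written as an `if` over the chained `*Internal` checks returning `true`, a second `if` on `wanted == PrivPredicate.SHOW && checkAnyPrivWithinTbl(...)` returning `true`, and a trailing `return false`; that is a style point — the two blocks collapse into a single boolean expression with identical short-circuit order and no change in behavior, as below. The same shape appears in `checkDbPriv` in the preceding hunk and in `checkCtlPriv` from PATCH 18, where the same rewrite applies. The enclosing class continues outside the hunk.
```java
    public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) {
        PrivBitSet checkedPrivs = PrivBitSet.of();
        // SHOW is additionally granted when the user holds any privilege below the table
        return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs)
                || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs)
                || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs)
                || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs)
                || (wanted == PrivPredicate.SHOW && checkAnyPrivWithinTbl(currentUser, ctl, db, tbl));
    }
```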
From: zhangdong <493738387@qq.com> Date: Tue, 24 Sep 2024 15:50:47 +0800 Subject: [PATCH 20/21] 1 --- .../ranger/doris/RangerDorisAccessController.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 05f7b7d865d384..8a7bea57534f6e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -130,7 +130,7 @@ public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { return checkGlobalPrivInternal(currentUser, wanted, checkedPrivs); } - public boolean checkGlobalPrivInternal(UserIdentity currentUser, PrivPredicate wanted, PrivBitSet checkedPrivs) { + private boolean checkGlobalPrivInternal(UserIdentity currentUser, PrivPredicate wanted, PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.GLOBAL, GLOBAL_PRIV_FIXED_NAME); return checkPrivilege(currentUser, wanted, resource, checkedPrivs); } @@ -148,7 +148,7 @@ public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate return false; } - public boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPredicate wanted, + private boolean checkCtlPrivInternal(UserIdentity currentUser, String ctl, PrivPredicate wanted, PrivBitSet checkedPrivs) { RangerDorisResource resource = new RangerDorisResource(DorisObjectType.CATALOG, ctl); return checkPrivilege(currentUser, wanted, resource, checkedPrivs); 
@@ -173,7 +173,7 @@ public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, Priv
 return false;
 }
 
- public boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted,
+ private boolean checkDbPrivInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted,
 PrivBitSet checkedPrivs) {
 RangerDorisResource resource = new RangerDorisResource(DorisObjectType.DATABASE, ctl,
 ClusterNamespace.getNameFromFullName(db));
@@ -201,7 +201,7 @@ public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, Str
 return false;
 }
 
- public boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl,
+ private boolean checkTblPrivInternal(UserIdentity currentUser, String ctl, String db, String tbl,
 PrivPredicate wanted, PrivBitSet checkedPrivs) {
 RangerDorisResource resource = new RangerDorisResource(DorisObjectType.TABLE,
 ctl, ClusterNamespace.getNameFromFullName(db), tbl);
From ea7e63ae2e8ee494eb0b43357c1cb7f0a7813b6d Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com> Date: Tue, 8 Oct 2024 17:46:07 +0800 Subject: [PATCH 21/21] comment --- .../ranger/RangerAccessController.java | 4 + .../cache/CatalogCacheAccessController.java | 91 --------------- .../ranger/cache/DatamaskCacheKey.java | 89 --------------- .../authorizer/ranger/cache/RangerCache.java | 107 ------------------ .../cache/RangerCacheInvalidateListener.java | 41 ------- .../ranger/cache/RowFilterCacheKey.java | 82 -------------- .../RangerCacheDorisAccessController.java | 44 ------- .../hive/RangerCacheHiveAccessController.java | 47 -------- 8 files changed, 4 insertions(+), 501 deletions(-) delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java delete mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java index 813226fd9de840..7a2779b43b1c6b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java 
@@ -93,6 +93,10 @@ public List evalRowFilterPolicies(UserIdentity curren
 String tbl) {
 RangerAccessResourceImpl resource = createResource(ctl, db, tbl);
 RangerAccessRequestImpl request = createRequest(currentUser);
+ // If the access type is not set here, it defaults to ANY1 ACCESS.
+ // The internal logic of the ranger is to traverse all permission items.
+ // Since the ranger UI will set the access type to 'SELECT',
+ // we will keep it consistent with the UI here to avoid performance issues
 request.setAccessType(DorisAccessType.SELECT.name());
 request.setResource(resource);
 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
deleted file mode 100644
index 4b2aca0628a59a..00000000000000
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
+++ /dev/null
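Review bot: The first line of the new comment says the default is `ANY1 ACCESS`, which looks like a typo for Ranger's "any access" type and will send the next reader looking for a constant that does not exist; `// If the access type is not set here, it defaults to ANY ACCESS.` reads as intended. The rest of the comment would be clearer if it stated the trade-off directly: pinning the request to SELECT narrows what the policy engine has to evaluate, so a row-filter policy defined for some other access type would not be matched here, which the comment suggests is acceptable because the Ranger UI itself sets SELECT for row filters. evalRowFilterPolicies continues past the end of the hunk.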
@@ -1,91 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.ResourceTypeEnum; -import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.common.AuthorizationException; -import org.apache.doris.mysql.privilege.CatalogAccessController; -import org.apache.doris.mysql.privilege.DataMaskPolicy; -import org.apache.doris.mysql.privilege.PrivPredicate; -import org.apache.doris.mysql.privilege.RowFilterPolicy; - -import java.util.List; -import java.util.Optional; -import java.util.Set; - -public abstract class CatalogCacheAccessController implements CatalogAccessController { - public abstract CatalogAccessController getProxyController(); - - public abstract RangerCache getCache(); - - - @Override - public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { - return getProxyController().checkGlobalPriv(currentUser, wanted); - } - - @Override - public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { - return getProxyController().checkCtlPriv(currentUser, ctl, wanted); - } - - @Override - public boolean checkDbPriv(UserIdentity currentUser, String ctl, String 
db, PrivPredicate wanted) { - return getProxyController().checkDbPriv(currentUser, ctl, db, wanted); - } - - @Override - public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { - return getProxyController().checkTblPriv(currentUser, ctl, db, tbl, wanted); - } - - @Override - public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { - return getProxyController().checkResourcePriv(currentUser, resourceName, wanted); - } - - @Override - public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted) { - return getProxyController().checkWorkloadGroupPriv(currentUser, workloadGroupName, wanted); - } - - @Override - public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, - PrivPredicate wanted) throws AuthorizationException { - getProxyController().checkColsPriv(currentUser, ctl, db, tbl, cols, wanted); - } - - @Override - public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted, - ResourceTypeEnum type) { - return getProxyController().checkCloudPriv(currentUser, resourceName, wanted, type); - } - - @Override - public Optional evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl, - String col) { - return getCache().getDataMask(new DatamaskCacheKey(currentUser, ctl, db, tbl, col)); - } - - @Override - public List evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, - String tbl) { - return getCache().getRowFilters(new RowFilterCacheKey(currentUser, ctl, db, tbl)); - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java deleted file mode 100644 index d2262d094f9cef..00000000000000 
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java +++ /dev/null 
@@ -1,89 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.UserIdentity; - -import com.google.common.base.Objects; - -public class DatamaskCacheKey { - private UserIdentity userIdentity; - private String ctl; - private String db; - private String tbl; - private String col; - - public DatamaskCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl, String col) { - this.userIdentity = userIdentity; - this.ctl = ctl; - this.db = db; - this.tbl = tbl; - this.col = col; - } - - public UserIdentity getUserIdentity() { - return userIdentity; - } - - public String getCtl() { - return ctl; - } - - public String getDb() { - return db; - } - - public String getTbl() { - return tbl; - } - - public String getCol() { - return col; - } - - @Override - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o == null || getClass() != o.getClass()) { - return false; - } - DatamaskCacheKey that = (DatamaskCacheKey) o; - return Objects.equal(userIdentity, that.userIdentity) - && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) - && Objects.equal(tbl, that.tbl) && Objects.equal(col, - 
that.col); - } - - @Override - public int hashCode() { - return Objects.hashCode(userIdentity, ctl, db, tbl, col); - } - - @Override - public String toString() { - return "DatamaskCacheKey{" - + "userIdentity=" + userIdentity - + ", ctl='" + ctl + '\'' - + ", db='" + db + '\'' - + ", tbl='" + tbl + '\'' - + ", col='" + col + '\'' - + '}'; - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java deleted file mode 100644 index 29c068b1aff991..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java +++ /dev/null 
@@ -1,107 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.common.Config; -import org.apache.doris.datasource.CacheException; -import org.apache.doris.mysql.privilege.CatalogAccessController; -import org.apache.doris.mysql.privilege.DataMaskPolicy; -import org.apache.doris.mysql.privilege.RowFilterPolicy; - -import com.google.common.cache.CacheBuilder; -import com.google.common.cache.CacheLoader; -import com.google.common.cache.LoadingCache; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.util.List; -import java.util.Objects; -import java.util.Optional; -import java.util.concurrent.ExecutionException; - -public class RangerCache { - private static final Logger LOG = LoggerFactory.getLogger(RangerCache.class); - - private CatalogAccessController controller; - private LoadingCache> datamaskCache = CacheBuilder.newBuilder() - .maximumSize(Config.ranger_cache_size) - .build(new CacheLoader>() { - @Override - public Optional load(DatamaskCacheKey key) { - return loadDataMask(key); - } - }); - - private LoadingCache> rowFilterCache = CacheBuilder.newBuilder() - .maximumSize(Config.ranger_cache_size) - 
.build(new CacheLoader>() { - @Override - public List load(RowFilterCacheKey key) { - return loadRowFilter(key); - } - }); - - public RangerCache() { - } - - public void init(CatalogAccessController controller) { - this.controller = controller; - } - - private Optional loadDataMask(DatamaskCacheKey key) { - Objects.requireNonNull(controller, "controller can not be null"); - if (LOG.isDebugEnabled()) { - LOG.debug("load datamask: {}", key); - } - return controller.evalDataMaskPolicy(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl(), - key.getCol()); - } - - private List loadRowFilter(RowFilterCacheKey key) { - Objects.requireNonNull(controller, "controller can not be null"); - if (LOG.isDebugEnabled()) { - LOG.debug("load row filter: {}", key); - } - return controller.evalRowFilterPolicies(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl()); - } - - public void invalidateDataMaskCache() { - datamaskCache.invalidateAll(); - } - - public void invalidateRowFilterCache() { - rowFilterCache.invalidateAll(); - } - - public Optional getDataMask(DatamaskCacheKey key) { - try { - return datamaskCache.get(key); - } catch (ExecutionException e) { - throw new CacheException("failed to get datamask for:" + key, e); - } - } - - public List getRowFilters(RowFilterCacheKey key) { - try { - return rowFilterCache.get(key); - } catch (ExecutionException e) { - throw new CacheException("failed to get row filter for:" + key, e); - } - } - -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java deleted file mode 100644 index 4af56a8ff1bacf..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java +++ /dev/null 
@@ -1,41 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; - -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.apache.ranger.plugin.service.RangerAuthContextListener; - -public class RangerCacheInvalidateListener implements RangerAuthContextListener { - private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class); - - private RangerCache cache; - - public RangerCacheInvalidateListener(RangerCache cache) { - this.cache = cache; - } - - @Override - public void contextChanged() { - LOG.info("ranger context changed"); - cache.invalidateDataMaskCache(); - cache.invalidateRowFilterCache(); - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java deleted file mode 100644 index 08afcb40fcb59b..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java +++ /dev/null 
@@ -1,82 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.UserIdentity; - -import com.google.common.base.Objects; - -public class RowFilterCacheKey { - private UserIdentity userIdentity; - private String ctl; - private String db; - private String tbl; - - public RowFilterCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl) { - this.userIdentity = userIdentity; - this.ctl = ctl; - this.db = db; - this.tbl = tbl; - } - - public UserIdentity getUserIdentity() { - return userIdentity; - } - - public String getCtl() { - return ctl; - } - - public String getDb() { - return db; - } - - public String getTbl() { - return tbl; - } - - - @Override - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o == null || getClass() != o.getClass()) { - return false; - } - RowFilterCacheKey that = (RowFilterCacheKey) o; - return Objects.equal(userIdentity, that.userIdentity) - && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) - && Objects.equal(tbl, that.tbl); - } - - @Override - public int hashCode() { - return Objects.hashCode(userIdentity, ctl, db, tbl); - } - - @Override - 
public String toString() { - return "DatamaskCacheKey{" - + "userIdentity=" + userIdentity - + ", ctl='" + ctl + '\'' - + ", db='" + db + '\'' - + ", tbl='" + tbl + '\'' - + '}'; - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java deleted file mode 100644 index 2cbc8111d52c9c..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java +++ /dev/null 
@@ -1,44 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.doris; - -import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; -import org.apache.doris.mysql.privilege.CatalogAccessController; - -public class RangerCacheDorisAccessController extends CatalogCacheAccessController { - private CatalogAccessController proxyController; - private RangerCache cache; - - public RangerCacheDorisAccessController(String serviceName) { - this.cache = new RangerCache(); - this.proxyController = new RangerDorisAccessController(serviceName, new RangerCacheInvalidateListener(cache)); - this.cache.init(proxyController); - } - - @Override - public CatalogAccessController getProxyController() { - return proxyController; - } - - @Override - public RangerCache getCache() { - return cache; - } -} 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java deleted file mode 100644 index f4f510a12e641c..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java +++ /dev/null 
@@ -1,47 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.hive; - -import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; -import org.apache.doris.mysql.privilege.CatalogAccessController; - -import java.util.Map; - -public class RangerCacheHiveAccessController extends CatalogCacheAccessController { - - private CatalogAccessController proxyController; - private RangerCache cache; - - public RangerCacheHiveAccessController(Map properties) { - this.cache = new RangerCache(); - this.proxyController = new RangerHiveAccessController(properties, new RangerCacheInvalidateListener(cache)); - this.cache.init(proxyController); - } - - @Override - public CatalogAccessController getProxyController() { - return proxyController; - } - - @Override - public RangerCache getCache() { - return cache; - } -}