From 93b9bedaf0409d338b00618b2e4e833e97927f1a Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 11:14:05 +0800
Subject: [PATCH 1/6] 1
---
 .../java/org/apache/doris/analysis/EncryptKeyRef.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
index 7950fe37c4b304..e4d904aad75547 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
@@ -19,10 +19,14 @@
 import org.apache.doris.catalog.Database;
 import org.apache.doris.catalog.EncryptKey;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.Type;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TExprNode;
 import com.google.common.base.Strings;
@@ -62,6 +66,12 @@ private void analyzeEncryptKey(Analyzer analyzer) throws AnalysisException {
 if ("".equals(dbName)) {
 ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
 } else {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
+ dbName, PrivPredicate.SHOW)) {
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ }
 Database database = analyzer.getEnv().getInternalCatalog().getDbOrAnalysisException(dbName);
 EncryptKey encryptKey = database.getEncryptKey(encryptKeyName.getKeyName());
From 88d89966f24572a7e6b176d9f66c3abac7c75e1a Mon Sep 17 00:00:00 2001
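Review bot: The added guard uses `PrivPredicate.SHOW` on the database, which appears to be satisfied by any database-level privilege (the accompanying regression test passes the check after granting only `select_priv`), so any account that can merely see the database's objects can also feed its keys into `AES_ENCRYPT`/`AES_DECRYPT`; if key material is meant to be held more tightly than table listing, use a stricter predicate, or record the decision with `// SHOW on the db is deliberately sufficient to use its encrypt keys`. `ConnectContext.get()` is a thread-local read; if `analyzeEncryptKey` can run without a session (internal or scheduled statements), `checkDbPriv` receives `null` and its behaviour in that case should be confirmed rather than assumed. The catalog is hard-wired to `InternalCatalog.INTERNAL_CATALOG_NAME`, matching the `getInternalCatalog()` lookup on the next line; a why-comment such as `// encrypt keys exist only in the internal catalog` would make that coupling explicit. `analyzeEncryptKey` begins before this hunk and continues after it.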
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 11:44:41 +0800
Subject: [PATCH 2/6] 1
---
 .../auth_p0/test_use_encryptkey_auth.groovy | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
new file mode 100644
index 00000000000000..0ccbd2b7dec267
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@@ -0,0 +1,48 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_use_encryptkey_auth","p0,auth") {
+ String suiteName = "test_version_info_mtmv"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String user = "${suiteName}_user"
+ String key = "${suiteName}_key"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ try_sql("DROP ENCRYPTKEY ${key}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ sql """CREATE ENCRYPTKEY '${key}' AS 'ABCD123456789'"""
+
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ test {
+ sql """
+ sql "SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));"
+ """
+ exception "denied"
+ }
+ }
+ sql """grant select_priv on ${dbName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ sql """
+ sql "SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));"
+ """
+ }
+ try_sql("DROP USER ${user}")
+ try_sql("DROP ENCRYPTKEY ${key}")
+}
From db5f72db8c3fe31d8d154fd72cad3eb2dc514e87 Mon Sep 17 00:00:00 2001
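Review bot: `String suiteName = "test_version_info_mtmv"` looks like a leftover from another suite, and because `user` and `key` are derived from it this test creates and drops `test_version_info_mtmv_user` and `test_version_info_mtmv_key`, which would collide with the fixtures of a suite actually named that way when both run against the same database; it should read `String suiteName = "test_use_encryptkey_auth"`. The positive case after `grant select_priv on ${dbName}` only runs the `SELECT` without inspecting the result, so its pass condition is merely "no exception"; asserting that exactly one row comes back would pin the behaviour the test exists for. `import org.junit.Assert;` is not used anywhere in the file.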
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 11:47:34 +0800
Subject: [PATCH 3/6] 1
---
 regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
index 0ccbd2b7dec267..5b912352416220 100644
--- a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@@ -27,7 +27,7 @@ suite("test_use_encryptkey_auth","p0,auth") {
 try_sql("DROP ENCRYPTKEY ${key}")
 sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
 sql """grant select_priv on regression_test to ${user}"""
- sql """CREATE ENCRYPTKEY '${key}' AS 'ABCD123456789'"""
+ sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
 connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
 test {
From 9644ada312fb1317648a3b447f821d53dfae7b3c Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 11:59:34 +0800
Subject: [PATCH 4/6] 1
---
 .../java/org/apache/doris/analysis/EncryptKeyRef.java | 10 ----------
 .../rules/expression/rules/FoldConstantRuleOnFE.java | 10 ++++++++++
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
index e4d904aad75547..7950fe37c4b304 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
@@ -19,14 +19,10 @@
 import org.apache.doris.catalog.Database;
 import org.apache.doris.catalog.EncryptKey;
-import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.Type;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
-import org.apache.doris.datasource.InternalCatalog;
-import org.apache.doris.mysql.privilege.PrivPredicate;
-import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TExprNode;
 import com.google.common.base.Strings;
@@ -66,12 +62,6 @@ private void analyzeEncryptKey(Analyzer analyzer) throws AnalysisException {
 if ("".equals(dbName)) {
 ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
 } else {
- if (!Env.getCurrentEnv().getAccessManager()
- .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
- dbName, PrivPredicate.SHOW)) {
- ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
- PrivPredicate.SHOW.getPrivs().toString(), dbName);
- }
 Database database = analyzer.getEnv().getInternalCatalog().getDbOrAnalysisException(dbName);
 EncryptKey encryptKey = database.getEncryptKey(encryptKeyName.getKeyName());
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
index b29694d5440e6c..5f3fd857faf0e4 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
@@ -20,7 +20,10 @@
 import org.apache.doris.catalog.EncryptKey;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.cluster.ClusterNamespace;
+import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.util.DebugUtil;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule;
 import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher;
@@ -220,6 +223,13 @@ public Expression visitEncryptKeyRef(EncryptKeyRef encryptKeyRef, ExpressionRewr
 if ("".equals(dbName)) {
 throw new AnalysisException("DB " + dbName + "not found");
 }
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
+ dbName, PrivPredicate.SHOW)) {
+ String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ throw new AnalysisException(message);
+ }
 org.apache.doris.catalog.Database database = Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName);
 if (database == null) {
From 0fb22079cb7a9d9ed83586a8cebb276406120aa8 Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 15:02:39 +0800
Subject: [PATCH 5/6] 1
---
 .../suites/auth_p0/test_use_encryptkey_auth.groovy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
index 5b912352416220..e4d4da98980b5b 100644
--- a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
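Review bot: After this hunk the privilege check exists only in the Nereids constant-folding rule, while the legacy `EncryptKeyRef.analyzeEncryptKey` path, from which the same series removes the identical check, now resolves the key with no privilege test at all; if the legacy planner is still reachable (fallback or session variable), `KEY db.name` can be used without `SHOW` on the database, so either keep a check on both paths or document why the legacy one is unreachable. Putting the check ahead of `getDbNullable` is the right order, since an unauthorized caller sees the same access-denied error whether or not the database exists, and that deserves a why-comment such as `// check privilege before existence so forbidden and missing databases look alike to unauthorized users`. `ConnectContext.get()` is a thread-local; confirm `checkDbPriv` tolerates a `null` context if this rule can run outside a client session. `visitEncryptKeyRef` begins before this hunk and continues after it.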
@@ -32,7 +32,7 @@ suite("test_use_encryptkey_auth","p0,auth") {
 connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
 test {
 sql """
- sql "SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));"
+ SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
 """
 exception "denied"
 }
@@ -40,7 +40,7 @@ suite("test_use_encryptkey_auth","p0,auth") {
 sql """grant select_priv on ${dbName} to ${user}"""
 connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
 sql """
- sql "SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));"
+ SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
 """
 }
 try_sql("DROP USER ${user}")
From 1007ac2ce3163984fe87a67a39b4ef319e73625e Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Mon, 14 Oct 2024 16:34:10 +0800
Subject: [PATCH 6/6] 1
---
 .../suites/auth_p0/test_use_encryptkey_auth.groovy | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
index e4d4da98980b5b..78fc2e4c8a8caa 100644
--- a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@@ -27,6 +27,13 @@ suite("test_use_encryptkey_auth","p0,auth") {
 try_sql("DROP ENCRYPTKEY ${key}")
 sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
 sql """grant select_priv on regression_test to ${user}"""
+ //cloud-mode
+ if (isCloudMode()) {
+ def clusters = sql " SHOW CLUSTERS; "
+ assertTrue(!clusters.isEmpty())
+ def validCluster = clusters[0][0]
+ sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+ }
 sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
 connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
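Review bot: `def validCluster = clusters[0][0]` assumes the cluster name is the first column of `SHOW CLUSTERS`, and `GRANT USAGE_PRIV ON CLUSTER ${validCluster}` then interpolates that value unquoted into SQL; if the column order differs or the name needs quoting, the grant fails or targets the wrong cluster, so a comment naming the expected column, `// SHOW CLUSTERS: first column is the cluster name`, or a lookup by column header would make the assumption explicit. The trailing `;` after the `sql` call and the `//cloud-mode` comment without a space after the slashes are inconsistent with the rest of the file. The grant is undone only by the final `DROP USER`, which lies outside this hunk.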