apache · CalvinKirs · Nov 11, 2024
diff --git a/...in/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/...in/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
@@ -218,14 +218,6 @@ private boolean checkAnyPrivWithinTbl(UserIdentity currentUser, String ctl, Stri
     public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set<String> cols,
             PrivPredicate wanted) throws AuthorizationException {
         PrivBitSet checkedPrivs = PrivBitSet.of();
-        boolean hasTablePriv = checkGlobalPrivInternal(currentUser, wanted, checkedPrivs)
-                || checkCtlPrivInternal(currentUser, ctl, wanted, checkedPrivs)
-                || checkDbPrivInternal(currentUser, ctl, db, wanted, checkedPrivs)
-                || checkTblPrivInternal(currentUser, ctl, db, tbl, wanted, checkedPrivs);
-        if (hasTablePriv) {
-            return;
-        }
-
         for (String col : cols) {
             if (!checkColPrivInternal(currentUser, ctl, db, tbl, col, wanted, checkedPrivs.copy())) {
                 throw new AuthorizationException(String.format(

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java
@@ -28,8 +28,10 @@
 public interface CatalogAccessController {
     // ==== Catalog ====
     default boolean checkCtlPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, PrivPredicate wanted) {
-        boolean res = checkCtlPriv(currentUser, ctl, wanted);
-        return hasGlobal || res;
+        if (hasGlobal) {
+            return true;
+        }
+        return checkCtlPriv(currentUser, ctl, wanted);
     }
 
     // ==== Global ====
@@ -40,26 +42,34 @@ default boolean checkCtlPriv(boolean hasGlobal, UserIdentity currentUser, String
 
     // ==== Database ====
     default boolean checkDbPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, String db,
-            PrivPredicate wanted) {
-        boolean res = checkDbPriv(currentUser, ctl, db, wanted);
-        return hasGlobal || res;
+                                PrivPredicate wanted) {
+        if (hasGlobal) {
+            return true;
+        }
+        return checkDbPriv(currentUser, ctl, db, wanted);
     }
 
     boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted);
 
     // ==== Table ====
     default boolean checkTblPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, String db, String tbl,
-            PrivPredicate wanted) {
-        boolean res = checkTblPriv(currentUser, ctl, db, tbl, wanted);
-        return hasGlobal || res;
+                                 PrivPredicate wanted) {
+        if (hasGlobal) {
+            return true;
+        }
+        return checkTblPriv(currentUser, ctl, db, tbl, wanted);
     }
 
     boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted);
 
     // ==== Column ====
     default void checkColsPriv(boolean hasGlobal, UserIdentity currentUser, String ctl, String db, String tbl,
-            Set<String> cols, PrivPredicate wanted) throws AuthorizationException {
+                               Set<String> cols, PrivPredicate wanted) throws AuthorizationException {
         try {
+            boolean hasTablePriv = checkTblPriv(hasGlobal, currentUser, ctl, db, tbl, wanted);
+            if (hasTablePriv) {
+                return;
+            }
             checkColsPriv(currentUser, ctl, db, tbl, cols, wanted);
         } catch (AuthorizationException e) {
             if (!hasGlobal) {

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
@@ -473,7 +473,7 @@ public boolean checkColPriv(String ctl, String db, String tbl, String col, PrivP
         if (!colPrivilege.isPresent()) {
             throw new IllegalStateException("this privPredicate should not use checkColPriv:" + wanted);
         }
-        return checkTblPriv(ctl, db, tbl, wanted) || onlyCheckColPriv(ctl, db, tbl, col, colPrivilege.get());
+        return onlyCheckColPriv(ctl, db, tbl, col, colPrivilege.get());
     }
 
     private boolean onlyCheckColPriv(String ctl, String db, String tbl, String col,