From 0081a07d524718f384ccf3901ecd20781c4af18e Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 26 Nov 2024 17:17:14 +0800
Subject: [PATCH 1/5] 1
---
 .../org/apache/doris/nereids/StatementContext.java | 10 ++++++++++
 .../doris/nereids/rules/rewrite/CheckPrivileges.java | 6 +++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
index 69848ca8f04da2..a2bfdb3df9b2b2 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
@@ -174,6 +174,8 @@ public class StatementContext implements Closeable {
 private Backend groupCommitMergeBackend;
+ private boolean viewPrivChecked;
+
 public StatementContext() {
 this(ConnectContext.get(), null, 0);
 }
@@ -580,4 +582,12 @@ public void setGroupCommitMergeBackend(
 Backend groupCommitMergeBackend) {
 this.groupCommitMergeBackend = groupCommitMergeBackend;
 }
+
+ public boolean isViewPrivChecked() {
+ return viewPrivChecked;
+ }
+
+ public void setViewPrivChecked(boolean viewPrivChecked) {
+ this.viewPrivChecked = viewPrivChecked;
+ }
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index 74609694431e33..2f381813c54080 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java 
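Review bot: The new `viewPrivChecked` flag gates an authorization check, yet neither the field hunk at @@ -174 nor the accessor hunk at @@ -580 documents what "checked" means or how long the value stays valid. A Javadoc on the field would state the invariant, e.g. `/** Set by CheckPrivileges after its first full pass over this statement's plan; while true the rule returns early, so the base tables behind a view are not re-checked. */`. The setter accepts both directions although the only meaningful transition is false→true, and nothing in this series resets it; a one-way mark method, or at least a note that the flag is never cleared and therefore the context must not outlive a single statement, would make the intent harder to misuse (the StatementContext lifecycle itself is not visible in this patch).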
@@ -49,6 +49,10 @@ public class CheckPrivileges extends ColumnPruning {
 @Override
 public Plan rewriteRoot(Plan plan, JobContext jobContext) {
+ // Only enter once, if repeated, the permissions of the table in the view will be checked
+ if (jobContext.getCascadesContext().getStatementContext().isViewPrivChecked()) {
+ return plan;
+ }
 this.jobContext = jobContext;
 super.rewriteRoot(plan, jobContext);
@@ -59,7 +63,7 @@ public Plan rewriteRoot(Plan plan, JobContext jobContext) {
 @Override
 public Plan visitLogicalView(LogicalView view, PruneContext context) {
 checkColumnPrivileges(view.getView(), computeUsedColumns(view, context.requiredSlots));
-
+ jobContext.getCascadesContext().getStatementContext().setViewPrivChecked(true); // stop check privilege in the view
 return view;
 }
From b3e51ad6dd1ac8d2cfbe4fe937e044bf2a608907 Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 26 Nov 2024 17:34:33 +0800
Subject: [PATCH 2/5] 1
---
 .../auth_p0/test_select_view_auth.groovy | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 regression-test/suites/auth_p0/test_select_view_auth.groovy
diff --git a/regression-test/suites/auth_p0/test_select_view_auth.groovy b/regression-test/suites/auth_p0/test_select_view_auth.groovy
new file mode 100644
index 00000000000000..87ec8cf0aeb758
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_select_view_auth.groovy 
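Review bot: The early return added at the top of `rewriteRoot` (@@ -49) disables the whole rule for every later invocation on the same StatementContext, not only the re-check of a view's base tables, and nothing in the series clears the flag. If the rewrite pipeline can run CheckPrivileges more than once per statement on plans that differ from the first pass (the callers are not visible here), a relation that appears only in a later plan would never be checked; the same concern applies to the renamed guard in patch 5. If "one pass per statement" is the intended invariant, the comment should say so rather than describe the symptom, e.g. `// Run once per statement: a repeated pass would re-check the base tables behind a view, which only needs SELECT on the view itself.` The body of rewriteRoot continues below this hunk.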
@@ -0,0 +1,89 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_select_view_auth","p0,auth") {
+ String suiteName = "test_select_view_auth"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ String dbName = "${suiteName}_db"
+ String tableName1 = "${suiteName}_table1"
+ String tableName2 = "${suiteName}_table2"
+ String viewName = "${suiteName}_view"
+
+ try_sql("drop user ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName1}"""
+ try_sql """drop table if exists ${dbName}.${tableName2}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+
+ sql """create user '${user}' IDENTIFIED by '${pwd}'"""
+
+ //cloud-mode
+ if (isCloudMode()) {
+ def clusters = sql " SHOW CLUSTERS; "
+ assertTrue(!clusters.isEmpty())
+ def validCluster = clusters[0][0]
+ sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+ }
+ sql """create database ${dbName}"""
+ sql("""use ${dbName}""")
+ sql """
+ CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName1}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+
+ sql """
+ CREATE TABLE IF NOT EXISTS 
${dbName}.`${tableName2}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+
+ sql """create view ${dbName}.${viewName} as select * from ${dbName}.${tableName1} union select * from ${dbName}.${tableName2};"""
+
+ sql """grant select_priv on regression_test to ${user}"""
+
+ // table column
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "select * from ${dbName}.${viewName}"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("denied"))
+ }
+ }
+ sql """grant select_priv on ${dbName}.${viewName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ sql "select * from ${dbName}.${viewName}"
+ }
+
+ try_sql("drop user ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName1}"""
+ try_sql """drop table if exists ${dbName}.${tableName2}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+}
From 1dee2801e8a5144d2dc3a30750990a15a4a9222e Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 26 Nov 2024 18:02:07 +0800
Subject: [PATCH 3/5] 1
---
 .../apache/doris/nereids/rules/rewrite/CheckPrivileges.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index 2f381813c54080..b1750032274d69 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -55,7 +55,7 @@ public Plan rewriteRoot(Plan plan, JobContext jobContext) {
 }
 this.jobContext = jobContext;
 super.rewriteRoot(plan, jobContext);
-
+ jobContext.getCascadesContext().getStatementContext().setViewPrivChecked(true);
 // don't rewrite plan
 return plan;
 } 
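Review bot: The negative case in the first `connect` block cannot fail: the `assertTrue(e.getMessage().contains("denied"))` lives inside the `catch`, so if the select unexpectedly succeeds no assertion runs and the suite passes silently, which is exactly the outcome this series must guard against. Record the denial explicitly: `def denied = false` before the `connect`, `denied = true` inside the catch after the existing assertion, and `assertTrue(denied)` after the block. The suite also never shows that the once-per-statement flag does not leak base-table access; after the view grant, a direct `select * from ${dbName}.${tableName1}` as the same user should still be denied, since the user is never granted anything on the tables, and asserting that would pin the intended semantics.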
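Review bot: The added `setViewPrivChecked(true)` line repeats the three-call chain `jobContext.getCascadesContext().getStatementContext()` that the guard a few lines above this hunk already evaluates, which makes the pairing of the guard and the mark easy to miss. Hoisting it into a local at the top of the method, `StatementContext statementContext = jobContext.getCascadesContext().getStatementContext();`, and using it for both `isViewPrivChecked()` and `setViewPrivChecked(true)` keeps the two halves of the invariant visibly together. rewriteRoot begins above this hunk.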
@@ -63,7 +63,6 @@ public Plan rewriteRoot(Plan plan, JobContext jobContext) {
 @Override
 public Plan visitLogicalView(LogicalView view, PruneContext context) {
 checkColumnPrivileges(view.getView(), computeUsedColumns(view, context.requiredSlots));
- jobContext.getCascadesContext().getStatementContext().setViewPrivChecked(true); // stop check privilege in the view
 return view;
 }
From 797da1312cd6cb13f7298a290f51b19ae919092b Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 26 Nov 2024 18:03:01 +0800
Subject: [PATCH 4/5] 1
---
 .../org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index b1750032274d69..f40a8a1839f2ae 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -63,6 +63,7 @@ public Plan rewriteRoot(Plan plan, JobContext jobContext) {
 @Override
 public Plan visitLogicalView(LogicalView view, PruneContext context) {
 checkColumnPrivileges(view.getView(), computeUsedColumns(view, context.requiredSlots));
+ // stop check privilege in the view
 return view;
 }
From 21ad0358f460dda22c37ee9ac248e2fdf618634b Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 26 Nov 2024 18:17:11 +0800
Subject: [PATCH 5/5] 1
---
 .../org/apache/doris/nereids/StatementContext.java | 10 +++++-----
 .../doris/nereids/rules/rewrite/CheckPrivileges.java | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
index a2bfdb3df9b2b2..6b6e335b74a676 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java 
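Review bot: The comment added in patch 4 (`// stop check privilege in the view`) names neither what stops the check nor why it is acceptable; what keeps the rule out of the view definition is presumably `return view` without visiting the view's children, and the test in patch 2 shows the intended policy (SELECT on the view suffices, the user holds no grant on the base tables). Suggest `// Check the view itself only and do not descend into its definition: SELECT on the view is sufficient, the tables it reads are not re-checked here.` The preceding hunk in patch 3 is a pure deletion and needs nothing. The enclosing class continues outside this hunk.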
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
@@ -174,7 +174,7 @@ public class StatementContext implements Closeable {
 private Backend groupCommitMergeBackend;
- private boolean viewPrivChecked;
+ private boolean privChecked;
 public StatementContext() {
 this(ConnectContext.get(), null, 0);
@@ -583,11 +583,11 @@ public void setGroupCommitMergeBackend(
 this.groupCommitMergeBackend = groupCommitMergeBackend;
 }
- public boolean isViewPrivChecked() {
- return viewPrivChecked;
+ public boolean isPrivChecked() {
+ return privChecked;
 }
- public void setViewPrivChecked(boolean viewPrivChecked) {
- this.viewPrivChecked = viewPrivChecked;
+ public void setPrivChecked(boolean privChecked) {
+ this.privChecked = privChecked;
 }
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index f40a8a1839f2ae..ebef2ecea21207 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -50,12 +50,12 @@ public class CheckPrivileges extends ColumnPruning {
 @Override
 public Plan rewriteRoot(Plan plan, JobContext jobContext) {
 // Only enter once, if repeated, the permissions of the table in the view will be checked
- if (jobContext.getCascadesContext().getStatementContext().isViewPrivChecked()) {
+ if (jobContext.getCascadesContext().getStatementContext().isPrivChecked()) {
 return plan;
 }
 this.jobContext = jobContext;
 super.rewriteRoot(plan, jobContext);
- jobContext.getCascadesContext().getStatementContext().setViewPrivChecked(true);
+ jobContext.getCascadesContext().getStatementContext().setPrivChecked(true);
 // don't rewrite plan
 return plan;
 }
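Review bot: After the rename, the guard in the CheckPrivileges hunk (@@ -50) consults a flag now called `privChecked`, which reads as "all privileges have been checked", while the comment above it and the set after `super.rewriteRoot` are still specific to the view re-check; anyone else who sets this generically named flag to true would switch the rule off for the statement. Either keep the name tied to its single writer or reword the comment so the contract is explicit, e.g. `// Set only by this rule after one complete pass; a second pass is skipped so a view's base tables are not re-checked.` Note also that the early return precedes `this.jobContext = jobContext;`, so on a skipped pass the field keeps the previous JobContext — harmless as long as nothing reads it on that path, which is worth stating in the same comment. The two StatementContext hunks above are a pure rename and need nothing further.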