From 7db3f09925df556cab946adc78fb18815e039fce Mon Sep 17 00:00:00 2001 From: zhangdong Date: Wed, 13 Aug 2025 17:05:38 +0800 Subject: [PATCH] [enhance](auth)support ldap user show grants (#54087) The LDAP user does not exist in Doris, so a "user does not exist" prompt will appear when executing the "show grants" command. It is a reasonable requirement for users to check their own permissions after logging in. Therefore, this PR enables LDAP users to view their own permissions when executing `show grants` themselves. However, others are still unable to do so, whether by specifying a particular username or checking all users. # Conflicts: # fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ShowGrantsCommand.java # fe/fe-core/src/test/java/org/apache/doris/nereids/trees/plans/commands/ShowGrantsCommandTest.java
---
 .../java/org/apache/doris/analysis/ShowGrantsStmt.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowGrantsStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowGrantsStmt.java
index 0439544ae0e3a1..b6e473c4f0e466 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowGrantsStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowGrantsStmt.java
@@ -80,16 +80,17 @@ public void analyze(Analyzer analyzer) throws AnalysisException {
 userIdent = ConnectContext.get().getCurrentUserIdentity();
 }
 }
+ boolean isSelf = userIdent != null && ConnectContext.get().getCurrentUserIdentity().equals(userIdent);
 Preconditions.checkState(isAll || userIdent != null);
- UserIdentity self = ConnectContext.get().getCurrentUserIdentity();
- // if show all grants, or show other user's grants, need global GRANT priv.
- if (isAll || !self.equals(userIdent)) {
+ if (isAll || !isSelf) {
 if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
 ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT");
 }
 }
- if (userIdent != null && !Env.getCurrentEnv().getAccessManager().getAuth().doesUserExist(userIdent)) {
+ // ldap user not exist in userManager, so should not check
+ if (userIdent != null && !isSelf && !Env.getCurrentEnv().getAccessManager().getAuth()
+ .doesUserExist(userIdent)) {
 throw new AnalysisException(String.format("User: %s does not exist", userIdent));
 }
 }
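Review bot: The `if (isAll || !isSelf)` line loses the comment that explained why the global GRANT privilege is demanded there, and the new `isSelf` line carries no explanation of its purpose, so a reader now has to infer from the terser second comment that self-lookup is the LDAP carve-out. Suggest restoring a why-comment on the privilege gate, `// showing all grants, or another user's grants, requires the global GRANT priv`, and rewording the new one to `// an LDAP user has no entry in the user manager, so skip the existence check when the session user views its own grants`. Skipping `doesUserExist` for the session identity also means whatever reads the grants after analyze() must tolerate an identity that is absent from the user manager; that path is not in this hunk, so confirm it handles the LDAP case rather than failing later with a less clear error. analyze() begins before the hunk; the final `}` shown appears to close it, though the header's line counts suggest one trailing line is not visible here.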