From 188cbabb586b1360310b917c81e7deee44842ed4 Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Mon, 21 Apr 2025 14:15:07 +0800
Subject: [PATCH] [enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP (#50137)

### What problem does this PR solve?

- In version 2.1, the global permission check still calls the internal permission interface. If grant is not allowed, it will be impossible to assign admin and other permissions to users
- According to the current design of LDAP, if there is no user in LDAP, Doris will check again to see if the user exists internally. If there is, login will also be allowed. Therefore, creating users should not be prohibited
---
 .../java/org/apache/doris/analysis/CreateRoleStmt.java | 6 ------
 .../java/org/apache/doris/analysis/CreateUserStmt.java | 8 --------
 .../main/java/org/apache/doris/analysis/DropRoleStmt.java | 6 ------
 .../main/java/org/apache/doris/analysis/DropUserStmt.java | 7 -------
 .../main/java/org/apache/doris/analysis/GrantStmt.java | 5 -----
 .../main/java/org/apache/doris/analysis/RevokeStmt.java | 5 -----
 6 files changed, 37 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
index 9021402d48..f98e60dcff 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
@@ -18,8 +18,6 @@
 package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -63,10 +61,6 @@ public class CreateRoleStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Create role is prohibited when Ranger is enabled.");
- }
-
 FeNameFormat.checkRoleName(role, false /* can not be admin */, "Can not create role");
 
 // check if current user has GRANT priv on GLOBAL level.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
index 9c07b7aee1..03ecb13adf 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
@@ -18,13 +18,10 @@
 package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.mysql.privilege.Role;
 import org.apache.doris.qe.ConnectContext;
@@ -119,11 +116,6 @@ public class CreateUserStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Create user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 
 if (userIdent.isRootUser()) {
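Review bot: In CreateRoleStmt.analyze nothing now records why role DDL is accepted while `Config.access_controller_type` is `ranger-doris`, and the deleted guard is the kind of check a later cleanup could easily restore. A comment above the role-name check would carry the rationale from the commit message, for example `// Role DDL stays allowed under ranger-doris: global privilege checks still use the internal auth data.` The only gate left in view is the GRANT-on-GLOBAL check announced by the trailing comment, whose code is outside this hunk, so a regression test that runs the statement with ranger-doris configured as a user lacking that privilege would pin the intended behaviour. The DropRoleStmt.analyze hunk has the same gap.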
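Review bot: With the guard removed from CreateUserStmt.analyze, internal accounts can be created while LDAP is the authentication type, and per the commit description such an account is accepted at login whenever the name is absent from LDAP. Removing a person from the directory therefore no longer ends their access if an internal account of the same name exists, which weakens LDAP as the single deprovisioning point. I would state this next to the statement, for example `// With LDAP enabled, internal users are a login fallback for names missing in LDAP; drop them when the directory entry is removed.`, and confirm that CREATE USER under LDAP shows up in the audit log. analyze continues past the end of the hunk; the DropUserStmt.analyze hunk re-enables the matching cleanup path.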
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
index 468b86579f..5bdbb45e51 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
@@ -18,8 +18,6 @@
 package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -53,10 +51,6 @@ public class DropRoleStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Drop role is prohibited when Ranger is enabled.");
- }
-
 FeNameFormat.checkRoleName(role, false /* can not be superuser */, "Can not drop role");
 
 // check if current user has GRANT priv on GLOBAL level.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
index cd98feeefe..f9097900c5 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
@@ -19,11 +19,9 @@ package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
 
@@ -56,11 +54,6 @@ public class DropUserStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
 super.analyze(analyzer);
 
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Drop user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 
 if (userIdent.isSystemUser()) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index 883a8edafc..411f8c6fca 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -21,7 +21,6 @@ import org.apache.doris.analysis.CompoundPredicate.Operator;
 import org.apache.doris.catalog.AccessPrivilegeWithCols;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -139,10 +138,6 @@ public class GrantStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Grant is prohibited when Ranger is enabled.");
- }
-
 if (userIdent != null) {
 userIdent.analyze();
 } else {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
index 3b2dd7167a..9c1eb4ef1c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
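Review bot: Removing the guard in GrantStmt.analyze admits every GRANT under ranger-doris, not only the global-level grants that the commit message gives as the reason. Grants on catalogs, databases or tables would then be stored in Doris's internal privilege data while, presumably, Ranger policies decide access to those resources, so what an operator sees as granted and what is enforced can drift apart. If only global privileges are meant to stay internal, consider still rejecting non-global resource patterns when `Config.access_controller_type` is `ranger-doris`, or at least add `// Under ranger-doris only global privileges are evaluated from internal grants; resource-level access comes from Ranger policies.` The same applies to the RevokeStmt.analyze hunk, where a REVOKE that succeeds internally may leave Ranger-granted access in place. analyze continues outside the hunk, so the later privilege checks are not visible here.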
@@ -19,7 +19,6 @@ package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.AccessPrivilegeWithCols;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.mysql.privilege.ColPrivilegeKey;
@@ -119,10 +118,6 @@ public class RevokeStmt extends DdlStmt {
 
 @Override
 public void analyze(Analyzer analyzer) throws AnalysisException {
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Revoke is prohibited when Ranger is enabled.");
- }
-
 if (userIdent != null) {
 userIdent.analyze();
 } else {
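Review bot: RevokeStmt.analyze, as it reads after this change, starts directly with the `userIdent` check and does not call `super.analyze(analyzer)`, whereas the other five statements touched by this patch all call it first. If the omission is deliberate, a short comment should say why; otherwise `super.analyze(analyzer);` as the first statement would align it with GrantStmt, which may also require widening the throws clause to `UserException`. The method body continues outside the hunk, so a later call cannot be ruled out from here.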