[improvement](auth)only GRANT_PRIV and USAGE_PRIV can GRANT for RESOURCE (#19547)

only GRANT_PRIV and USAGE_PRIV can GRANT for RESOURCE

fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java

@@ -110,7 +110,7 @@ public class GrantStmt extends DdlStmt {
     }
 
     @Override
-    public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
+    public void analyze(Analyzer analyzer) throws UserException {
         super.analyze(analyzer);
         if (userIdent != null) {
             userIdent.analyze(analyzer.getClusterName());
@@ -214,14 +214,11 @@ public class GrantStmt extends DdlStmt {
 
     public static void checkResourcePrivileges(List<Privilege> privileges, String role,
             ResourcePattern resourcePattern) throws AnalysisException {
-        // Rule 1
-        if (privileges.contains(Privilege.NODE_PRIV)) {
-            throw new AnalysisException("Can not grant/revoke NODE_PRIV to/from any other users or roles");
-        }
-
-        // Rule 2
-        if (resourcePattern.getPrivLevel() != PrivLevel.GLOBAL && privileges.contains(Privilege.ADMIN_PRIV)) {
-            throw new AnalysisException("ADMIN_PRIV privilege can only be granted/revoked on/from resource *");
+        for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; i++) {
+            if (privileges.contains(Privilege.notBelongToResourcePrivileges[i])) {
+                throw new AnalysisException(String.format("Can not grant/revoke %s to/from any other users or roles",
+                        Privilege.notBelongToResourcePrivileges[i]));
+            }
         }
 
         if (role != null) {

fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java

@@ -44,6 +44,17 @@ public enum Privilege {
             USAGE_PRIV
     };
 
+    // only GRANT_PRIV and USAGE_PRIV can grant on resource
+    public static Privilege[] notBelongToResourcePrivileges = {
+            NODE_PRIV,
+            ADMIN_PRIV,
+            SELECT_PRIV,
+            LOAD_PRIV,
+            ALTER_PRIV,
+            CREATE_PRIV,
+            DROP_PRIV
+    };
+
     public static Map<Privilege, String> privInDorisToMysql =
             ImmutableMap.<Privilege, String>builder() // No NODE_PRIV and ADMIN_PRIV in the mysql
                     .put(SELECT_PRIV, "SELECT")

fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java

@@ -1580,7 +1580,19 @@ public class AuthTest {
         }
         Assert.assertFalse(accessManager.checkResourcePriv(userIdentity, resourceName, PrivPredicate.USAGE));
         Assert.assertFalse(accessManager.checkGlobalPriv(userIdentity, PrivPredicate.USAGE));
-
+        // 3.1 grant 'notBelongToResourcePrivileges' on resource 'spark0' to 'testUser'@'%'
+        for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; i++) {
+            List<AccessPrivilege> notAllowedPrivileges = Lists
+                    .newArrayList(AccessPrivilege.fromName(Privilege.notBelongToResourcePrivileges[i].getName()));
+            grantStmt = new GrantStmt(userIdentity, null, resourcePattern, notAllowedPrivileges);
+            try {
+                grantStmt.analyze(analyzer);
+                Assert.fail(String.format("Can not grant/revoke %s to/from any other users or roles",
+                        Privilege.notBelongToResourcePrivileges[i]));
+            } catch (UserException e) {
+                e.printStackTrace();
+            }
+        }
         // 4. drop user
         DropUserStmt dropUserStmt = new DropUserStmt(userIdentity);
         try {