diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index 328f8b5279..482656e93c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -110,7 +110,7 @@ public class GrantStmt extends DdlStmt {
 }
 
 @Override
- public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
+ public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 if (userIdent != null) {
 userIdent.analyze(analyzer.getClusterName());
@@ -214,14 +214,11 @@ public class GrantStmt extends DdlStmt {
 public static void checkResourcePrivileges(List privileges, String role,
 ResourcePattern resourcePattern) throws AnalysisException {
- // Rule 1
- if (privileges.contains(Privilege.NODE_PRIV)) {
- throw new AnalysisException("Can not grant/revoke NODE_PRIV to/from any other users or roles");
- }
-
- // Rule 2
- if (resourcePattern.getPrivLevel() != PrivLevel.GLOBAL && privileges.contains(Privilege.ADMIN_PRIV)) {
- throw new AnalysisException("ADMIN_PRIV privilege can only be granted/revoked on/from resource *");
+ for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; i++) {
+ if (privileges.contains(Privilege.notBelongToResourcePrivileges[i])) {
+ throw new AnalysisException(String.format("Can not grant/revoke %s to/from any other users or roles",
+ Privilege.notBelongToResourcePrivileges[i]));
+ }
 }
 
 if (role != null) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
index 412fd0aa56..82bb9c911f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
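Review bot: The new loop in checkResourcePrivileges turns the resource-grant check into a denylist: a privilege is accepted on a resource unless it is listed in `Privilege.notBelongToResourcePrivileges`, so any `Privilege` constant added later becomes grantable on resources by default, which is a fail-open authorization check. Since the comment introduced next to that list says only GRANT_PRIV and USAGE_PRIV apply to resources, an allowlist is the safer shape: `for (Privilege p : privileges) { if (p != Privilege.GRANT_PRIV && p != Privilege.USAGE_PRIV) { throw new AnalysisException(String.format("Can not grant/revoke %s on a resource", p)); } }`, which also replaces the message "to/from any other users or roles" that no longer describes the reason for the rejection. Note that dropping the old Rule 2 removes the `PrivLevel.GLOBAL` exemption, so ADMIN_PRIV is now rejected on `resource *` as well; that appears intended but deserves a sentence in the commit message, and if this was the only use of `PrivLevel` in the file the import is presumably now unused. The method body continues past the end of the hunk.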
@@ -44,6 +44,17 @@ public enum Privilege {
 USAGE_PRIV
 };
 
+ // only GRANT_PRIV and USAGE_PRIV can grant on resource
+ public static Privilege[] notBelongToResourcePrivileges = {
+ NODE_PRIV,
+ ADMIN_PRIV,
+ SELECT_PRIV,
+ LOAD_PRIV,
+ ALTER_PRIV,
+ CREATE_PRIV,
+ DROP_PRIV
+ };
+
 public static Map privInDorisToMysql = ImmutableMap.builder()
 // No NODE_PRIV and ADMIN_PRIV in the mysql
 .put(SELECT_PRIV, "SELECT")
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
index c75fb797e1..8e26cac872 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -1580,7 +1580,19 @@ public class AuthTest {
 }
 Assert.assertFalse(accessManager.checkResourcePriv(userIdentity, resourceName, PrivPredicate.USAGE));
 Assert.assertFalse(accessManager.checkGlobalPriv(userIdentity, PrivPredicate.USAGE));
-
+ // 3.1 grant 'notBelongToResourcePrivileges' on resource 'spark0' to 'testUser'@'%'
+ for (int i = 0; i < Privilege.notBelongToResourcePrivileges.length; i++) {
+ List notAllowedPrivileges = Lists
+ .newArrayList(AccessPrivilege.fromName(Privilege.notBelongToResourcePrivileges[i].getName()));
+ grantStmt = new GrantStmt(userIdentity, null, resourcePattern, notAllowedPrivileges);
+ try {
+ grantStmt.analyze(analyzer);
+ Assert.fail(String.format("Can not grant/revoke %s to/from any other users or roles",
+ Privilege.notBelongToResourcePrivileges[i]));
+ } catch (UserException e) {
+ e.printStackTrace();
+ }
+ }
 // 4. drop user
 DropUserStmt dropUserStmt = new DropUserStmt(userIdentity);
 try {
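Review bot: `notBelongToResourcePrivileges` is declared as a `public static` non-final array, so any code in the process can reassign it or overwrite an element (e.g. store `USAGE_PRIV` into slot 0) and silently weaken the resource-grant check in `GrantStmt.checkResourcePrivileges` that iterates it. At minimum declare it `public static final Privilege[] notBelongToResourcePrivileges = { ... }`; since `final` does not freeze array elements, an unmodifiable set such as `Collections.unmodifiableSet(EnumSet.of(NODE_PRIV, ADMIN_PRIV, SELECT_PRIV, LOAD_PRIV, ALTER_PRIV, CREATE_PRIV, DROP_PRIV))` (or Guava's `ImmutableSet`, as the file already builds an `ImmutableMap` just below) is the proper fix, with callers switched to `contains`/for-each. The comment above the field should also say what it is so the list is kept in sync, e.g. `// Denylist of privileges that can never be granted/revoked on a resource; every new Privilege constant must be added here unless it is resource-scoped.`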
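Review bot: The catch block at the end of the new loop accepts any `UserException` and only prints it, so the test still passes if `analyze` rejects the statement for an unrelated reason and never proves that the `notBelongToResourcePrivileges` rule is what fired. Assert on the message instead of calling `printStackTrace`: `} catch (UserException e) {` / `Assert.assertTrue(e.getMessage(), e.getMessage().contains("Can not grant/revoke " + Privilege.notBelongToResourcePrivileges[i]));` / `}`. The `Assert.fail` text would also read better as a failure description, e.g. `"expected analyze() to reject " + Privilege.notBelongToResourcePrivileges[i] + " on a resource"`, rather than echoing the production error message. The enclosing test method starts before this hunk.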