[improvement](auth) support show view priv (#25370)

Issue Number: close #xxx current ,if user has select_priv or load_priv,he can show create table view_name, but this is not safe，so add show_view_priv for show create table view_name mysql SHOW VIEW description: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_show-view
2023-10-14 22:37:51 +08:00
parent ed3e8f9355
commit 471cf2c48b
8 changed files with 197 additions and 7 deletions
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateTableStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateTableStmt.java
@ -20,6 +20,8 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.catalog.TableIf;
+import org.apache.doris.catalog.View;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
@ -103,8 +105,19 @@ public class ShowCreateTableStmt extends ShowStmt {
        }
        tbl.analyze(analyzer);

+        TableIf tableIf = Env.getCurrentEnv().getCatalogMgr()
+                .getCatalogOrAnalysisException(tbl.getCtl())
+                .getDbOrAnalysisException(tbl.getDb()).getTableOrAnalysisException(tbl.getTbl());
+
+        PrivPredicate wanted;
+        if (tableIf instanceof View) {
+            wanted = PrivPredicate.SHOW_VIEW;
+        } else {
+            wanted = PrivPredicate.SHOW;
+        }
+
        if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(), tbl.getCtl(), tbl.getDb(),
-                tbl.getTbl(), PrivPredicate.SHOW)) {
+                tbl.getTbl(), wanted)) {
            ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "SHOW CREATE TABLE",
                                                ConnectContext.get().getQualifiedUser(),
                                                ConnectContext.get().getRemoteIP(),
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/AccessPrivilege.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/AccessPrivilege.java
@ -38,7 +38,8 @@ public enum AccessPrivilege {
    CREATE_PRIV(9, "Privilege for creating database or table"),
    DROP_PRIV(10, "Privilege for dropping database or table"),
    ADMIN_PRIV(11, "All privileges except NODE_PRIV"),
-    USAGE_PRIV(12, "Privilege for use resource");
+    USAGE_PRIV(12, "Privilege for use resource"),
+    SHOW_VIEW_PRIV(13, "Privilege for show view");

    private int flag;
    private String desc;
@ -49,7 +50,7 @@ public enum AccessPrivilege {
    }

    public List<Privilege> toDorisPrivilege() {
-        Preconditions.checkState(flag > 0 && flag < 13);
+        Preconditions.checkState(flag > 0 && flag < 14);
        switch (flag) {
            case 1:
            case 6:
@ -75,6 +76,8 @@ public enum AccessPrivilege {
                return Lists.newArrayList(Privilege.ADMIN_PRIV);
            case 12:
                return Lists.newArrayList(Privilege.USAGE_PRIV);
+            case 13:
+                return Lists.newArrayList(Privilege.SHOW_VIEW_PRIV);
            default:
                return null;
        }
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java
@ -29,8 +29,16 @@ public class PrivPredicate {
            Privilege.LOAD_PRIV,
            Privilege.ALTER_PRIV,
            Privilege.CREATE_PRIV,
+            Privilege.SHOW_VIEW_PRIV,
            Privilege.DROP_PRIV),
            Operator.OR);
+    // show create table 'view'
+    public static final PrivPredicate SHOW_VIEW = PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV,
+            Privilege.CREATE_PRIV,
+            Privilege.ALTER_PRIV,
+            Privilege.DROP_PRIV,
+            Privilege.SHOW_VIEW_PRIV),
+            Operator.OR);
    // show resources
    public static final PrivPredicate SHOW_RESOURCES = PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV,
            Privilege.USAGE_PRIV),
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Privilege.java
@ -30,7 +30,8 @@ public enum Privilege {
    ALTER_PRIV("Alter_priv", 5, "Privilege for alter database or table"),
    CREATE_PRIV("Create_priv", 6, "Privilege for creating database or table"),
    DROP_PRIV("Drop_priv", 7, "Privilege for dropping database or table"),
-    USAGE_PRIV("Usage_priv", 8, "Privilege for using resource or workloadGroup");
+    USAGE_PRIV("Usage_priv", 8, "Privilege for using resource or workloadGroup"),
+    SHOW_VIEW_PRIV("Show_view_priv", 9, "Privilege for show create view");

    public static Privilege[] privileges = {
            NODE_PRIV,
@ -41,7 +42,8 @@ public enum Privilege {
            ALTER_PRIV,
            CREATE_PRIV,
            DROP_PRIV,
-            USAGE_PRIV
+            USAGE_PRIV,
+            SHOW_VIEW_PRIV
    };

    // only GRANT_PRIV and USAGE_PRIV can grant on resource
@ -52,7 +54,8 @@ public enum Privilege {
            LOAD_PRIV,
            ALTER_PRIV,
            CREATE_PRIV,
-            DROP_PRIV
+            DROP_PRIV,
+            SHOW_VIEW_PRIV
    };

    // only GRANT_PRIV and USAGE_PRIV can grant on workloadGroup
@ -63,7 +66,8 @@ public enum Privilege {
            LOAD_PRIV,
            ALTER_PRIV,
            CREATE_PRIV,
-            DROP_PRIV
+            DROP_PRIV,
+            SHOW_VIEW_PRIV
    };

    public static Map<Privilege, String> privInDorisToMysql =
@ -74,6 +78,7 @@ public enum Privilege {
                    .put(CREATE_PRIV, "CREATE")
                    .put(DROP_PRIV, "DROP")
                    .put(USAGE_PRIV, "USAGE")
+                    .put(SHOW_VIEW_PRIV, "SHOW VIEW")
                    .build();

    private String name;