[fix](auth)create view check select_priv of table instead of column (#49268)

2025-03-20 23:08:58 +08:00
parent 2560a8ec56
commit 54b3000de5
6 changed files with 28 additions and 56 deletions
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
@ -74,7 +74,7 @@ public class AlterViewStmt extends BaseViewStmt {
        viewDefStmt.setNeedToSql(true);
        Analyzer viewAnalyzer = new Analyzer(analyzer);
        viewDefStmt.analyze(viewAnalyzer);
-        checkQueryAuth();
+        checkQueryAuth(viewAnalyzer);
        createColumnAndViewDefs(analyzer);
    }

--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
@ -18,7 +18,7 @@
 package org.apache.doris.analysis;

 import org.apache.doris.catalog.Column;
-import org.apache.doris.catalog.Env;
+import org.apache.doris.catalog.TableIf;
 import org.apache.doris.catalog.Type;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.DdlException;
@ -27,19 +27,18 @@ import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
 import org.apache.doris.common.util.SqlParserUtils;
 import org.apache.doris.common.util.ToSqlContext;
-import org.apache.doris.datasource.InternalCatalog;
-import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;

 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;

 import java.io.StringReader;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;

@ -92,26 +91,11 @@ public class BaseViewStmt extends DdlStmt {
        return inlineViewDef;
    }

-    protected void checkQueryAuth() throws UserException {
-        for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) {
-            Expr expr = viewDefStmt.getBaseTblResultExprs().get(i);
-            if (!(expr instanceof SlotRef)) {
-                continue;
-            }
-            SlotRef slotRef = (SlotRef) expr;
-            TableName queryTableName = slotRef.getTableName();
-            if (queryTableName == null) {
-                continue;
-            }
-            String queryColumnName = slotRef.getColumnName();
-            String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ? InternalCatalog.INTERNAL_CATALOG_NAME
-                    : queryTableName.getCtl();
-            // check privilege
-            Env.getCurrentEnv().getAccessManager()
-                    .checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName,
-                            queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName),
-                            PrivPredicate.SELECT);
-        }
+    protected void checkQueryAuth(Analyzer analyzer) throws UserException {
+        Map<Long, TableIf> tableMap = Maps.newTreeMap();
+        Set<String> parentViewNameSet = Sets.newHashSet();
+        // not really want to obtain tables, but rather use the authentication logic in this method
+        viewDefStmt.getTables(analyzer, false, tableMap, parentViewNameSet);
    }

    /**
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
@ -96,7 +96,7 @@ public class CreateViewStmt extends BaseViewStmt {
            Analyzer viewAnalyzer = new Analyzer(analyzer);
            viewDefStmt.forbiddenMVRewrite();
            viewDefStmt.analyze(viewAnalyzer);
-            checkQueryAuth();
+            checkQueryAuth(viewAnalyzer);
            createColumnAndViewDefs(viewAnalyzer);
        } finally {
            // must reset this flag, otherwise, all following query statement in this connection
--- a/regression-test/suites/auth_call/test_ddl_view_auth.groovy
+++ b/regression-test/suites/auth_call/test_ddl_view_auth.groovy
@ -66,24 +66,22 @@ suite("test_ddl_view_auth","p0,auth_call") {
            exception 'denied'
        }
    }
-    sql """grant select_priv(id) on ${dbName}.${tableName} to ${user}"""
-    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
-        test {
-            sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
-                AS
-                SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
-                WHERE id = 1 GROUP BY k1;"""
-            exception 'denied'
-        }
-        def res = sql """SHOW VIEW from ${tableName} from ${dbName}"""
-        assertTrue(res.size() == 0)
-    }
-    sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
-            AS
-            SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
-            WHERE id = 1 GROUP BY k1;"""
-    sql """grant Create_priv on ${dbName}.${viewName} to ${user}"""
-    sql """drop view ${dbName}.${viewName}"""
+     sql """grant Create_priv on ${dbName}.${viewName} to ${user}"""
+     connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+             test {
+                 sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
+                     AS
+                     SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
+                     WHERE id = 1 GROUP BY k1;"""
+                 exception "denied"
+             }
+             test {
+                 sql """SHOW VIEW from ${tableName} from ${dbName}"""
+                 exception 'denied'
+             }
+         }
+    sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
        sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
            AS
@ -93,16 +91,6 @@ suite("test_ddl_view_auth","p0,auth_call") {
        def res = sql """SHOW VIEW from ${tableName} from ${dbName}"""
        assertTrue(res.size() == 1)
    }
-    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
-        sql """set enable_fallback_to_original_planner=false;"""
-        test {
-            sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
-                AS
-                SELECT username as k1, SUM(id) FROM ${dbName}.${tableName}
-                WHERE id = 1 GROUP BY k1;"""
-            exception 'denied'
-        }
-    }

    // ddl alter
    // user alter
--- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy
+++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy
@ -56,7 +56,7 @@ suite("test_alter_view_auth","p0,auth") {
            sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};"
        } catch (Exception e) {
            log.info(e.getMessage())
-            assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+            assertTrue(e.getMessage().contains("denied"))
        }
    }
    try_sql """drop table if exists ${dbName}.${tableName}"""
--- a/regression-test/suites/auth_p0/test_create_view_auth.groovy
+++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy
@ -53,7 +53,7 @@ suite("test_create_view_auth","p0,auth") {
            sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};"
        } catch (Exception e) {
            log.info(e.getMessage())
-            assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+            assertTrue(e.getMessage().contains("denied"))
        }
    }
    sql """drop table if exists ${dbName}.${tableName}"""