[Enhancement](ranger) Disable some permission operations when Ranger or LDAP are enabled (#32538) (#33957)
bp #32538 Co-authored-by: yongjinhou <109586248+yongjinhou@users.noreply.github.com>
@ -18,6 +18,8 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.FeNameFormat;
|
||||
@ -60,6 +62,11 @@ public class CreateRoleStmt extends DdlStmt {
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
|
||||
throw new AnalysisException("Create role is prohibited when Ranger is enabled.");
|
||||
}
|
||||
|
||||
FeNameFormat.checkRoleName(role, false /* can not be admin */, "Can not create role");
|
||||
|
||||
// check if current user has GRANT priv on GLOBAL level.
|
||||
|
||||
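Review bot: The literal `"ranger-doris"` and the `Config.access_controller_type.equalsIgnoreCase(...)` test are written inline in this `analyze()` and repeated in the CreateUserStmt, DropRoleStmt, DropUserStmt, GrantStmt and RevokeStmt hunks, so the six guards can drift apart if the controller type name ever changes. One shared predicate (a static helper, say `isRangerEnabled()`, name illustrative) would keep them in step. Writing it as `"ranger-doris".equalsIgnoreCase(Config.access_controller_type)` also avoids a NullPointerException if the config value is ever null. It is worth confirming that the code which selects the access controller matches the type name case-insensitively as well; otherwise this guard and the real enforcement could disagree about whether Ranger is on. The rest of `analyze()` lies outside the hunk.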
@ -18,9 +18,12 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.FeNameFormat;
|
||||
import org.apache.doris.common.LdapConfig;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.mysql.privilege.Role;
|
||||
@ -115,6 +118,11 @@ public class CreateUserStmt extends DdlStmt {
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") && LdapConfig.ldap_authentication_enabled) {
|
||||
throw new AnalysisException("Create user is prohibited when Ranger and LDAP are enabled at same time.");
|
||||
}
|
||||
|
||||
userIdent.analyze();
|
||||
|
||||
if (userIdent.isRootUser()) {
|
||||
|
||||
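Review bot: The guard in `CreateUserStmt.analyze()` fires only when Ranger and LDAP are both enabled (`&&`), while the commit title says "Ranger or LDAP"; DropUserStmt uses the same condition. If the conjunction is intended, presumably because users are fully externally managed only when LDAP handles authentication and Ranger handles authorization, the reason should be recorded next to the check, e.g. `// Local users are still needed unless both LDAP authentication and Ranger authorization are enabled.` A test covering the four on/off combinations would pin the behaviour, since a later edit from `&&` to `||` would silently change who can create accounts. The body of `analyze()` continues past the hunk.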
@ -18,6 +18,8 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.FeNameFormat;
|
||||
@ -50,6 +52,11 @@ public class DropRoleStmt extends DdlStmt {
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
|
||||
throw new AnalysisException("Drop role is prohibited when Ranger is enabled.");
|
||||
}
|
||||
|
||||
FeNameFormat.checkRoleName(role, false /* can not be superuser */, "Can not drop role");
|
||||
|
||||
// check if current user has GRANT priv on GLOBAL level.
|
||||
|
||||
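Review bot: The Ranger guard in `DropRoleStmt.analyze()` runs before the step marked `// check if current user has GRANT priv on GLOBAL level.`, and the CreateRoleStmt hunk has the same order. As a result, a user without GRANT privilege who issues the statement gets "Drop role is prohibited when Ranger is enabled." rather than a privilege error, which tells any authenticated user which access controller is configured. If that detail should not be visible to unprivileged users, move the guard after the privilege check so they keep receiving the ordinary access-denied error. The privilege check itself is outside the hunk, so its exact form is not visible here.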
@ -19,8 +19,10 @@ package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.LdapConfig;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
@ -53,6 +55,11 @@ public class DropUserStmt extends DdlStmt {
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") && LdapConfig.ldap_authentication_enabled) {
|
||||
throw new AnalysisException("Drop user is prohibited when Ranger and LDAP are enabled at same time.");
|
||||
}
|
||||
|
||||
userIdent.analyze();
|
||||
|
||||
if (userIdent.isRootUser()) {
|
||||
|
||||
@ -21,6 +21,7 @@ import org.apache.doris.analysis.CompoundPredicate.Operator;
|
||||
import org.apache.doris.catalog.AccessPrivilegeWithCols;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.FeNameFormat;
|
||||
@ -137,6 +138,11 @@ public class GrantStmt extends DdlStmt {
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
|
||||
throw new AnalysisException("Grant is prohibited when Ranger is enabled.");
|
||||
}
|
||||
|
||||
if (userIdent != null) {
|
||||
userIdent.analyze();
|
||||
} else {
|
||||
|
||||
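Review bot: The prohibition in `GrantStmt.analyze()` is enforced only at statement analysis, so any other path that reaches the grant logic would not hit it. Whether such paths exist (another planner's command classes, internal callers, edit-log replay) cannot be told from this page and should be confirmed. If they do, the check belongs in, or should be repeated in, the component that actually applies the grant, so the restriction does not depend on which front end parsed the statement. A short comment on the guard saying it is a convenience check rather than the enforcement point would keep it from being relied on as a boundary. `analyze()` continues beyond the hunk.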
@ -19,6 +19,7 @@ package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.AccessPrivilegeWithCols;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.FeNameFormat;
|
||||
import org.apache.doris.mysql.privilege.ColPrivilegeKey;
|
||||
import org.apache.doris.mysql.privilege.Privilege;
|
||||
@ -116,6 +117,10 @@ public class RevokeStmt extends DdlStmt {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
|
||||
throw new AnalysisException("Revoke is prohibited when Ranger is enabled.");
|
||||
}
|
||||
|
||||
if (userIdent != null) {
|
||||
userIdent.analyze();
|
||||
} else {
|
||||
|
||||
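Review bot: In `RevokeStmt.analyze()` the Ranger guard is the first statement of the method and no `super.analyze(analyzer)` call is visible before it, whereas the other five statements place the guard after `super.analyze(analyzer)`. If the parent call exists further down, outside this hunk, Revoke fails before the base-class analysis that the other statements complete first. If it is absent altogether, a brief comment saying that is deliberate would help. Either way, a one-line comment on the guard (`// Privileges are managed in Ranger; local REVOKE would have no effect.`, wording to be confirmed by the authors) would explain why the statement is rejected outright.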