[fix](auth)Fix some issues with incorrect permission verification (#3… (#40410)
…9726) pick: https://github.com/apache/doris/pull/39726
@ -18,9 +18,14 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.InfoSchemaDb;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
@ -103,6 +108,12 @@ public class ShowColumnStmt extends ShowStmt {
|
||||
} else {
|
||||
metaData = META_DATA;
|
||||
}
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
|
||||
tableName.getTbl(), PrivPredicate.SHOW)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.SHOW.getPrivs().toString(), tableName);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
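Review bot: The new `checkTblPriv` call is the last statement of `analyze()`, so every step above it in the method runs before authorization is decided. Those steps start outside this hunk; if any of them reports an unknown database or table, a user without SHOW on the table could distinguish existing objects from missing ones by the error returned. Consider moving the check to immediately after the table name is resolved, with a comment such as `// authorize before touching catalog metadata so denial does not depend on whether the table exists`. It is also worth confirming that the two arguments passed with `ERR_TABLE_ACCESS_DENIED_ERROR` match that error code's format string, which is not visible here.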
@ -115,7 +115,7 @@ public class ShowDataStmt extends ShowStmt {
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
dbName = analyzer.getDefaultDb();
|
||||
if (Strings.isNullOrEmpty(dbName)) {
|
||||
if (Strings.isNullOrEmpty(dbName) && tableName == null) {
|
||||
getAllDbStats();
|
||||
return;
|
||||
}
|
||||
|
||||
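Review bot: With the condition narrowed to `Strings.isNullOrEmpty(dbName) && tableName == null`, a statement that names a table while no default database is set now continues past this early return with `dbName` still empty. The rest of `analyze()` is outside the hunk, so confirm that the code below takes the database from `tableName`, or reports a missing-database error, before any privilege check uses `dbName`. A short comment would record the intent, for example `// only list all databases when no table was named; a named table must go through the per-table checks below`. Since `getAllDbStats()` returns before any check visible here, it should also be confirmed that it filters databases by the caller's privileges.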
@ -18,10 +18,14 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.datasource.InternalCatalog;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
@ -60,6 +64,11 @@ public class ShowSyncJobStmt extends ShowStmt {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
|
||||
}
|
||||
}
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.SHOW.getPrivs().toString(), dbName);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
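Review bot: The `checkDbPriv` call hard-codes `InternalCatalog.INTERNAL_CATALOG_NAME` without saying why the session's current catalog is not used. If sync jobs can only exist in the internal catalog, a comment should say so, for example `// sync jobs live only in the internal catalog, so SHOW is checked on that catalog's database`. The check relies on `dbName` having been defaulted and validated by the block just above it; the start of `analyze()` is outside the hunk, so that cannot be confirmed from here.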
@ -38,10 +38,8 @@ public class ShowTabletStorageFormatStmt extends ShowStmt {
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
// check access first
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR,
|
||||
toSql(),
|
||||
ConnectContext.get().getQualifiedUser(),
|
||||
ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed.");
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
super.analyze(analyzer);
|
||||
|
||||
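Review bot: The replaced denial message carried the statement text, the qualified user and the remote IP, while the new `ERR_SPECIFIC_ACCESS_DENIED_ERROR` call passes only the privilege list. Dropping those details from the client-facing error is reasonable. If operators relied on that message to trace denied ADMIN statements, confirm that the audit log still records the user and source address for this failure. It is also worth checking that `PrivPredicate.ADMIN.getPrivs().toString()` renders the privilege name the way other callers of this error code do, since the format string is not visible here.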
@ -163,7 +163,7 @@ public class ConnectScheduler {
|
||||
for (ConnectContext ctx : connectionMap.values()) {
|
||||
// Check auth
|
||||
if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
||||
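Review bot: The privilege half of the condition does not depend on `ctx`, yet `checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)` is re-evaluated for every entry in `connectionMap`. It also authorizes the thread-local caller, while the ownership half compares against the `user` parameter. Evaluating it once before the loop makes that explicit: `boolean isAdmin = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN);`, then test `!ctx.getQualifiedUser().equals(user) && !isAdmin`. The method's signature is outside the hunk, so confirm that `user` always denotes the same identity as `ConnectContext.get()`. Also confirm that the thread-local context cannot be null on any path that lists connections.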