[fix](auth)fix missing authentication (#33347) (#33956)

bp #33347

Co-authored-by: zhangdong <493738387@qq.com>
Mingyu Chen
2024-04-22 13:52:36 +08:00
committed by GitHub
parent f2b8ef53c4
commit 98e90dd47e
56 changed files with 1280 additions and 56 deletions


@ -71,8 +71,9 @@ public class AdminCopyTabletStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "NODE");
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (properties == null) {
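Review bot: The four-line global-privilege check introduced here (`checkGlobalPriv(ConnectContext.get(), PrivPredicate.X)` followed by `reportAnalysisException(ERR_SPECIFIC_ACCESS_DENIED_ERROR, PrivPredicate.X.getPrivs().toString())`) is pasted into more than a dozen `analyze()` methods across this commit, including the policy, SHOW and SET LDAP statements. With that many copies the predicate and the predicate named in the message can drift apart, as the old `PrivPredicate.OPERATOR` / `"NODE"` pair in this file shows. A single shared helper taking the `PrivPredicate` (placeholder name `checkGlobalPrivOrThrow(PrivPredicate)`) would keep the check and the message in one place. The enclosing `analyze` continues past the end of the hunk.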


@ -53,8 +53,10 @@ public class AlterPolicyStmt extends DdlStmt {
super.analyze(analyzer);
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
if (!Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (properties == null || properties.isEmpty()) {


@ -62,9 +62,8 @@ public class AlterViewStmt extends BaseViewStmt {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(),
PrivPredicate.ALTER)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "ALTER VIEW",
ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(),
tableName.getDb() + ": " + tableName.getTbl());
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl());
}
if (cols != null) {
@ -74,7 +73,7 @@ public class AlterViewStmt extends BaseViewStmt {
viewDefStmt.setNeedToSql(true);
Analyzer viewAnalyzer = new Analyzer(analyzer);
viewDefStmt.analyze(viewAnalyzer);
checkQueryAuth();
createColumnAndViewDefs(analyzer);
}


@ -18,15 +18,20 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Type;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.util.ToSqlContext;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@ -72,6 +77,28 @@ public class BaseViewStmt extends DdlStmt {
return inlineViewDef;
}
protected void checkQueryAuth() throws UserException {
for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) {
Expr expr = viewDefStmt.getBaseTblResultExprs().get(i);
if (!(expr instanceof SlotRef)) {
continue;
}
SlotRef slotRef = (SlotRef) expr;
TableName queryTableName = slotRef.getTableName();
if (queryTableName == null) {
continue;
}
String queryColumnName = slotRef.getColumnName();
String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ? InternalCatalog.INTERNAL_CATALOG_NAME
: queryTableName.getCtl();
// check privilege
Env.getCurrentEnv().getAccessManager()
.checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName,
queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName),
PrivPredicate.SELECT);
}
}
/**
* Sets the originalViewDef and the expanded inlineViewDef based on viewDefStmt.
* If columnNames were given, checks that they do not contain duplicate column names
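Review bot: `checkQueryAuth` skips every result expression that is not itself a `SlotRef` (`if (!(expr instanceof SlotRef)) { continue; }`), so a base-table column that appears only inside a function call, cast or arithmetic expression is never passed to `checkColumnsPriv`. Collecting the `SlotRef`s beneath each expression before checking closes that gap; the sketch below assumes `Expr.collect` is available here and that `java.util.List` is imported. The result of `checkColumnsPriv` is not inspected, so the method relies on that call throwing on denial, which should be confirmed and stated in a comment. Columns referenced only in predicates or joins are presumably not part of `getBaseTblResultExprs()` and would need their own check.

```java
protected void checkQueryAuth() throws UserException {
    for (Expr expr : viewDefStmt.getBaseTblResultExprs()) {
        // gather every column reference under the expression, not only a bare SlotRef
        List<SlotRef> slotRefs = Lists.newArrayList();
        expr.collect(SlotRef.class, slotRefs);
        for (SlotRef slotRef : slotRefs) {
            TableName queryTableName = slotRef.getTableName();
            if (queryTableName == null) {
                continue;
            }
            // … unchanged: catalog-name defaulting and checkColumnsPriv call …
        }
    }
}
```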


@ -17,7 +17,12 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.system.SystemInfoService;
import org.apache.doris.system.SystemInfoService.HostInfo;
@ -44,6 +49,10 @@ public class CancelAlterSystemStmt extends CancelStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.OPERATOR.getPrivs().toString());
}
for (String param : params) {
if (!param.contains(":")) {
ids.add(param);


@ -101,6 +101,12 @@ public class CreatePolicyStmt extends DdlStmt {
throw new UserException("storage policy feature is disabled by default. "
+ "Enable it by setting 'enable_storage_policy=true' in fe.conf");
}
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
break;
case ROW:
default:
@ -112,10 +118,12 @@ public class CreatePolicyStmt extends DdlStmt {
user.getQualifiedUser(), user.getHost(), tableName.getTbl());
}
}
}
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.GRANT.getPrivs().toString());
}
}
}


@ -67,7 +67,8 @@ public class CreateViewStmt extends BaseViewStmt {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
tableName.getTbl(), PrivPredicate.CREATE)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE");
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.CREATE.getPrivs().toString(), tableName.getTbl());
}
// Do not rewrite nondeterministic functions to constant in create view's def stmt
@ -84,7 +85,7 @@ public class CreateViewStmt extends BaseViewStmt {
Analyzer viewAnalyzer = new Analyzer(analyzer);
viewDefStmt.forbiddenMVRewrite();
viewDefStmt.analyze(viewAnalyzer);
checkQueryAuth();
createColumnAndViewDefs(viewAnalyzer);
} finally {
// must reset this flag, otherwise, all following query statement in this connection


@ -73,8 +73,9 @@ public class DropMaterializedViewStmt extends DdlStmt {
// check access
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
tableName.getTbl(), PrivPredicate.DROP)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP");
tableName.getTbl(), PrivPredicate.ALTER)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl());
}
}


@ -60,6 +60,12 @@ public class DropPolicyStmt extends DdlStmt {
super.analyze(analyzer);
switch (type) {
case STORAGE:
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
break;
case ROW:
default:
@ -67,10 +73,12 @@ public class DropPolicyStmt extends DdlStmt {
if (user != null) {
user.analyze();
}
}
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.GRANT.getPrivs().toString());
}
}
}


@ -17,8 +17,11 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
public class SetLdapPassVar extends SetVar {
@ -35,11 +38,10 @@ public class SetLdapPassVar extends SetVar {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
if (!ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ROOT_USER)
&& !ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ADMIN_USER)) {
throw new AnalysisException("Only root and admin user can set ldap admin password.");
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (!passVar.isPlain()) {
throw new AnalysisException("Only support set ldap password with plain text");
}


@ -18,12 +18,17 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.PatternMatcher;
import org.apache.doris.common.PatternMatcherWrapper;
import org.apache.doris.common.UserException;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@ -52,6 +57,12 @@ public class ShowCatalogRecycleBinStmt extends ShowStmt {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (where == null) {
return;
}


@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
@ -67,11 +66,10 @@ public class ShowCreateDbStmt extends ShowStmt {
ErrorReport.reportAnalysisException(ErrorCode.ERR_WRONG_DB_NAME, db);
}
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, db,
PrivPredicate.ALTER_CREATE_DROP)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
ConnectContext.get().getQualifiedUser(), db);
if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), ctl, db,
PrivPredicate.SHOW)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.SHOW.getPrivs().toString(), db);
}
}


@ -18,8 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
// SHOW CREATE REPOSITORY statement
@ -43,7 +48,11 @@ public class ShowCreateRepositoryStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
}
@Override


@ -435,7 +435,12 @@ public class ShowDataStmt extends ShowStmt {
return toSql();
}
private void getAllDbStats() {
private void getAllDbStats() throws AnalysisException {
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
List<String> dbNames = Env.getCurrentInternalCatalog().getDbNames();
if (dbNames == null || dbNames.isEmpty()) {
return;


@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
@ -64,14 +63,11 @@ public class ShowEncryptKeysStmt extends ShowStmt {
}
}
// must check after analyze dbName, for case dbName is null.
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(
ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName);
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
}
public boolean like(String str) {


@ -18,7 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
// Show plugins statement.
@ -39,7 +45,12 @@ public class ShowPluginsStmt extends ShowStmt {
.build();
@Override
public void analyze(Analyzer analyzer) {
public void analyze(Analyzer analyzer) throws AnalysisException {
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
}
@Override


@ -18,7 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.collect.ImmutableList;
@ -33,6 +39,15 @@ public class ShowRepositoriesStmt extends ShowStmt {
}
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
}
@Override
public ShowResultSetMetaData getMetaData() {
ShowResultSetMetaData.Builder builder = ShowResultSetMetaData.builder();
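Review bot: The new `analyze` override in `ShowRepositoriesStmt` does not call `super.analyze(analyzer)`, unlike the checks added to `ShowSnapshotStmt`, `ShowCatalogRecycleBinStmt` and `ShowTransactionStmt` in this commit, which run the privilege check after the super call. Before this change the class appears to have inherited the base implementation, so whatever setup that performs is now skipped for this statement. Adding `super.analyze(analyzer);` as the first statement restores it; the `throws` clause may need widening if the base method declares a broader exception, which is not visible here.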


@ -19,9 +19,14 @@ package org.apache.doris.analysis;
import org.apache.doris.analysis.CompoundPredicate.Operator;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@ -55,6 +60,12 @@ public class ShowSnapshotStmt extends ShowStmt {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
// analyze where clause if not null
if (where != null) {
// eg: WHERE snapshot="snapshot_label" [and timestamp="2018-04-19-11-11:11"];


@ -18,8 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.collect.ImmutableList;
@ -54,6 +59,11 @@ public class ShowTabletsBelongStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws UserException {
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (tabletIds == null || tabletIds.isEmpty()) {
throw new UserException("Please supply at least one tablet id");
}


@ -19,12 +19,15 @@ package org.apache.doris.analysis;
import org.apache.doris.analysis.BinaryPredicate.Operator;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.proc.TransProcDir;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import org.apache.doris.transaction.TransactionStatus;
@ -70,9 +73,15 @@ public class ShowTransactionStmt extends ShowStmt {
}
@Override
public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
// check auth
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}
if (Strings.isNullOrEmpty(dbName)) {
dbName = analyzer.getDefaultDb();
if (Strings.isNullOrEmpty(dbName)) {


@ -75,8 +75,10 @@ public enum ErrorCode {
ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User '%s' has exceeded the '%s' resource "
+ "(current value: %d)"),
ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
+ "one of) the %s privilege(s) for this operation"),
ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all "
+ "one of) the (%s) privilege(s) for this operation"),
ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
+ "one of) the (%s) privilege(s) on database %s for this operation"),
ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1223, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all "
+ " %s privilege(s) for this operation"),
ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be "
+ "used with SET GLOBAL"),
@ -1021,6 +1023,8 @@ public enum ErrorCode {
+ "DISCARD the tablespace before IMPORT."),
ERR_TABLESPACE_DISCARDED(1814, new byte[]{'H', 'Y', '0', '0', '0'}, "Tablespace has been discarded for table '%s'"),
ERR_INTERNAL_ERROR(1815, new byte[]{'H', 'Y', '0', '0', '0'}, "Internal error: %s"),
ERR_MUST_CHANGE_PASSWORD_LOGIN(1862, new byte[]{'H', 'Y', '0', '0', '0'}, "Your password has expired. To log in "
+ "you must change it using a client that supports expired passwords."),
ERR_CREDENTIALS_CONTRADICT_TO_HISTORY(3638, new byte[] {'H', 'Y', '0', '0', '0'},
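Review bot: The numeric codes given to the access-denied entries look arbitrary: `ERR_DB_ACCESS_DENIED_ERROR` takes 1225 and, as far as the hunk counts show, `ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR` moves from 1227 to 1223, inside an enum whose neighbours (1226, 1227, 1228) follow the MySQL numbering. A client or test that matches on the error number would see an authorization failure reported under a number MySQL assigns to an unrelated condition, and an entry outside this hunk may already use the same value. A comment on each new constant stating that the code is project-specific, plus a uniqueness check over the enum, would remove the ambiguity. The message `"Access denied; you need all " + " %s privilege(s) for this operation"` also renders with a double space.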


@ -24,11 +24,14 @@ import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.PatternMatcher;
import org.apache.doris.common.PatternMatcherWrapper;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.util.LogBuilder;
import org.apache.doris.common.util.LogKey;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.job.base.AbstractJob;
import org.apache.doris.job.common.JobStatus;
import org.apache.doris.job.common.JobType;
@ -37,6 +40,8 @@ import org.apache.doris.job.exception.JobException;
import org.apache.doris.job.extensions.insert.InsertJob;
import org.apache.doris.job.scheduler.JobScheduler;
import org.apache.doris.load.loadv2.JobState;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import com.google.common.collect.Lists;
import lombok.extern.log4j.Log4j2;
@ -48,6 +53,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;
@ -341,7 +347,7 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
public List<List<Comparable>> getLoadJobInfosByDb(long dbId, String dbName,
String labelValue,
boolean accurateMatch,
JobState jobState) throws AnalysisException {
JobState jobState, String catalogName) throws AnalysisException {
LinkedList<List<Comparable>> loadJobInfos = new LinkedList<>();
if (!Env.getCurrentEnv().getLabelProcessor().existJobs(dbId)) {
return loadJobInfos;
@ -356,6 +362,12 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
if (jobState != null && !validState(jobState, loadJob)) {
continue;
}
// check auth
try {
checkJobAuth(catalogName, dbName, loadJob.getTableNames());
} catch (AnalysisException e) {
continue;
}
// add load job info, convert String list to Comparable list
loadJobInfos.add(new ArrayList<>(loadJob.getShowInfo()));
} catch (RuntimeException e) {
@ -369,6 +381,27 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
}
}
public void checkJobAuth(String ctlName, String dbName, Set<String> tableNames) throws AnalysisException {
if (tableNames.isEmpty()) {
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), dbName);
}
} else {
for (String tblName : tableNames) {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
tblName, PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), tblName);
return;
}
}
}
}
private static boolean validState(JobState jobState, InsertJob loadJob) {
JobStatus status = loadJob.getJobStatus();
switch (status) {
@ -412,6 +445,27 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
} finally {
readUnlock();
}
// check auth
if (unfinishedLoadJob.size() > 1 || unfinishedLoadJob.get(0).getTableNames().isEmpty()) {
if (Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "LOAD",
ConnectContext.get().getQualifiedUser(),
ConnectContext.get().getRemoteIP(), dbName);
}
} else {
for (String tableName : unfinishedLoadJob.get(0).getTableNames()) {
if (Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
tableName,
PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "LOAD",
ConnectContext.get().getQualifiedUser(),
ConnectContext.get().getRemoteIP(), dbName + ":" + tableName);
}
}
}
for (InsertJob loadJob : unfinishedLoadJob) {
try {
alterJobStatus(loadJob.getJobId(), JobStatus.STOPPED);
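Review bot: The two conditions added to the cancel path at the end of this section are missing a negation: `if (Env.getCurrentEnv().getAccessManager().checkDbPriv(...))` and the `checkTblPriv` variant report access denied when the check succeeds, so a caller holding LOAD is rejected and a caller without it falls through to `alterJobStatus`. `checkJobAuth` earlier in the same file negates the call, and both conditions here should start with `if (!Env.getCurrentEnv().getAccessManager()` as well. `checkCancelExportJobAuth` in the ExportMgr section has the same un-negated conditions. `unfinishedLoadJob.get(0)` is also evaluated when the list could be empty unless the code above the hunk rules that out; the enclosing method starts and ends outside the hunk.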


@ -26,6 +26,8 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeConstants;
import org.apache.doris.common.LabelAlreadyUsedException;
import org.apache.doris.common.PatternMatcher;
@ -123,6 +125,9 @@ public class ExportMgr {
if (matchExportJobs.isEmpty()) {
throw new DdlException("All export job(s) are at final state (CANCELLED/FINISHED)");
}
// check auth
checkCancelExportJobAuth(InternalCatalog.INTERNAL_CATALOG_NAME, stmt.getDbName(), matchExportJobs);
try {
for (ExportJob exportJob : matchExportJobs) {
// exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL, "user cancel");
@ -134,6 +139,29 @@ public class ExportMgr {
}
}
public void checkCancelExportJobAuth(String ctlName, String dbName, List<ExportJob> jobs) throws AnalysisException {
if (jobs.size() > 1) {
if (Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
PrivPredicate.SELECT)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.SELECT.getPrivs().toString(), dbName);
}
} else {
TableName tableName = jobs.get(0).getTableName();
if (tableName == null) {
return;
}
if (Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
tableName.getTbl(),
PrivPredicate.SELECT)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.SELECT.getPrivs().toString(), tableName.getTbl());
}
}
}
public void unprotectAddJob(ExportJob job) {
exportIdToJob.put(job.getId(), job);
dbTolabelToExportJobId.computeIfAbsent(job.getDbId(),
@ -395,7 +423,7 @@ public class ExportMgr {
ExportJob job = entry.getValue();
if ((currentTimeMs - job.getCreateTimeMs()) / 1000 > Config.history_job_keep_max_second
&& (job.getState() == ExportJobState.CANCELLED
|| job.getState() == ExportJobState.FINISHED)) {
|| job.getState() == ExportJobState.FINISHED)) {
iter.remove();
Map<String, Long> labelJobs = dbTolabelToExportJobId.get(job.getDbId());
if (labelJobs != null) {
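Review bot: `checkCancelExportJobAuth` returns before any privilege check when the single job's `getTableName()` is null (`if (tableName == null) { return; }`), so that job is cancelled with no authorization decision at all. Falling through to the database-level `checkDbPriv` in that case, instead of returning, keeps every path covered. The method is public and has no Javadoc; a line stating that more than one job is authorized at database level and a single job at table level would document the rule the two branches implement.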


@ -93,4 +93,12 @@ public class StreamLoadRecord {
public String getFinishTime() {
return this.finishTime;
}
public String getDb() {
return db;
}
public String getTable() {
return table;
}
}


@ -27,10 +27,13 @@ import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.util.MasterDaemon;
import org.apache.doris.common.util.TimeUtils;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.persist.gson.GsonUtils;
import org.apache.doris.plugin.audit.AuditEvent;
import org.apache.doris.plugin.audit.AuditEvent.EventType;
import org.apache.doris.plugin.audit.StreamLoadAuditEvent;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.system.Backend;
import org.apache.doris.thrift.BackendService;
import org.apache.doris.thrift.TNetworkAddress;
@ -186,6 +189,13 @@ public class StreamLoadRecordMgr extends MasterDaemon {
if (state != null && !String.valueOf(state).equalsIgnoreCase(streamLoadRecord.getStatus())) {
continue;
}
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
streamLoadRecord.getDb(), streamLoadRecord.getTable(),
PrivPredicate.LOAD)) {
continue;
}
streamLoadRecords.add(streamLoadRecord.getStreamLoadInfo());
} catch (Exception e) {
continue;


@ -31,6 +31,8 @@ import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.Config;
import org.apache.doris.common.DataQualityException;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.LabelAlreadyUsedException;
import org.apache.doris.common.MetaNotFoundException;
import org.apache.doris.common.Pair;
@ -617,9 +619,16 @@ public class LoadManager implements Writable {
if (!states.contains(loadJob.getState())) {
continue;
}
// check auth
try {
checkJobAuth(loadJob.getDb().getCatalog().getName(), loadJob.getDb().getFullName(),
loadJob.getTableNames());
} catch (AnalysisException e) {
continue;
}
// add load job info
loadJobInfos.add(loadJob.getShowInfo());
} catch (RuntimeException | DdlException e) {
} catch (RuntimeException | DdlException | MetaNotFoundException e) {
// ignore this load job
LOG.warn("get load job info failed. job id: {}", loadJob.getId(), e);
}
@ -630,6 +639,27 @@ public class LoadManager implements Writable {
}
}
public void checkJobAuth(String ctlName, String dbName, Set<String> tableNames) throws AnalysisException {
if (tableNames.isEmpty()) {
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), dbName);
}
} else {
for (String tblName : tableNames) {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
tblName, PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), tblName);
return;
}
}
}
}
public List<List<Comparable>> getAllLoadJobInfos() {
LinkedList<List<Comparable>> loadJobInfos = new LinkedList<List<Comparable>>();
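Review bot: `checkJobAuth` is a line-for-line copy of the method added to `JobManager` in this commit, so a later correction to one copy can leave the other behind; hosting it in one place and calling it from both managers avoids that. The `return;` after `ErrorReport.reportAnalysisException(...)` in the table loop is either dead code, if the report call always throws, or it ends the check at the first denied table and returns normally, which the caller treats as authorized. Dropping the `return;` and adding a comment that the report call throws would make the intent explicit. In the listing loop the `AnalysisException` is swallowed with `continue`, which is reasonable for filtering but deserves a one-line comment such as `// not visible to this user: skip silently`.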


@ -155,10 +155,15 @@ public class PrivBitSet implements Writable {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < Privilege.privileges.length; i++) {
if (get(i)) {
sb.append(Privilege.getPriv(i)).append(" ");
sb.append(Privilege.getPriv(i)).append(",");
}
}
return sb.toString();
String res = sb.toString();
if (res.length() > 0) {
return res.substring(0, res.length() - 1);
} else {
return res;
}
}
public static PrivBitSet read(DataInput in) throws IOException {
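Review bot: The separator change in `toString()` from a space to a comma alters the text seen by every caller of this method, not only the new access-denied messages, so any output or test that prints a `PrivBitSet` changes with it; that is worth checking against the other callers, which are outside this hunk. The build-then-trim of the trailing comma is also easier to read with a joiner: `StringJoiner sj = new StringJoiner(",");`, `sj.add(String.valueOf(Privilege.getPriv(i)));` inside the loop and `return sj.toString();`, with `java.util.StringJoiner` imported. The method's opening lines are above the hunk.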


@ -1241,7 +1241,7 @@ public class ShowExecutor {
// add the nerieds load info
JobManager loadMgr = env.getJobManager();
loadInfos.addAll(loadMgr.getLoadJobInfosByDb(dbId, db.getFullName(), showStmt.getLabelValue(),
showStmt.isAccurateMatch(), showStmt.getStateV2()));
showStmt.isAccurateMatch(), showStmt.getStateV2(), db.getCatalog().getName()));
// order the result of List<LoadInfo> by orderByPairs in show stmt
List<OrderByPair> orderByPairs = showStmt.getOrderByPairs();


@ -28,9 +28,9 @@ import org.apache.doris.load.ExportMgr;
import org.apache.doris.utframe.TestWithFeService;
import com.google.common.collect.Lists;
import org.junit.Assert;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.wildfly.common.Assert;
import java.lang.reflect.Method;
import java.util.List;
@ -350,4 +350,30 @@ public class CancelExportStmtTest extends TestWithFeService {
exportMgr.cancelExportJob(stmt);
Assert.assertTrue(job8.getState() == ExportJobState.CANCELLED);
}
@Test
public void testCancelAuth() {
ExportMgr exportMgr = new ExportMgr();
List<ExportJob> jobs = Lists.newArrayList();
ExportJob job1 = new ExportJob();
job1.setTableName(new TableName("ctl1", "db1", "table1"));
jobs.add(job1);
try {
// should check table auth
exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv"));
Assert.assertTrue(e.getMessage().contains("table1"));
}
jobs.add(new ExportJob());
try {
// should check db auth
exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv"));
Assert.assertTrue(e.getMessage().contains("db1"));
}
}
}
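Review bot: The import block of this test lists `org.wildfly.common.Assert` alongside `org.junit.Assert`, and with the change markers lost it looks as if the JUnit class was swapped for the WildFly one, probably by an IDE auto-import. If so, the `Assert.assertTrue(...)` calls in `testCancelAuth` no longer go through JUnit. As far as I know the WildFly helper is built on the Java `assert` statement, so these permission checks would pass silently when assertions are disabled. `Assertions` from JUnit 5 is already imported, so `Assertions.assertTrue(e.getMessage().contains("table1"));` keeps the check inside the test framework. `Assertions.assertThrows(AnalysisException.class, ...)` would also state the expected denial more directly than `throw new RuntimeException("should exception")`.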


@ -51,7 +51,7 @@ public class DropMaterializedViewStmtTest {
new Expectations() {
{
accessManager.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
tableName.getTbl(), PrivPredicate.DROP);
tableName.getTbl(), PrivPredicate.ALTER);
result = false;
}
};


@ -138,7 +138,7 @@ public class RefreshTableTest extends TestWithFeService {
user1.analyze();
ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
"Access denied; you need (at least one of) the DROP privilege(s) for this operation",
"Access denied",
() -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11", user1Ctx));
ConnectContext.remove();
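Review bot: The expected message passed to `expectThrowsWithMsg` appears to be cut down from the full text naming the DROP privilege to just `"Access denied"`, which no longer pins which privilege `refresh table` requires. A check against the wrong privilege would still satisfy this assertion. Keeping the privilege list in the expected string, in the form the new message prints it (`"<privilege list as printed by the new message>"`), preserves the test as an authorization regression test. The test method starts and ends outside the hunk.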


@ -0,0 +1,65 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.doris.job.manager;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.utframe.TestWithFeService;
import com.google.common.collect.Sets;
import mockit.Expectations;
import org.junit.Assert;
import org.junit.Test;
import java.io.IOException;
import java.util.HashSet;
public class JobManagerTest {
@Test
public void testJobAuth() throws IOException, AnalysisException {
UserIdentity user1 = new UserIdentity("testJobAuthUser", "%");
user1.analyze();
new Expectations() {
{
ConnectContext.get();
minTimes = 0;
result = TestWithFeService.createCtx(user1, "%");
}
};
JobManager manager = new JobManager();
HashSet<String> tableNames = Sets.newHashSet();
try {
// should check db auth
manager.checkJobAuth("ctl1", "db1", tableNames);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
Assert.assertTrue(e.getMessage().contains("db1"));
}
tableNames.add("table1");
try {
// should check db auth
manager.checkJobAuth("ctl1", "db1", tableNames);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
Assert.assertTrue(e.getMessage().contains("table1"));
}
}
}
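Review bot: The second block of `testJobAuth` is commented `// should check db auth`, but `tableNames` already holds `table1` there and the assertion looks for `table1`, so it is the table-level check that is exercised. The comment should read `// should check table auth`. The same copied comment is in `testJobAuth` of `LoadManagerTest` further down. Both tests cover only the denied path, so a case where a user holding LOAD is not rejected would show that `checkJobAuth` does not simply deny everyone. `Assert.fail("expected AnalysisException")` would state the intent more clearly than `throw new RuntimeException("should exception")`.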


@ -21,12 +21,16 @@ import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Database;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Table;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.Config;
import org.apache.doris.common.FeMetaVersion;
import org.apache.doris.common.jmockit.Deencapsulation;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.meta.MetaContext;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.utframe.TestWithFeService;
import com.google.common.collect.Sets;
import mockit.Expectations;
import mockit.Injectable;
import mockit.Mocked;
@ -40,6 +44,8 @@ import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@ -195,4 +201,36 @@ public class LoadManagerTest {
loadManager.readFields(dis);
return loadManager;
}
@Test
public void testJobAuth() throws IOException, AnalysisException {
UserIdentity user1 = new UserIdentity("testJobAuthUser", "%");
user1.analyze();
new Expectations() {
{
ConnectContext.get();
minTimes = 0;
result = TestWithFeService.createCtx(user1, "%");
}
};
LoadManager manager = new LoadManager(new LoadJobScheduler());
HashSet<String> tableNames = Sets.newHashSet();
try {
// should check db auth
manager.checkJobAuth("ctl1", "db1", tableNames);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
Assert.assertTrue(e.getMessage().contains("db1"));
}
tableNames.add("table1");
try {
// should check db auth
manager.checkJobAuth("ctl1", "db1", tableNames);
throw new RuntimeException("should exception");
} catch (AnalysisException e) {
Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
Assert.assertTrue(e.getMessage().contains("table1"));
}
}
}


@ -497,7 +497,7 @@ public class PlannerTest extends TestWithFeService {
QueryState state = connectContext.getState();
Assertions.assertEquals(MysqlStateType.ERR, state.getStateType());
Assertions.assertTrue(state.getErrorMessage()
.contains("you need (at least one of) the LOAD privilege(s) for this operation"));
.contains("you need (at least one of) the (LOAD) privilege(s) for this operation"));
// set to admin user
connectContext.setCurrentUserIdentity(UserIdentity.ADMIN);
}


@ -278,7 +278,7 @@ public abstract class TestWithFeService {
return adapter;
}
protected static ConnectContext createCtx(UserIdentity user, String host) throws IOException {
public static ConnectContext createCtx(UserIdentity user, String host) throws IOException {
ConnectContext ctx = new ConnectContext();
ctx.setCurrentUserIdentity(user);
ctx.setQualifiedUser(user.getQualifiedUser());


@ -0,0 +1,2 @@
1,1
1,2
1 1 1
2 1 2


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_admin_copy_tablet_auth","p0,auth") {
String user = 'test_admin_copy_tablet_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}
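Review bot: The `sql "ADMIN COPY TABLET ..."` call sits in a `try` whose only assertion is inside `catch (Exception e)`, so the suite still passes if the statement is not rejected at all, which is exactly the regression an auth test should catch. Adding `Assert.fail("expected access denied")` directly after the `sql` line closes that gap. It raises an `AssertionError`, which `catch (Exception e)` does not swallow, and `org.junit.Assert` is already imported. The other `*_auth` suites added in this commit use the same try/catch shape (alter_policy, alter_view, cancel_alter_system, create_policy, create_view, drop_materialized_view, drop_policy, set_ldap_admin_password and the show_* suites). For the state-changing statements among them, an unnoticed success would also modify the test cluster.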


@ -0,0 +1,37 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_alter_policy_auth","p0,auth") {
String user = 'test_alter_policy_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql """
ALTER STORAGE POLICY has_test_policy_to_alter PROPERTIES("cooldown_datetime" = "2023-06-08 00:00:00");
"""
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,66 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_alter_view_auth","p0,auth") {
String user = 'test_alter_view_auth_user'
String pwd = 'C123_567p'
String dbName = 'test_alter_view_auth_db'
String tableName = 'test_alter_view_auth_table'
String viewName = 'test_alter_view_auth_view'
try_sql("DROP USER ${user}")
try_sql """drop table if exists ${dbName}.${tableName}"""
try_sql """drop view if exists ${dbName}.${viewName}"""
sql """drop database if exists ${dbName}"""
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """create database ${dbName}"""
sql """
CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` (
id BIGINT,
username VARCHAR(20)
)
DISTRIBUTED BY HASH(id) BUCKETS 2
PROPERTIES (
"replication_num" = "1"
);
"""
sql """grant select_priv on regression_test to ${user}"""
sql """create view ${dbName}.${viewName} as select * from ${dbName}.${tableName};"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Alter_priv"))
}
}
sql """grant Alter_priv on ${dbName}.${viewName} to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
}
}
try_sql """drop table if exists ${dbName}.${tableName}"""
try_sql """drop view if exists ${dbName}.${viewName}"""
sql """drop database if exists ${dbName}"""
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_cancel_alter_system_auth","p0,auth") {
String user = 'test_cancel_alter_system_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "CANCEL DECOMMISSION BACKEND 'id1';"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Node_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,47 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_create_policy_auth","p0,auth") {
String user = 'test_create_policy_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "CREATE ROW POLICY test_create_policy_auth ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Grant_priv"))
}
try {
sql """
CREATE STORAGE POLICY testPolicy
PROPERTIES(
"storage_resource" = "s3",
"cooldown_datetime" = "2022-06-08 00:00:00"
);
"""
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,62 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_create_view_auth","p0,auth") {
String user = 'test_create_view_auth_user'
String pwd = 'C123_567p'
String dbName = 'test_create_view_auth_db'
String tableName = 'test_create_view_auth_table'
try_sql("DROP USER ${user}")
try_sql """drop table if exists ${dbName}.${tableName}"""
sql """drop database if exists ${dbName}"""
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """create database ${dbName}"""
sql """
CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` (
id BIGINT,
username VARCHAR(20)
)
DISTRIBUTED BY HASH(id) BUCKETS 2
PROPERTIES (
"replication_num" = "1"
);
"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "create view ${dbName}.v1 as select * from ${dbName}.t1;"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Create_priv"))
}
}
sql """grant create_priv on ${dbName}.v1 to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
}
}
sql """drop table if exists ${dbName}.${tableName}"""
sql """drop database if exists ${dbName}"""
try_sql("DROP USER ${user}")
}
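Review bot: The first denied case builds the view from `${dbName}.t1`, a table this suite never creates (the table it creates is `${tableName}`). The case therefore depends on the privilege check running before name resolution. If that order changes, the failure would come from the missing table and the assertion on `Admin_priv,Create_priv` would break for a reason unrelated to authorization. Selecting from the real table keeps the case about privileges only: `sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};"`.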


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_drop_materialized_view_auth","p0,auth") {
String user = 'test_drop_materialized_view_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "DROP MATERIALIZED VIEW mv_name ON table_name;"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Alter_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,43 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_drop_policy_auth","p0,auth") {
String user = 'test_drop_policy_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "DROP ROW POLICY test_row_policy_1 on table1;"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Grant_priv"))
}
try {
sql """
DROP STORAGE POLICY policy_name1
"""
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_set_ldap_admin_password_auth","p0,auth") {
String user = 'test_set_ldap_admin_password_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SET LDAP_ADMIN_PASSWORD = PASSWORD('plain password')"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_catalog_recycle_bin_auth","p0,auth") {
String user = 'test_show_catalog_recycle_bin_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW CATALOG RECYCLE BIN WHERE NAME = 'test'"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_create_database_auth","p0,auth") {
String user = 'test_show_create_database_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW CREATE DATABASE db_name"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv,Select_priv,Load_priv,Alter_priv,Create_priv,Drop_priv,Show_view_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_create_repository_auth","p0,auth") {
String user = 'test_show_create_repository_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW CREATE REPOSITORY for repository_name"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_data_auth","p0,auth") {
String user = 'test_show_data_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW DATA"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,36 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_encryptkeys_auth","p0,auth") {
String user = 'test_show_encryptkeys_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "use regression_test"
sql "SHOW ENCRYPTKEYS"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_plugins_auth","p0,auth") {
String user = 'test_show_plugins_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW PLUGINS"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_repositories_auth","p0,auth") {
String user = 'test_show_repositories_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW REPOSITORIES"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_snapshot_auth","p0,auth") {
String user = 'test_show_snapshot_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW SNAPSHOT ON example_repo"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,75 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_stream_load_auth","p0,auth") {
String tableName = "test_show_stream_load_auth_table"
String label = "test_show_stream_load_auth_label" + System.currentTimeMillis();
String user = 'test_show_stream_load_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """ DROP TABLE IF EXISTS ${tableName} """
sql """
CREATE TABLE IF NOT EXISTS ${tableName} (
`k1` bigint(20) NULL,
`k2` bigint(20) NULL
) ENGINE=OLAP
COMMENT 'OLAP'
DISTRIBUTED BY HASH(`k1`) BUCKETS 2
PROPERTIES ("replication_allocation" = "tag.location.default: 1");
"""
streamLoad {
table "${tableName}"
set 'column_separator', ','
set 'columns', 'k1, k2'
set 'label', label
set 'strict_mode', 'true'
file 'test_strict_mode.csv'
time 10000 // limit inflight 10s
}
Thread.sleep(60000);
def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'"
log.info(res.toString())
if(res.size() == 0) {
// `show stream load` has some delay, and need be config `enable_stream_load_record=true`
// we not sure when can has result, so if `admin` can not get res, ignore this case.
return;
}
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'"
log.info(res.toString())
assertFalse(res.toString().contains("${label}"))
}
sql """grant load_priv on regression_test_auth_p0.${tableName} to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label = '${label}'"
log.info(res.toString())
assertTrue(res.toString().contains("${label}"))
}
try_sql("DROP USER ${user}")
sql """ DROP TABLE IF EXISTS ${tableName} """
}
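Review bot: The early `return` when `res.size() == 0` skips both privilege assertions, so on a cluster without `enable_stream_load_record=true` this suite reports success without checking that a user lacking `load_priv` cannot see the label. It also leaves the table behind, since the final `DROP TABLE IF EXISTS` is only reached on the full path. Before returning, drop the table and log the skip explicitly, e.g. `log.info("SHOW STREAM LOAD returned no rows for admin; auth checks skipped")`. Consider also replacing the fixed `Thread.sleep(60000)` with a bounded poll so the checks run as soon as the record appears.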


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_tablets_belong_auth","p0,auth") {
String user = 'test_show_tablets_belong_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW TABLETS BELONG 27028"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}


@ -0,0 +1,35 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
import org.junit.Assert;
suite("test_show_transaction_auth","p0,auth") {
String user = 'test_show_transaction_auth_user'
String pwd = 'C123_567p'
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
sql """grant select_priv on regression_test to ${user}"""
connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
try {
sql "SHOW TRANSACTION WHERE ID=4005;"
} catch (Exception e) {
log.info(e.getMessage())
assertTrue(e.getMessage().contains("Admin_priv"))
}
}
try_sql("DROP USER ${user}")
}