bp #33347 Co-authored-by: zhangdong <493738387@qq.com>
@ -71,8 +71,9 @@ public class AdminCopyTabletStmt extends ShowStmt {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "NODE");
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
if (properties == null) {
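Review bot: The privilege required for ADMIN COPY TABLET moves from PrivPredicate.OPERATOR to PrivPredicate.ADMIN, and if ADMIN is satisfied by Admin_priv or Node_priv (as the predicate name suggests and as other Doris checks treat it) this widens, rather than tightens, the set of accounts that can pull raw tablet files off a backend. The rest of the commit only rewrites error messages, so a privilege change here is easy to miss; if the widening is intended, state it in the commit message, otherwise keep `PrivPredicate.OPERATOR` and change only the message to `PrivPredicate.OPERATOR.getPrivs().toString()`, which is what CancelAlterSystemStmt does in this same commit. The enclosing analyze() continues past the hunk.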
|
||||
|
||||
@ -53,8 +53,10 @@ public class AlterPolicyStmt extends DdlStmt {
|
||||
super.analyze(analyzer);
|
||||
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
if (properties == null || properties.isEmpty()) {
|
||||
|
||||
@ -62,9 +62,8 @@ public class AlterViewStmt extends BaseViewStmt {
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(),
|
||||
PrivPredicate.ALTER)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "ALTER VIEW",
|
||||
ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(),
|
||||
tableName.getDb() + ": " + tableName.getTbl());
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl());
|
||||
}
|
||||
|
||||
if (cols != null) {
|
||||
@ -74,7 +73,7 @@ public class AlterViewStmt extends BaseViewStmt {
|
||||
viewDefStmt.setNeedToSql(true);
|
||||
Analyzer viewAnalyzer = new Analyzer(analyzer);
|
||||
viewDefStmt.analyze(viewAnalyzer);
|
||||
|
||||
checkQueryAuth();
|
||||
createColumnAndViewDefs(analyzer);
|
||||
}
|
||||
|
||||
|
||||
@ -18,15 +18,20 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.Type;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.common.util.ToSqlContext;
|
||||
import org.apache.doris.datasource.InternalCatalog;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Sets;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
|
||||
@ -72,6 +77,28 @@ public class BaseViewStmt extends DdlStmt {
|
||||
return inlineViewDef;
|
||||
}
|
||||
|
||||
protected void checkQueryAuth() throws UserException {
|
||||
for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) {
|
||||
Expr expr = viewDefStmt.getBaseTblResultExprs().get(i);
|
||||
if (!(expr instanceof SlotRef)) {
|
||||
continue;
|
||||
}
|
||||
SlotRef slotRef = (SlotRef) expr;
|
||||
TableName queryTableName = slotRef.getTableName();
|
||||
if (queryTableName == null) {
|
||||
continue;
|
||||
}
|
||||
String queryColumnName = slotRef.getColumnName();
|
||||
String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ? InternalCatalog.INTERNAL_CATALOG_NAME
|
||||
: queryTableName.getCtl();
|
||||
// check privilege
|
||||
Env.getCurrentEnv().getAccessManager()
|
||||
.checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName,
|
||||
queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName),
|
||||
PrivPredicate.SELECT);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the originalViewDef and the expanded inlineViewDef based on viewDefStmt.
|
||||
* If columnNames were given, checks that they do not contain duplicate column names
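Review bot: checkQueryAuth() only inspects result expressions that are themselves a SlotRef (`if (!(expr instanceof SlotRef)) continue;`), so a column wrapped in a cast, function call, arithmetic or CASE is never passed to checkColumnsPriv, and a view such as `SELECT upper(secret) FROM t` gets no column-level check at all. Columns referenced only in WHERE, JOIN or GROUP BY never reach getBaseTblResultExprs() either; presumably the analyzer's own table-level SELECT check covers those, but that is outside this hunk, so it is worth a comment stating that this method adds column granularity on top of the table check rather than replacing it. Assuming Expr.collect(Class, Collection) is available here, walking each expression for nested SlotRefs closes the first gap without changing the per-column check. The Javadoc at the end of the hunk belongs to a method that continues outside it.
```java
protected void checkQueryAuth() throws UserException {
    for (Expr expr : viewDefStmt.getBaseTblResultExprs()) {
        // Walk into the expression so columns wrapped in casts, functions or
        // arithmetic are checked too, not only bare column references.
        List<SlotRef> slotRefs = Lists.newArrayList();
        expr.collect(SlotRef.class, slotRefs);
        for (SlotRef slotRef : slotRefs) {
            TableName queryTableName = slotRef.getTableName();
            if (queryTableName == null) {
                continue;
            }
            // … unchanged: ctlName default and checkColumnsPriv(...) call …
        }
    }
}
```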
|
||||
|
||||
@ -17,7 +17,12 @@
|
||||
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.system.SystemInfoService;
|
||||
import org.apache.doris.system.SystemInfoService.HostInfo;
|
||||
|
||||
@ -44,6 +49,10 @@ public class CancelAlterSystemStmt extends CancelStmt {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.OPERATOR.getPrivs().toString());
|
||||
}
|
||||
for (String param : params) {
|
||||
if (!param.contains(":")) {
|
||||
ids.add(param);
|
||||
|
||||
@ -101,6 +101,12 @@ public class CreatePolicyStmt extends DdlStmt {
|
||||
throw new UserException("storage policy feature is disabled by default. "
|
||||
+ "Enable it by setting 'enable_storage_policy=true' in fe.conf");
|
||||
}
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
break;
|
||||
case ROW:
|
||||
default:
|
||||
@ -112,10 +118,12 @@ public class CreatePolicyStmt extends DdlStmt {
|
||||
user.getQualifiedUser(), user.getHost(), tableName.getTbl());
|
||||
}
|
||||
}
|
||||
}
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.GRANT.getPrivs().toString());
|
||||
}
|
||||
}
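Review bot: The ROW policy branch now requires only PrivPredicate.GRANT where the old code required ADMIN; a row policy is bound to a user and changes what that user sees on `tableName`, so any GRANT holder can now reshape other users' visibility of tables, unless the error path at lines 399-402 (whose condition sits above the hunk) already enforces a table-level privilege. If it does not, consider adding `checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), tableName.getTbl(), PrivPredicate.GRANT)` alongside the global check. A one-line comment `// row policies are a grant-like act on the target table, hence GRANT rather than ADMIN` would record the reasoning for the relaxation.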
|
||||
}
|
||||
|
||||
|
||||
@ -67,7 +67,8 @@ public class CreateViewStmt extends BaseViewStmt {
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
|
||||
tableName.getTbl(), PrivPredicate.CREATE)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE");
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.CREATE.getPrivs().toString(), tableName.getTbl());
|
||||
}
|
||||
|
||||
// Do not rewrite nondeterministic functions to constant in create view's def stmt
|
||||
@ -84,7 +85,7 @@ public class CreateViewStmt extends BaseViewStmt {
|
||||
Analyzer viewAnalyzer = new Analyzer(analyzer);
|
||||
viewDefStmt.forbiddenMVRewrite();
|
||||
viewDefStmt.analyze(viewAnalyzer);
|
||||
|
||||
checkQueryAuth();
|
||||
createColumnAndViewDefs(viewAnalyzer);
|
||||
} finally {
|
||||
// must reset this flag, otherwise, all following query statement in this connection
|
||||
|
||||
@ -73,8 +73,9 @@ public class DropMaterializedViewStmt extends DdlStmt {
|
||||
// check access
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
|
||||
tableName.getTbl(), PrivPredicate.DROP)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP");
|
||||
tableName.getTbl(), PrivPredicate.ALTER)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ALTER.getPrivs().toString(), tableName.getTbl());
|
||||
}
|
||||
}
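Review bot: The privilege needed to drop a materialized view changes from PrivPredicate.DROP to PrivPredicate.ALTER, which is a semantic change and not the message cleanup the surrounding hunks make; users granted only DROP_PRIV on the table lose the ability and users with only ALTER_PRIV gain it. If the intent is that MV removal is executed as an ALTER TABLE job and should be gated accordingly, add `// dropping a materialized view is an ALTER TABLE operation, so ALTER (not DROP) is required` above the check and mention the change in the commit message; otherwise keep PrivPredicate.DROP and change only the error code. The enclosing analyze() starts above the hunk.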
|
||||
|
||||
|
||||
@ -60,6 +60,12 @@ public class DropPolicyStmt extends DdlStmt {
|
||||
super.analyze(analyzer);
|
||||
switch (type) {
|
||||
case STORAGE:
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
break;
|
||||
case ROW:
|
||||
default:
|
||||
@ -67,10 +73,12 @@ public class DropPolicyStmt extends DdlStmt {
|
||||
if (user != null) {
|
||||
user.analyze();
|
||||
}
|
||||
}
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN");
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.GRANT.getPrivs().toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -17,8 +17,11 @@
|
||||
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.mysql.privilege.Auth;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
|
||||
public class SetLdapPassVar extends SetVar {
|
||||
@ -35,11 +38,10 @@ public class SetLdapPassVar extends SetVar {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
if (!ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ROOT_USER)
|
||||
&& !ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ADMIN_USER)) {
|
||||
throw new AnalysisException("Only root and admin user can set ldap admin password.");
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
if (!passVar.isPlain()) {
|
||||
throw new AnalysisException("Only support set ldap password with plain text");
|
||||
}
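Review bot: The old check allowed exactly the `root` and `admin` accounts to set the LDAP admin password; the new one allows any account holding PrivPredicate.ADMIN, which is a widening of who can change a cluster-wide credential that is accepted only in plain text (`passVar.isPlain()` below). If that is intended it should be called out in the commit message, and a comment such as `// any Admin_priv holder may rotate the LDAP admin password, not only the built-in root/admin accounts` would stop a later reader from re-tightening it by accident. The now-unused `Auth` import is still present at line 649 and will be flagged by checkstyle if it is not removed.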
|
||||
|
||||
@ -18,12 +18,17 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.CaseSensibility;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.PatternMatcher;
|
||||
import org.apache.doris.common.PatternMatcherWrapper;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
@ -52,6 +57,12 @@ public class ShowCatalogRecycleBinStmt extends ShowStmt {
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
if (where == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.datasource.InternalCatalog;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
@ -67,11 +66,10 @@ public class ShowCreateDbStmt extends ShowStmt {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_WRONG_DB_NAME, db);
|
||||
}
|
||||
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, db,
|
||||
PrivPredicate.ALTER_CREATE_DROP)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
|
||||
ConnectContext.get().getQualifiedUser(), db);
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), ctl, db,
|
||||
PrivPredicate.SHOW)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.SHOW.getPrivs().toString(), db);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -18,8 +18,13 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
// SHOW CREATE REPOSITORY statement
|
||||
@ -43,7 +48,11 @@ public class ShowCreateRepositoryStmt extends ShowStmt {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -435,7 +435,12 @@ public class ShowDataStmt extends ShowStmt {
|
||||
return toSql();
|
||||
}
|
||||
|
||||
private void getAllDbStats() {
|
||||
private void getAllDbStats() throws AnalysisException {
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
List<String> dbNames = Env.getCurrentInternalCatalog().getDbNames();
|
||||
if (dbNames == null || dbNames.isEmpty()) {
|
||||
return;
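Review bot: The ADMIN check is placed inside the private helper getAllDbStats() rather than in analyze(), so it fires only on the code path that calls this helper and its new `throws AnalysisException` must be propagated by every caller outside the hunk. Moving the check into analyze() for the all-databases form keeps privilege errors at analysis time, consistent with the other Show*Stmt changes in this commit, and lets getAllDbStats() keep its original signature. If the helper must stay the enforcement point, add `// SHOW DATA without a database lists every db, so require global ADMIN here` so the placement reads as deliberate.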
|
||||
|
||||
@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.datasource.InternalCatalog;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
@ -64,14 +63,11 @@ public class ShowEncryptKeysStmt extends ShowStmt {
|
||||
}
|
||||
}
|
||||
|
||||
// must check after analyze dbName, for case dbName is null.
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
|
||||
PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(
|
||||
ErrorCode.ERR_DBACCESS_DENIED_ERROR, ConnectContext.get().getQualifiedUser(), dbName);
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public boolean like(String str) {
|
||||
|
||||
@ -18,7 +18,13 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
// Show plugins statement.
|
||||
@ -39,7 +45,12 @@ public class ShowPluginsStmt extends ShowStmt {
|
||||
.build();
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) {
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -18,7 +18,13 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.collect.ImmutableList;
|
||||
@ -33,6 +39,15 @@ public class ShowRepositoriesStmt extends ShowStmt {
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException {
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public ShowResultSetMetaData getMetaData() {
|
||||
ShowResultSetMetaData.Builder builder = ShowResultSetMetaData.builder();
|
||||
|
||||
@ -19,9 +19,14 @@ package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.analysis.CompoundPredicate.Operator;
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
@ -55,6 +60,12 @@ public class ShowSnapshotStmt extends ShowStmt {
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
// analyze where clause if not null
|
||||
if (where != null) {
|
||||
// eg: WHERE snapshot="snapshot_label" [and timestamp="2018-04-19-11-11:11"];
|
||||
|
||||
@ -18,8 +18,13 @@
|
||||
package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
|
||||
import com.google.common.collect.ImmutableList;
|
||||
@ -54,6 +59,11 @@ public class ShowTabletsBelongStmt extends ShowStmt {
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
if (tabletIds == null || tabletIds.isEmpty()) {
|
||||
throw new UserException("Please supply at least one tablet id");
|
||||
}
|
||||
|
||||
@ -19,12 +19,15 @@ package org.apache.doris.analysis;
|
||||
|
||||
import org.apache.doris.analysis.BinaryPredicate.Operator;
|
||||
import org.apache.doris.catalog.Column;
|
||||
import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.catalog.ScalarType;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.UserException;
|
||||
import org.apache.doris.common.proc.TransProcDir;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
import org.apache.doris.qe.ShowResultSetMetaData;
|
||||
import org.apache.doris.transaction.TransactionStatus;
|
||||
|
||||
@ -70,9 +73,15 @@ public class ShowTransactionStmt extends ShowStmt {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
|
||||
public void analyze(Analyzer analyzer) throws UserException {
|
||||
super.analyze(analyzer);
|
||||
|
||||
// check auth
|
||||
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.ADMIN.getPrivs().toString());
|
||||
}
|
||||
|
||||
if (Strings.isNullOrEmpty(dbName)) {
|
||||
dbName = analyzer.getDefaultDb();
|
||||
if (Strings.isNullOrEmpty(dbName)) {
|
||||
|
||||
@ -75,8 +75,10 @@ public enum ErrorCode {
|
||||
ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User '%s' has exceeded the '%s' resource "
|
||||
+ "(current value: %d)"),
|
||||
ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
|
||||
+ "one of) the %s privilege(s) for this operation"),
|
||||
ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all "
|
||||
+ "one of) the (%s) privilege(s) for this operation"),
|
||||
ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
|
||||
+ "one of) the (%s) privilege(s) on database %s for this operation"),
|
||||
ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1223, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all "
|
||||
+ " %s privilege(s) for this operation"),
|
||||
ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable '%s' is a SESSION variable and can't be "
|
||||
+ "used with SET GLOBAL"),
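Review bot: The new ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR text concatenates "you need all " with " %s privilege(s)", so the rendered message carries a double space before the privilege list; drop the leading space: `+ "%s privilege(s) for this operation"),`. Later hunks in this commit still report the old ERR_DBACCESS_DENIED_ERROR/ERR_TABLEACCESS_DENIED_ERROR (with user and IP arguments) next to the new ERR_DB_ACCESS_DENIED_ERROR/ERR_TABLE_ACCESS_DENIED_ERROR, so a short comment on the new entries saying whether the old ones are being retired, and that 1225/1223 were chosen to avoid clashing with the 1227 used above, would help the next reader.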
|
||||
@ -1021,6 +1023,8 @@ public enum ErrorCode {
|
||||
+ "DISCARD the tablespace before IMPORT."),
|
||||
ERR_TABLESPACE_DISCARDED(1814, new byte[]{'H', 'Y', '0', '0', '0'}, "Tablespace has been discarded for table '%s'"),
|
||||
ERR_INTERNAL_ERROR(1815, new byte[]{'H', 'Y', '0', '0', '0'}, "Internal error: %s"),
|
||||
|
||||
|
||||
ERR_MUST_CHANGE_PASSWORD_LOGIN(1862, new byte[]{'H', 'Y', '0', '0', '0'}, "Your password has expired. To log in "
|
||||
+ "you must change it using a client that supports expired passwords."),
|
||||
ERR_CREDENTIALS_CONTRADICT_TO_HISTORY(3638, new byte[] {'H', 'Y', '0', '0', '0'},
|
||||
|
||||
@ -24,11 +24,14 @@ import org.apache.doris.catalog.Env;
|
||||
import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.CaseSensibility;
|
||||
import org.apache.doris.common.DdlException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.PatternMatcher;
|
||||
import org.apache.doris.common.PatternMatcherWrapper;
|
||||
import org.apache.doris.common.io.Writable;
|
||||
import org.apache.doris.common.util.LogBuilder;
|
||||
import org.apache.doris.common.util.LogKey;
|
||||
import org.apache.doris.datasource.InternalCatalog;
|
||||
import org.apache.doris.job.base.AbstractJob;
|
||||
import org.apache.doris.job.common.JobStatus;
|
||||
import org.apache.doris.job.common.JobType;
|
||||
@ -37,6 +40,8 @@ import org.apache.doris.job.exception.JobException;
|
||||
import org.apache.doris.job.extensions.insert.InsertJob;
|
||||
import org.apache.doris.job.scheduler.JobScheduler;
|
||||
import org.apache.doris.load.loadv2.JobState;
|
||||
import org.apache.doris.mysql.privilege.PrivPredicate;
|
||||
import org.apache.doris.qe.ConnectContext;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import lombok.extern.log4j.Log4j2;
|
||||
@ -48,6 +53,7 @@ import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
import java.util.concurrent.locks.ReentrantReadWriteLock;
|
||||
import java.util.stream.Collectors;
|
||||
@ -341,7 +347,7 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
|
||||
public List<List<Comparable>> getLoadJobInfosByDb(long dbId, String dbName,
|
||||
String labelValue,
|
||||
boolean accurateMatch,
|
||||
JobState jobState) throws AnalysisException {
|
||||
JobState jobState, String catalogName) throws AnalysisException {
|
||||
LinkedList<List<Comparable>> loadJobInfos = new LinkedList<>();
|
||||
if (!Env.getCurrentEnv().getLabelProcessor().existJobs(dbId)) {
|
||||
return loadJobInfos;
|
||||
@ -356,6 +362,12 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
|
||||
if (jobState != null && !validState(jobState, loadJob)) {
|
||||
continue;
|
||||
}
|
||||
// check auth
|
||||
try {
|
||||
checkJobAuth(catalogName, dbName, loadJob.getTableNames());
|
||||
} catch (AnalysisException e) {
|
||||
continue;
|
||||
}
|
||||
// add load job info, convert String list to Comparable list
|
||||
loadJobInfos.add(new ArrayList<>(loadJob.getShowInfo()));
|
||||
} catch (RuntimeException e) {
|
||||
@ -369,6 +381,27 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
|
||||
}
|
||||
}
|
||||
|
||||
public void checkJobAuth(String ctlName, String dbName, Set<String> tableNames) throws AnalysisException {
|
||||
if (tableNames.isEmpty()) {
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
|
||||
PrivPredicate.LOAD)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.LOAD.getPrivs().toString(), dbName);
|
||||
}
|
||||
} else {
|
||||
for (String tblName : tableNames) {
|
||||
if (!Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
|
||||
tblName, PrivPredicate.LOAD)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.LOAD.getPrivs().toString(), tblName);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean validState(JobState jobState, InsertJob loadJob) {
|
||||
JobStatus status = loadJob.getJobStatus();
|
||||
switch (status) {
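Review bot: The `return;` after ErrorReport.reportAnalysisException in the table loop of checkJobAuth is dead code if that method unconditionally throws, which is how every other call site in this commit treats it; remove it so the loop reads as a plain all-tables check. The empty-set branch falls back to a database-level LOAD check, which is a superset of any per-table grant, so a comment `// no table list recorded for this job: require LOAD on the whole database` would make the intent explicit. validState() at the end of the hunk continues outside it.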
|
||||
@ -412,6 +445,27 @@ public class JobManager<T extends AbstractJob<?, C>, C> implements Writable {
|
||||
} finally {
|
||||
readUnlock();
|
||||
}
|
||||
// check auth
|
||||
if (unfinishedLoadJob.size() > 1 || unfinishedLoadJob.get(0).getTableNames().isEmpty()) {
|
||||
if (Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
|
||||
PrivPredicate.LOAD)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "LOAD",
|
||||
ConnectContext.get().getQualifiedUser(),
|
||||
ConnectContext.get().getRemoteIP(), dbName);
|
||||
}
|
||||
} else {
|
||||
for (String tableName : unfinishedLoadJob.get(0).getTableNames()) {
|
||||
if (Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
|
||||
tableName,
|
||||
PrivPredicate.LOAD)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR, "LOAD",
|
||||
ConnectContext.get().getQualifiedUser(),
|
||||
ConnectContext.get().getRemoteIP(), dbName + ":" + tableName);
|
||||
}
|
||||
}
|
||||
}
|
||||
for (InsertJob loadJob : unfinishedLoadJob) {
|
||||
try {
|
||||
alterJobStatus(loadJob.getJobId(), JobStatus.STOPPED);
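Review bot: Both privilege conditions in the cancel path are inverted: `if (Env.getCurrentEnv().getAccessManager().checkDbPriv(...))` reports access denied when the caller HAS the LOAD privilege and lets a caller without it fall through and stop every matching job, the opposite of the `if (!…)` pattern used in checkJobAuth above. Change them to `if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(...))` and `if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(...))`. `unfinishedLoadJob.get(0)` also assumes the list is non-empty; whatever guards that is above the hunk. This path still reports ERR_DBACCESS_DENIED_ERROR/ERR_TABLEACCESS_DENIED_ERROR with user/IP arguments while the rest of the commit migrates to the new ERR_DB_ACCESS_DENIED_ERROR/ERR_TABLE_ACCESS_DENIED_ERROR codes.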
|
||||
|
||||
@ -26,6 +26,8 @@ import org.apache.doris.common.AnalysisException;
|
||||
import org.apache.doris.common.CaseSensibility;
|
||||
import org.apache.doris.common.Config;
|
||||
import org.apache.doris.common.DdlException;
|
||||
import org.apache.doris.common.ErrorCode;
|
||||
import org.apache.doris.common.ErrorReport;
|
||||
import org.apache.doris.common.FeConstants;
|
||||
import org.apache.doris.common.LabelAlreadyUsedException;
|
||||
import org.apache.doris.common.PatternMatcher;
|
||||
@ -123,6 +125,9 @@ public class ExportMgr {
|
||||
if (matchExportJobs.isEmpty()) {
|
||||
throw new DdlException("All export job(s) are at final state (CANCELLED/FINISHED)");
|
||||
}
|
||||
|
||||
// check auth
|
||||
checkCancelExportJobAuth(InternalCatalog.INTERNAL_CATALOG_NAME, stmt.getDbName(), matchExportJobs);
|
||||
try {
|
||||
for (ExportJob exportJob : matchExportJobs) {
|
||||
// exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL, "user cancel");
|
||||
@ -134,6 +139,29 @@ public class ExportMgr {
|
||||
}
|
||||
}
|
||||
|
||||
public void checkCancelExportJobAuth(String ctlName, String dbName, List<ExportJob> jobs) throws AnalysisException {
|
||||
if (jobs.size() > 1) {
|
||||
if (Env.getCurrentEnv().getAccessManager()
|
||||
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
|
||||
PrivPredicate.SELECT)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.SELECT.getPrivs().toString(), dbName);
|
||||
}
|
||||
} else {
|
||||
TableName tableName = jobs.get(0).getTableName();
|
||||
if (tableName == null) {
|
||||
return;
|
||||
}
|
||||
if (Env.getCurrentEnv().getAccessManager()
|
||||
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
|
||||
tableName.getTbl(),
|
||||
PrivPredicate.SELECT)) {
|
||||
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
|
||||
PrivPredicate.SELECT.getPrivs().toString(), tableName.getTbl());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void unprotectAddJob(ExportJob job) {
exportIdToJob.put(job.getId(), job);
dbTolabelToExportJobId.computeIfAbsent(job.getDbId(),
@ -395,7 +423,7 @@ public class ExportMgr {
ExportJob job = entry.getValue();
if ((currentTimeMs - job.getCreateTimeMs()) / 1000 > Config.history_job_keep_max_second
&& (job.getState() == ExportJobState.CANCELLED
|| job.getState() == ExportJobState.FINISHED)) {
|| job.getState() == ExportJobState.FINISHED)) {
iter.remove();
Map<String, Long> labelJobs = dbTolabelToExportJobId.get(job.getDbId());
if (labelJobs != null) {
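Review bot: The privilege conditions in the new checkCancelExportJobAuth (the `@ -134,6 +139,29` hunk of this file) are inverted: both `if (Env.getCurrentEnv().getAccessManager().checkDbPriv(...))` and the `checkTblPriv(...)` branch report ERR_DB_ACCESS_DENIED_ERROR / ERR_TABLE_ACCESS_DENIED_ERROR when the check succeeds, so a user holding SELECT is refused and a user without it proceeds to cancel the jobs, whereas the sibling LoadManager.checkJobAuth in this same commit negates the call with `if (!Env.getCurrentEnv().getAccessManager()`. The fix is to put `!` in front of both `Env.getCurrentEnv()` calls in this method. Two further gaps deserve at least a comment: the multi-job branch checks only the database privilege and never the tables of the individual jobs, and the single-job branch returns silently when `getTableName()` is null, so `// NOTE: a job without a table name is cancelled without any privilege check` would make that visible to the next reader. `jobs.get(0)` also throws on an empty list; the caller in cancelExportJob guards for that, but `if (jobs.isEmpty()) { return; }` would make this public method safe on its own.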
@ -93,4 +93,12 @@ public class StreamLoadRecord {
public String getFinishTime() {
return this.finishTime;
}
public String getDb() {
return db;
}
public String getTable() {
return table;
}
}
@ -27,10 +27,13 @@ import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.util.MasterDaemon;
import org.apache.doris.common.util.TimeUtils;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.persist.gson.GsonUtils;
import org.apache.doris.plugin.audit.AuditEvent;
import org.apache.doris.plugin.audit.AuditEvent.EventType;
import org.apache.doris.plugin.audit.StreamLoadAuditEvent;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.system.Backend;
import org.apache.doris.thrift.BackendService;
import org.apache.doris.thrift.TNetworkAddress;
@ -186,6 +189,13 @@ public class StreamLoadRecordMgr extends MasterDaemon {
if (state != null && !String.valueOf(state).equalsIgnoreCase(streamLoadRecord.getStatus())) {
continue;
}
// check auth
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
streamLoadRecord.getDb(), streamLoadRecord.getTable(),
PrivPredicate.LOAD)) {
continue;
}
streamLoadRecords.add(streamLoadRecord.getStreamLoadInfo());
} catch (Exception e) {
continue;
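Review bot: The new privilege filter runs inside a `catch (Exception e) { continue; }` that is visible as context (the enclosing loop and method start and end outside the hunk), so any unexpected failure inside checkTblPriv — a missing ConnectContext, for instance — drops the record with no log line, which hides an auth-path misconfiguration from operators. Dropping the record is the fail-closed outcome and should stay; only the silence needs fixing, so log the skipped record and the exception at warn level in that catch, if the class has a logger in scope. The comment `// check auth` would also say more as `// hide records for tables the current user may not LOAD into`.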
@ -31,6 +31,8 @@ import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.Config;
import org.apache.doris.common.DataQualityException;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.LabelAlreadyUsedException;
import org.apache.doris.common.MetaNotFoundException;
import org.apache.doris.common.Pair;
@ -617,9 +619,16 @@ public class LoadManager implements Writable {
if (!states.contains(loadJob.getState())) {
continue;
}
// check auth
try {
checkJobAuth(loadJob.getDb().getCatalog().getName(), loadJob.getDb().getFullName(),
loadJob.getTableNames());
} catch (AnalysisException e) {
continue;
}
// add load job info
loadJobInfos.add(loadJob.getShowInfo());
} catch (RuntimeException | DdlException e) {
} catch (RuntimeException | DdlException | MetaNotFoundException e) {
// ignore this load job
LOG.warn("get load job info failed. job id: {}", loadJob.getId(), e);
}
@ -630,6 +639,27 @@ public class LoadManager implements Writable {
}
}
public void checkJobAuth(String ctlName, String dbName, Set<String> tableNames) throws AnalysisException {
if (tableNames.isEmpty()) {
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), ctlName, dbName,
PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), dbName);
}
} else {
for (String tblName : tableNames) {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), ctlName, dbName,
tblName, PrivPredicate.LOAD)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.LOAD.getPrivs().toString(), tblName);
return;
}
}
}
}
public List<List<Comparable>> getAllLoadJobInfos() {
LinkedList<List<Comparable>> loadJobInfos = new LinkedList<List<Comparable>>();
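Review bot: The `return;` that follows `ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, ...)` in the table loop of the new checkJobAuth is either dead or dangerous: if reportAnalysisException always throws, as its name and the method's `throws AnalysisException` suggest, the statement is unreachable, and if it can return normally the method exits without denying anything, which the database branch above does not do. Remove the `return;` so both branches rely on the thrown exception alone. A one-line Javadoc would also help the callers that now filter on it: `/** Throws AnalysisException unless the current user has LOAD on the database (when no tables are given) or on every listed table. */`.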
@ -155,10 +155,15 @@ public class PrivBitSet implements Writable {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < Privilege.privileges.length; i++) {
if (get(i)) {
sb.append(Privilege.getPriv(i)).append(" ");
sb.append(Privilege.getPriv(i)).append(",");
}
}
return sb.toString();
String res = sb.toString();
if (res.length() > 0) {
return res.substring(0, res.length() - 1);
} else {
return res;
}
}
public static PrivBitSet read(DataInput in) throws IOException {
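Review bot: Appending `","` after every privilege and then trimming the last character with `res.substring(0, res.length() - 1)` works, but the append-then-chop idiom is harder to read than a joiner and the method's signature lies outside the hunk, so the intent has to be inferred. `StringJoiner joiner = new StringJoiner(",");`, `joiner.add(String.valueOf(Privilege.getPriv(i)));` inside the `if (get(i))`, and `return joiner.toString();` give the same output, including the empty string for an empty set, without the length check. Since this text now appears in access-denied messages, a short comment such as `// comma-separated, no trailing delimiter; shown to users in access-denied errors` would record the format contract.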
@ -1241,7 +1241,7 @@ public class ShowExecutor {
// add the nerieds load info
JobManager loadMgr = env.getJobManager();
loadInfos.addAll(loadMgr.getLoadJobInfosByDb(dbId, db.getFullName(), showStmt.getLabelValue(),
showStmt.isAccurateMatch(), showStmt.getStateV2()));
showStmt.isAccurateMatch(), showStmt.getStateV2(), db.getCatalog().getName()));
// order the result of List<LoadInfo> by orderByPairs in show stmt
List<OrderByPair> orderByPairs = showStmt.getOrderByPairs();