[fix](auth)Fix use encryptkey should check auth (#41791) (#42105)

pick from master #41791
2024-10-25 14:32:42 +08:00
parent 120bf28d1e
commit b88d4db6e7
3 changed files with 80 additions and 0 deletions
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java
@ -19,10 +19,14 @@ package org.apache.doris.analysis;

 import org.apache.doris.catalog.Database;
 import org.apache.doris.catalog.EncryptKey;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.Type;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.thrift.TExprNode;

 import com.google.common.base.Strings;
@ -55,6 +59,13 @@ public class EncryptKeyRef extends Expr {
        if ("".equals(dbName)) {
            ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
        } else {
+            if (!Env.getCurrentEnv().getAccessManager()
+                    .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
+                            dbName, PrivPredicate.SHOW)) {
+                String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+                        PrivPredicate.SHOW.getPrivs().toString(), dbName);
+                throw new AnalysisException(message);
+            }
            Database database = analyzer.getEnv().getInternalCatalog().getDbOrAnalysisException(dbName);

            EncryptKey encryptKey = database.getEncryptKey(encryptKeyName.getKeyName());
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
@ -20,7 +20,10 @@ package org.apache.doris.nereids.rules.expression.rules;
 import org.apache.doris.catalog.EncryptKey;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.cluster.ClusterNamespace;
+import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.util.DebugUtil;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule;
 import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher;
@ -216,6 +219,13 @@ public class FoldConstantRuleOnFE extends AbstractExpressionRewriteRule
        if ("".equals(dbName)) {
            throw new AnalysisException("DB " + dbName + "not found");
        }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME,
+                        dbName, PrivPredicate.SHOW)) {
+            String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
+            throw new AnalysisException(message);
+        }
        org.apache.doris.catalog.Database database =
                Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName);
        if (database == null) {
--- a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@ -0,0 +1,59 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_use_encryptkey_auth","p0,auth") {
+    multi_sql """
+        SET enable_nereids_planner=true;
+        SET enable_fallback_to_original_planner=false;
+    """
+    String suiteName = "test_version_info_mtmv"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String user = "${suiteName}_user"
+    String key = "${suiteName}_key"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """grant select_priv on regression_test to ${user}"""
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+    sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+              """
+              exception "denied"
+          }
+    }
+    sql """grant select_priv on ${dbName} to ${user}"""
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+          sql """
+              SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+          """
+    }
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+}