diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java index ad5b15014f..01e6ffcc8e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/EncryptKeyRef.java @@ -19,10 +19,14 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Database; import org.apache.doris.catalog.EncryptKey; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.Type; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; +import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.thrift.TExprNode; import com.google.common.base.Strings; @@ -55,6 +59,13 @@ public class EncryptKeyRef extends Expr { if ("".equals(dbName)) { ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR); } else { + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, + dbName, PrivPredicate.SHOW)) { + String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg( + PrivPredicate.SHOW.getPrivs().toString(), dbName); + throw new AnalysisException(message); + } Database database = analyzer.getEnv().getInternalCatalog().getDbOrAnalysisException(dbName); EncryptKey encryptKey = database.getEncryptKey(encryptKeyName.getKeyName()); diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java index 552e3fe5cf..5a5eef482a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java @@ -20,7 +20,10 @@ package org.apache.doris.nereids.rules.expression.rules; import org.apache.doris.catalog.EncryptKey; import org.apache.doris.catalog.Env; import org.apache.doris.cluster.ClusterNamespace; +import org.apache.doris.common.ErrorCode; import org.apache.doris.common.util.DebugUtil; +import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.nereids.exceptions.AnalysisException; import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule; import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher; @@ -216,6 +219,13 @@ public class FoldConstantRuleOnFE extends AbstractExpressionRewriteRule if ("".equals(dbName)) { throw new AnalysisException("DB " + dbName + "not found"); } + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, + dbName, PrivPredicate.SHOW)) { + String message = ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg( + PrivPredicate.SHOW.getPrivs().toString(), dbName); + throw new AnalysisException(message); + } org.apache.doris.catalog.Database database = Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName); if (database == null) { diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy new file mode 100644 index 0000000000..8245486d66 --- /dev/null +++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy @@ -0,0 +1,59 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +import org.junit.Assert; + +suite("test_use_encryptkey_auth","p0,auth") { + multi_sql """ + SET enable_nereids_planner=true; + SET enable_fallback_to_original_planner=false; + """ + String suiteName = "test_version_info_mtmv" + String dbName = context.config.getDbNameByFile(context.file) + String user = "${suiteName}_user" + String key = "${suiteName}_key" + String pwd = 'C123_567p' + try_sql("DROP USER ${user}") + try_sql("DROP ENCRYPTKEY ${key}") + sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'""" + sql """grant select_priv on regression_test to ${user}""" + //cloud-mode + if (isCloudMode()) { + def clusters = sql " SHOW CLUSTERS; " + assertTrue(!clusters.isEmpty()) + def validCluster = clusters[0][0] + sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}"""; + } + sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'""" + + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + test { + sql """ + SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key})); + """ + exception "denied" + } + } + sql """grant select_priv on ${dbName} to ${user}""" + connect(user=user, password="${pwd}", url=context.config.jdbcUrl) { + sql """ + SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key})); + """ + } + try_sql("DROP USER ${user}") + try_sql("DROP ENCRYPTKEY ${key}") +}