[enhancement](priv) Clarify ccr releated FrontendServiceImpl call privs (#25530)

Signed-off-by: Jack Drogon <jack.xsuperman@gmail.com>
Jack Drogon
2023-10-17 21:51:55 -05:00
committed by GitHub
parent 6f6264693f
commit ef9cbc4c64


@ -525,7 +525,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
// index id -> index schema
Map<Long, LinkedList<Column>> indexSchemaMap = new HashMap<>();
//index id -> index col_unique_id supplier
// index id -> index col_unique_id supplier
Map<Long, IntSupplier> colUniqueIdSupplierMap = new HashMap<>();
for (Map.Entry<Long, List<Column>> entry : olapTable.getIndexIdToSchema(true).entrySet()) {
indexSchemaMap.put(entry.getKey(), new LinkedList<>(entry.getValue()));
@ -544,13 +544,13 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
colUniqueIdSupplierMap.put(entry.getKey(), colUniqueIdSupplier);
}
//4. call schame change function, only for dynamic table feature.
// 4. call schame change function, only for dynamic table feature.
SchemaChangeHandler schemaChangeHandler = new SchemaChangeHandler();
boolean lightSchemaChange = schemaChangeHandler.processAddColumns(
addColumnsClause, olapTable, indexSchemaMap, true, colUniqueIdSupplierMap);
if (lightSchemaChange) {
//for schema change add column optimize, direct modify table meta.
// for schema change add column optimize, direct modify table meta.
List<Index> newIndexes = olapTable.getCopiedIndexes();
long jobId = Env.getCurrentEnv().getNextId();
Env.getCurrentEnv().getSchemaChangeHandler().modifyTableLightSchemaChange(
@ -562,7 +562,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
}
//5. build all columns
// 5. build all columns
for (Column column : olapTable.getBaseSchema()) {
allColumns.add(column.toThrift());
}
@ -756,7 +756,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
if (params.isSetPattern()) {
try {
matcher = PatternMatcher.createMysqlPattern(params.getPattern(),
CaseSensibility.TABLE.getCaseSensibility());
CaseSensibility.TABLE.getCaseSensibility());
} catch (PatternMatcherException e) {
throw new TException("Pattern is in bad format " + params.getPattern());
}
@ -1095,13 +1095,18 @@ public class FrontendServiceImpl implements FrontendService.Iface {
return tableNames;
}
private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl,
String clientIp, PrivPredicate predicate) throws AuthenticationException {
private void checkSingleTablePasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl,
String clientIp, PrivPredicate predicate) throws AuthenticationException {
checkPasswordAndPrivs(cluster, user, passwd, db, Lists.newArrayList(tbl), clientIp, predicate);
}
private void checkDbPasswordAndPrivs(String cluster, String user, String passwd, String db, String clientIp,
PrivPredicate predicate) throws AuthenticationException {
checkPasswordAndPrivs(cluster, user, passwd, db, null, clientIp, predicate);
}
private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, List<String> tables,
String clientIp, PrivPredicate predicate) throws AuthenticationException {
String clientIp, PrivPredicate predicate) throws AuthenticationException {
final String fullUserName = ClusterNamespace.getFullName(cluster, user);
final String fullDbName = ClusterNamespace.getFullName(cluster, db);
@ -1109,10 +1114,20 @@ public class FrontendServiceImpl implements FrontendService.Iface {
Env.getCurrentEnv().getAuth().checkPlainPassword(fullUserName, clientIp, passwd, currentUser);
Preconditions.checkState(currentUser.size() == 1);
if (tables == null || tables.isEmpty()) {
if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(currentUser.get(0), fullDbName, predicate)) {
throw new AuthenticationException(
"Access denied; you need (at least one of) the (" + predicate.toString()
+ ") privilege(s) for this operation");
}
return;
}
for (String tbl : tables) {
if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(currentUser.get(0), fullDbName, tbl, predicate)) {
throw new AuthenticationException(
"Access denied; you need (at least one of) the LOAD privilege(s) for this operation");
"Access denied; you need (at least one of) the (" + predicate.toString()
+ ") privilege(s) for this operation");
}
}
}
@ -1184,7 +1199,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
if (request.isSetAuthCode()) {
// TODO(cmy): find a way to check
} else if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
@ -1363,7 +1379,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
List<String> tbNames;
//check has multi table
// check has multi table
if (CollectionUtils.isNotEmpty(request.getTbls())) {
tbNames = request.getTbls();
} else {
@ -1374,7 +1390,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
OlapTable table = (OlapTable) db.getTableOrMetaException(tbl, TableType.OLAP);
tables.add(table);
}
//if it has multi table, use multi table and update multi table running transaction table ids
// if it has multi table, use multi table and update multi table running transaction table ids
if (CollectionUtils.isNotEmpty(request.getTbls())) {
List<Long> multiTableIds = tables.stream().map(Table::getId).collect(Collectors.toList());
Env.getCurrentGlobalTransactionMgr().getDatabaseTransactionMgr(db.getId())
@ -1398,11 +1414,12 @@ public class FrontendServiceImpl implements FrontendService.Iface {
// refactoring it
if (CollectionUtils.isNotEmpty(request.getTbls())) {
for (String tbl : request.getTbls()) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl,
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
tbl,
request.getUserIp(), PrivPredicate.LOAD);
}
} else {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
@ -1510,7 +1527,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
for (Table table : tableList) {
// check auth
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), table.getName(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
table.getName(),
request.getUserIp(), PrivPredicate.LOAD);
}
@ -1578,7 +1596,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbls(), request.getUserIp(), PrivPredicate.LOAD);
} else {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbl(), request.getUserIp(), PrivPredicate.LOAD);
}
}
@ -1763,14 +1781,15 @@ public class FrontendServiceImpl implements FrontendService.Iface {
} else if (request.isSetToken()) {
checkToken(request.getToken());
} else {
//multi table load
// multi table load
if (CollectionUtils.isNotEmpty(request.getTbls())) {
for (String tbl : request.getTbls()) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl,
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
tbl,
request.getUserIp(), PrivPredicate.LOAD);
}
} else {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
@ -2054,7 +2073,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
if (request.isSetAuthCode()) {
// TODO(cmy): find a way to check
} else if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
ctx.setEnv(Env.getCurrentEnv());
@ -2131,15 +2151,15 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
String fullDbName, OlapTable table,
long timeoutMs) throws UserException {
String fullDbName, OlapTable table,
long timeoutMs) throws UserException {
return generatePlanFragmentParams(request, db, fullDbName, table, timeoutMs, 1, false);
}
private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
String fullDbName, OlapTable table,
long timeoutMs, int multiTableFragmentInstanceIdIndex,
boolean isMultiTableRequest)
String fullDbName, OlapTable table,
long timeoutMs, int multiTableFragmentInstanceIdIndex,
boolean isMultiTableRequest)
throws UserException {
if (!table.tryReadLock(timeoutMs, TimeUnit.MILLISECONDS)) {
throw new UserException(
@ -2191,10 +2211,10 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
private TPipelineFragmentParams generatePipelineStreamLoadPut(TStreamLoadPutRequest request, Database db,
String fullDbName, OlapTable table,
long timeoutMs,
int multiTableFragmentInstanceIdIndex,
boolean isMultiTableRequest)
String fullDbName, OlapTable table,
long timeoutMs,
int multiTableFragmentInstanceIdIndex,
boolean isMultiTableRequest)
throws UserException {
if (db == null) {
String dbName = fullDbName;
@ -2746,7 +2766,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
cluster = SystemInfoService.DEFAULT_CLUSTER;
}
if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTable(),
request.getUserIp(), PrivPredicate.SELECT);
}
@ -2867,8 +2888,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
request.getUser(), request.getDb(), request.getLabelName(), request.getSnapshotName(),
request.getSnapshotType());
if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTable(), clientIp, PrivPredicate.LOAD);
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTable(), clientIp, PrivPredicate.SELECT);
}
// Step 3: get snapshot
@ -2952,8 +2973,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
}
if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTable(), clientIp, PrivPredicate.LOAD);
checkDbPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), clientIp,
PrivPredicate.LOAD);
}
// Step 3: get snapshot
@ -3085,7 +3106,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
cluster = SystemInfoService.DEFAULT_CLUSTER;
}
if (Strings.isNullOrEmpty(request.getToken())) {
checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(),
checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
request.getTable(),
request.getUserIp(), PrivPredicate.SELECT);
}
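Review bot: In the new list overload of `checkPasswordAndPrivs`, a null or empty `tables` silently turns a table-level check into a database-level `checkDbPriv`, so the scope of the authorization depends on the shape of the argument rather than on what the caller asked for. The call in the `-1578` hunk forwards `request.getTbls()` directly and its guard, if any, is outside the visible lines; how `checkDbPriv` compares with `checkTblPriv` for a given predicate is not visible here either, so the fallback should not be assumed to be the stricter of the two. I would keep the database path reachable only through `checkDbPasswordAndPrivs` and make the table entry points reject missing names, e.g. in `checkSingleTablePasswordAndPrivs`: `if (Strings.isNullOrEmpty(tbl)) { throw new AuthenticationException("Access denied; table name is required for a table-level privilege check"); }` — today a null `tbl` becomes a one-element list holding null and reaches `checkTblPriv` that way. The per-table loops in the `-1398` and `-1763` hunks also re-verify the password on every iteration; one call to the list overload with `request.getTbls()` would authenticate once and still check each table.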