From ef9cbc4c64efdc339aa55e42f84453f60f33e6a5 Mon Sep 17 00:00:00 2001
From: Jack Drogon
Date: Tue, 17 Oct 2023 21:51:55 -0500
Subject: [PATCH] [enhancement](priv) Clarify ccr releated FrontendServiceImpl call privs (#25530)
Signed-off-by: Jack Drogon
---
 .../doris/service/FrontendServiceImpl.java | 92 ++++++++++++-------
 1 file changed, 57 insertions(+), 35 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index 2cb8337db7..7d8626c1ea 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -525,7 +525,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { // index id -> index schema Map> indexSchemaMap = new HashMap<>(); - //index id -> index col_unique_id supplier + // index id -> index col_unique_id supplier Map colUniqueIdSupplierMap = new HashMap<>(); for (Map.Entry> entry : olapTable.getIndexIdToSchema(true).entrySet()) { indexSchemaMap.put(entry.getKey(), new LinkedList<>(entry.getValue()));
@@ -544,13 +544,13 @@ public class FrontendServiceImpl implements FrontendService.Iface { } colUniqueIdSupplierMap.put(entry.getKey(), colUniqueIdSupplier); } - //4. call schame change function, only for dynamic table feature. + // 4. call schame change function, only for dynamic table feature. SchemaChangeHandler schemaChangeHandler = new SchemaChangeHandler(); boolean lightSchemaChange = schemaChangeHandler.processAddColumns( addColumnsClause, olapTable, indexSchemaMap, true, colUniqueIdSupplierMap); if (lightSchemaChange) { - //for schema change add column optimize, direct modify table meta. + // for schema change add column optimize, direct modify table meta. List newIndexes = olapTable.getCopiedIndexes(); long jobId = Env.getCurrentEnv().getNextId(); Env.getCurrentEnv().getSchemaChangeHandler().modifyTableLightSchemaChange(
@@ -562,7 +562,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { } } - //5. build all columns + // 5. build all columns for (Column column : olapTable.getBaseSchema()) { allColumns.add(column.toThrift()); }
@@ -756,7 +756,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { if (params.isSetPattern()) { try { matcher = PatternMatcher.createMysqlPattern(params.getPattern(), - CaseSensibility.TABLE.getCaseSensibility()); + CaseSensibility.TABLE.getCaseSensibility()); } catch (PatternMatcherException e) { throw new TException("Pattern is in bad format " + params.getPattern()); }
@@ -1095,13 +1095,18 @@ public class FrontendServiceImpl implements FrontendService.Iface { return tableNames; } - private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl, - String clientIp, PrivPredicate predicate) throws AuthenticationException { + private void checkSingleTablePasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl, + String clientIp, PrivPredicate predicate) throws AuthenticationException { checkPasswordAndPrivs(cluster, user, passwd, db, Lists.newArrayList(tbl), clientIp, predicate); } + private void checkDbPasswordAndPrivs(String cluster, String user, String passwd, String db, String clientIp, + PrivPredicate predicate) throws AuthenticationException { + checkPasswordAndPrivs(cluster, user, passwd, db, null, clientIp, predicate); + } + private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, List tables, - String clientIp, PrivPredicate predicate) throws AuthenticationException { + String clientIp, PrivPredicate predicate) throws AuthenticationException { final String fullUserName = ClusterNamespace.getFullName(cluster, user); final String fullDbName = ClusterNamespace.getFullName(cluster, db); 
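Review bot: The new `checkDbPasswordAndPrivs` selects the database-level check by passing `null` as the table list, but neither overload documents that contract, and `checkSingleTablePasswordAndPrivs` cannot reach it: `Lists.newArrayList(tbl)` with a null `tbl` produces a one-element list containing null, which goes down the per-table checkTblPriv loop rather than the `tables == null || tables.isEmpty()` branch added in the next hunk. A Javadoc on the new overload would make the sentinel explicit, e.g. `/** Authenticates the user and checks {@code predicate} on the whole database; passes a null table list so that checkPasswordAndPrivs takes its database-level branch. */`. The single-table overload should also reject a null `tbl` up front (e.g. `Preconditions.checkNotNull(tbl, "tbl")`, or an AuthenticationException) so that a request with its table field unset fails clearly; what checkTblPriv does with a null table name is not visible here. The body of checkPasswordAndPrivs continues past the end of this hunk.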
@@ -1109,10 +1114,20 @@ public class FrontendServiceImpl implements FrontendService.Iface { Env.getCurrentEnv().getAuth().checkPlainPassword(fullUserName, clientIp, passwd, currentUser); Preconditions.checkState(currentUser.size() == 1); + if (tables == null || tables.isEmpty()) { + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(currentUser.get(0), fullDbName, predicate)) { + throw new AuthenticationException( + "Access denied; you need (at least one of) the (" + predicate.toString() + + ") privilege(s) for this operation"); + } + return; + } + for (String tbl : tables) { if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(currentUser.get(0), fullDbName, tbl, predicate)) { throw new AuthenticationException( - "Access denied; you need (at least one of) the LOAD privilege(s) for this operation"); + "Access denied; you need (at least one of) the (" + predicate.toString() + + ") privilege(s) for this operation"); } } }
@@ -1184,7 +1199,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { if (request.isSetAuthCode()) { // TODO(cmy): find a way to check } else if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); }
@@ -1363,7 +1379,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { } List tbNames; - //check has multi table + // check has multi table if (CollectionUtils.isNotEmpty(request.getTbls())) { tbNames = request.getTbls(); } else {
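Review bot: The database-level branch is entered on `tables == null || tables.isEmpty()`, so an empty table list now means "check the predicate on the database", whereas before this change an empty list fell straight through the `for (String tbl : tables)` loop and ran no privilege check at all after the password check; that is a welcome tightening, but nothing in the code says which sentinel callers are expected to use. Add a comment above the branch, e.g. `// No table names: the caller asks for a database-wide check (see checkDbPasswordAndPrivs). An empty list is treated the same so that a request with no table set is never left unchecked.` The access-denied message is now assembled identically in both branches; a small private helper taking the PrivPredicate would keep the two from drifting apart again the way the hard-coded LOAD wording did. The start of checkPasswordAndPrivs, including where `currentUser` is populated, lies before this hunk.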
@@ -1374,7 +1390,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { OlapTable table = (OlapTable) db.getTableOrMetaException(tbl, TableType.OLAP); tables.add(table); } - //if it has multi table, use multi table and update multi table running transaction table ids + // if it has multi table, use multi table and update multi table running transaction table ids if (CollectionUtils.isNotEmpty(request.getTbls())) { List multiTableIds = tables.stream().map(Table::getId).collect(Collectors.toList()); Env.getCurrentGlobalTransactionMgr().getDatabaseTransactionMgr(db.getId())
@@ -1398,11 +1414,12 @@ public class FrontendServiceImpl implements FrontendService.Iface { // refactoring it if (CollectionUtils.isNotEmpty(request.getTbls())) { for (String tbl : request.getTbls()) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl, + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + tbl, request.getUserIp(), PrivPredicate.LOAD); } } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); }
@@ -1510,7 +1527,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { } for (Table table : tableList) { // check auth - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), table.getName(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + table.getName(), request.getUserIp(), PrivPredicate.LOAD); }
@@ -1578,7 +1596,7 @@ public class FrontendServiceImpl implements FrontendService.Iface { checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbls(), request.getUserIp(), PrivPredicate.LOAD); } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } }
@@ -1763,14 +1781,15 @@ public class FrontendServiceImpl implements FrontendService.Iface { } else if (request.isSetToken()) { checkToken(request.getToken()); } else { - //multi table load + // multi table load if (CollectionUtils.isNotEmpty(request.getTbls())) { for (String tbl : request.getTbls()) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl, + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + tbl, request.getUserIp(), PrivPredicate.LOAD); } } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); }
@@ -2054,7 +2073,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { if (request.isSetAuthCode()) { // TODO(cmy): find a way to check } else if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } ctx.setEnv(Env.getCurrentEnv());
@@ -2131,15 +2151,15 @@ public class FrontendServiceImpl implements FrontendService.Iface { } private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs) throws UserException { + String fullDbName, OlapTable table, + long timeoutMs) throws UserException { return generatePlanFragmentParams(request, db, fullDbName, table, timeoutMs, 1, false); } private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs, int multiTableFragmentInstanceIdIndex, - boolean isMultiTableRequest) + String fullDbName, OlapTable table, + long timeoutMs, int multiTableFragmentInstanceIdIndex, + boolean isMultiTableRequest) throws UserException { if (!table.tryReadLock(timeoutMs, TimeUnit.MILLISECONDS)) { throw new UserException(
@@ -2191,10 +2211,10 @@ public class FrontendServiceImpl implements FrontendService.Iface { } private TPipelineFragmentParams generatePipelineStreamLoadPut(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs, - int multiTableFragmentInstanceIdIndex, - boolean isMultiTableRequest) + String fullDbName, OlapTable table, + long timeoutMs, + int multiTableFragmentInstanceIdIndex, + boolean isMultiTableRequest) throws UserException { if (db == null) { String dbName = fullDbName;
@@ -2746,7 +2766,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { cluster = SystemInfoService.DEFAULT_CLUSTER; } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), request.getUserIp(), PrivPredicate.SELECT); }
@@ -2867,8 +2888,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { request.getUser(), request.getDb(), request.getLabelName(), request.getSnapshotName(), request.getSnapshotType()); if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), - request.getTable(), clientIp, PrivPredicate.LOAD); + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), clientIp, PrivPredicate.SELECT); } // Step 3: get snapshot
@@ -2952,8 +2973,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), - request.getTable(), clientIp, PrivPredicate.LOAD); + checkDbPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), clientIp, + PrivPredicate.LOAD); } // Step 3: get snapshot
@@ -3085,7 +3106,8 @@ public class FrontendServiceImpl implements FrontendService.Iface { cluster = SystemInfoService.DEFAULT_CLUSTER; } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), request.getUserIp(), PrivPredicate.SELECT); }
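Review bot: The privilege required at this call drops from LOAD to SELECT without a comment saying why, and the commit message only says the ccr privileges are being clarified. The context lines (label name, snapshot name and type logged just above, "Step 3: get snapshot" just below) suggest this is the snapshot-read path, where SELECT is the natural requirement; if so, state it at the call: `// fetching a snapshot is a read of the table, so SELECT (not LOAD) is required`. Note that the whole check is skipped whenever `request.getToken()` is non-empty, so the token has to be validated before this point; that code is outside the hunk and cannot be confirmed from here.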
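Review bot: Switching this call to `checkDbPasswordAndPrivs` moves the LOAD check from `request.getTable()` to the whole database, and the effect of that depends on checkDbPriv semantics that the diff does not show: if checkDbPriv is satisfied only by a database-wide or global grant this is stricter than before, but if it also accepts a LOAD grant on any single table in the database, a user holding LOAD on an unrelated table would pass this check for an operation on `request.getTable()`. Please confirm which it is and record the reason at the call, e.g. `// the target table may not exist yet, so LOAD is checked on the database rather than on request.getTable()` — assuming this is the restore path, which the hunk does not show. Since the old line did name the table, dropping it should at least be explained in the commit description. The enclosing method starts before this hunk.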