From f203ee82247f91d5b1e0205965162207091d0bf2 Mon Sep 17 00:00:00 2001
From: zhangdong <493738387@qq.com>
Date: Fri, 16 Aug 2024 17:31:58 +0800
Subject: [PATCH] [enhance](auth)modify priv of refresh catalog/db/table (#39008) (#39475)

pick from master #39008
---
 .../org/apache/doris/analysis/RefreshCatalogStmt.java | 6 +++---
 .../java/org/apache/doris/analysis/RefreshDbStmt.java | 11 +++-------
 .../org/apache/doris/analysis/RefreshTableStmt.java | 11 +++-------
 .../main/java/org/apache/doris/common/ErrorCode.java | 2 ++
 .../java/org/apache/doris/catalog/RefreshDbTest.java | 8 ++------
 .../org/apache/doris/catalog/RefreshTableTest.java | 6 +-----
 6 files changed, 14 insertions(+), 30 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
index a2e5930d14..dd3f3b6d72 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
@@ -67,9 +67,9 @@ public class RefreshCatalogStmt extends DdlStmt {
         }
 
         if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(
-                ConnectContext.get(), catalogName, PrivPredicate.ALTER)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED,
-                    analyzer.getQualifiedUser(), catalogName);
+                ConnectContext.get(), catalogName, PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), catalogName);
         }
 
         // Set to false only if user set the property "invalid_cache"="false"
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
index e8bdc168dd..1bfe609836 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
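Review bot: The gate on the new side drops from ALTER to SHOW without any comment recording why, so anyone who can see the catalog can now trigger a refresh; the same loosening is made in the RefreshDbStmt hunk (DROP and CREATE → SHOW) and the RefreshTableStmt hunk (DROP and CREATE → SHOW), and the commit message only says "modify priv". A refresh is not read-only in effect — the `invalid_cache` handling that follows the check presumably discards cached metadata that then has to be re-fetched — so the privilege choice trades letting readers fix stale metadata against exposing that re-fetch cost to every reader, and that reasoning deserves to be written down at the check. Suggest a comment above the `if`, e.g. `// SHOW is enough: a refresh only re-reads metadata the user may already see and cannot alter or drop anything.`, and the same comment at the two sibling checks. The enclosing method starts and ends outside the hunk.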
@@ -87,14 +87,9 @@ public class RefreshDbStmt extends DdlStmt {
         }
         // check access
         if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName,
-                dbName, PrivPredicate.DROP)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
-                    ConnectContext.get().getQualifiedUser(), dbName);
-        }
-        if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), catalogName,
-                dbName, PrivPredicate.CREATE)) {
-            ErrorReport.reportAnalysisException(
-                    ErrorCode.ERR_DBACCESS_DENIED_ERROR, analyzer.getQualifiedUser(), dbName);
+                dbName, PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
         }
         String invalidConfig = properties == null ? null : properties.get(INVALID_CACHE);
         // Default is to invalid cache.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
index 65bf35f305..138400d18d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
@@ -60,14 +60,9 @@ public class RefreshTableStmt extends DdlStmt {
         // check access
         if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
                 tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.DROP)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "DROP");
-        }
-
-        if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
-                tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.CREATE)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "CREATE");
+                tableName.getTbl(), PrivPredicate.SHOW)) {
+            ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), tableName.getTbl());
         }
     }
 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
index cbdaf8ddf7..e2e65a2453 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
@@ -77,6 +77,8 @@ public enum ErrorCode {
                     + "(current value: %d)"),
     ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
             + "one of) the (%s) privilege(s) for this operation"),
+    ERR_CATALOG_ACCESS_DENIED_ERROR(1221, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
+            + "one of) the (%s) privilege(s) on catalog %s for this operation"),
     ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, "Access denied; you need (at least "
             + "one of) the (%s) privilege(s) on database %s for this operation"),
     ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1223, new byte[] {'4', '2', '0', '0', '0'}, "Access denied; you need all "
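Review bot: The added call reports `ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR` with a (privilege list, table name) argument pair, but this patch adds only ERR_CATALOG_ACCESS_DENIED_ERROR to ErrorCode, so ERR_TABLE_ACCESS_DENIED_ERROR must already exist and its format string is not visible here; if it takes the arguments in a different order or count the message would be malformed at runtime rather than rejected at compile time, so the argument order should be checked against the enum. The old code passed only the privilege name through ERR_SPECIFIC_ACCESS_DENIED_ERROR, so this is a new message shape for this statement and worth a one-line comment, e.g. `// args: (privilege list, table name) — must match ERR_TABLE_ACCESS_DENIED_ERROR`. The enclosing method starts outside the hunk.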
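Review bot: The added ERR_CATALOG_ACCESS_DENIED_ERROR takes numeric code 1221, and the window shown gives no way to confirm that 1221 is not already assigned to another constant in this enum; clients and tests key on the numeric code, so a duplicate would make the catalog error and some unrelated error indistinguishable, and uniqueness should be verified before merge (a small test asserting that codes are distinct across the enum would keep it that way). The message has two `%s` slots with nothing saying which is which, while the call site in RefreshCatalogStmt passes the privilege list first and the catalog name second, so a short comment above the constant, e.g. `// args: (privilege list, catalog name)`, would tie the format to its callers.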
diff --git a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
index fd7a6b1a24..a18c41edc9 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
@@ -120,23 +120,19 @@ public class RefreshDbTest extends TestWithFeService {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
         user1.analyze();
         ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
         ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
-                "Access denied for user 'user1' to database 'db1'",
+                "Access denied",
                 () -> parseAndAnalyzeStmt("refresh database test1.db1", user1Ctx));
         ConnectContext.remove();
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();
diff --git a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
index aee15abd27..45878b6001 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
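Review bot: The expected message at the changed `expectThrowsWithMsg` line shrinks to `"Access denied"`, a prefix every access-denied ErrorCode visible in this patch shares, so the test no longer shows that the SHOW check and the ERR_DB_ACCESS_DENIED_ERROR path are what rejected user1; `"privilege(s) on database db1"` is the stable tail of that ErrorCode's format (the privilege list's toString is the volatile part) and would keep the assertion specific. The positive case still grants drop_priv, so after this patch it only shows that a DROP holder still passes, not that the weaker SHOW predicate is sufficient; granting the narrowest privilege that satisfies PrivPredicate.SHOW (whichever that is in PrivPredicate — not visible here) would pin the intended loosening. The RefreshTableTest hunks in this patch remove the create_priv grant in the same way and would benefit from the same narrowing, though their expectThrowsWithMsg line lies outside the hunks. The enclosing test method starts and ends outside the hunk.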
@@ -128,10 +128,6 @@ public class RefreshTableTest extends TestWithFeService {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
@@ -144,7 +140,7 @@ public class RefreshTableTest extends TestWithFeService {
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();