database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
25e475898e8a8a183badf52c11c415e881987323
doris/be/src/exec/schema_scanner.h
Mingyu Chen a46bf1ada3 [Authorization] Modify the authorization checking logic (#2372) 
**Authorization checking logic**

There are some problems with the current password and permission checking logic. For example:
First, we create a user by:
`create user cmy@"%" identified by "12345";`

And then 'cmy' can login with password '12345' from any hosts.

Second, we create another user by:
`create user cmy@"192.168.%" identified by "abcde";`

Because "192.168.%" has a higher priority in the permission table than "%". So when "cmy" try
to login in by password "12345" from host "192.168.1.1", it should match the second permission
entry, and will be rejected because of invalid password.
But in current implementation, Doris will continue to check password on first entry, than let it pass. So we should change it.

**Permission checking logic**

After a user login, it should has a unique identity which is got from permission table. For example,
when "cmy" from host "192.168.1.1" login, it's identity should be `cmy@"192.168.%"`. And Doris
should use this identity to check other permission, not by using the user's real identity, which is
`cmy@"192.168.1.1"`.

**Black list**
Functionally speaking, Doris only support adding WHITE LIST, which is to allow user to login from
those hosts in the white list. But is some cases, we do need a BLACK LIST function.
Fortunately, by changing the logic described above, we can simulate the effect of the BLACK LIST.

For example, First we add a user by:
`create user cmy@'%' identified by '12345';`

And now user 'cmy' can login from any hosts. and if we don't want 'cmy' to login from host A, we
can add a new user by:
`create user cmy@'A' identified by 'other_passwd';`

Because "A" has a higher priority in the permission table than "%". If 'cmy' try to login from A using password '12345', it will be rejected.
2019-12-06 17:45:56 +08:00

99 lines
2.9 KiB
C++
Raw Blame History

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
#ifndef DORIS_BE_SRC_QUERY_EXEC_SCHEMA_SCANNER_H
#define DORIS_BE_SRC_QUERY_EXEC_SCHEMA_SCANNER_H
#include <string>
#include "common/status.h"
#include "common/object_pool.h"
#include "gen_cpp/Descriptors_types.h"
#include "gen_cpp/Types_types.h"
#include "runtime/tuple.h"
#include "runtime/mem_pool.h"
namespace doris {
// forehead declar class, because jni function init in DorisServer.
class DorisServer;
class RuntimeState;
// scanner parameter from frontend
struct SchemaScannerParam {
const std::string* db;
const std::string* table;
const std::string* wild;
const std::string* user; // deprecated
const std::string* user_ip; // deprecated
const TUserIdentity* current_user_ident; // to replace the user and user ip
const std::string* ip; // frontend ip
int32_t port; // frontend thrift port
int64_t thread_id;
SchemaScannerParam()
: db(NULL), table(NULL), wild(NULL), user(NULL), user_ip(NULL), current_user_ident(NULL), ip(NULL), port(0) { }
};
// virtual scanner for all schema table
class SchemaScanner {
public:
struct ColumnDesc {
const char* name;
PrimitiveType type;
int size;
bool is_null;
};
SchemaScanner(ColumnDesc* columns, int column_num);
virtual ~SchemaScanner();
// init object need infomation, schema etc.
virtual Status init(SchemaScannerParam* param, ObjectPool* pool);
// Start to work
virtual Status start(RuntimeState* state);
virtual Status get_next_row(Tuple* tuple, MemPool* pool, bool* eos);
// factory function
static SchemaScanner* create(TSchemaTableType::type type);
const TupleDescriptor* tuple_desc() const {
return _tuple_desc;
}
static void set_doris_server(DorisServer* doris_server) {
_s_doris_server = doris_server;
}
protected:
Status create_tuple_desc(ObjectPool* pool);
bool _is_init;
// this is used for sub class
SchemaScannerParam* _param;
// pointer to schema table's column desc
ColumnDesc* _columns;
// num of columns
int _column_num;
TupleDescriptor* _tuple_desc;
static DorisServer* _s_doris_server;
};
}
#endif
Reference in New Issue View Git Blame Copy Permalink