[CP] fix: check privilege when executing show create function.

2025-03-15 15:16:16 +00:00
parent 85019efc48
commit 008d0a86de
3 changed files with 65 additions and 2 deletions
--- a/src/observer/virtual_table/ob_show_create_procedure.cpp
+++ b/src/observer/virtual_table/ob_show_create_procedure.cpp
@ -151,7 +151,13 @@ int ObShowCreateProcedure::fill_row_cells(uint64_t show_procedure_id, const ObRo
          // create_routine
          bool sql_quote_show_create = true;
          bool ansi_quotes = false;
-          if (OB_FAIL(session_->get_sql_quote_show_create(sql_quote_show_create))) {
+          bool print_column_priv = false;
+          bool is_mysql_mode = lib::is_mysql_mode();
+          if (is_mysql_mode && OB_FAIL(has_show_create_function_priv(proc_info, print_column_priv))) {
+            SERVER_LOG(WARN, "failed to check print column priv", K(ret), K(proc_info));
+          } else if (is_mysql_mode && !print_column_priv) {
+            cur_row_.cells_[cell_idx].set_null();
+          } else if (OB_FAIL(session_->get_sql_quote_show_create(sql_quote_show_create))) {
            SERVER_LOG(WARN, "failed to get sql_quote_show_create", K(ret), K(session_));
          } else if (FALSE_IT(IS_ANSI_QUOTES(session_->get_sql_mode(), ansi_quotes))) {
            // do nothing
@ -227,5 +233,44 @@ int ObShowCreateProcedure::fill_row_cells(uint64_t show_procedure_id, const ObRo
  return ret;
 }

+int ObShowCreateProcedure::has_show_create_function_priv(const ObRoutineInfo &proc_info,
+                                                         bool &print_create_function_column_priv) const {
+  int ret = OB_SUCCESS;
+  if (sql::ObSchemaChecker::is_ora_priv_check()) {
+  } else {
+    const ObString &db = session_priv_.db_;
+    const ObString &routine = proc_info.get_routine_name();
+
+    ObArenaAllocator alloc;
+    ObStmtNeedPrivs stmt_need_privs(alloc);
+
+    // check routine definer
+    ObString priv_user = proc_info.get_priv_user();
+    ObString user_name = priv_user.split_on('@');
+    if (user_name == session_priv_.user_name_) {
+      print_create_function_column_priv = true;
+    }
+
+    // check global-level select priv
+    if (!print_create_function_column_priv) {
+      stmt_need_privs.reset();
+      ObNeedPriv need_priv("", "", OB_PRIV_USER_LEVEL, OB_PRIV_SELECT, false);
+      if (OB_FAIL(stmt_need_privs.need_privs_.init(1))) {
+        SERVER_LOG(WARN, "fail to init need_privs", K(ret));
+      } else if (OB_FAIL(stmt_need_privs.need_privs_.push_back(need_priv))) {
+        SERVER_LOG(WARN, "Add need priv to stmt_need_privs error", K(ret));
+      } else if (OB_FAIL(schema_guard_->check_priv(session_priv_, enable_role_id_array_, stmt_need_privs))) {
+        SERVER_LOG(WARN, "No privilege global-level select", K(ret));
+        if (OB_ERR_NO_PRIVILEGE == ret) {
+          ret = OB_SUCCESS;
+        }
+      } else {
+        print_create_function_column_priv = true;
+      }
+    }
+  }
+  return ret;
+}
+
 }
 }
--- a/src/observer/virtual_table/ob_show_create_procedure.h
+++ b/src/observer/virtual_table/ob_show_create_procedure.h
@ -15,6 +15,7 @@

 #include "lib/container/ob_se_array.h"
 #include "share/ob_virtual_table_scanner_iterator.h"
+#include "share/schema/ob_priv_type.h"
 #include "common/ob_range.h"

 namespace oceanbase
@ -39,12 +40,23 @@ public:
  virtual ~ObShowCreateProcedure();
  virtual int inner_get_next_row(common::ObNewRow *&row);
  virtual void reset();
+
+  inline share::schema::ObSessionPrivInfo &get_session_priv()
+  { return session_priv_; }
+
+  inline common::ObIArray<uint64_t> &get_role_id_array()
+  { return enable_role_id_array_; }
+
+  int has_show_create_function_priv(const ObRoutineInfo &proc_info,
+                                    bool &print_create_function_column_priv) const;
 private:
  int calc_show_procedure_id(uint64_t &show_table_id);
  int fill_row_cells(uint64_t show_procedure_id,
                     const share::schema::ObRoutineInfo &proc_info);
 private:
  DISALLOW_COPY_AND_ASSIGN(ObShowCreateProcedure);
+  EnableRoleIdArray enable_role_id_array_;
+  share::schema::ObSessionPrivInfo session_priv_;
 };
 }// observer
 }// oceanbase
--- a/src/observer/virtual_table/ob_virtual_table_iterator_factory.cpp
+++ b/src/observer/virtual_table/ob_virtual_table_iterator_factory.cpp
@ -1210,7 +1210,13 @@ int ObVTIterCreator::create_vt_iter(ObVTableScanParam &params,
          {
            ObShowCreateProcedure *create_proc = NULL;
            if (OB_SUCC(NEW_VIRTUAL_TABLE(ObShowCreateProcedure, create_proc))) {
-              vt_iter = static_cast<ObVirtualTableIterator *>(create_proc);
+              if (OB_FAIL(session->get_session_priv_info(create_proc->get_session_priv()))) {
+                SERVER_LOG(WARN, "fail to get session priv info", K(ret));
+              } else if (OB_FAIL(create_proc->get_role_id_array().assign(session->get_enable_role_array()))) {
+                SERVER_LOG(WARN, "fail to assign role id array", K(ret));
+              } else {
+                vt_iter = static_cast<ObVirtualTableIterator *>(create_proc);
+              }
            }
            break;
          }