This is an automated email from the ASF dual-hosted git repository.
diwu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new da21b1cb24 [Feature](Job)Allow Job to perform all insert operations,
and limit permissions to allow Admin operations (#23492)
da21b1cb24 is described below
commit da21b1cb244fb24bd48ad9b53bc4a48377862f44
Author: Calvin Kirs <[email protected]>
AuthorDate: Fri Aug 25 21:58:53 2023 +0800
[Feature](Job)Allow Job to perform all insert operations, and limit
permissions to allow Admin operations (#23492)
---
.../org/apache/doris/analysis/CreateJobStmt.java | 35 ++++++++++++++++------
.../org/apache/doris/analysis/PauseJobStmt.java | 11 +------
.../org/apache/doris/analysis/ResumeJobStmt.java | 13 ++------
.../org/apache/doris/analysis/ShowJobTaskStmt.java | 10 +------
.../org/apache/doris/analysis/StopJobStmt.java | 11 +------
5 files changed, 31 insertions(+), 49 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateJobStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateJobStmt.java
index b6736b2730..a1f9b6bd82 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateJobStmt.java
@@ -19,8 +19,11 @@ package org.apache.doris.analysis;
import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.util.TimeUtils;
+import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.scheduler.common.IntervalUnit;
import org.apache.doris.scheduler.constants.JobCategory;
@@ -33,6 +36,8 @@ import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
+import java.util.HashSet;
+
/**
* syntax:
* CREATE
@@ -79,8 +84,10 @@ public class CreateJobStmt extends DdlStmt {
private String timezone = TimeUtils.DEFAULT_TIME_ZONE;
- private static final ImmutableSet<String> supportStmtClassName = new
ImmutableSet.Builder<String>()
- .add(NativeInsertStmt.class.getName()).build();
+ private static final ImmutableSet<Class<? extends DdlStmt>>
supportStmtSuperClass
+ = new ImmutableSet.Builder<Class<? extends
DdlStmt>>().add(InsertStmt.class).build();
+
+ private static HashSet<String> supportStmtClassNamesCache = new
HashSet<>(16);
public CreateJobStmt(LabelName labelName, String onceJobStartTimestamp,
Boolean isStreamingJob,
Long interval, String intervalTimeUnit,
@@ -134,17 +141,27 @@ public class CreateJobStmt extends DdlStmt {
analyzerSqlStmt();
}
- private void checkAuth() throws AnalysisException {
- UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!userIdentity.isRootUser()) {
- throw new AnalysisException("only root user can create job");
+ protected static void checkAuth() throws AnalysisException {
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
}
}
- private void analyzerSqlStmt() throws UserException {
- if (!supportStmtClassName.contains(stmt.getClass().getName())) {
- throw new AnalysisException("Not support stmt type");
+ private void checkStmtSupport() throws AnalysisException {
+ if
(supportStmtClassNamesCache.contains(stmt.getClass().getSimpleName())) {
+ return;
+ }
+ for (Class<? extends DdlStmt> clazz : supportStmtSuperClass) {
+ if (clazz.isAssignableFrom(stmt.getClass())) {
+
supportStmtClassNamesCache.add(stmt.getClass().getSimpleName());
+ return;
+ }
}
+ throw new AnalysisException("Not support this stmt type");
+ }
+
+ private void analyzerSqlStmt() throws UserException {
+ checkStmtSupport();
stmt.analyze(analyzer);
String originStmt = getOrigStmt().originStmt;
String executeSql = parseExecuteSql(originStmt);
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/PauseJobStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/PauseJobStmt.java
index dd23e61b9a..c399fc37cc 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/PauseJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/PauseJobStmt.java
@@ -18,11 +18,9 @@
package org.apache.doris.analysis;
import org.apache.doris.cluster.ClusterNamespace;
-import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
-import org.apache.doris.qe.ConnectContext;
import com.google.common.base.Strings;
@@ -57,7 +55,7 @@ public class PauseJobStmt extends DdlStmt {
@Override
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- checkAuth();
+ CreateJobStmt.checkAuth();
if (labelName != null) {
labelName.analyze(analyzer);
db = labelName.getDbName();
@@ -68,11 +66,4 @@ public class PauseJobStmt extends DdlStmt {
db = ClusterNamespace.getFullName(analyzer.getClusterName(),
analyzer.getDefaultDb());
}
}
-
- private void checkAuth() throws AnalysisException {
- UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!userIdentity.isRootUser()) {
- throw new AnalysisException("only root user can operate");
- }
- }
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ResumeJobStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ResumeJobStmt.java
index 8cc305bf84..725d24f47a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ResumeJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ResumeJobStmt.java
@@ -18,11 +18,9 @@
package org.apache.doris.analysis;
import org.apache.doris.cluster.ClusterNamespace;
-import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
-import org.apache.doris.qe.ConnectContext;
import com.google.common.base.Strings;
@@ -49,9 +47,9 @@ public class ResumeJobStmt extends DdlStmt {
}
@Override
- public void analyze(Analyzer analyzer) throws AnalysisException,
UserException {
+ public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- checkAuth();
+ CreateJobStmt.checkAuth();
if (labelName != null) {
labelName.analyze(analyzer);
db = labelName.getDbName();
@@ -62,11 +60,4 @@ public class ResumeJobStmt extends DdlStmt {
db = ClusterNamespace.getFullName(analyzer.getClusterName(),
analyzer.getDefaultDb());
}
}
-
- private void checkAuth() throws AnalysisException {
- UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!userIdentity.isRootUser()) {
- throw new AnalysisException("only root user can operate");
- }
- }
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowJobTaskStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowJobTaskStmt.java
index d16fe2a9a2..1eb0241cfe 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowJobTaskStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowJobTaskStmt.java
@@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
-import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@@ -66,17 +65,10 @@ public class ShowJobTaskStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- checkAuth();
+ CreateJobStmt.checkAuth();
checkLabelName(analyzer);
}
- private void checkAuth() throws AnalysisException {
- UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!userIdentity.isRootUser()) {
- throw new AnalysisException("only root user can operate");
- }
- }
-
private void checkLabelName(Analyzer analyzer) throws AnalysisException {
String dbName = labelName == null ? null : labelName.getDbName();
if (Strings.isNullOrEmpty(dbName)) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/StopJobStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/StopJobStmt.java
index fceba0d200..afef3ef01b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/StopJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/StopJobStmt.java
@@ -17,9 +17,7 @@
package org.apache.doris.analysis;
-import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.UserException;
-import org.apache.doris.qe.ConnectContext;
/**
* syntax:
@@ -45,14 +43,7 @@ public class StopJobStmt extends DdlStmt {
@Override
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- checkAuth();
+ CreateJobStmt.checkAuth();
labelName.analyze(analyzer);
}
-
- private void checkAuth() throws AnalysisException {
- UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!userIdentity.isRootUser()) {
- throw new AnalysisException("only root user can operate");
- }
- }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
