This is an automated email from the ASF dual-hosted git repository.
dataroaring pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new ef9cbc4c64e [enhancement](priv) Clarify ccr releated
FrontendServiceImpl call privs (#25530)
ef9cbc4c64e is described below
commit ef9cbc4c64efdc339aa55e42f84453f60f33e6a5
Author: Jack Drogon <[email protected]>
AuthorDate: Tue Oct 17 21:51:55 2023 -0500
[enhancement](priv) Clarify ccr releated FrontendServiceImpl call privs
(#25530)
Signed-off-by: Jack Drogon <[email protected]>
---
.../apache/doris/service/FrontendServiceImpl.java | 92 ++++++++++++++--------
1 file changed, 57 insertions(+), 35 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index 2cb8337db72..7d8626c1ea0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -525,7 +525,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
// index id -> index schema
Map<Long, LinkedList<Column>> indexSchemaMap = new
HashMap<>();
- //index id -> index col_unique_id supplier
+ // index id -> index col_unique_id supplier
Map<Long, IntSupplier> colUniqueIdSupplierMap = new
HashMap<>();
for (Map.Entry<Long, List<Column>> entry :
olapTable.getIndexIdToSchema(true).entrySet()) {
indexSchemaMap.put(entry.getKey(), new
LinkedList<>(entry.getValue()));
@@ -544,13 +544,13 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
colUniqueIdSupplierMap.put(entry.getKey(),
colUniqueIdSupplier);
}
- //4. call schame change function, only for dynamic table
feature.
+ // 4. call schame change function, only for dynamic table
feature.
SchemaChangeHandler schemaChangeHandler = new
SchemaChangeHandler();
boolean lightSchemaChange =
schemaChangeHandler.processAddColumns(
addColumnsClause, olapTable, indexSchemaMap, true,
colUniqueIdSupplierMap);
if (lightSchemaChange) {
- //for schema change add column optimize, direct modify
table meta.
+ // for schema change add column optimize, direct
modify table meta.
List<Index> newIndexes = olapTable.getCopiedIndexes();
long jobId = Env.getCurrentEnv().getNextId();
Env.getCurrentEnv().getSchemaChangeHandler().modifyTableLightSchemaChange(
@@ -562,7 +562,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
}
- //5. build all columns
+ // 5. build all columns
for (Column column : olapTable.getBaseSchema()) {
allColumns.add(column.toThrift());
}
@@ -756,7 +756,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
if (params.isSetPattern()) {
try {
matcher =
PatternMatcher.createMysqlPattern(params.getPattern(),
- CaseSensibility.TABLE.getCaseSensibility());
+ CaseSensibility.TABLE.getCaseSensibility());
} catch (PatternMatcherException e) {
throw new TException("Pattern is in bad format " +
params.getPattern());
}
@@ -1095,13 +1095,18 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
return tableNames;
}
- private void checkPasswordAndPrivs(String cluster, String user, String
passwd, String db, String tbl,
- String clientIp, PrivPredicate
predicate) throws AuthenticationException {
+ private void checkSingleTablePasswordAndPrivs(String cluster, String user,
String passwd, String db, String tbl,
+ String clientIp, PrivPredicate predicate) throws
AuthenticationException {
checkPasswordAndPrivs(cluster, user, passwd, db,
Lists.newArrayList(tbl), clientIp, predicate);
}
+ private void checkDbPasswordAndPrivs(String cluster, String user, String
passwd, String db, String clientIp,
+ PrivPredicate predicate) throws AuthenticationException {
+ checkPasswordAndPrivs(cluster, user, passwd, db, null, clientIp,
predicate);
+ }
+
private void checkPasswordAndPrivs(String cluster, String user, String
passwd, String db, List<String> tables,
- String clientIp, PrivPredicate
predicate) throws AuthenticationException {
+ String clientIp, PrivPredicate predicate) throws
AuthenticationException {
final String fullUserName = ClusterNamespace.getFullName(cluster,
user);
final String fullDbName = ClusterNamespace.getFullName(cluster, db);
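Review bot: `checkSingleTablePasswordAndPrivs` wraps its argument with `Lists.newArrayList(tbl)`, so a null table name becomes a one-element list holding null, not an empty list. The check would then take the per-table path with a null name instead of the database-level path that the list overload (completed in the next hunk) uses for null or empty input. Whether any caller can pass an unset table is not visible here, but a guard such as `Preconditions.checkArgument(!Strings.isNullOrEmpty(tbl), "table name is required");` at the top of the wrapper would make it fail closed. A one-line Javadoc on each wrapper stating the scope it checks (single table vs. whole database) would also help. The list overload's body continues outside this hunk.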
@@ -1109,10 +1114,20 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
Env.getCurrentEnv().getAuth().checkPlainPassword(fullUserName,
clientIp, passwd, currentUser);
Preconditions.checkState(currentUser.size() == 1);
+ if (tables == null || tables.isEmpty()) {
+ if
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(currentUser.get(0),
fullDbName, predicate)) {
+ throw new AuthenticationException(
+ "Access denied; you need (at least one of) the (" +
predicate.toString()
+ + ") privilege(s) for this operation");
+ }
+ return;
+ }
+
for (String tbl : tables) {
if
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(currentUser.get(0),
fullDbName, tbl, predicate)) {
throw new AuthenticationException(
- "Access denied; you need (at least one of) the LOAD
privilege(s) for this operation");
+ "Access denied; you need (at least one of) the (" +
predicate.toString()
+ + ") privilege(s) for this operation");
}
}
}
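Review bot: The new `tables == null || tables.isEmpty()` branch makes the scope of the privilege check depend on an undocumented sentinel, so a caller that hands over an empty list by mistake is checked against the database instead of any table. A comment above the branch such as `// null or empty tables: check the privilege on the whole database` would record the intent for future callers. The denial message is now built identically in two places, and `predicate.toString()` is redundant inside string concatenation (`"... the (" + predicate + ") privilege(s) ..."` is enough). The method's signature is in the previous hunk.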
@@ -1184,7 +1199,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
if (request.isSetAuthCode()) {
// TODO(cmy): find a way to check
} else if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), request.getTbl(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
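Review bot: The `request.isSetAuthCode()` branch kept as context here contains only the `TODO(cmy)` comment, so a request that sets an auth code reaches neither the password check nor the privilege check in the visible lines. Unless the auth code is validated outside this hunk, the branch should reject the request or fall through to `checkSingleTablePasswordAndPrivs` until that validation exists. The hunk at -2054 carries the same branch. The enclosing method starts and ends outside the hunk.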
@@ -1363,7 +1379,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
List<String> tbNames;
- //check has multi table
+ // check has multi table
if (CollectionUtils.isNotEmpty(request.getTbls())) {
tbNames = request.getTbls();
} else {
@@ -1374,7 +1390,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
OlapTable table = (OlapTable) db.getTableOrMetaException(tbl,
TableType.OLAP);
tables.add(table);
}
- //if it has multi table, use multi table and update multi table
running transaction table ids
+ // if it has multi table, use multi table and update multi table
running transaction table ids
if (CollectionUtils.isNotEmpty(request.getTbls())) {
List<Long> multiTableIds =
tables.stream().map(Table::getId).collect(Collectors.toList());
Env.getCurrentGlobalTransactionMgr().getDatabaseTransactionMgr(db.getId())
@@ -1398,11 +1414,12 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
// refactoring it
if (CollectionUtils.isNotEmpty(request.getTbls())) {
for (String tbl : request.getTbls()) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), tbl,
+ checkSingleTablePasswordAndPrivs(cluster,
request.getUser(), request.getPasswd(), request.getDb(),
+ tbl,
request.getUserIp(), PrivPredicate.LOAD);
}
} else {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
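Review bot: The multi-table branch calls `checkSingleTablePasswordAndPrivs` once per entry of `request.getTbls()`, and each call goes through `checkPlainPassword` again (visible in the list overload earlier in this diff), so the same password is verified once per table. The list overload already takes all names in one call, `checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbls(), request.getUserIp(), PrivPredicate.LOAD);`, which is the form the hunk at -1578 uses. Authenticating once also keeps any per-attempt login accounting that `checkPlainPassword` may perform at one entry per request. The loop under `// multi table load` in the hunk at -1763 has the same shape. The enclosing method starts and ends outside the hunk.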
@@ -1510,7 +1527,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
for (Table table : tableList) {
// check auth
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), table.getName(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ table.getName(),
request.getUserIp(), PrivPredicate.LOAD);
}
@@ -1578,7 +1596,7 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
request.getTbls(), request.getUserIp(),
PrivPredicate.LOAD);
} else {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
request.getTbl(), request.getUserIp(),
PrivPredicate.LOAD);
}
}
@@ -1763,14 +1781,15 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
} else if (request.isSetToken()) {
checkToken(request.getToken());
} else {
- //multi table load
+ // multi table load
if (CollectionUtils.isNotEmpty(request.getTbls())) {
for (String tbl : request.getTbls()) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), tbl,
+ checkSingleTablePasswordAndPrivs(cluster,
request.getUser(), request.getPasswd(), request.getDb(),
+ tbl,
request.getUserIp(), PrivPredicate.LOAD);
}
} else {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
@@ -2054,7 +2073,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
if (request.isSetAuthCode()) {
// TODO(cmy): find a way to check
} else if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), request.getTbl(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ request.getTbl(),
request.getUserIp(), PrivPredicate.LOAD);
}
ctx.setEnv(Env.getCurrentEnv());
@@ -2131,15 +2151,15 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
private TExecPlanFragmentParams
generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
- String
fullDbName, OlapTable table,
- long timeoutMs)
throws UserException {
+ String fullDbName, OlapTable table,
+ long timeoutMs) throws UserException {
return generatePlanFragmentParams(request, db, fullDbName, table,
timeoutMs, 1, false);
}
private TExecPlanFragmentParams
generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
- String
fullDbName, OlapTable table,
- long timeoutMs,
int multiTableFragmentInstanceIdIndex,
- boolean
isMultiTableRequest)
+ String fullDbName, OlapTable table,
+ long timeoutMs, int multiTableFragmentInstanceIdIndex,
+ boolean isMultiTableRequest)
throws UserException {
if (!table.tryReadLock(timeoutMs, TimeUnit.MILLISECONDS)) {
throw new UserException(
@@ -2191,10 +2211,10 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
private TPipelineFragmentParams
generatePipelineStreamLoadPut(TStreamLoadPutRequest request, Database db,
- String
fullDbName, OlapTable table,
- long
timeoutMs,
- int
multiTableFragmentInstanceIdIndex,
- boolean
isMultiTableRequest)
+ String fullDbName, OlapTable table,
+ long timeoutMs,
+ int multiTableFragmentInstanceIdIndex,
+ boolean isMultiTableRequest)
throws UserException {
if (db == null) {
String dbName = fullDbName;
@@ -2746,7 +2766,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
cluster = SystemInfoService.DEFAULT_CLUSTER;
}
if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), request.getTable(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ request.getTable(),
request.getUserIp(), PrivPredicate.SELECT);
}
@@ -2867,8 +2888,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
request.getUser(), request.getDb(), request.getLabelName(),
request.getSnapshotName(),
request.getSnapshotType());
if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
- request.getTable(), clientIp, PrivPredicate.LOAD);
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ request.getTable(), clientIp, PrivPredicate.SELECT);
}
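Review bot: The password and privilege check here runs only when `request.getToken()` is null or empty, and no token validation is visible in the hunk for the other case, unlike the `checkToken(request.getToken())` call shown in the hunk at -1763. If the token is not verified elsewhere in this method, any non-empty token would skip the new SELECT check; an `else { checkToken(request.getToken()); }` branch would close that path. The same guard appears in the hunks at -2746, -2952 and -3085. The switch from `PrivPredicate.LOAD` to `PrivPredicate.SELECT` would also benefit from a short comment saying why read access is the required privilege for this call. The enclosing method starts and ends outside the hunk.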
// Step 3: get snapshot
@@ -2952,8 +2973,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
- request.getTable(), clientIp, PrivPredicate.LOAD);
+ checkDbPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), clientIp,
+ PrivPredicate.LOAD);
}
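Review bot: This call no longer consults `request.getTable()` and now requires `PrivPredicate.LOAD` on the whole database, which narrows who may use it: a user holding LOAD only on individual tables would presumably be denied, though `checkDbPriv`'s matching rules are not visible here. Nothing in the hunk records that the wider scope is intentional, so a comment such as `// operates on the whole database, so LOAD is checked at db scope` above the call would help. The behaviour change is worth a line in the commit description, which currently says only "Clarify". The enclosing method starts and ends outside the hunk.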
// Step 3: get snapshot
@@ -3085,7 +3106,8 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
cluster = SystemInfoService.DEFAULT_CLUSTER;
}
if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(), request.getTable(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(),
request.getPasswd(), request.getDb(),
+ request.getTable(),
request.getUserIp(), PrivPredicate.SELECT);
}