This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push:
new 98e90dd47ef [fix](auth)fix missing authentication (#33347) (#33956)
98e90dd47ef is described below
commit 98e90dd47eff4a98a08e233bd3cd94ebc3312bd1
Author: Mingyu Chen <[email protected]>
AuthorDate: Mon Apr 22 13:52:36 2024 +0800
[fix](auth)fix missing authentication (#33347) (#33956)
bp #33347
Co-authored-by: zhangdong <[email protected]>
---
.../apache/doris/analysis/AdminCopyTabletStmt.java | 5 +-
.../org/apache/doris/analysis/AlterPolicyStmt.java | 6 +-
.../org/apache/doris/analysis/AlterViewStmt.java | 7 +-
.../org/apache/doris/analysis/BaseViewStmt.java | 27 ++++++++
.../doris/analysis/CancelAlterSystemStmt.java | 9 +++
.../apache/doris/analysis/CreatePolicyStmt.java | 16 +++--
.../org/apache/doris/analysis/CreateViewStmt.java | 5 +-
.../doris/analysis/DropMaterializedViewStmt.java | 5 +-
.../org/apache/doris/analysis/DropPolicyStmt.java | 16 +++--
.../org/apache/doris/analysis/SetLdapPassVar.java | 12 ++--
.../doris/analysis/ShowCatalogRecycleBinStmt.java | 11 ++++
.../apache/doris/analysis/ShowCreateDbStmt.java | 10 ++-
.../doris/analysis/ShowCreateRepositoryStmt.java | 11 +++-
.../org/apache/doris/analysis/ShowDataStmt.java | 7 +-
.../apache/doris/analysis/ShowEncryptKeysStmt.java | 12 ++--
.../org/apache/doris/analysis/ShowPluginsStmt.java | 13 +++-
.../doris/analysis/ShowRepositoriesStmt.java | 15 +++++
.../apache/doris/analysis/ShowSnapshotStmt.java | 11 ++++
.../doris/analysis/ShowTabletsBelongStmt.java | 10 +++
.../apache/doris/analysis/ShowTransactionStmt.java | 11 +++-
.../java/org/apache/doris/common/ErrorCode.java | 8 ++-
.../org/apache/doris/job/manager/JobManager.java | 56 +++++++++++++++-
.../main/java/org/apache/doris/load/ExportMgr.java | 30 ++++++++-
.../org/apache/doris/load/StreamLoadRecord.java | 8 +++
.../org/apache/doris/load/StreamLoadRecordMgr.java | 10 +++
.../org/apache/doris/load/loadv2/LoadManager.java | 32 ++++++++-
.../apache/doris/mysql/privilege/PrivBitSet.java | 9 ++-
.../java/org/apache/doris/qe/ShowExecutor.java | 2 +-
.../doris/analysis/CancelExportStmtTest.java | 28 +++++++-
.../analysis/DropMaterializedViewStmtTest.java | 2 +-
.../org/apache/doris/catalog/RefreshTableTest.java | 2 +-
.../apache/doris/job/manager/JobManagerTest.java | 65 +++++++++++++++++++
.../apache/doris/load/loadv2/LoadManagerTest.java | 38 +++++++++++
.../java/org/apache/doris/planner/PlannerTest.java | 2 +-
.../apache/doris/utframe/TestWithFeService.java | 2 +-
regression-test/data/auth_p0/test_strict_mode.csv | 2 +
.../auth_p0/test_admin_copy_tablet_auth.groovy | 35 ++++++++++
.../suites/auth_p0/test_alter_policy_auth.groovy | 37 +++++++++++
.../suites/auth_p0/test_alter_view_auth.groovy | 66 +++++++++++++++++++
.../auth_p0/test_cancel_alter_system_auth.groovy | 35 ++++++++++
.../suites/auth_p0/test_create_policy_auth.groovy | 47 ++++++++++++++
.../suites/auth_p0/test_create_view_auth.groovy | 62 ++++++++++++++++++
.../test_drop_materialized_view_auth.groovy | 35 ++++++++++
.../suites/auth_p0/test_drop_policy_auth.groovy | 43 +++++++++++++
.../test_set_ldap_admin_password_auth.groovy | 35 ++++++++++
.../test_show_catalog_recycle_bin_auth.groovy | 35 ++++++++++
.../auth_p0/test_show_create_database_auth.groovy | 35 ++++++++++
.../test_show_create_repository_auth.groovy | 35 ++++++++++
.../suites/auth_p0/test_show_data_auth.groovy | 35 ++++++++++
.../auth_p0/test_show_encryptkeys_auth.groovy | 36 +++++++++++
.../suites/auth_p0/test_show_plugins_auth.groovy | 35 ++++++++++
.../auth_p0/test_show_repositories_auth.groovy | 35 ++++++++++
.../suites/auth_p0/test_show_snapshot_auth.groovy | 35 ++++++++++
.../auth_p0/test_show_stream_load_auth.groovy | 75 ++++++++++++++++++++++
.../auth_p0/test_show_tablets_belong_auth.groovy | 35 ++++++++++
.../auth_p0/test_show_transaction_auth.groovy | 35 ++++++++++
56 files changed, 1280 insertions(+), 56 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
index 63832d9cd65..475219ca343 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/AdminCopyTabletStmt.java
@@ -71,8 +71,9 @@ public class AdminCopyTabletStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.OPERATOR)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"NODE");
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
}
if (properties == null) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java
index 91a5f143752..c8128e2bcbd 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterPolicyStmt.java
@@ -53,8 +53,10 @@ public class AlterPolicyStmt extends DdlStmt {
super.analyze(analyzer);
// check auth
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
}
if (properties == null || properties.isEmpty()) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
index 6e0da716b07..355c9723c8b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
@@ -62,9 +62,8 @@ public class AlterViewStmt extends BaseViewStmt {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(),
tableName.getDb(), tableName.getTbl(),
PrivPredicate.ALTER)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR,
"ALTER VIEW",
- ConnectContext.get().getQualifiedUser(),
ConnectContext.get().getRemoteIP(),
- tableName.getDb() + ": " + tableName.getTbl());
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.ALTER.getPrivs().toString(),
tableName.getTbl());
}
if (cols != null) {
@@ -74,7 +73,7 @@ public class AlterViewStmt extends BaseViewStmt {
viewDefStmt.setNeedToSql(true);
Analyzer viewAnalyzer = new Analyzer(analyzer);
viewDefStmt.analyze(viewAnalyzer);
-
+ checkQueryAuth();
createColumnAndViewDefs(analyzer);
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
index d8740f03f52..545d7c1c57a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
@@ -18,15 +18,20 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Type;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.util.ToSqlContext;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
+import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
@@ -72,6 +77,28 @@ public class BaseViewStmt extends DdlStmt {
return inlineViewDef;
}
+ protected void checkQueryAuth() throws UserException {
+ for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) {
+ Expr expr = viewDefStmt.getBaseTblResultExprs().get(i);
+ if (!(expr instanceof SlotRef)) {
+ continue;
+ }
+ SlotRef slotRef = (SlotRef) expr;
+ TableName queryTableName = slotRef.getTableName();
+ if (queryTableName == null) {
+ continue;
+ }
+ String queryColumnName = slotRef.getColumnName();
+ String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ?
InternalCatalog.INTERNAL_CATALOG_NAME
+ : queryTableName.getCtl();
+ // check privilege
+ Env.getCurrentEnv().getAccessManager()
+
.checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName,
+ queryTableName.getDb(), queryTableName.getTbl(),
Sets.newHashSet(queryColumnName),
+ PrivPredicate.SELECT);
+ }
+ }
+
/**
* Sets the originalViewDef and the expanded inlineViewDef based on
viewDefStmt.
* If columnNames were given, checks that they do not contain duplicate
column names
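Review bot: checkQueryAuth() skips every result expression that is not a bare SlotRef (`if (!(expr instanceof SlotRef)) { continue; }`), so a view column defined as a function call, cast or arithmetic over a base-table column gets no SELECT check on that column. Columns read only in WHERE, JOIN or GROUP BY are not in getBaseTblResultExprs() either, as far as this hunk shows. Consider collecting the SlotRef descendants of each expression, and of the statement's predicates, and checking all of them. The return value of checkColumnsPriv() is discarded, so the method presumably relies on it throwing on denial; a one-line comment such as `// checkColumnsPriv throws if the user lacks SELECT on the column` would make that explicit. The regression suites for CREATE/ALTER VIEW should include a view over an expression of a column the user cannot read.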
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java
index 9b547a4de53..e3a465d2d90 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CancelAlterSystemStmt.java
@@ -17,7 +17,12 @@
package org.apache.doris.analysis;
+import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.system.SystemInfoService;
import org.apache.doris.system.SystemInfoService.HostInfo;
@@ -44,6 +49,10 @@ public class CancelAlterSystemStmt extends CancelStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.OPERATOR)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.OPERATOR.getPrivs().toString());
+ }
for (String param : params) {
if (!param.contains(":")) {
ids.add(param);
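Review bot: Authorization remains opt-in per statement here: the guard added at the top of analyze() is the same four lines the commit pastes into more than a dozen other statements (ShowCatalogRecycleBinStmt, ShowCreateRepositoryStmt, ShowPluginsStmt, ShowRepositoriesStmt, ShowSnapshotStmt, ShowTabletsBelongStmt, ShowTransactionStmt and others). The next statement class added can omit it just as these did. A single shared helper that takes the required PrivPredicate and reports ERR_SPECIFIC_ACCESS_DENIED_ERROR would keep the check and the message in one place. A unit test that enumerates statement classes and fails on any analyze() without a privilege check would catch future omissions. The rest of analyze() continues outside the hunk.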
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java
index 4d8527c0f79..8aedccb6e75 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreatePolicyStmt.java
@@ -101,6 +101,12 @@ public class CreatePolicyStmt extends DdlStmt {
throw new UserException("storage policy feature is
disabled by default. "
+ "Enable it by setting
'enable_storage_policy=true' in fe.conf");
}
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
break;
case ROW:
default:
@@ -112,10 +118,12 @@ public class CreatePolicyStmt extends DdlStmt {
user.getQualifiedUser(), user.getHost(),
tableName.getTbl());
}
}
- }
- // check auth
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.GRANT)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.GRANT.getPrivs().toString());
+ }
}
}
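Review bot: The ROW branch shares its body with `default:`, so any policy type added to the enum later would be authorized by the global GRANT check instead of being rejected. GRANT is presumably satisfied by more accounts than the ADMIN check this replaces, so the fall-through fails open. Giving `default:` its own body, for example `default: throw new AnalysisException("unknown policy type: " + type);`, makes it fail closed. The same `case ROW: default:` layout appears in DropPolicyStmt. The row policy targets a specific table while the check is checkGlobalPriv; if a table-scoped check was intended, that needs confirming. The switch begins outside this hunk.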
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
index 8b53d18fd9b..2029b464100 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
@@ -67,7 +67,8 @@ public class CreateViewStmt extends BaseViewStmt {
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(),
tableName.getDb(),
tableName.getTbl(), PrivPredicate.CREATE)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"CREATE");
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.CREATE.getPrivs().toString(),
tableName.getTbl());
}
// Do not rewrite nondeterministic functions to constant in create
view's def stmt
@@ -84,7 +85,7 @@ public class CreateViewStmt extends BaseViewStmt {
Analyzer viewAnalyzer = new Analyzer(analyzer);
viewDefStmt.forbiddenMVRewrite();
viewDefStmt.analyze(viewAnalyzer);
-
+ checkQueryAuth();
createColumnAndViewDefs(viewAnalyzer);
} finally {
// must reset this flag, otherwise, all following query statement
in this connection
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java
index 9fe01f20a06..377cdcf4152 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropMaterializedViewStmt.java
@@ -73,8 +73,9 @@ public class DropMaterializedViewStmt extends DdlStmt {
// check access
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(),
tableName.getDb(),
- tableName.getTbl(), PrivPredicate.DROP)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"DROP");
+ tableName.getTbl(), PrivPredicate.ALTER)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.ALTER.getPrivs().toString(),
tableName.getTbl());
}
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java
index 2a3e3a2bf5c..4bd20fe8c9b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropPolicyStmt.java
@@ -60,6 +60,12 @@ public class DropPolicyStmt extends DdlStmt {
super.analyze(analyzer);
switch (type) {
case STORAGE:
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
break;
case ROW:
default:
@@ -67,10 +73,12 @@ public class DropPolicyStmt extends DdlStmt {
if (user != null) {
user.analyze();
}
- }
- // check auth
- if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.GRANT)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.GRANT.getPrivs().toString());
+ }
}
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java
index c4eed0e5b26..5f33c171a81 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/SetLdapPassVar.java
@@ -17,8 +17,11 @@
package org.apache.doris.analysis;
+import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
-import org.apache.doris.mysql.privilege.Auth;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
public class SetLdapPassVar extends SetVar {
@@ -35,11 +38,10 @@ public class SetLdapPassVar extends SetVar {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
- if
(!ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ROOT_USER)
- &&
!ConnectContext.get().getCurrentUserIdentity().getQualifiedUser().equals(Auth.ADMIN_USER))
{
- throw new AnalysisException("Only root and admin user can set ldap
admin password.");
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
}
-
if (!passVar.isPlain()) {
throw new AnalysisException("Only support set ldap password with
plain text");
}
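Review bot: The new guard widens who may run this statement, from the two named accounts (root and admin) to every account holding the ADMIN privilege, and nothing in the method records that this is intentional. A comment above the check would document it, for example `// Any holder of ADMIN privilege may set the LDAP admin password (previously only the root and admin users).` The next check accepts only a plain-text password (`passVar.isPlain()`), so it is worth confirming that the statement text is masked before it reaches audit or query logs; that cannot be determined from this hunk.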
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java
index fe241acf047..f15c3657240 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCatalogRecycleBinStmt.java
@@ -18,12 +18,17 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.PatternMatcher;
import org.apache.doris.common.PatternMatcherWrapper;
import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@@ -52,6 +57,12 @@ public class ShowCatalogRecycleBinStmt extends ShowStmt {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
+
if (where == null) {
return;
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java
index d6c00c959ee..b709be8d7e9 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateDbStmt.java
@@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
-import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
@@ -67,11 +66,10 @@ public class ShowCreateDbStmt extends ShowStmt {
ErrorReport.reportAnalysisException(ErrorCode.ERR_WRONG_DB_NAME,
db);
}
- if (!Env.getCurrentEnv().getAccessManager()
- .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, db,
- PrivPredicate.ALTER_CREATE_DROP)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
- ConnectContext.get().getQualifiedUser(), db);
+ if
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), ctl,
db,
+ PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), db);
}
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java
index f11a0225369..9de7dd0e9ee 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowCreateRepositoryStmt.java
@@ -18,8 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
// SHOW CREATE REPOSITORY statement
@@ -43,7 +48,11 @@ public class ShowCreateRepositoryStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws AnalysisException {
-
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
}
@Override
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
index eed7073965b..dd2053750ba 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
@@ -435,7 +435,12 @@ public class ShowDataStmt extends ShowStmt {
return toSql();
}
- private void getAllDbStats() {
+ private void getAllDbStats() throws AnalysisException {
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
List<String> dbNames = Env.getCurrentInternalCatalog().getDbNames();
if (dbNames == null || dbNames.isEmpty()) {
return;
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java
index f72c972c6e1..83358209c23 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowEncryptKeysStmt.java
@@ -24,7 +24,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
-import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
@@ -64,14 +63,11 @@ public class ShowEncryptKeysStmt extends ShowStmt {
}
}
- // must check after analyze dbName, for case dbName is null.
- if (!Env.getCurrentEnv().getAccessManager()
- .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
- PrivPredicate.ADMIN)) {
- ErrorReport.reportAnalysisException(
- ErrorCode.ERR_DBACCESS_DENIED_ERROR,
ConnectContext.get().getQualifiedUser(), dbName);
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
}
-
}
public boolean like(String str) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java
index 65ffa65622a..249e49da28d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowPluginsStmt.java
@@ -18,7 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
// Show plugins statement.
@@ -39,7 +45,12 @@ public class ShowPluginsStmt extends ShowStmt {
.build();
@Override
- public void analyze(Analyzer analyzer) {
+ public void analyze(Analyzer analyzer) throws AnalysisException {
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
}
@Override
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java
index dbbd5d7b36f..6e5166a5c87 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRepositoriesStmt.java
@@ -18,7 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.collect.ImmutableList;
@@ -33,6 +39,15 @@ public class ShowRepositoriesStmt extends ShowStmt {
}
+ @Override
+ public void analyze(Analyzer analyzer) throws AnalysisException {
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
+ }
+
@Override
public ShowResultSetMetaData getMetaData() {
ShowResultSetMetaData.Builder builder =
ShowResultSetMetaData.builder();
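Review bot: The new analyze() override never calls `super.analyze(analyzer)`, unlike the overrides in ShowCatalogRecycleBinStmt, ShowSnapshotStmt and ShowTransactionStmt. Before this commit the class inherited analyze(), so any state set up by the parent implementation is now skipped for SHOW REPOSITORIES. If that is not intended, add `super.analyze(analyzer);` as the first line and widen the throws clause to match the parent if required. The bodies added to ShowPluginsStmt and ShowCreateRepositoryStmt have the same shape, though their analyze() was already an empty override.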
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java
index d10d216b120..83465a34600 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSnapshotStmt.java
@@ -19,9 +19,14 @@ package org.apache.doris.analysis;
import org.apache.doris.analysis.CompoundPredicate.Operator;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@@ -55,6 +60,12 @@ public class ShowSnapshotStmt extends ShowStmt {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
+
// analyze where clause if not null
if (where != null) {
// eg: WHERE snapshot="snapshot_label" [and
timestamp="2018-04-19-11-11:11"];
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java
index b321dace7f5..3819541fea9 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletsBelongStmt.java
@@ -18,8 +18,13 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.collect.ImmutableList;
@@ -54,6 +59,11 @@ public class ShowTabletsBelongStmt extends ShowStmt {
@Override
public void analyze(Analyzer analyzer) throws UserException {
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
if (tabletIds == null || tabletIds.isEmpty()) {
throw new UserException("Please supply at least one tablet id");
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
index f34c0e5e336..3d5d03bdf8f 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTransactionStmt.java
@@ -19,12 +19,15 @@ package org.apache.doris.analysis;
import org.apache.doris.analysis.BinaryPredicate.Operator;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.common.proc.TransProcDir;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import org.apache.doris.transaction.TransactionStatus;
@@ -70,9 +73,15 @@ public class ShowTransactionStmt extends ShowStmt {
}
@Override
- public void analyze(Analyzer analyzer) throws AnalysisException,
UserException {
+ public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
+ // check auth
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
+ }
+
if (Strings.isNullOrEmpty(dbName)) {
dbName = analyzer.getDefaultDb();
if (Strings.isNullOrEmpty(dbName)) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
index 5a348278a15..fbaf11cf181 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
@@ -75,8 +75,10 @@ public enum ErrorCode {
ERR_USER_LIMIT_REACHED(1226, new byte[]{'4', '2', '0', '0', '0'}, "User
'%s' has exceeded the '%s' resource "
+ "(current value: %d)"),
ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0',
'0'}, "Access denied; you need (at least "
- + "one of) the %s privilege(s) for this operation"),
- ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1227, new byte[] {'4', '2', '0', '0',
'0'}, "Access denied; you need all "
+ + "one of) the (%s) privilege(s) for this operation"),
+ ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'},
"Access denied; you need (at least "
+ + "one of) the (%s) privilege(s) on database %s for this
operation"),
+ ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR(1223, new byte[] {'4', '2', '0', '0',
'0'}, "Access denied; you need all "
+ " %s privilege(s) for this operation"),
ERR_LOCAL_VARIABLE(1228, new byte[]{'H', 'Y', '0', '0', '0'}, "Variable
'%s' is a SESSION variable and can't be "
+ "used with SET GLOBAL"),
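Review bot: `ERR_SPECIFIC_ALL_ACCESS_DENIED_ERROR` moves from code 1227 to 1223 and the new `ERR_DB_ACCESS_DENIED_ERROR` takes 1225, so clients or tests that recognise access-denied failures by error number 1227 will stop matching these two cases. In the MySQL numbering this enum appears to mirror, 1223 and 1225 belong to unrelated errors, and whether the enum already declares entries with those numbers is not visible in this hunk, so it is worth confirming there is no duplicate. If the renumbering is intentional, a comment on the two entries such as `// Doris-specific number; does not carry the MySQL meaning of this code` would record that.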
@@ -1021,6 +1023,8 @@ public enum ErrorCode {
+ "DISCARD the tablespace before IMPORT."),
ERR_TABLESPACE_DISCARDED(1814, new byte[]{'H', 'Y', '0', '0', '0'},
"Tablespace has been discarded for table '%s'"),
ERR_INTERNAL_ERROR(1815, new byte[]{'H', 'Y', '0', '0', '0'}, "Internal
error: %s"),
+
+
ERR_MUST_CHANGE_PASSWORD_LOGIN(1862, new byte[]{'H', 'Y', '0', '0', '0'},
"Your password has expired. To log in "
+ "you must change it using a client that supports expired
passwords."),
ERR_CREDENTIALS_CONTRADICT_TO_HISTORY(3638, new byte[] {'H', 'Y', '0',
'0', '0'},
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java
b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java
index 7e8b01ce287..d8a30a968a6 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/job/manager/JobManager.java
@@ -24,11 +24,14 @@ import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.DdlException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.PatternMatcher;
import org.apache.doris.common.PatternMatcherWrapper;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.util.LogBuilder;
import org.apache.doris.common.util.LogKey;
+import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.job.base.AbstractJob;
import org.apache.doris.job.common.JobStatus;
import org.apache.doris.job.common.JobType;
@@ -37,6 +40,8 @@ import org.apache.doris.job.exception.JobException;
import org.apache.doris.job.extensions.insert.InsertJob;
import org.apache.doris.job.scheduler.JobScheduler;
import org.apache.doris.load.loadv2.JobState;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import com.google.common.collect.Lists;
import lombok.extern.log4j.Log4j2;
@@ -48,6 +53,7 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
+import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;
@@ -341,7 +347,7 @@ public class JobManager<T extends AbstractJob<?, C>, C>
implements Writable {
public List<List<Comparable>> getLoadJobInfosByDb(long dbId, String dbName,
String labelValue,
boolean accurateMatch,
- JobState jobState)
throws AnalysisException {
+ JobState jobState,
String catalogName) throws AnalysisException {
LinkedList<List<Comparable>> loadJobInfos = new LinkedList<>();
if (!Env.getCurrentEnv().getLabelProcessor().existJobs(dbId)) {
return loadJobInfos;
@@ -356,6 +362,12 @@ public class JobManager<T extends AbstractJob<?, C>, C>
implements Writable {
if (jobState != null && !validState(jobState, loadJob)) {
continue;
}
+ // check auth
+ try {
+ checkJobAuth(catalogName, dbName,
loadJob.getTableNames());
+ } catch (AnalysisException e) {
+ continue;
+ }
// add load job info, convert String list to Comparable
list
loadJobInfos.add(new ArrayList<>(loadJob.getShowInfo()));
} catch (RuntimeException e) {
@@ -369,6 +381,27 @@ public class JobManager<T extends AbstractJob<?, C>, C>
implements Writable {
}
}
+ public void checkJobAuth(String ctlName, String dbName, Set<String>
tableNames) throws AnalysisException {
+ if (tableNames.isEmpty()) {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), ctlName, dbName,
+ PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), dbName);
+ }
+ } else {
+ for (String tblName : tableNames) {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), ctlName, dbName,
+ tblName, PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), tblName);
+ return;
+ }
+ }
+ }
+ }
+
private static boolean validState(JobState jobState, InsertJob loadJob) {
JobStatus status = loadJob.getJobStatus();
switch (status) {
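Review bot: The `return;` after `ErrorReport.reportAnalysisException(...)` in the table loop of `checkJobAuth` is unreachable if the report call always throws, and the database branch just above has no such `return`, so the two branches disagree about whether the call throws. Dropping the `return;` removes the ambiguity. The method is public and undocumented; a Javadoc such as `/** Throws AnalysisException unless the current ConnectContext holds LOAD on every table of the job, or on the database when the job names no table. */` would state the contract. The same body is added verbatim to LoadManager.java in this commit, and a single shared helper would keep the two copies from drifting.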
@@ -412,6 +445,27 @@ public class JobManager<T extends AbstractJob<?, C>, C>
implements Writable {
} finally {
readUnlock();
}
+ // check auth
+ if (unfinishedLoadJob.size() > 1 ||
unfinishedLoadJob.get(0).getTableNames().isEmpty()) {
+ if (Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
+ PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, "LOAD",
+ ConnectContext.get().getQualifiedUser(),
+ ConnectContext.get().getRemoteIP(), dbName);
+ }
+ } else {
+ for (String tableName : unfinishedLoadJob.get(0).getTableNames()) {
+ if (Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName,
+ tableName,
+ PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLEACCESS_DENIED_ERROR,
"LOAD",
+ ConnectContext.get().getQualifiedUser(),
+ ConnectContext.get().getRemoteIP(), dbName + ":" +
tableName);
+ }
+ }
+ }
for (InsertJob loadJob : unfinishedLoadJob) {
try {
alterJobStatus(loadJob.getJobId(), JobStatus.STOPPED);
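Review bot: Both privilege conditions added here lack the negation that `checkJobAuth` in this same file uses: `if (Env.getCurrentEnv().getAccessManager().checkDbPriv(...))` and the `checkTblPriv(...)` test in the loop report access-denied when the check succeeds and fall through to `alterJobStatus(..., JobStatus.STOPPED)` when it fails. Unless these methods return true on denial, which `checkJobAuth` contradicts, a user without LOAD can stop load jobs while a privileged one is rejected; each condition should begin `if (!Env.getCurrentEnv().getAccessManager()`. `checkCancelExportJobAuth` in the ExportMgr.java hunk has the same un-negated `checkDbPriv`/`checkTblPriv` conditions. `unfinishedLoadJob.get(0)` also assumes a non-empty list; any guard for that, like the start of the enclosing method, is outside the hunk.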
diff --git a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java
b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java
index 4702dd7a9ae..afc7ea51984 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/load/ExportMgr.java
@@ -26,6 +26,8 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeConstants;
import org.apache.doris.common.LabelAlreadyUsedException;
import org.apache.doris.common.PatternMatcher;
@@ -123,6 +125,9 @@ public class ExportMgr {
if (matchExportJobs.isEmpty()) {
throw new DdlException("All export job(s) are at final state
(CANCELLED/FINISHED)");
}
+
+ // check auth
+ checkCancelExportJobAuth(InternalCatalog.INTERNAL_CATALOG_NAME,
stmt.getDbName(), matchExportJobs);
try {
for (ExportJob exportJob : matchExportJobs) {
// exportJob.cancel(ExportFailMsg.CancelType.USER_CANCEL,
"user cancel");
@@ -134,6 +139,29 @@ public class ExportMgr {
}
}
+ public void checkCancelExportJobAuth(String ctlName, String dbName,
List<ExportJob> jobs) throws AnalysisException {
+ if (jobs.size() > 1) {
+ if (Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), ctlName, dbName,
+ PrivPredicate.SELECT)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SELECT.getPrivs().toString(), dbName);
+ }
+ } else {
+ TableName tableName = jobs.get(0).getTableName();
+ if (tableName == null) {
+ return;
+ }
+ if (Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), ctlName, dbName,
+ tableName.getTbl(),
+ PrivPredicate.SELECT)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SELECT.getPrivs().toString(),
tableName.getTbl());
+ }
+ }
+ }
+
public void unprotectAddJob(ExportJob job) {
exportIdToJob.put(job.getId(), job);
dbTolabelToExportJobId.computeIfAbsent(job.getDbId(),
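Review bot: The `if (tableName == null) { return; }` branch lets a single-job cancel through with no privilege check at all, so a job without a table name can be cancelled by any caller; whether a production `ExportJob` can carry a null table name is not visible here. Falling back to the database-level check closes that gap, for example by widening the first condition to `if (jobs.size() > 1 || jobs.get(0).getTableName() == null) {`. The method is public and would also benefit from a Javadoc line stating that SELECT on the table (or on the database for multiple jobs) is what authorises a cancel.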
@@ -395,7 +423,7 @@ public class ExportMgr {
ExportJob job = entry.getValue();
if ((currentTimeMs - job.getCreateTimeMs()) / 1000 >
Config.history_job_keep_max_second
&& (job.getState() == ExportJobState.CANCELLED
- || job.getState() == ExportJobState.FINISHED)) {
+ || job.getState() == ExportJobState.FINISHED)) {
iter.remove();
Map<String, Long> labelJobs =
dbTolabelToExportJobId.get(job.getDbId());
if (labelJobs != null) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java
b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java
index ecbaa2f48ee..6ce8be66bbe 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecord.java
@@ -93,4 +93,12 @@ public class StreamLoadRecord {
public String getFinishTime() {
return this.finishTime;
}
+
+ public String getDb() {
+ return db;
+ }
+
+ public String getTable() {
+ return table;
+ }
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java
b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java
index 488e73f3ab4..3ceeaa1f38a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/load/StreamLoadRecordMgr.java
@@ -27,10 +27,13 @@ import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.util.MasterDaemon;
import org.apache.doris.common.util.TimeUtils;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.persist.gson.GsonUtils;
import org.apache.doris.plugin.audit.AuditEvent;
import org.apache.doris.plugin.audit.AuditEvent.EventType;
import org.apache.doris.plugin.audit.StreamLoadAuditEvent;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.system.Backend;
import org.apache.doris.thrift.BackendService;
import org.apache.doris.thrift.TNetworkAddress;
@@ -186,6 +189,13 @@ public class StreamLoadRecordMgr extends MasterDaemon {
if (state != null &&
!String.valueOf(state).equalsIgnoreCase(streamLoadRecord.getStatus())) {
continue;
}
+ // check auth
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME,
+ streamLoadRecord.getDb(),
streamLoadRecord.getTable(),
+ PrivPredicate.LOAD)) {
+ continue;
+ }
streamLoadRecords.add(streamLoadRecord.getStreamLoadInfo());
} catch (Exception e) {
continue;
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java
b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java
index 410cb62fbc7..f5aa1317e59 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/load/loadv2/LoadManager.java
@@ -31,6 +31,8 @@ import org.apache.doris.common.CaseSensibility;
import org.apache.doris.common.Config;
import org.apache.doris.common.DataQualityException;
import org.apache.doris.common.DdlException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.LabelAlreadyUsedException;
import org.apache.doris.common.MetaNotFoundException;
import org.apache.doris.common.Pair;
@@ -617,9 +619,16 @@ public class LoadManager implements Writable {
if (!states.contains(loadJob.getState())) {
continue;
}
+ // check auth
+ try {
+ checkJobAuth(loadJob.getDb().getCatalog().getName(),
loadJob.getDb().getFullName(),
+ loadJob.getTableNames());
+ } catch (AnalysisException e) {
+ continue;
+ }
// add load job info
loadJobInfos.add(loadJob.getShowInfo());
- } catch (RuntimeException | DdlException e) {
+ } catch (RuntimeException | DdlException |
MetaNotFoundException e) {
// ignore this load job
LOG.warn("get load job info failed. job id: {}",
loadJob.getId(), e);
}
@@ -630,6 +639,27 @@ public class LoadManager implements Writable {
}
}
+ public void checkJobAuth(String ctlName, String dbName, Set<String>
tableNames) throws AnalysisException {
+ if (tableNames.isEmpty()) {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), ctlName, dbName,
+ PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), dbName);
+ }
+ } else {
+ for (String tblName : tableNames) {
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), ctlName, dbName,
+ tblName, PrivPredicate.LOAD)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.LOAD.getPrivs().toString(), tblName);
+ return;
+ }
+ }
+ }
+ }
+
public List<List<Comparable>> getAllLoadJobInfos() {
LinkedList<List<Comparable>> loadJobInfos = new
LinkedList<List<Comparable>>();
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java
index 58ad92fbadb..b6ae71e2641 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivBitSet.java
@@ -155,10 +155,15 @@ public class PrivBitSet implements Writable {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < Privilege.privileges.length; i++) {
if (get(i)) {
- sb.append(Privilege.getPriv(i)).append(" ");
+ sb.append(Privilege.getPriv(i)).append(",");
}
}
- return sb.toString();
+ String res = sb.toString();
+ if (res.length() > 0) {
+ return res.substring(0, res.length() - 1);
+ } else {
+ return res;
+ }
}
public static PrivBitSet read(DataInput in) throws IOException {
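Review bot: The trailing-comma trim can be done on the builder instead of materialising the string and then taking a substring: `if (sb.length() > 0) { sb.setLength(sb.length() - 1); }` followed by `return sb.toString();`. Because the separator changes from a space to a comma, every other consumer of this method's output sees the new format; the access-denied messages in this commit use it through `getPrivs().toString()`, and callers outside this diff are not visible here. The method's signature is outside the hunk.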
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
index 388cfd00a96..37cc697491b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
@@ -1241,7 +1241,7 @@ public class ShowExecutor {
// add the nerieds load info
JobManager loadMgr = env.getJobManager();
loadInfos.addAll(loadMgr.getLoadJobInfosByDb(dbId, db.getFullName(),
showStmt.getLabelValue(),
- showStmt.isAccurateMatch(), showStmt.getStateV2()));
+ showStmt.isAccurateMatch(), showStmt.getStateV2(),
db.getCatalog().getName()));
// order the result of List<LoadInfo> by orderByPairs in show stmt
List<OrderByPair> orderByPairs = showStmt.getOrderByPairs();
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java
b/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java
index a5cff4fca1a..0b4ecad12e2 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/analysis/CancelExportStmtTest.java
@@ -28,9 +28,9 @@ import org.apache.doris.load.ExportMgr;
import org.apache.doris.utframe.TestWithFeService;
import com.google.common.collect.Lists;
+import org.junit.Assert;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
-import org.wildfly.common.Assert;
import java.lang.reflect.Method;
import java.util.List;
@@ -350,4 +350,30 @@ public class CancelExportStmtTest extends
TestWithFeService {
exportMgr.cancelExportJob(stmt);
Assert.assertTrue(job8.getState() == ExportJobState.CANCELLED);
}
+
+ @Test
+ public void testCancelAuth() {
+ ExportMgr exportMgr = new ExportMgr();
+ List<ExportJob> jobs = Lists.newArrayList();
+ ExportJob job1 = new ExportJob();
+ job1.setTableName(new TableName("ctl1", "db1", "table1"));
+ jobs.add(job1);
+ try {
+ // should check table auth
+ exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+
Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv"));
+ Assert.assertTrue(e.getMessage().contains("table1"));
+ }
+ jobs.add(new ExportJob());
+ try {
+ // should check db auth
+ exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+
Assert.assertTrue(e.getMessage().contains("Admin_priv,Select_priv"));
+ Assert.assertTrue(e.getMessage().contains("db1"));
+ }
+ }
}
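Review bot: `testCancelAuth` never sets up a non-privileged session before calling `checkCancelExportJobAuth`, so it does not establish which identity is being denied; `testJobAuth` in JobManagerTest.java at least creates a dedicated user context. Because the conditions in `checkCancelExportJobAuth` are written without `!`, this test may be passing precisely because the session holds the privilege, which would hide the inversion. An allowed-path case (a privileged context must not throw) next to the denied one would catch that. `Assertions.assertThrows(AnalysisException.class, () -> exportMgr.checkCancelExportJobAuth("ctl1", "db1", jobs))` is also clearer than the `throw new RuntimeException("should exception")` idiom.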
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java
b/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java
index 617f6bf512e..b43fa6a5ad4 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/analysis/DropMaterializedViewStmtTest.java
@@ -51,7 +51,7 @@ public class DropMaterializedViewStmtTest {
new Expectations() {
{
accessManager.checkTblPriv(ConnectContext.get(),
tableName.getCtl(), tableName.getDb(),
- tableName.getTbl(), PrivPredicate.DROP);
+ tableName.getTbl(), PrivPredicate.ALTER);
result = false;
}
};
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
index d37058c20cd..aee15abd278 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
@@ -138,7 +138,7 @@ public class RefreshTableTest extends TestWithFeService {
user1.analyze();
ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
- "Access denied; you need (at least one of) the DROP
privilege(s) for this operation",
+ "Access denied",
() -> parseAndAnalyzeStmt("refresh table test1.db1.tbl11",
user1Ctx));
ConnectContext.remove();
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java
b/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java
new file mode 100644
index 00000000000..9e3aa386cd0
--- /dev/null
+++ b/fe/fe-core/src/test/java/org/apache/doris/job/manager/JobManagerTest.java
@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.job.manager;
+
+import org.apache.doris.analysis.UserIdentity;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.qe.ConnectContext;
+import org.apache.doris.utframe.TestWithFeService;
+
+import com.google.common.collect.Sets;
+import mockit.Expectations;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.util.HashSet;
+
+public class JobManagerTest {
+ @Test
+ public void testJobAuth() throws IOException, AnalysisException {
+ UserIdentity user1 = new UserIdentity("testJobAuthUser", "%");
+ user1.analyze();
+ new Expectations() {
+ {
+ ConnectContext.get();
+ minTimes = 0;
+ result = TestWithFeService.createCtx(user1, "%");
+ }
+ };
+ JobManager manager = new JobManager();
+ HashSet<String> tableNames = Sets.newHashSet();
+ try {
+ // should check db auth
+ manager.checkJobAuth("ctl1", "db1", tableNames);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+ Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
+ Assert.assertTrue(e.getMessage().contains("db1"));
+ }
+ tableNames.add("table1");
+ try {
+ // should check db auth
+ manager.checkJobAuth("ctl1", "db1", tableNames);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+ Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
+ Assert.assertTrue(e.getMessage().contains("table1"));
+ }
+ }
+}
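Review bot: The second block's comment `// should check db auth` is wrong: with `table1` added to `tableNames` the call exercises the table-level branch, so it should read `// should check table auth`. Only the denied path is covered; a case where the context holds LOAD and `checkJobAuth` returns normally would pin the direction of the check. The identical `testJobAuth` added to LoadManagerTest.java has the same comment and the same gap.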
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java
b/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java
index e9b3278cfd0..9c09c72bd79 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/load/loadv2/LoadManagerTest.java
@@ -21,12 +21,16 @@ import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Database;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.Table;
+import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.Config;
import org.apache.doris.common.FeMetaVersion;
import org.apache.doris.common.jmockit.Deencapsulation;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.meta.MetaContext;
+import org.apache.doris.qe.ConnectContext;
+import org.apache.doris.utframe.TestWithFeService;
+import com.google.common.collect.Sets;
import mockit.Expectations;
import mockit.Injectable;
import mockit.Mocked;
@@ -40,6 +44,8 @@ import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -195,4 +201,36 @@ public class LoadManagerTest {
loadManager.readFields(dis);
return loadManager;
}
+
+ @Test
+ public void testJobAuth() throws IOException, AnalysisException {
+ UserIdentity user1 = new UserIdentity("testJobAuthUser", "%");
+ user1.analyze();
+ new Expectations() {
+ {
+ ConnectContext.get();
+ minTimes = 0;
+ result = TestWithFeService.createCtx(user1, "%");
+ }
+ };
+ LoadManager manager = new LoadManager(new LoadJobScheduler());
+ HashSet<String> tableNames = Sets.newHashSet();
+ try {
+ // should check db auth
+ manager.checkJobAuth("ctl1", "db1", tableNames);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+ Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
+ Assert.assertTrue(e.getMessage().contains("db1"));
+ }
+ tableNames.add("table1");
+ try {
+ // should check db auth
+ manager.checkJobAuth("ctl1", "db1", tableNames);
+ throw new RuntimeException("should exception");
+ } catch (AnalysisException e) {
+ Assert.assertTrue(e.getMessage().contains("Admin_priv,Load_priv"));
+ Assert.assertTrue(e.getMessage().contains("table1"));
+ }
+ }
}
diff --git a/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java
b/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java
index 41f21110330..de9e828bacb 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/planner/PlannerTest.java
@@ -497,7 +497,7 @@ public class PlannerTest extends TestWithFeService {
QueryState state = connectContext.getState();
Assertions.assertEquals(MysqlStateType.ERR, state.getStateType());
Assertions.assertTrue(state.getErrorMessage()
- .contains("you need (at least one of) the LOAD privilege(s)
for this operation"));
+ .contains("you need (at least one of) the (LOAD) privilege(s)
for this operation"));
// set to admin user
connectContext.setCurrentUserIdentity(UserIdentity.ADMIN);
}
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java
b/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java
index 8b06b7a2633..37bc5f431f8 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/utframe/TestWithFeService.java
@@ -278,7 +278,7 @@ public abstract class TestWithFeService {
return adapter;
}
- protected static ConnectContext createCtx(UserIdentity user, String host)
throws IOException {
+ public static ConnectContext createCtx(UserIdentity user, String host)
throws IOException {
ConnectContext ctx = new ConnectContext();
ctx.setCurrentUserIdentity(user);
ctx.setQualifiedUser(user.getQualifiedUser());
diff --git a/regression-test/data/auth_p0/test_strict_mode.csv
b/regression-test/data/auth_p0/test_strict_mode.csv
new file mode 100644
index 00000000000..fbad74eb481
--- /dev/null
+++ b/regression-test/data/auth_p0/test_strict_mode.csv
@@ -0,0 +1,2 @@
+1,1
+1,2
diff --git a/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy
b/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy
new file mode 100644
index 00000000000..c040dfb8e95
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_admin_copy_tablet_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_admin_copy_tablet_auth","p0,auth") {
+ String user = 'test_admin_copy_tablet_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "ADMIN COPY TABLET 10010 PROPERTIES('backend_id' = '10001');"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
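Review bot: This test passes when the statement is not rejected: if `ADMIN COPY TABLET` succeeds for the unprivileged user, no exception is raised, the `catch` block holding the `assertTrue` never runs, and the suite finishes green. Adding `Assert.fail("expected access denied")` directly after the `sql` line inside the `try` turns a missing denial into a failure, since an `AssertionError` is not caught by `catch (Exception e)`. The same try/catch shape is used in test_alter_policy_auth.groovy, test_alter_view_auth.groovy and test_cancel_alter_system_auth.groovy in this commit.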
diff --git a/regression-test/suites/auth_p0/test_alter_policy_auth.groovy
b/regression-test/suites/auth_p0/test_alter_policy_auth.groovy
new file mode 100644
index 00000000000..3b1e9af6e2c
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_alter_policy_auth.groovy
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_alter_policy_auth","p0,auth") {
+ String user = 'test_alter_policy_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql """
+ ALTER STORAGE POLICY has_test_policy_to_alter
PROPERTIES("cooldown_datetime" = "2023-06-08 00:00:00");
+ """
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy
b/regression-test/suites/auth_p0/test_alter_view_auth.groovy
new file mode 100644
index 00000000000..52bf8ac75c7
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy
@@ -0,0 +1,66 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_alter_view_auth","p0,auth") {
+ String user = 'test_alter_view_auth_user'
+ String pwd = 'C123_567p'
+ String dbName = 'test_alter_view_auth_db'
+ String tableName = 'test_alter_view_auth_table'
+ String viewName = 'test_alter_view_auth_view'
+ try_sql("DROP USER ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """create database ${dbName}"""
+ sql """
+ CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+ sql """grant select_priv on regression_test to ${user}"""
+ sql """create view ${dbName}.${viewName} as select * from
${dbName}.${tableName};"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "alter view ${dbName}.${viewName} as select * from
${dbName}.${tableName};"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Alter_priv"))
+ }
+ }
+ sql """grant Alter_priv on ${dbName}.${viewName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "alter view ${dbName}.${viewName} as select * from
${dbName}.${tableName};"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+ }
+ }
+ try_sql """drop table if exists ${dbName}.${tableName}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+ try_sql("DROP USER ${user}")
+}
diff --git
a/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy
b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy
new file mode 100644
index 00000000000..0e630fdae8e
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_cancel_alter_system_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_cancel_alter_system_auth","p0,auth") {
+ String user = 'test_cancel_alter_system_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "CANCEL DECOMMISSION BACKEND 'id1';"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Node_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
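Review bot: The `assertTrue` on the `Node_priv` message sits only inside the `catch`, so if `CANCEL DECOMMISSION BACKEND 'id1'` is accepted for the unprivileged user, no exception is raised and the suite passes; the regression it is meant to catch (a missing privilege check) goes unreported. Make the no-exception path a failure, for example by replacing the try/catch with the regression framework's expectation block `test { sql "CANCEL DECOMMISSION BACKEND 'id1';"; exception "Node_priv" }`. The same shape recurs in the other suites this commit adds under `auth_p0` (alter_view, create_policy, create_view, drop_materialized_view, drop_policy, set_ldap_admin_password, and the show_* suites other than show_stream_load). In set_ldap_admin_password a silent pass would also mean the statement had taken effect on the test cluster. `import org.junit.Assert;` looks unused here, since `assertTrue` is called unqualified.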
diff --git a/regression-test/suites/auth_p0/test_create_policy_auth.groovy
b/regression-test/suites/auth_p0/test_create_policy_auth.groovy
new file mode 100644
index 00000000000..8debfaedb27
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_create_policy_auth.groovy
@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_create_policy_auth","p0,auth") {
+ String user = 'test_create_policy_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "CREATE ROW POLICY test_create_policy_auth ON test.table1 AS
RESTRICTIVE TO test USING (c1 = 'a');"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Grant_priv"))
+ }
+ try {
+ sql """
+ CREATE STORAGE POLICY testPolicy
+ PROPERTIES(
+ "storage_resource" = "s3",
+ "cooldown_datetime" = "2022-06-08 00:00:00"
+ );
+ """
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy
b/regression-test/suites/auth_p0/test_create_view_auth.groovy
new file mode 100644
index 00000000000..124d3f96014
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy
@@ -0,0 +1,62 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_create_view_auth","p0,auth") {
+ String user = 'test_create_view_auth_user'
+ String pwd = 'C123_567p'
+ String dbName = 'test_create_view_auth_db'
+ String tableName = 'test_create_view_auth_table'
+ try_sql("DROP USER ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName}"""
+ sql """drop database if exists ${dbName}"""
+
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """create database ${dbName}"""
+ sql """
+ CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "create view ${dbName}.v1 as select * from ${dbName}.t1;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Create_priv"))
+ }
+ }
+ sql """grant create_priv on ${dbName}.v1 to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "create view ${dbName}.v1 as select * from
${dbName}.${tableName};"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+ }
+ }
+ sql """drop table if exists ${dbName}.${tableName}"""
+ sql """drop database if exists ${dbName}"""
+ try_sql("DROP USER ${user}")
+}
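Review bot: The first attempt selects from `${dbName}.t1`, a table this suite never creates (it creates `${dbName}.${tableName}`), so the statement can be rejected for reasons unrelated to the missing `Create_priv`. Use `sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};"` there, as the second attempt does, so that the only thing standing between the user and the view is the privilege under test. The cleanup at the end is not in a `finally`, so a failed assertion leaves `test_create_view_auth_user`, with the password committed in this file, behind on the cluster until the next run's leading `try_sql("DROP USER ...")`.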
diff --git
a/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy
b/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy
new file mode 100644
index 00000000000..4d55b1482cf
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_drop_materialized_view_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_drop_materialized_view_auth","p0,auth") {
+ String user = 'test_drop_materialized_view_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "DROP MATERIALIZED VIEW mv_name ON table_name;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Alter_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_drop_policy_auth.groovy
b/regression-test/suites/auth_p0/test_drop_policy_auth.groovy
new file mode 100644
index 00000000000..0d6a9e103d1
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_drop_policy_auth.groovy
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_drop_policy_auth","p0,auth") {
+ String user = 'test_drop_policy_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "DROP ROW POLICY test_row_policy_1 on table1;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv,Grant_priv"))
+ }
+ try {
+ sql """
+ DROP STORAGE POLICY policy_name1
+ """
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git
a/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy
b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy
new file mode 100644
index 00000000000..6c5032f7ef9
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_set_ldap_admin_password_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_set_ldap_admin_password_auth","p0,auth") {
+ String user = 'test_set_ldap_admin_password_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SET LDAP_ADMIN_PASSWORD = PASSWORD('plain password')"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git
a/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy
b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy
new file mode 100644
index 00000000000..aa3ba7f8e2b
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_catalog_recycle_bin_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_catalog_recycle_bin_auth","p0,auth") {
+ String user = 'test_show_catalog_recycle_bin_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW CATALOG RECYCLE BIN WHERE NAME = 'test'"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git
a/regression-test/suites/auth_p0/test_show_create_database_auth.groovy
b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy
new file mode 100644
index 00000000000..c4efff7d662
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_create_database_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_create_database_auth","p0,auth") {
+ String user = 'test_show_create_database_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW CREATE DATABASE db_name"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+
assertTrue(e.getMessage().contains("Admin_priv,Select_priv,Load_priv,Alter_priv,Create_priv,Drop_priv,Show_view_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git
a/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy
b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy
new file mode 100644
index 00000000000..5e787aead25
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_create_repository_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_create_repository_auth","p0,auth") {
+ String user = 'test_show_create_repository_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW CREATE REPOSITORY for repository_name"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_data_auth.groovy
b/regression-test/suites/auth_p0/test_show_data_auth.groovy
new file mode 100644
index 00000000000..fdd42d27596
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_data_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_data_auth","p0,auth") {
+ String user = 'test_show_data_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW DATA"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy
b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy
new file mode 100644
index 00000000000..1e2cf4c27fd
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_encryptkeys_auth.groovy
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_encryptkeys_auth","p0,auth") {
+ String user = 'test_show_encryptkeys_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "use regression_test"
+ sql "SHOW ENCRYPTKEYS"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_plugins_auth.groovy
b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy
new file mode 100644
index 00000000000..b5b4de84265
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_plugins_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_plugins_auth","p0,auth") {
+ String user = 'test_show_plugins_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW PLUGINS"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_repositories_auth.groovy
b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy
new file mode 100644
index 00000000000..507d8768669
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_repositories_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_repositories_auth","p0,auth") {
+ String user = 'test_show_repositories_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW REPOSITORIES"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy
b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy
new file mode 100644
index 00000000000..f90e1fdc57a
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_snapshot_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_snapshot_auth","p0,auth") {
+ String user = 'test_show_snapshot_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW SNAPSHOT ON example_repo"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy
b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy
new file mode 100644
index 00000000000..cb2446f0440
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_stream_load_auth.groovy
@@ -0,0 +1,75 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_stream_load_auth","p0,auth") {
+ String tableName = "test_show_stream_load_auth_table"
+ String label = "test_show_stream_load_auth_label" +
System.currentTimeMillis();
+ String user = 'test_show_stream_load_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """ DROP TABLE IF EXISTS ${tableName} """
+
+
+ sql """
+ CREATE TABLE IF NOT EXISTS ${tableName} (
+ `k1` bigint(20) NULL,
+ `k2` bigint(20) NULL
+ ) ENGINE=OLAP
+ COMMENT 'OLAP'
+ DISTRIBUTED BY HASH(`k1`) BUCKETS 2
+ PROPERTIES ("replication_allocation" = "tag.location.default: 1");
+ """
+
+ streamLoad {
+ table "${tableName}"
+
+ set 'column_separator', ','
+ set 'columns', 'k1, k2'
+ set 'label', label
+ set 'strict_mode', 'true'
+
+ file 'test_strict_mode.csv'
+ time 10000 // limit inflight 10s
+ }
+
+ Thread.sleep(60000);
+ def res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label =
'${label}'"
+ log.info(res.toString())
+ if(res.size() == 0) {
+ // `show stream load` has some delay, and need be config
`enable_stream_load_record=true`
+ // we not sure when can has result, so if `admin` can not get res,
ignore this case.
+ return;
+ }
+
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label =
'${label}'"
+ log.info(res.toString())
+ assertFalse(res.toString().contains("${label}"))
+ }
+ sql """grant load_priv on regression_test_auth_p0.${tableName} to
${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ res = sql "SHOW STREAM LOAD from regression_test_auth_p0 where label =
'${label}'"
+ log.info(res.toString())
+ assertTrue(res.toString().contains("${label}"))
+ }
+ try_sql("DROP USER ${user}")
+ sql """ DROP TABLE IF EXISTS ${tableName} """
+}
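Review bot: The early `return` when the admin query comes back empty skips both authorization assertions, so on a cluster without `enable_stream_load_record=true`, or where the record is late, this suite passes without checking anything. At minimum make the skip visible, e.g. `log.warn("SHOW STREAM LOAD returned no rows; auth checks skipped")` before the `return`. The fixed `Thread.sleep(60000)` could be a bounded poll of the same `SHOW STREAM LOAD` query, which would finish sooner in the common case. The early return also leaves `${tableName}` undropped, and a failed assertion further down leaves the test user in place because cleanup is not in a `finally`.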
diff --git
a/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy
b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy
new file mode 100644
index 00000000000..b7d66af9348
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_tablets_belong_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_tablets_belong_auth","p0,auth") {
+ String user = 'test_show_tablets_belong_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW TABLETS BELONG 27028"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}
diff --git a/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
new file mode 100644
index 00000000000..f4e564c5288
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_show_transaction_auth.groovy
@@ -0,0 +1,35 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_show_transaction_auth","p0,auth") {
+ String user = 'test_show_transaction_auth_user'
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """grant select_priv on regression_test to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "SHOW TRANSACTION WHERE ID=4005;"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("Admin_priv"))
+ }
+ }
+ try_sql("DROP USER ${user}")
+}