This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new d91a7adb142 [enhance](auth)modify priv of refresh catalog/db/table
(#39008)
d91a7adb142 is described below
commit d91a7adb1422c2d067c5f4b0f170734f9eb22398
Author: zhangdong <[email protected]>
AuthorDate: Mon Aug 12 11:35:22 2024 +0800
[enhance](auth)modify priv of refresh catalog/db/table (#39008)
Change the privilege required for refresh catalog/db/table to `PrivPredicate.SHOW`.
---
.../java/org/apache/doris/analysis/RefreshCatalogStmt.java | 6 +++---
.../main/java/org/apache/doris/analysis/RefreshDbStmt.java | 11 +++--------
.../main/java/org/apache/doris/analysis/RefreshTableStmt.java | 11 +++--------
.../src/main/java/org/apache/doris/common/ErrorCode.java | 2 ++
.../src/test/java/org/apache/doris/catalog/RefreshDbTest.java | 8 ++------
.../test/java/org/apache/doris/catalog/RefreshTableTest.java | 6 +-----
6 files changed, 14 insertions(+), 30 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
index 060807b7919..7f72a25b7b7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
@@ -67,9 +67,9 @@ public class RefreshCatalogStmt extends DdlStmt {
}
if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(
- ConnectContext.get(), catalogName, PrivPredicate.ALTER)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED,
- analyzer.getQualifiedUser(), catalogName);
+ ConnectContext.get(), catalogName, PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), catalogName);
}
// Set to false only if user set the property "invalid_cache"="false"
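Review bot: Any account that passes `PrivPredicate.SHOW` on the catalog can now trigger a refresh, and the context line below the check indicates that cache invalidation is the default unless "invalid_cache"="false" is set. If SHOW is an any-of predicate (the "(at least one of)" wording of the new message suggests so), a read-only user can repeatedly force metadata reloads from the external source. The check should carry a comment recording why visibility is considered sufficient, e.g. `// REFRESH only re-syncs metadata the caller can already see, so SHOW is enough; it still invalidates the shared cache`. The same applies to the `checkDbPriv` and `checkTblPriv` changes in RefreshDbStmt and RefreshTableStmt. The enclosing method starts and ends outside this hunk.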
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
index 091d55eafe0..69b312455a0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
@@ -87,14 +87,9 @@ public class RefreshDbStmt extends DdlStmt {
}
// check access
if
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(),
catalogName,
- dbName, PrivPredicate.DROP)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
- ConnectContext.get().getQualifiedUser(), dbName);
- }
- if
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(),
catalogName,
- dbName, PrivPredicate.CREATE)) {
- ErrorReport.reportAnalysisException(
- ErrorCode.ERR_DBACCESS_DENIED_ERROR,
analyzer.getQualifiedUser(), dbName);
+ dbName, PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
}
String invalidConfig = properties == null ? null :
properties.get(INVALID_CACHE);
// Default is to invalid cache.
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
index 9755e91dadf..7d872f70a94 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
@@ -60,14 +60,9 @@ public class RefreshTableStmt extends DdlStmt {
// check access
if
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
tableName.getCtl(), tableName.getDb(),
- tableName.getTbl(), PrivPredicate.DROP)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"DROP");
- }
-
- if
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
- tableName.getCtl(), tableName.getDb(),
- tableName.getTbl(), PrivPredicate.CREATE)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"CREATE");
+ tableName.getTbl(), PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(),
tableName.getTbl());
}
}
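Review bot: The denial message is given only `tableName.getTbl()`, although the check itself is made against `tableName.getCtl()` and `tableName.getDb()` as well. With several catalogs the same table name can exist in more than one place, so the error text, and any log line derived from it, does not identify which object was refused. If the format string of `ERR_TABLE_ACCESS_DENIED_ERROR` (not visible in this diff) takes a single name, consider passing the qualified one, e.g. `tableName.getCtl() + "." + tableName.getDb() + "." + tableName.getTbl()`. The method body begins outside the hunk.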
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
index 6b12532b2e6..c65116dcc83 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
@@ -75,6 +75,8 @@ public enum ErrorCode {
+ "(current value: %d)"),
ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0',
'0'}, "Access denied; you need (at least "
+ "one of) the (%s) privilege(s) for this operation"),
+ ERR_CATALOG_ACCESS_DENIED_ERROR(1221, new byte[]{'4', '2', '0', '0', '0'},
"Access denied; you need (at least "
+ + "one of) the (%s) privilege(s) on catalog %s for this
operation"),
ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'},
"Access denied; you need (at least "
+ "one of) the (%s) privilege(s) on database %s for this
operation"),
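Review bot: The new `ERR_CATALOG_ACCESS_DENIED_ERROR` is given code 1221, which in the MySQL numbering that the neighbouring 1227 (`ERR_SPECIFIC_ACCESS_DENIED_ERROR`) appears to follow is, as far as I know, a wrong-usage error rather than an access-denied one. Clients or monitoring that classify failures by error number would then not count this as an authorization denial. Whether 1221 is already used by another constant of this enum cannot be seen from the hunk and should be checked. A one-line comment on the constant, e.g. `// Doris-specific code; does not follow the MySQL meaning of 1221`, would make the choice explicit.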
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
index fd7a6b1a24b..a18c41edc92 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
@@ -120,23 +120,19 @@ public class RefreshDbTest extends TestWithFeService {
// create user1
auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
"create user 'user1'@'%' identified by 'pwd1';", rootCtx));
- // grant only create_priv to user1 on test1.db1.tbl11
- GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
- "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx);
- auth.grant(grantStmt);
// mock login user1
UserIdentity user1 = new UserIdentity("user1", "%");
user1.analyze();
ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
- "Access denied for user 'user1' to database 'db1'",
+ "Access denied",
() -> parseAndAnalyzeStmt("refresh database test1.db1",
user1Ctx));
ConnectContext.remove();
// add drop priv to user1
rootCtx.setThreadLocalInfo();
- grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+ GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
"grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx);
auth.grant(grantStmt);
ConnectContext.remove();
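Review bot: The negative assertion is loosened to the bare substring `"Access denied"`, so the test no longer pins which privilege or which object the denial names, and it would also pass if some other check rejected the statement. The positive path in this hunk still grants `drop_priv`, which only shows that DROP satisfies the new predicate; nothing visible exercises the new minimum, for instance a user holding only `select_priv`, or a user whose privileges are on a different database. Suggest matching the database-specific text instead, e.g. `"privilege(s) on database"` together with the database name as it is rendered, and adding a case that grants only `select_priv`. The same gap applies to the two RefreshTableTest hunks. The test method starts and ends outside the hunk.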
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
index aee15abd278..45878b6001e 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
@@ -128,10 +128,6 @@ public class RefreshTableTest extends TestWithFeService {
// create user1
auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
"create user 'user1'@'%' identified by 'pwd1';", rootCtx));
- // grant only create_priv to user1 on test1.db1.tbl11
- GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
- "grant create_priv on test1.db1.tbl11 to 'user1'@'%';",
rootCtx);
- auth.grant(grantStmt);
// mock login user1
UserIdentity user1 = new UserIdentity("user1", "%");
@@ -144,7 +140,7 @@ public class RefreshTableTest extends TestWithFeService {
// add drop priv to user1
rootCtx.setThreadLocalInfo();
- grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+ GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
"grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
auth.grant(grantStmt);
ConnectContext.remove();