This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 603d1e0cb65 [fix](auth)Fix some issues with incorrect permission
verification (#39726)
603d1e0cb65 is described below
commit 603d1e0cb65b1f37126330fbd3ea5e4a55aa1a78
Author: zhangdong <[email protected]>
AuthorDate: Wed Aug 28 17:20:08 2024 +0800
[fix](auth)Fix some issues with incorrect permission verification (#39726)
- `show columns` does not have a permission check
- `show sync job` does not have a permission check
- `Show data from db.table` should be decided by the table permission, not the
admin permission
- users with grant permission should not see all processes through 'SHOW
PROCESS LIST'
- `show tablet storage format`: fix the permission error prompt
cases will be added uniformly in other PRs
---
.../main/java/org/apache/doris/analysis/ShowColumnStmt.java | 11 +++++++++++
.../src/main/java/org/apache/doris/analysis/ShowDataStmt.java | 2 +-
.../main/java/org/apache/doris/analysis/ShowSyncJobStmt.java | 9 +++++++++
.../apache/doris/analysis/ShowTabletStorageFormatStmt.java | 6 ++----
.../src/main/java/org/apache/doris/qe/ConnectScheduler.java | 2 +-
5 files changed, 24 insertions(+), 6 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
index eb7fcaf0285..9af269104cc 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
@@ -18,9 +18,14 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.InfoSchemaDb;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@@ -103,6 +108,12 @@ public class ShowColumnStmt extends ShowStmt {
} else {
metaData = META_DATA;
}
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), tableName.getCtl(),
tableName.getDb(),
+ tableName.getTbl(), PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), tableName);
+ }
}
@Override
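Review bot: The new SHOW check is the last statement of analyze(), after the metadata selection at the top of the hunk and, presumably, after whatever resolves tableName earlier in the method (the start of analyze() is outside the hunk). If that earlier code already reports an unknown database or table, a user who lacks SHOW on the table still learns from which error they get whether the table exists; the usual fix is to run the privilege check as soon as tableName is analyzed, before any lookup that can fail differently. If the current placement is deliberate, say so on the check: `// NOTE: runs after name resolution; earlier errors may still reveal whether the table exists`. The same check-then-report shape is now repeated in ShowSyncJobStmt and ShowTabletStorageFormatStmt in this commit, which is a candidate for one shared helper on ShowStmt.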
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
index c8d37a4b33d..84ce67283ac 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
@@ -127,7 +127,7 @@ public class ShowDataStmt extends ShowStmt {
return;
}
dbName = analyzer.getDefaultDb();
- if (Strings.isNullOrEmpty(dbName)) {
+ if (Strings.isNullOrEmpty(dbName) && tableName == null) {
getAllDbStats();
return;
}
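Review bot: With the relaxed guard, an empty dbName now falls through when tableName is set, and the code after the hunk (the rest of analyze() is outside it) runs with dbName still empty; that is only correct if the per-table path below reads the database from tableName rather than from dbName, which this hunk cannot confirm. The condition deserves a one-line comment so the intent is not lost the next time someone tidies it, e.g. `// no default db and no table: fall back to cluster-wide stats; a table name resolves its own db below (confirm)`. If the per-table path does use dbName, a qualified table name with no current database would be looked up with an empty db, so it is worth a quick check.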
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
index 25980ea16a8..f0671f8afe0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
@@ -18,10 +18,14 @@
package org.apache.doris.analysis;
import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
import com.google.common.base.Strings;
@@ -60,6 +64,11 @@ public class ShowSyncJobStmt extends ShowStmt {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
}
}
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(),
InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) {
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ }
}
@Override
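Review bot: The database privilege check is pinned to `InternalCatalog.INTERNAL_CATALOG_NAME` while dbName is whatever the earlier lines resolved (the visible branch at the top of the hunk only covers the missing-db case; the start of analyze() is outside the hunk). If dbName can come from a session whose current catalog is external, the check is evaluated against a same-named database in the internal catalog rather than the one the user asked about, which can both grant and deny wrongly. If sync jobs only exist in the internal catalog, a comment makes the constant deliberate: `// sync jobs live only in the internal catalog, so the check is always against it`; otherwise the catalog should come from the session or the statement like the table check in ShowColumnStmt does with tableName.getCtl().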
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
index 441f0f1d7d5..9d0f3b88e6c 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
@@ -38,10 +38,8 @@ public class ShowTabletStorageFormatStmt extends ShowStmt {
public void analyze(Analyzer analyzer) throws UserException {
// check access first
if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
-
ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR,
- toSql(),
- ConnectContext.get().getQualifiedUser(),
- ConnectContext.get().getRemoteIP(), "ADMIN Privilege
needed.");
+
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
}
super.analyze(analyzer);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
index a71a221f6a3..dfd6f0ebdae 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
@@ -163,7 +163,7 @@ public class ConnectScheduler {
for (ConnectContext ctx : connectionMap.values()) {
// Check auth
if (!ctx.getQualifiedUser().equals(user) &&
!Env.getCurrentEnv().getAccessManager()
- .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.GRANT)) {
+ .checkGlobalPriv(ConnectContext.get(),
PrivPredicate.ADMIN)) {
continue;
}
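Review bot: The global-privilege lookup in the loop condition is loop-invariant, and now that it requires ADMIN every non-admin caller pays an access-manager check once per open connection. Hoist it: `boolean canSeeAll = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN);` before the `for`, then `if (!canSeeAll && !ctx.getQualifiedUser().equals(user)) {` in its place. The `// Check auth` comment would also carry more if it stated the rule rather than the act, e.g. `// only ADMIN may list other users' connections`. The loop and its enclosing method continue outside the hunk.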