This is an automated email from the ASF dual-hosted git repository. dataroaring pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 8b827089e3b86fda81ee5bcb7de2c4a045aa9cc8 Author: zhangdong <[email protected]> AuthorDate: Wed Aug 28 17:20:08 2024 +0800 [fix](auth)Fix some issues with incorrect permission verification (#39726) - `show columns` do not have permission to check - `show sync job`do not have permission to check - `Show data from db.table` should be the permission to determine the table, not the admin permission - users with grant permission should not see all processes through 'SHOW PROCESS LIST' - `show tablet storage format`fix permission error prompt cases will be added uniformly in other PRs --- .../main/java/org/apache/doris/analysis/ShowColumnStmt.java | 11 +++++++++++ .../src/main/java/org/apache/doris/analysis/ShowDataStmt.java | 2 +- .../main/java/org/apache/doris/analysis/ShowSyncJobStmt.java | 9 +++++++++ .../apache/doris/analysis/ShowTabletStorageFormatStmt.java | 6 ++---- .../src/main/java/org/apache/doris/qe/ConnectScheduler.java | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
index eb7fcaf0285..9af269104cc 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
@@ -18,9 +18,14 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.InfoSchemaDb;
 import org.apache.doris.catalog.ScalarType;
 import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.ShowResultSetMetaData;
 import com.google.common.base.Strings;
@@ -103,6 +108,12 @@ public class ShowColumnStmt extends ShowStmt {
 } else {
 metaData = META_DATA;
 }
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
+ tableName.getTbl(), PrivPredicate.SHOW)) {
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), tableName);
+ }
 }
 @Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
index c8d37a4b33d..84ce67283ac 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
@@ -127,7 +127,7 @@ public class ShowDataStmt extends ShowStmt {
 return;
 }
 dbName = analyzer.getDefaultDb();
- if (Strings.isNullOrEmpty(dbName)) {
+ if (Strings.isNullOrEmpty(dbName) && tableName == null) {
 getAllDbStats();
 return;
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
index 25980ea16a8..f0671f8afe0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
@@ -18,10 +18,14 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.ShowResultSetMetaData;
 import com.google.common.base.Strings;
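Review bot: In ShowColumnStmt.java the new `checkTblPriv` call is the last statement of `analyze()`, after the metadata selection visible just above it and whatever name resolution comes before the hunk. If any of those earlier steps can throw for a missing database or table, a user without SHOW on the table could still tell existing objects from missing ones by the error returned, so the check is better placed as soon as `tableName` is fully resolved. The start of `analyze()` is outside the hunk, so this needs confirming against the full method. A one-line comment such as `// Deny before any metadata is produced: SHOW on the table is required` would also record why the check is there.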
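Review bot: In ShowDataStmt.java the condition `Strings.isNullOrEmpty(dbName) && tableName == null` lets execution continue with an empty `dbName` whenever a table name was given, and nothing in the hunk shows that the code after it takes the database from `tableName` rather than from `dbName`. Because this is the path the commit moves from the admin requirement to a table-level one, the code that follows should fail closed when neither the default database nor the table name supplies a database. I would add a comment above the condition, for example `// Only list all databases when no table was named; a named table must go through the table privilege check`, and verify the empty-database case in the part of `analyze()` that lies outside this hunk.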
@@ -60,6 +64,11 @@ public class ShowSyncJobStmt extends ShowStmt {
 ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
 }
 }
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) {
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ }
 }
 @Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
index 441f0f1d7d5..9d0f3b88e6c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
@@ -38,10 +38,8 @@ public class ShowTabletStorageFormatStmt extends ShowStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 // check access first
 if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
- ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR,
- toSql(),
- ConnectContext.get().getQualifiedUser(),
- ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed.");
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
 }
 super.analyze(analyzer);
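Review bot: In ShowSyncJobStmt.java the new gate is a database-level `checkDbPriv(..., PrivPredicate.SHOW)`, the same predicate the commit uses for listing columns, and the hunk gives no reason why that level is enough for job metadata. The columns this statement returns are not visible here; if they carry source endpoint or job configuration details, a stricter predicate such as `PrivPredicate.LOAD` may be the better fit. If SHOW is intended, say so next to the check once that is confirmed, e.g. `// SHOW on the db is sufficient: the result exposes no connection details`. The catalog is also fixed to `InternalCatalog.INTERNAL_CATALOG_NAME`, which is correct only as long as sync jobs cannot target another catalog.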
@@ -163,7 +163,7 @@ public class ConnectScheduler {
 for (ConnectContext ctx : connectionMap.values()) {
 // Check auth
 if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager()
- .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
+ .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
 continue;
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
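Review bot: In ConnectScheduler.java the `checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)` call does not depend on `ctx`, yet it sits inside the loop and is re-evaluated for every connection owned by another user. Computing it once before the loop, `boolean isAdmin = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN);`, and testing `!ctx.getQualifiedUser().equals(user) && !isAdmin` makes the visibility rule easier to audit. The filter also compares owners against the `user` argument while taking the privilege from the thread-local `ConnectContext.get()`, so the two can disagree if a caller passes a user other than the current session's; the method signature is outside the hunk, so that needs checking. Any other connection-listing path in this class that still tests `PrivPredicate.GRANT` would need the same change.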
