morningman pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new e9a60c4acf0 [fix](auth)Fix the need for low-level table permissions
when querying views in certain situations (#44621) (#44841)
e9a60c4acf0 is described below
commit e9a60c4acf0c36827e857298ddd99d064cafd61c
Author: zhangdong <[email protected]>
AuthorDate: Mon Dec 9 02:34:57 2024 +0800
[fix](auth)Fix the need for low-level table permissions when querying views
in certain situations (#44621) (#44841)
pick: https://github.com/apache/doris/pull/44621
---
.../org/apache/doris/nereids/StatementContext.java | 10 +++
.../nereids/rules/rewrite/CheckPrivileges.java | 6 +-
.../suites/auth_p0/test_select_view_auth.groovy | 89 ++++++++++++++++++++++
3 files changed, 104 insertions(+), 1 deletion(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
index ce897adf79c..175b623467a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/StatementContext.java
@@ -174,6 +174,8 @@ public class StatementContext implements Closeable {
private String disableJoinReorderReason;
+ private boolean privChecked;
+
private final Map<MvccTableInfo, MvccSnapshot> snapshots =
Maps.newHashMap();
public StatementContext() {
@@ -599,4 +601,12 @@ public class StatementContext implements Closeable {
public void setDisableJoinReorderReason(String disableJoinReorderReason) {
this.disableJoinReorderReason = disableJoinReorderReason;
}
+
+ public boolean isPrivChecked() {
+ return privChecked;
+ }
+
+ public void setPrivChecked(boolean privChecked) {
+ this.privChecked = privChecked;
+ }
}
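Review bot: `setPrivChecked(boolean)` is a public, undocumented setter for a flag that makes `CheckPrivileges.rewriteRoot` return without checking anything, so any code holding the `StatementContext` can switch the privilege check off. The only use visible in this commit sets it to `true` after a completed check, so a one-way method would be narrower, e.g. `public void markPrivChecked() { this.privChecked = true; }`. Both accessors and the `privChecked` field added in the first hunk should carry a comment such as `/** True once CheckPrivileges has completed for this statement; later runs of the rule are skipped. */`.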
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index 74609694431..ebef2ecea21 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -49,9 +49,13 @@ public class CheckPrivileges extends ColumnPruning {
@Override
public Plan rewriteRoot(Plan plan, JobContext jobContext) {
+ // Only enter once, if repeated, the permissions of the table in the
view will be checked
+ if
(jobContext.getCascadesContext().getStatementContext().isPrivChecked()) {
+ return plan;
+ }
this.jobContext = jobContext;
super.rewriteRoot(plan, jobContext);
-
+
jobContext.getCascadesContext().getStatementContext().setPrivChecked(true);
// don't rewrite plan
return plan;
}
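Review bot: The early return in `rewriteRoot` keys the skip on the whole `StatementContext` rather than on the plan that was checked, so it is only safe if the first run has already seen every relation the user references directly. If a later run under the same context can receive a plan with relations the first run did not see (not visible from this hunk), those relations would go unchecked. The added comment should state that invariant rather than only the symptom, for example `// Check privileges only once per statement: a repeated run would also check the base tables of a view against the querying user.` Setting the flag only after `super.rewriteRoot` returns means a failed check leaves it unset, and that ordering should be preserved in any later refactoring.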
diff --git a/regression-test/suites/auth_p0/test_select_view_auth.groovy
b/regression-test/suites/auth_p0/test_select_view_auth.groovy
new file mode 100644
index 00000000000..87ec8cf0aeb
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_select_view_auth.groovy
@@ -0,0 +1,89 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_select_view_auth","p0,auth") {
+ String suiteName = "test_select_view_auth"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ String dbName = "${suiteName}_db"
+ String tableName1 = "${suiteName}_table1"
+ String tableName2 = "${suiteName}_table2"
+ String viewName = "${suiteName}_view"
+
+ try_sql("drop user ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName1}"""
+ try_sql """drop table if exists ${dbName}.${tableName2}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+
+ sql """create user '${user}' IDENTIFIED by '${pwd}'"""
+
+ //cloud-mode
+ if (isCloudMode()) {
+ def clusters = sql " SHOW CLUSTERS; "
+ assertTrue(!clusters.isEmpty())
+ def validCluster = clusters[0][0]
+ sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+ }
+ sql """create database ${dbName}"""
+ sql("""use ${dbName}""")
+ sql """
+ CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName1}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+
+ sql """
+ CREATE TABLE IF NOT EXISTS ${dbName}.`${tableName2}` (
+ id BIGINT,
+ username VARCHAR(20)
+ )
+ DISTRIBUTED BY HASH(id) BUCKETS 2
+ PROPERTIES (
+ "replication_num" = "1"
+ );
+ """
+
+ sql """create view ${dbName}.${viewName} as select * from
${dbName}.${tableName1} union select * from ${dbName}.${tableName2};"""
+
+ sql """grant select_priv on regression_test to ${user}"""
+
+ // table column
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ try {
+ sql "select * from ${dbName}.${viewName}"
+ } catch (Exception e) {
+ log.info(e.getMessage())
+ assertTrue(e.getMessage().contains("denied"))
+ }
+ }
+ sql """grant select_priv on ${dbName}.${viewName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ sql "select * from ${dbName}.${viewName}"
+ }
+
+ try_sql("drop user ${user}")
+ try_sql """drop table if exists ${dbName}.${tableName1}"""
+ try_sql """drop table if exists ${dbName}.${tableName2}"""
+ try_sql """drop view if exists ${dbName}.${viewName}"""
+ sql """drop database if exists ${dbName}"""
+}
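Review bot: The negative case in the first `connect` block passes silently when the query succeeds, because nothing after `sql "select * from ${dbName}.${viewName}"` inside the `try` fails the test. A regression that lets the user read the view without `select_priv` would therefore go unnoticed. Add a failing assertion directly after the query, e.g. `assertTrue(false) // select must be denied before the grant on the view`, and confirm it is not swallowed by `catch (Exception e)`. The positive case would also be stronger if, after the view grant, it checked that a direct `select` on `${dbName}.${tableName1}` is still denied, which pins that the fix does not widen access to the base tables.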