This is an automated email from the ASF dual-hosted git repository.
dataroaring pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new 238979cd5b9 branch-3.0: [fix](auth)Privatize the authentication
methods in the Auth class to avoid being called incorrectly #48033 (#48394)
238979cd5b9 is described below
commit 238979cd5b9989a5046b10c4f4f2a2765cd4e657
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Fri Feb 28 17:18:22 2025 +0800
branch-3.0: [fix](auth)Privatize the authentication methods in the Auth
class to avoid being called incorrectly #48033 (#48394)
Cherry-picked from #48033
Co-authored-by: zhangdong <[email protected]>
---
.../org/apache/doris/analysis/ShowClusterStmt.java | 2 +-
.../ranger/doris/RangerDorisAccessController.java | 7 ++++++-
.../ranger/hive/RangerHiveAccessController.java | 7 ++++++-
.../doris/cloud/analysis/UseCloudClusterStmt.java | 2 +-
.../java/org/apache/doris/cloud/catalog/CloudEnv.java | 2 +-
.../org/apache/doris/datasource/InternalCatalog.java | 2 +-
.../doris/mysql/privilege/AccessControllerManager.java | 7 +++++++
.../java/org/apache/doris/mysql/privilege/Auth.java | 18 +++++++++---------
.../doris/mysql/privilege/CatalogAccessController.java | 4 +++-
.../mysql/privilege/InternalAccessController.java | 9 +++++++--
.../org/apache/doris/mysql/privilege/UserProperty.java | 2 +-
.../trees/plans/commands/call/CallExecuteStmtFunc.java | 2 +-
.../plans/commands/call/CallFlushAuditLogFunc.java | 2 +-
.../main/java/org/apache/doris/qe/ConnectContext.java | 2 +-
.../main/java/org/apache/doris/qe/ShowExecutor.java | 9 +++++----
.../main/java/org/apache/doris/qe/StmtExecutor.java | 2 +-
.../doris/tablefunction/QueryTableValueFunction.java | 2 +-
.../org/apache/doris/datasource/ColumnPrivTest.java | 8 +++++++-
.../doris/nereids/privileges/TestCheckPrivileges.java | 7 ++++++-
19 files changed, 66 insertions(+), 30 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowClusterStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowClusterStmt.java
index c29978267a3..d1a0486d686 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowClusterStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowClusterStmt.java
@@ -72,7 +72,7 @@ public class ShowClusterStmt extends ShowStmt implements
NotFallbackInParser {
public void analyze(Analyzer analyzer) throws AnalysisException {
if (Config.isNotCloudMode()) {
// just user admin
- if
(!Env.getCurrentEnv().getAuth().checkGlobalPriv(ConnectContext.get().getCurrentUserIdentity(),
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get().getCurrentUserIdentity(),
PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV,
Privilege.NODE_PRIV), Operator.OR))) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
"ADMIN");
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
index 8a7bea57534..f9f571c0d0d 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
@@ -243,11 +243,16 @@ public class RangerDorisAccessController extends
RangerAccessController {
}
@Override
- public boolean checkCloudPriv(UserIdentity currentUser, String
resourceName,
+ public boolean checkCloudPriv(UserIdentity currentUser, String cloudName,
PrivPredicate wanted, ResourceTypeEnum type) {
return false;
}
+ @Override
+ public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ return false;
+ }
+
@Override
public boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
PrivBitSet checkedPrivs = PrivBitSet.of();
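Review bot: The new `checkStorageVaultPriv` override returns `false` unconditionally with no comment saying why, so a maintainer cannot tell an intentional fail-closed stub from an unfinished one; the identical stub is added in RangerHiveAccessController. If, as the constant result suggests, the Ranger policy model has no storage-vault resource, say so at the return: `// Ranger policies do not cover storage vaults: fail closed so vault usage can never be granted implicitly through this authorizer.` The adjacent `checkCloudPriv` stub has the same shape and would benefit from the same note.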
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
index 5ca0589aefb..74be9f24bfe 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
@@ -177,11 +177,16 @@ public class RangerHiveAccessController extends
RangerAccessController {
}
@Override
- public boolean checkCloudPriv(UserIdentity currentUser, String
resourceName,
+ public boolean checkCloudPriv(UserIdentity currentUser, String cloudName,
PrivPredicate wanted, ResourceTypeEnum type) {
return false;
}
+ @Override
+ public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ return false;
+ }
+
@Override
public boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
return false;
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/cloud/analysis/UseCloudClusterStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/cloud/analysis/UseCloudClusterStmt.java
index e35d337ef35..0fab5c8e046 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/cloud/analysis/UseCloudClusterStmt.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/cloud/analysis/UseCloudClusterStmt.java
@@ -89,7 +89,7 @@ public class UseCloudClusterStmt extends StatementBase
implements NotFallbackInP
if (Strings.isNullOrEmpty(cluster)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_CLUSTER_ERROR);
}
- if
(!Env.getCurrentEnv().getAuth().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
+ if
(!Env.getCurrentEnv().getAccessManager().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
cluster, PrivPredicate.USAGE, ResourceTypeEnum.CLUSTER)) {
throw new AnalysisException("USAGE denied to user '" +
ConnectContext.get().getQualifiedUser()
+ "'@'" + ConnectContext.get().getRemoteIP()
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/cloud/catalog/CloudEnv.java
b/fe/fe-core/src/main/java/org/apache/doris/cloud/catalog/CloudEnv.java
index 7aeb35ede68..e7fbbb5118f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/cloud/catalog/CloudEnv.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/cloud/catalog/CloudEnv.java
@@ -269,7 +269,7 @@ public class CloudEnv extends Env {
public void checkCloudClusterPriv(String clusterName) throws DdlException {
// check resource usage privilege
- if
(!Env.getCurrentEnv().getAuth().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
+ if
(!Env.getCurrentEnv().getAccessManager().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
clusterName, PrivPredicate.USAGE, ResourceTypeEnum.CLUSTER)) {
throw new DdlException("USAGE denied to user "
+ ConnectContext.get().getQualifiedUser() + "'@'" +
ConnectContext.get().getRemoteIP()
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/InternalCatalog.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/InternalCatalog.java
index 92a40fe6857..08f8de3bfb7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/datasource/InternalCatalog.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/InternalCatalog.java
@@ -2741,7 +2741,7 @@ public class InternalCatalog implements
CatalogIf<Database> {
Pair<String, String> storageVaultInfoPair =
PropertyAnalyzer.analyzeStorageVault(properties);
// Check if user has storage vault usage privilege
- if (ConnectContext.get() != null && !env.getAuth()
+ if (ConnectContext.get() != null && !env.getAccessManager()
.checkStorageVaultPriv(ctx.getCurrentUserIdentity(),
storageVaultInfoPair.first, PrivPredicate.USAGE)) {
throw new DdlException("USAGE denied to user '" +
ConnectContext.get().getQualifiedUser()
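Review bot: The vault privilege check on the changed line is skipped entirely when `ConnectContext.get()` is null, because the `&&` short-circuits and the operation proceeds; that fail-open shape predates the commit but this line is now the only guard on the path. It should be confirmed that the null case is reachable only from internal, non-session callers and documented as such, e.g. `// No session context means an internal caller; the vault USAGE check is intentionally skipped.` The same condition tests `ConnectContext.get()` but then dereferences `ctx`; unless the two are guaranteed to be the same object the null guard does not protect `ctx.getCurrentUserIdentity()`. The enclosing method starts and ends outside the hunk.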
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
index ab43108290f..439a7e5a760 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
@@ -215,6 +215,13 @@ public class AccessControllerManager {
return defaultAccessController.checkCloudPriv(currentUser, cloudName,
wanted, type);
}
+ public boolean checkStorageVaultPriv(ConnectContext ctx, String
storageVaultName, PrivPredicate wanted) {
+ return checkStorageVaultPriv(ctx.getCurrentUserIdentity(),
storageVaultName, wanted);
+ }
+
+ public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ return defaultAccessController.checkStorageVaultPriv(currentUser,
storageVaultName, wanted);
+ }
public boolean checkWorkloadGroupPriv(ConnectContext ctx, String
workloadGroupName, PrivPredicate wanted) {
return checkWorkloadGroupPriv(ctx.getCurrentUserIdentity(),
workloadGroupName, wanted);
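Review bot: The two new public `checkStorageVaultPriv` overloads carry no Javadoc, although they become the single entry point every storage-vault usage check in this commit is redirected to. The `UserIdentity` overload consults only `defaultAccessController`, so whether a non-default (for example Ranger-backed) authorizer is ever asked about vaults depends on what is installed as the default, which the hunk does not show; that dependency belongs in the doc. A minimal version: `/** Returns whether {@code currentUser} holds {@code wanted} on the storage vault, as decided by the default access controller; {@code false} denies usage. */`.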
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index b6a57b56c44..9c898338358 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -266,7 +266,7 @@ public class Auth implements Writable {
}
// ==== Global ====
- public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate
wanted) {
+ protected boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate
wanted) {
readLock();
try {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
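Review bot: The commit title says the check methods are privatized, but `protected` still grants access to every class in package `org.apache.doris.mysql.privilege` and to any subclass, so in-package callers can keep bypassing `AccessControllerManager`; `InternalAccessController`, in that package, relies on exactly this. If package-level access is the intended contract, state it where the visibility is chosen so nobody later widens it back: `// protected, not private: only InternalAccessController (same package) may call these; every other caller must go through AccessControllerManager.` The same applies to the other hunks in this file (checkCtlPriv, checkDbPriv, checkTblPriv, checkColsPriv, checkResourcePriv, checkStorageVaultPriv, checkWorkloadGroupPriv, checkCloudPriv). The body of checkGlobalPriv continues past the hunk.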
@@ -282,7 +282,7 @@ public class Auth implements Writable {
}
// ==== Catalog ====
- public boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
+ protected boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should not check NODE priv in catalog level. user:
{}, catalog: {}",
@@ -305,7 +305,7 @@ public class Auth implements Writable {
}
// ==== Database ====
- public boolean checkDbPriv(UserIdentity currentUser, String ctl, String
db, PrivPredicate wanted) {
+ protected boolean checkDbPriv(UserIdentity currentUser, String ctl, String
db, PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should not check NODE priv in Database level. user:
{}, db: {}",
@@ -329,7 +329,7 @@ public class Auth implements Writable {
}
// ==== Table ====
- public boolean checkTblPriv(UserIdentity currentUser, String ctl, String
db, String tbl, PrivPredicate wanted) {
+ protected boolean checkTblPriv(UserIdentity currentUser, String ctl,
String db, String tbl, PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should check NODE priv in GLOBAL level. user: {},
db: {}, tbl: {}", currentUser, db, tbl);
@@ -353,7 +353,7 @@ public class Auth implements Writable {
// ==== Column ====
// The reason why this method throws an exception instead of returning a
boolean is to
// indicate which col does not have permission
- public void checkColsPriv(UserIdentity currentUser, String ctl, String db,
String tbl, Set<String> cols,
+ protected void checkColsPriv(UserIdentity currentUser, String ctl, String
db, String tbl, Set<String> cols,
PrivPredicate wanted) throws AuthorizationException {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
for (String col : cols) {
@@ -376,7 +376,7 @@ public class Auth implements Writable {
}
// ==== Resource ====
- public boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
+ protected boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
readLock();
try {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
@@ -392,7 +392,7 @@ public class Auth implements Writable {
}
// ==== Storage Vault ====
- public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ protected boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
readLock();
try {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
@@ -408,7 +408,7 @@ public class Auth implements Writable {
}
// ==== Workload Group ====
- public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String
workloadGroupName, PrivPredicate wanted) {
+ protected boolean checkWorkloadGroupPriv(UserIdentity currentUser, String
workloadGroupName, PrivPredicate wanted) {
readLock();
try {
// currently stream load not support ip based auth, so normal
should not auth temporary
@@ -430,7 +430,7 @@ public class Auth implements Writable {
}
// ==== cloud ====
- public boolean checkCloudPriv(UserIdentity currentUser, String cloudName,
+ protected boolean checkCloudPriv(UserIdentity currentUser, String
cloudName,
PrivPredicate wanted, ResourceTypeEnum type) {
readLock();
try {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java
index 74d136c4665..0538e52c287 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java
@@ -78,7 +78,9 @@ public interface CatalogAccessController {
Set<String> cols, PrivPredicate wanted) throws
AuthorizationException;
// ==== Cloud ====
- boolean checkCloudPriv(UserIdentity currentUser, String resourceName,
PrivPredicate wanted, ResourceTypeEnum type);
+ boolean checkCloudPriv(UserIdentity currentUser, String cloudName,
PrivPredicate wanted, ResourceTypeEnum type);
+
+ boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted);
Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity currentUser,
String ctl, String db, String tbl,
String col);
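Review bot: `checkStorageVaultPriv` is added to the public interface as an abstract method, so any `CatalogAccessController` implementation outside this tree stops compiling, and one loaded against the old binary would throw `AbstractMethodError` at check time rather than denying. If external authorizers are supported, a fail-closed default keeps them loadable without granting anything: `default boolean checkStorageVaultPriv(UserIdentity currentUser, String storageVaultName, PrivPredicate wanted) { return false; }`. Either way the method needs Javadoc stating that `false` denies vault usage, matching the `// ==== Cloud ====` section style used for `checkCloudPriv`.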
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java
index 72424f5738e..65a40ae1361 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java
@@ -70,9 +70,14 @@ public class InternalAccessController implements
CatalogAccessController {
}
@Override
- public boolean checkCloudPriv(UserIdentity currentUser, String
resourceName,
+ public boolean checkCloudPriv(UserIdentity currentUser, String cloudName,
PrivPredicate wanted, ResourceTypeEnum type) {
- return auth.checkResourcePriv(currentUser, resourceName, wanted);
+ return auth.checkCloudPriv(currentUser, cloudName, wanted, type);
+ }
+
+ @Override
+ public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ return auth.checkStorageVaultPriv(currentUser, storageVaultName,
wanted);
}
@Override
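Review bot: Replacing `auth.checkResourcePriv(currentUser, resourceName, wanted)` with `auth.checkCloudPriv(currentUser, cloudName, wanted, type)` changes which grants satisfy the check — callers that already went through `AccessControllerManager.checkCloudPriv` were evaluated against resource privileges and are now evaluated against cloud privileges — yet the commit message describes only a visibility change. That behavioural change deserves an explicit mention and a regression test for a user holding one kind of grant but not the other; the test changes in `ColumnPrivTest` and `TestCheckPrivileges` only add stubs returning a constant. A comment at the call would stop the old mapping from being reintroduced: `// cloud cluster USAGE is a cloud-level grant, not a resource grant; never fall back to checkResourcePriv here`.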
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserProperty.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserProperty.java
index e4a76b23820..a637fb6c182 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserProperty.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserProperty.java
@@ -397,7 +397,7 @@ public class UserProperty implements Writable {
return value;
}
// check cluster auth
- if (!Strings.isNullOrEmpty(value) &&
!Env.getCurrentEnv().getAuth().checkCloudPriv(
+ if (!Strings.isNullOrEmpty(value) &&
!Env.getCurrentEnv().getAccessManager().checkCloudPriv(
new UserIdentity(qualifiedUser, "%"), value, PrivPredicate.USAGE,
ResourceTypeEnum.CLUSTER)) {
throw new ComputeGroupException(String.format("set default compute
group failed, "
+ "user %s has no permission to use compute group '%s', please
grant use privilege first ",
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
index 1e36915c111..4302d277708 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
@@ -92,7 +92,7 @@ public class CallExecuteStmtFunc extends CallFunc {
}
// check priv
- if (!Env.getCurrentEnv().getAuth().checkCtlPriv(user, catalogName,
PrivPredicate.LOAD)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(user,
catalogName, PrivPredicate.LOAD)) {
throw new AnalysisException("user " + user + " has no privilege to
execute stmt in catalog " + catalogName);
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
index 60cae55e7f5..8d0beef4e67 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
@@ -48,7 +48,7 @@ public class CallFlushAuditLogFunc extends CallFunc {
@Override
public void run() {
// check priv
- if (!Env.getCurrentEnv().getAuth().checkGlobalPriv(user,
PrivPredicate.ADMIN)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(user,
PrivPredicate.ADMIN)) {
throw new AnalysisException("Only admin can flush audit log");
}
// flush audit log
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
index 77dd72ee363..c160d7e77b9 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
@@ -1180,7 +1180,7 @@ public class ConnectContext {
List<String> hasAuthCluster = new ArrayList<>();
// get all available cluster of the user
for (String cloudClusterName : cloudClusterNames) {
- if
(Env.getCurrentEnv().getAuth().checkCloudPriv(getCurrentUserIdentity(),
+ if
(Env.getCurrentEnv().getAccessManager().checkCloudPriv(getCurrentUserIdentity(),
cloudClusterName, PrivPredicate.USAGE,
ResourceTypeEnum.CLUSTER)) {
hasAuthCluster.add(cloudClusterName);
// find a cluster has more than one alive be
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
index 0fda1f4e5c2..3d37c7a2fa4 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
@@ -215,6 +215,7 @@ import org.apache.doris.load.LoadJob;
import org.apache.doris.load.LoadJob.JobState;
import org.apache.doris.load.loadv2.LoadManager;
import org.apache.doris.load.routineload.RoutineLoadJob;
+import org.apache.doris.mysql.privilege.AccessControllerManager;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.mysql.privilege.PrivBitSet;
import org.apache.doris.mysql.privilege.PrivPredicate;
@@ -810,7 +811,7 @@ public class ShowExecutor {
for (String clusterName : clusterNameSet) {
ArrayList<String> row = Lists.newArrayList(clusterName);
// current_used, users
- if (!Env.getCurrentEnv().getAuth()
+ if (!Env.getCurrentEnv().getAccessManager()
.checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(), clusterName,
PrivPredicate.USAGE, ResourceTypeEnum.CLUSTER)) {
continue;
@@ -828,7 +829,7 @@ public class ShowExecutor {
users.remove(Auth.ROOT_USER);
}
// common user, not admin
- if
(!Env.getCurrentEnv().getAuth().checkGlobalPriv(ConnectContext.get().currentUserIdentity,
+ if
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get().currentUserIdentity,
PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV),
Operator.OR))) {
users.removeIf(user ->
!user.equals(ClusterNamespace.getNameFromFullName(ctx.getQualifiedUser())));
}
@@ -3410,10 +3411,10 @@ public class ShowExecutor {
try {
Cloud.GetObjStoreInfoResponse resp = MetaServiceProxy.getInstance()
.getObjStoreInfo(Cloud.GetObjStoreInfoRequest.newBuilder().build());
- Auth auth = Env.getCurrentEnv().getAuth();
+ AccessControllerManager accessManager =
Env.getCurrentEnv().getAccessManager();
UserIdentity user = ctx.getCurrentUserIdentity();
rows = resp.getStorageVaultList().stream()
- .filter(storageVault -> auth.checkStorageVaultPriv(user,
storageVault.getName(),
+ .filter(storageVault ->
accessManager.checkStorageVaultPriv(user, storageVault.getName(),
PrivPredicate.USAGE))
.map(StorageVault::convertToShowStorageVaultProperties)
.collect(Collectors.toList());
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
b/fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
index 6405cac49d6..35451af7a12 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
@@ -1290,7 +1290,7 @@ public class StmtExecutor {
if (ConnectContext.get() == null ||
Strings.isNullOrEmpty(clusterName)) {
return false;
}
- return
Env.getCurrentEnv().getAuth().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
+ return
Env.getCurrentEnv().getAccessManager().checkCloudPriv(ConnectContext.get().getCurrentUserIdentity(),
clusterName, PrivPredicate.USAGE, ResourceTypeEnum.CLUSTER);
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
index 07a125836b7..269ebdeab42 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
@@ -62,7 +62,7 @@ public abstract class QueryTableValueFunction extends
TableValuedFunctionIf {
// check priv
UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!Env.getCurrentEnv().getAuth().checkCtlPriv(userIdentity,
catalogName, PrivPredicate.SELECT)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(userIdentity,
catalogName, PrivPredicate.SELECT)) {
throw new org.apache.doris.nereids.exceptions.AnalysisException(
"user " + userIdentity + " has no privilege to query in
catalog " + catalogName);
}
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java
b/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java
index 94ffedb8d13..b37f7571d35 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java
@@ -320,7 +320,13 @@ public class ColumnPrivTest extends TestWithFeService {
}
@Override
- public boolean checkCloudPriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted, ResourceTypeEnum type) {
+ public boolean checkCloudPriv(UserIdentity currentUser, String
cloudName, PrivPredicate wanted, ResourceTypeEnum type) {
+ return false;
+ }
+
+ @Override
+ public boolean checkStorageVaultPriv(UserIdentity currentUser,
String storageVaultName,
+ PrivPredicate wanted) {
return false;
}
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java
b/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java
index 5ad41d7e6b3..dafc33a64af 100644
---
a/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java
@@ -400,11 +400,16 @@ public class TestCheckPrivileges extends
TestWithFeService implements GeneratedM
}
@Override
- public boolean checkCloudPriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted,
+ public boolean checkCloudPriv(UserIdentity currentUser, String
cloudName, PrivPredicate wanted,
ResourceTypeEnum type) {
return true;
}
+ @Override
+ public boolean checkStorageVaultPriv(UserIdentity currentUser, String
storageVaultName, PrivPredicate wanted) {
+ return true;
+ }
+
@Override
public Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity
currentUser, String ctl, String db, String tbl,
String col) {