seawinde opened a new pull request, #60699:
URL: https://github.com/apache/doris/pull/60699
### What problem does this PR solve?
Overview
- admin_readonly is a built-in role created at startup. It grants global read privileges (SELECT + SHOW VIEW) and is registered by the role manager.
- SU is implemented as a command that switches the current session user and sets an explicit role override list. It requires the current user to be root; otherwise it throws.
Role resolution flow
- When privileges are checked, the system builds a PrivilegeContext for the current session. If currentRoles is set on the session and the current user matches, that set is used for role resolution; otherwise the user's default roles are used.
- Role resolution can also include LDAP roles when LDAP auth is enabled.
How admin_readonly affects behavior
- If the resolved role set contains admin_readonly, some "read-only admin" shortcuts kick in:
  - SHOW RESOURCES is allowed.
  - SHOW WORKLOAD GROUP is allowed.
  - Process list visibility is expanded (both local and RPC paths check for admin_readonly).
How SU interacts with admin_readonly
- SU sets currentRoles explicitly. If admin_readonly is in that list (or comes from LDAP/local roles depending on resolution rules), the session gains the read-only admin behaviors above.
- If SU specifies no roles, the current code falls back to the target user's local roles (and then merges LDAP roles). So "no roles" does not mean "no privileges" by default.
Issue Number: close #xxx
Related PR: #xxx
Problem Summary:
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
  - [ ] Regression test
  - [x] Unit Test
  - [ ] Manual test (add detailed scripts or steps below)
  - [ ] No need to test or manual test. Explain why:
    - [ ] This is a refactor/code format and no logic has been changed.
    - [ ] Previous test can cover this change.
    - [ ] No code files have been changed.
    - [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
  - [ ] No.
  - [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
  - [ ] No.
  - [ ] Yes. <!-- Add document PR link here. eg: https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should merge into -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
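The role-resolution flow and the SU fallback described in the PR, as an added stand-alone model written for this page (not Doris's own code): the session/role tables, class and method names are assumptions, and LDAP roles are merged on both the override and the fallback path in this model, which the description leaves open.

```java
import java.util.*;

// Illustrative model of the rules in the PR description; not Doris code.
public class RoleResolutionModel {
    static final String ADMIN_READONLY = "admin_readonly";

    // Constructed sample data: local (default) roles and LDAP roles per user.
    static final Map<String, Set<String>> LOCAL_ROLES = Map.of(
        "root", Set.of("admin"),
        "analyst", Set.of("reporting"),
        "auditor", Set.of(ADMIN_READONLY));
    static final Map<String, Set<String>> LDAP_ROLES = Map.of(
        "analyst", Set.of(ADMIN_READONLY));

    static final class Session {
        String currentUser;
        String rolesOwner;        // user the override was set for (by SU)
        Set<String> currentRoles; // null = no explicit override on the session
        Session(String user) { this.currentUser = user; }
    }

    // SU as described: only root may switch; an empty role list leaves no override,
    // so resolution falls back to the target user's local roles.
    static void su(Session s, String target, Set<String> roles) {
        if (!"root".equals(s.currentUser)) throw new IllegalStateException("SU requires root");
        s.currentUser = target;
        s.rolesOwner = target;
        s.currentRoles = roles.isEmpty() ? null : new HashSet<>(roles);
    }

    // Override set wins only when it belongs to the current user; otherwise defaults.
    static Set<String> resolveRoles(Session s, boolean ldapEnabled) {
        Set<String> out = new HashSet<>();
        if (s.currentRoles != null && s.currentUser.equals(s.rolesOwner)) {
            out.addAll(s.currentRoles);
        } else {
            out.addAll(LOCAL_ROLES.getOrDefault(s.currentUser, Set.of()));
        }
        if (ldapEnabled) out.addAll(LDAP_ROLES.getOrDefault(s.currentUser, Set.of()));
        return out;
    }

    // Read-only admin shortcut (e.g. SHOW RESOURCES) keyed on the resolved set.
    static boolean readOnlyAdminShortcut(Session s, boolean ldapEnabled) {
        return resolveRoles(s, ldapEnabled).contains(ADMIN_READONLY);
    }

    public static void main(String[] args) {
        Session s = new Session("root");
        su(s, "analyst", Set.of()); // "no roles" given to SU
        System.out.println(resolveRoles(s, true) + " shortcut=" + readOnlyAdminShortcut(s, true));
    }
}
```

Running it with LDAP enabled shows the SU-with-no-roles session still resolving the target's local and LDAP roles, which is the "no roles does not mean no privileges" point the PR makes.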