This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 7e9e02a173 [Enhancement](auth)Desc table check col auth (#18114)
7e9e02a173 is described below
commit 7e9e02a1739bd4c4e9ae5c9ddd4098fd53f7afa5
Author: zhangdong <[email protected]>
AuthorDate: Wed Mar 29 10:42:18 2023 +0800
[Enhancement](auth)Desc table check col auth (#18114)
1.Change permission exception format
2. When describing a table, show only the columns the current user is authorized to see
3.delete unused code
---
.../org/apache/doris/analysis/DescribeStmt.java | 21 +++++++-
.../authorizer/RangerHiveAccessController.java | 2 +-
.../apache/doris/common/util/PropertyAnalyzer.java | 2 +-
.../apache/doris/datasource/ExternalCatalog.java | 2 +-
.../mysql/privilege/AccessControllerManager.java | 23 ++++-----
.../mysql/privilege/RangerAccessController.java | 57 ----------------------
.../privilege/RangerAccessControllerFactory.java | 27 ----------
.../apache/doris/service/FrontendServiceImpl.java | 9 ++--
8 files changed, 41 insertions(+), 102 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/DescribeStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/DescribeStmt.java
index 5922427bc3..c03e58e966 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DescribeStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DescribeStmt.java
@@ -28,6 +28,7 @@ import org.apache.doris.catalog.OlapTable;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.catalog.TableIf;
import org.apache.doris.catalog.TableIf.TableType;
+import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
@@ -42,10 +43,14 @@ import org.apache.doris.datasource.CatalogIf;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;
+import org.apache.doris.system.SystemInfoService;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
import java.util.ArrayList;
import java.util.Arrays;
@@ -55,6 +60,7 @@ import java.util.Map;
import java.util.Set;
public class DescribeStmt extends ShowStmt {
+ private static final Logger LOG = LogManager.getLogger(DescribeStmt.class);
private static final ShowResultSetMetaData DESC_OLAP_TABLE_ALL_META_DATA =
ShowResultSetMetaData.builder()
.addColumn(new Column("IndexName",
ScalarType.createVarchar(20)))
@@ -277,7 +283,20 @@ public class DescribeStmt extends ShowStmt {
return totalRows;
}
Preconditions.checkNotNull(node);
- return node.fetchResult().getRows();
+ List<List<String>> rows = node.fetchResult().getRows();
+ List<List<String>> res = new ArrayList<>();
+ for (List<String> row : rows) {
+ try {
+ Env.getCurrentEnv().getAccessManager()
+
.checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(),
dbTableName.getCtl(),
+
ClusterNamespace.getFullName(SystemInfoService.DEFAULT_CLUSTER, getDb()),
+ getTableName(),
Sets.newHashSet(row.get(0)), PrivPredicate.SHOW);
+ res.add(row);
+ } catch (UserException e) {
+ LOG.debug(e.getMessage());
+ }
+ }
+ return res;
}
}
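Review bot: The catch at the bottom of the new loop swallows every `UserException`, so a failure inside the access controller that is not an authorization decision (a misconfigured or unreachable external controller, if it surfaces as a UserException) would silently shrink the DESCRIBE output to zero columns with only a DEBUG line, instead of being reported. If `AuthorizationException` is the subtype that `checkColsPriv` declares (the deleted RangerAccessController in this commit declares exactly that, and `org.apache.doris.common.AuthorizationException` would need importing here), catch it to hide the column and let other `UserException`s propagate wrapped as an `AnalysisException`, so that operators can tell "denied" from "broken"; the debug line should also name the hidden column so the decision is auditable. getResultRows starts above this hunk, so its declared exceptions are not visible here; the wrap assumes it declares AnalysisException (or a supertype) and that AnalysisException has a (String, Throwable) constructor — confirm both.
```java
                res.add(row);
            } catch (AuthorizationException e) {
                // Denied: hide the column, but leave an auditable trace of what was hidden.
                LOG.debug("hiding column {} of {}.{} from DESCRIBE: {}",
                        row.get(0), getDb(), getTableName(), e.getMessage());
            } catch (UserException e) {
                // Not an authorization decision: surface it instead of silently returning fewer columns.
                throw new AnalysisException("failed to check column privilege: " + e.getMessage(), e);
            }
```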
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java
index cacf8043db..bd7abe652d 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java
@@ -98,7 +98,7 @@ public class RangerHiveAccessController implements
CatalogAccessController {
throw new AuthorizationException(String.format(
"Permission denied: user [%s] does not have privilege
for [%s] command on [%s]",
result.getAccessRequest().getUser(), accessType.name(),
-
result.getAccessRequest().getResource().getAsString()));
+
result.getAccessRequest().getResource().getAsString().replaceAll("/", ".")));
}
}
}
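Review bot: The added `.replaceAll("/", ".")` on the resource string uses a regex API for a literal single-character substitution; `.replace("/", ".")` says what is meant, avoids compiling a pattern on every denial, and cannot surprise a future maintainer who changes the separator to a regex metacharacter. Note also that this rewrite is applied only to the message text, so a resource component that itself contains "/" (a column or table name) would be rendered with "." like a separator — harmless for the user-facing message, but the string should not be parsed back anywhere. The enclosing method and its surrounding `if` begin above this hunk.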
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/common/util/PropertyAnalyzer.java
b/fe/fe-core/src/main/java/org/apache/doris/common/util/PropertyAnalyzer.java
index 143ae00980..1a4d212059 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/common/util/PropertyAnalyzer.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/common/util/PropertyAnalyzer.java
@@ -817,7 +817,7 @@ public class PropertyAnalyzer {
// validate access controller properties
// eg:
// (
- // "access_controller.class" =
"org.apache.doris.mysql.privilege.RangerAccessControllerFactory",
+ // "access_controller.class" =
"org.apache.doris.mysql.privilege.RangerHiveAccessControllerFactory",
// "access_controller.properties.prop1" = "xxx",
// "access_controller.properties.prop2" = "yyy",
// )
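Review bot: The example class name in the updated comment, `org.apache.doris.mysql.privilege.RangerHiveAccessControllerFactory`, may not match where the controller actually lives: the only Ranger class touched by this commit is `org.apache.doris.catalog.authorizer.RangerHiveAccessController`, and the `mysql.privilege` Ranger classes are deleted here. Operators copy this example into `access_controller.class`, so a wrong FQCN fails at catalog creation; please confirm the factory's package and correct the example if it is under `catalog.authorizer`. The validation method this comment belongs to starts above the hunk and is not visible here.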
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/ExternalCatalog.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/ExternalCatalog.java
index 504624e062..2271af1913 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/datasource/ExternalCatalog.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/ExternalCatalog.java
@@ -160,7 +160,7 @@ public abstract class ExternalCatalog implements
CatalogIf<ExternalDatabase>, Wr
/**
* eg:
* (
- * ""access_controller.class" =
"org.apache.doris.mysql.privilege.RangerAccessControllerFactory",
+ * ""access_controller.class" =
"org.apache.doris.mysql.privilege.RangerHiveAccessControllerFactory",
* "access_controller.properties.prop1" = "xxx",
* "access_controller.properties.prop2" = "yyy",
* )
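Review bot: The rewritten Javadoc line still carries a doubled opening quote, `""access_controller.class" =`, which reads as an empty string followed by a bare key; since this block is the example users copy into CREATE CATALOG properties it should be `* "access_controller.class" = "..."`. As with any example FQCN, please also confirm the factory really is in `org.apache.doris.mysql.privilege`, given that the only Ranger controller in this commit lives in `org.apache.doris.catalog.authorizer`. The Javadoc's owning declaration is below the hunk and not visible here.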
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
index 2096cb39e2..278ba3456f 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
@@ -22,7 +22,6 @@ import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.AuthorizationInfo;
import org.apache.doris.catalog.Env;
import org.apache.doris.cluster.ClusterNamespace;
-import org.apache.doris.common.AuthorizationException;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.CatalogIf;
import org.apache.doris.datasource.ExternalCatalog;
@@ -189,17 +188,19 @@ public class AccessControllerManager {
}
}
- public boolean checkColumnsPriv(UserIdentity currentUser, String
qualifiedDb, String tbl, Set<String> cols,
- PrivPredicate wanted) {
+ public void checkColumnsPriv(UserIdentity currentUser, String
+ ctl, String qualifiedDb, String tbl, Set<String> cols,
+ PrivPredicate wanted) throws UserException {
boolean hasGlobal = sysAccessController.checkGlobalPriv(currentUser,
wanted);
- CatalogAccessController accessController =
getAccessControllerOrDefault(Auth.DEFAULT_CATALOG);
- try {
- accessController
- .checkColsPriv(hasGlobal, currentUser,
Auth.DEFAULT_CATALOG, qualifiedDb, tbl, cols, wanted);
- return true;
- } catch (AuthorizationException e) {
- return false;
- }
+ CatalogAccessController accessController =
getAccessControllerOrDefault(ctl);
+ accessController.checkColsPriv(hasGlobal, currentUser, ctl,
qualifiedDb,
+ tbl, cols, wanted);
+
+ }
+
+ public void checkColumnsPriv(UserIdentity currentUser, String qualifiedDb,
String tbl, Set<String> cols,
+ PrivPredicate wanted) throws UserException {
+ checkColumnsPriv(currentUser, Auth.DEFAULT_CATALOG, qualifiedDb, tbl,
cols, wanted);
}
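Review bot: The new public `checkColumnsPriv(UserIdentity, String ctl, ...)` and its catalog-less overload change the contract from returning `boolean` to throwing, but carry no Javadoc, so a caller cannot tell from the signature that the method is fail-closed (any exception means "not authorized") or that the four-argument form silently checks against `Auth.DEFAULT_CATALOG`. I would add, above the five-argument method: `/** Checks column-level privilege on {@code ctl}.{@code qualifiedDb}.{@code tbl}; throws if the catalog's access controller denies any of {@code cols}. Callers must treat any exception as denial. */` and above the overload `/** Same check against the internal catalog ({@link Auth#DEFAULT_CATALOG}). */`. The empty line before the closing brace of the five-argument method is also a leftover from the removed try/catch and can go.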
// ==== Resource ====
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessController.java
deleted file mode 100644
index 02152f4fa8..0000000000
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessController.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package org.apache.doris.mysql.privilege;
-
-import org.apache.doris.analysis.UserIdentity;
-import org.apache.doris.common.AuthorizationException;
-
-import java.util.Map;
-import java.util.Set;
-
-public class RangerAccessController implements CatalogAccessController {
-
- public RangerAccessController(Map<String, String> properties) {
-
- }
-
- @Override
- public boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
- // TODO
- return false;
- }
-
- @Override
- public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db,
- PrivPredicate wanted) {
- // TODO
- return false;
- }
-
- @Override
- public boolean checkTblPriv(UserIdentity currentUser, String ctl, String
db, String tbl, PrivPredicate wanted) {
- // TODO
- return false;
- }
-
- @Override
- public void checkColsPriv(UserIdentity currentUser, String ctl, String db,
String tbl, Set<String> cols,
- PrivPredicate wanted) throws AuthorizationException {
- // TODO
- throw new AuthorizationException("not implemented");
- }
-}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessControllerFactory.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessControllerFactory.java
deleted file mode 100644
index e5674491c5..0000000000
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RangerAccessControllerFactory.java
+++ /dev/null
@@ -1,27 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package org.apache.doris.mysql.privilege;
-
-import java.util.Map;
-
-public class RangerAccessControllerFactory implements AccessControllerFactory {
- @Override
- public CatalogAccessController createAccessController(Map<String, String>
prop) {
- return new RangerAccessController(prop);
- }
-}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index ce502cb767..4b9bd2cc2d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -1502,10 +1502,13 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
} else if (privHier == TPrivilegeHier.COLUMNS) {
String fullDbName = ClusterNamespace.getFullName(cluster,
privCtrl.getDb());
- if (!accessManager.checkColumnsPriv(currentUser.get(0),
fullDbName, privCtrl.getTbl(), privCtrl.getCols(),
- predicate)) {
+
+ try {
+ accessManager.checkColumnsPriv(currentUser.get(0), fullDbName,
privCtrl.getTbl(), privCtrl.getCols(),
+ predicate);
+ } catch (UserException e) {
status.setStatusCode(TStatusCode.ANALYSIS_ERROR);
- status.addToErrorMsgs("Columns permissions error");
+ status.addToErrorMsgs("Columns permissions error:" +
e.getMessage());
}
} else if (privHier == TPrivilegeHier.RESOURSE) {
if (!accessManager.checkResourcePriv(currentUser.get(0),
privCtrl.getRes(), predicate)) {
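Review bot: The new catch turns every `UserException` from `checkColumnsPriv` into ANALYSIS_ERROR "Columns permissions error", and the only record of why is the message string forwarded to the RPC caller — nothing is logged on the FE, so a controller failure that is not an authorization decision is indistinguishable from a denial to operators. I would log it before setting the status, e.g. `LOG.warn("column privilege check failed for {} on {}.{}", currentUser.get(0), fullDbName, privCtrl.getTbl(), e);` (assuming this class has its usual static LOG, which is outside the hunk), and fix the missing space in `"Columns permissions error: " + e.getMessage()`. Also note that whatever text the catalog's controller puts in its exception now travels verbatim to the client, so custom controllers must keep internal details out of those messages. The enclosing method starts and ends outside this hunk.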