This is an automated email from the ASF dual-hosted git repository. spricoder pushed a commit to branch refactor/new_auth in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 1617f32579455e8fe7137f1cf8f48241160bcff8 Author: spricoder <[email protected]> AuthorDate: Sat Jun 24 22:56:12 2023 +0800 Merge Privilege --- .../request/ConfigPhysicalPlanSerDeTest.java | 3 +- .../confignode/persistence/AuthorInfoTest.java | 23 ++-- .../confignode/it/IoTDBClusterAuthorityIT.java | 13 +-- .../iotdb/commons/auth/entity/PrivilegeType.java | 55 ++-------- .../org/apache/iotdb/commons/utils/AuthUtils.java | 36 ++----- .../org/apache/iotdb/db/auth/AuthorityChecker.java | 118 ++++++++------------- .../iotdb/db/mpp/plan/parser/ASTVisitor.java | 2 +- .../iotdb/db/auth/AuthorizerManagerTest.java | 12 +-- 8 files changed, 84 insertions(+), 178 deletions(-) diff --git a/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java b/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java index a60b8605d0e..359128e256b 100644 --- a/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java +++ b/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java @@ -533,8 +533,7 @@ public class ConfigPhysicalPlanSerDeTest { AuthorPlan req0; AuthorPlan req1; Set<Integer> permissions = new HashSet<>(); - permissions.add(PrivilegeType.GRANT_USER_PRIVILEGE.ordinal()); - permissions.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); + permissions.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); // create user req0 = diff --git a/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java b/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java index 2d9802444f2..c7188b49bc9 100644 --- a/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java +++ b/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java 
@@ -89,16 +89,13 @@ public class AuthorInfoTest { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); - privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER.ordinal()); - Map<String, List<String>> permissionInfo; List<String> privilege = new ArrayList<>(); - privilege.add("root.** : CREATE_USER"); - privilege.add("root.** : CREATE_USER"); + privilege.add("root.** : USER"); List<PartialPath> paths = new ArrayList<>(); paths.add(new PartialPath("root.ln")); @@ -124,9 +121,7 @@ public class AuthorInfoTest { // check user privileges status = - authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) - .getStatus(); + authorInfo.checkUserPrivileges("user0", paths, PrivilegeType.USER.ordinal()).getStatus(); Assert.assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); // drop user @@ -217,9 +212,7 @@ public class AuthorInfoTest { // check user privileges status = - authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) - .getStatus(); + authorInfo.checkUserPrivileges("user0", paths, PrivilegeType.USER.ordinal()).getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); // grant role @@ -513,8 +506,8 @@ public class AuthorInfoTest { AuthorPlan authorPlan; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.INSERT_TIMESERIES.ordinal()); - privilegeList.add(PrivilegeType.READ_TIMESERIES.ordinal()); + privilegeList.add(PrivilegeType.WRITE_DATA.ordinal()); + privilegeList.add(PrivilegeType.READ_DATA.ordinal()); Map<String, List<String>> permissionInfo; List<String> userPrivilege = new ArrayList<>(); 
@@ -579,7 +572,7 @@ public class AuthorInfoTest { // check user privileges status = authorInfo - .checkUserPrivileges("user0", userPaths, PrivilegeType.INSERT_TIMESERIES.ordinal()) + .checkUserPrivileges("user0", userPaths, PrivilegeType.WRITE_DATA.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java index 41119bd73e2..88a977ae76c 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java @@ -121,11 +121,10 @@ public class IoTDBClusterAuthorityIT { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set<Integer> privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); - privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER.ordinal()); Set<Integer> revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER.ordinal()); List<String> privilege = new ArrayList<>(); privilege.add("root.** : CREATE_USER"); @@ -157,9 +156,7 @@ public class IoTDBClusterAuthorityIT { // check user privileges checkUserPrivilegesReq = new TCheckUserPrivilegesReq( - "tempuser0", - AuthUtils.serializePartialPathList(paths), - PrivilegeType.DELETE_USER.ordinal()); + "tempuser0", AuthUtils.serializePartialPathList(paths), PrivilegeType.USER.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); 
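Review bot: The context line `privilege.add("root.** : CREATE_USER");` in the `@@ -121,11 +121,10 @@` hunk still names a privilege this commit deletes from PrivilegeType, while the set granted two lines above now holds `USER`; whatever this string is later compared with or parsed into (not visible here) can no longer correspond to a real privilege, and AuthorInfoTest in the same commit was updated to `"root.** : USER"` for the equivalent fixture. Change it to `privilege.add("root.** : USER");`. The test method continues outside the hunk.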
@@ -268,9 +265,7 @@ public class IoTDBClusterAuthorityIT { // check user privileges checkUserPrivilegesReq = new TCheckUserPrivilegesReq( - "tempuser0", - AuthUtils.serializePartialPathList(paths), - PrivilegeType.DELETE_USER.ordinal()); + "tempuser0", AuthUtils.serializePartialPathList(paths), PrivilegeType.USER.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); diff --git a/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java index 4eee79a52f3..6805f9e2e01 100644 --- a/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java +++ b/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java 
@@ -21,54 +21,19 @@ package org.apache.iotdb.commons.auth.entity;
 /** This enum class contains all available privileges in IoTDB. */
 public enum PrivilegeType {
- // create or delete database
 CREATE_DATABASE(true),
- // create or drop function TODO select data and show function
 READ_DATA(true),
- INSERT_TIMESERIES(true),
- @Deprecated
- UPDATE_TIMESERIES(true),
- READ_TIMESERIES(true),
- CREATE_TIMESERIES(true),
- DELETE_TIMESERIES(true),
- CREATE_USER,
- DELETE_USER,
- MODIFY_PASSWORD,
- LIST_USER,
- GRANT_USER_PRIVILEGE,
- REVOKE_USER_PRIVILEGE,
- GRANT_USER_ROLE,
- REVOKE_USER_ROLE,
- CREATE_ROLE,
- DELETE_ROLE,
- LIST_ROLE,
- GRANT_ROLE_PRIVILEGE,
- REVOKE_ROLE_PRIVILEGE,
- CREATE_TRIGGER(true),
- DROP_TRIGGER(true),
- START_TRIGGER(true),
- STOP_TRIGGER(true),
- CREATE_CONTINUOUS_QUERY,
- DROP_CONTINUOUS_QUERY,
+ WRITE_DATA(true),
+ READ_SCHEMA(true),
+ WRITE_SCHEMA(true),
+ USER,
+ ROLE,
+ GRANT_PRIVILEGE,
+ ALTER_PASSWORD,
+ TRIGGER(true),
+ CONTINUOUS_QUERY,
+ PIPE,
 ALL,
- ALTER_TIMESERIES(true),
- UPDATE_TEMPLATE,
- READ_TEMPLATE,
- APPLY_TEMPLATE(true),
- READ_TEMPLATE_APPLICATION,
- SHOW_CONTINUOUS_QUERIES,
- CREATE_PIPEPLUGIN,
- DROP_PIPEPLUGIN,
- SHOW_PIPEPLUGINS,
- CREATE_PIPE,
- START_PIPE,
- STOP_PIPE,
- DROP_PIPE,
- SHOW_PIPES,
- CREATE_VIEW(true),
- ALTER_VIEW(true),
- RENAME_VIEW(true),
- DELETE_VIEW(true),
 ;
 private static final int PRIVILEGE_COUNT = values().length;
diff --git a/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
index b12ba85be19..aa88beefcc4 100644
--- a/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
+++ b/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
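Review bot: Privileges are carried around as `ordinal()` integers (every `Set<Integer>` in the updated tests, and `PRIVILEGE_COUNT = values().length` at the end of this hunk), and this hunk removes and reorders constants, so an integer produced before this change denotes a different privilege after it: old index 4 (READ_TIMESERIES) now reads as WRITE_SCHEMA, old 8 (DELETE_USER) as ALTER_PASSWORD, old 9 (MODIFY_PASSWORD) as TRIGGER, old 11 (GRANT_USER_PRIVILEGE) as PIPE, and old 26 (ALL) is beyond the new PRIVILEGE_COUNT of 13. If those integers are persisted in the confignode's authorization state or in AuthorPlan serialization (not visible here, but ConfigPhysicalPlanSerDeTest exercising them suggests so), existing accounts silently gain or lose privileges when a node is upgraded, with no log line to show it. Either add a one-time migration that maps legacy ordinals onto the new constants before they are loaded, or give each constant an explicit stable id used for serialization instead of `ordinal()`, and record the constraint on the enum: `// Ordinals are persisted and compared across versions; never reorder or remove constants without a migration.`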
@@ -196,21 +196,11 @@ public class AuthUtils {
 if (!path.equals(ROOT_PATH_PRIVILEGE_PATH)) {
 validatePath(path);
 switch (type) {
- case READ_TIMESERIES:
- case CREATE_DATABASE:
- case CREATE_TIMESERIES:
- case DELETE_TIMESERIES:
- case INSERT_TIMESERIES:
- case ALTER_TIMESERIES:
- case CREATE_TRIGGER:
- case DROP_TRIGGER:
- case START_TRIGGER:
- case STOP_TRIGGER:
- case APPLY_TEMPLATE:
- case CREATE_VIEW:
- case ALTER_VIEW:
- case RENAME_VIEW:
- case DELETE_VIEW:
+ case READ_SCHEMA:
+ case WRITE_SCHEMA:
+ case READ_DATA:
+ case WRITE_DATA:
+ case TRIGGER:
 return;
 default:
 throw new AuthException(
@@ -219,16 +209,10 @@ public class AuthUtils {
 }
 } else {
 switch (type) {
- case READ_TIMESERIES:
- case CREATE_DATABASE:
- case CREATE_TIMESERIES:
- case DELETE_TIMESERIES:
- case INSERT_TIMESERIES:
- case ALTER_TIMESERIES:
- case CREATE_VIEW:
- case ALTER_VIEW:
- case RENAME_VIEW:
- case DELETE_VIEW:
+ case READ_SCHEMA:
+ case WRITE_SCHEMA:
+ case READ_DATA:
+ case WRITE_DATA:
 validatePath(path);
 return;
 default:
@@ -419,7 +403,7 @@ public class AuthUtils {
 boolean legal = false;
 if ("SET_STORAGE_GROUP".equalsIgnoreCase(authorization)
 || "DELETE_STORAGE_GROUP".equalsIgnoreCase(authorization)) {
- authorization = PrivilegeType.CREATE_DATABASE.name();
+ authorization = PrivilegeType.WRITE_SCHEMA.name();
 }
 for (PrivilegeType privilegeType : types) {
 if (authorization.equalsIgnoreCase(privilegeType.name())) {
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 7e8cb9a1309..9f2c3801d52 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
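Review bot: `CREATE_DATABASE` survives in PrivilegeType as a path-relevant constant (`CREATE_DATABASE(true)`), yet it is dropped from both switches in the first two hunks here, so a grant of `CREATE_DATABASE` on a non-root path now falls into the `default:` branch and throws AuthException, while nothing in translateToPermissionId maps a statement to it any more. Either keep `case CREATE_DATABASE:` next to `case WRITE_SCHEMA:` in both switches, or remove the constant together with the ordinal migration that removal implies; the third hunk in this file already treats database DDL as WRITE_SCHEMA, which argues for the latter. The root-path switch in the second hunk omits `TRIGGER`, as the old code omitted the trigger privileges, so triggers cannot be granted on `root.**` — worth a comment stating that this is intended. The enclosing method starts and ends outside these hunks.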
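Review bot: The legacy-name aliasing in the `@@ -419,7 +403,7 @@` hunk (`authorization = PrivilegeType.WRITE_SCHEMA.name();` for SET_STORAGE_GROUP / DELETE_STORAGE_GROUP) is duplicated verbatim in the ASTVisitor hunk (`privilege = PrivilegeType.WRITE_SCHEMA.name();`), and both copies had to be edited in lock-step in this very commit. Move the alias table into one static helper on PrivilegeType, for example `static String resolveLegacyName(String name)` (constructed name), and call it from both sites so the next privilege rename cannot leave the parser and the validator disagreeing about what a legacy name means.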
@@ -74,7 +74,7 @@ public class AuthorityChecker {
 int permission = translateToPermissionId(type);
 if (permission == -1) {
 return false;
- } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal()
+ } else if (permission == PrivilegeType.ALTER_PASSWORD.ordinal()
 && username.equals(targetUser)) {
 // a user can modify his own password
 return true;
@@ -146,42 +146,31 @@ public class AuthorityChecker {
 private static int translateToPermissionId(StatementType type) {
 switch (type) {
- case CREATE_ROLE:
- return PrivilegeType.CREATE_ROLE.ordinal();
- case CREATE_USER:
- return PrivilegeType.CREATE_USER.ordinal();
- case DELETE_USER:
- return PrivilegeType.DELETE_USER.ordinal();
- case DELETE_ROLE:
- return PrivilegeType.DELETE_ROLE.ordinal();
- case MODIFY_PASSWORD:
- return PrivilegeType.MODIFY_PASSWORD.ordinal();
- case GRANT_USER_PRIVILEGE:
- return PrivilegeType.GRANT_USER_PRIVILEGE.ordinal();
- case GRANT_ROLE_PRIVILEGE:
- return PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal();
- case REVOKE_USER_PRIVILEGE:
- return PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal();
- case REVOKE_ROLE_PRIVILEGE:
- return PrivilegeType.REVOKE_ROLE_PRIVILEGE.ordinal();
- case GRANT_USER_ROLE:
- return PrivilegeType.GRANT_USER_ROLE.ordinal();
- case REVOKE_USER_ROLE:
- return PrivilegeType.REVOKE_USER_ROLE.ordinal();
- case STORAGE_GROUP_SCHEMA:
+ case SHOW_SCHEMA_TEMPLATE:
+ case SHOW_NODES_IN_SCHEMA_TEMPLATE:
+ case SHOW_PATH_SET_SCHEMA_TEMPLATE:
+ case SHOW_PATH_USING_SCHEMA_TEMPLATE:
+ return PrivilegeType.READ_SCHEMA.ordinal();
 case TTL:
+ case STORAGE_GROUP_SCHEMA:
 case DELETE_STORAGE_GROUP:
- return PrivilegeType.CREATE_DATABASE.ordinal();
 case CREATE_TIMESERIES:
 case CREATE_ALIGNED_TIMESERIES:
 case CREATE_MULTI_TIMESERIES:
- return PrivilegeType.CREATE_TIMESERIES.ordinal();
 case DELETE_TIMESERIES:
- case DELETE:
 case DROP_INDEX:
- return PrivilegeType.DELETE_TIMESERIES.ordinal();
 case ALTER_TIMESERIES:
- return PrivilegeType.ALTER_TIMESERIES.ordinal();
+ case CREATE_TEMPLATE:
+ case DROP_TEMPLATE:
+ case SET_TEMPLATE:
+ case ACTIVATE_TEMPLATE:
+ case DEACTIVATE_TEMPLATE:
+ case UNSET_TEMPLATE:
+ case CREATE_LOGICAL_VIEW:
+ case ALTER_LOGICAL_VIEW:
+ case RENAME_LOGICAL_VIEW:
+ case DELETE_LOGICAL_VIEW:
+ return PrivilegeType.WRITE_SCHEMA.ordinal();
 case SHOW:
 case QUERY:
 case GROUP_BY_TIME:
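Review bot: `DROP_INDEX` is grouped under `WRITE_SCHEMA` in this hunk while `CREATE_INDEX` remains under `WRITE_DATA` in the next one, so an account holding only WRITE_DATA can create an index it cannot drop and a WRITE_SCHEMA-only account can drop indexes it cannot create; unless that asymmetry is deliberate, move `case CREATE_INDEX:` next to `case DROP_INDEX:`. The switch now encodes a policy (which statements count as schema reads, schema writes, data reads, data writes, and administration) rather than a one-to-one rename, and the method has no Javadoc saying so; add one on translateToPermissionId naming the categories and stating that -1 means "no mapping" and is treated as denied by the caller (the `permission == -1` check in the hunk at line 74). The method runs past the end of this hunk.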
@@ -194,74 +183,55 @@ public class AuthorityChecker { case GROUP_BY_FILL: case SELECT_INTO: case COUNT: - return PrivilegeType.READ_TIMESERIES.ordinal(); + case CREATE_FUNCTION: + case DROP_FUNCTION: + return PrivilegeType.READ_DATA.ordinal(); case INSERT: + case DELETE: case LOAD_DATA: case CREATE_INDEX: case BATCH_INSERT: case BATCH_INSERT_ONE_DEVICE: case BATCH_INSERT_ROWS: case MULTI_BATCH_INSERT: - return PrivilegeType.INSERT_TIMESERIES.ordinal(); - case LIST_ROLE: - case LIST_ROLE_USERS: - case LIST_ROLE_PRIVILEGE: - return PrivilegeType.LIST_ROLE.ordinal(); + return PrivilegeType.WRITE_DATA.ordinal(); + case CREATE_USER: + case DELETE_USER: case LIST_USER: case LIST_USER_ROLES: case LIST_USER_PRIVILEGE: - return PrivilegeType.LIST_USER.ordinal(); - case CREATE_FUNCTION: - case DROP_FUNCTION: - return PrivilegeType.READ_DATA.ordinal(); + return PrivilegeType.USER.ordinal(); + case CREATE_ROLE: + case DELETE_ROLE: + case LIST_ROLE: + case LIST_ROLE_USERS: + case LIST_ROLE_PRIVILEGE: + return PrivilegeType.ROLE.ordinal(); + case MODIFY_PASSWORD: + return PrivilegeType.ALTER_PASSWORD.ordinal(); + case GRANT_USER_PRIVILEGE: + case REVOKE_USER_PRIVILEGE: + case GRANT_ROLE_PRIVILEGE: + case REVOKE_ROLE_PRIVILEGE: + case GRANT_USER_ROLE: + case REVOKE_USER_ROLE: + return PrivilegeType.GRANT_PRIVILEGE.ordinal(); case CREATE_TRIGGER: - return PrivilegeType.CREATE_TRIGGER.ordinal(); case DROP_TRIGGER: - return PrivilegeType.DROP_TRIGGER.ordinal(); + return PrivilegeType.TRIGGER.ordinal(); case CREATE_CONTINUOUS_QUERY: - return PrivilegeType.CREATE_CONTINUOUS_QUERY.ordinal(); case DROP_CONTINUOUS_QUERY: - return PrivilegeType.DROP_CONTINUOUS_QUERY.ordinal(); - case CREATE_TEMPLATE: - case DROP_TEMPLATE: - return PrivilegeType.UPDATE_TEMPLATE.ordinal(); - case SET_TEMPLATE: - case ACTIVATE_TEMPLATE: - case DEACTIVATE_TEMPLATE: - case UNSET_TEMPLATE: - return PrivilegeType.APPLY_TEMPLATE.ordinal(); - case SHOW_SCHEMA_TEMPLATE: - case SHOW_NODES_IN_SCHEMA_TEMPLATE: - 
return PrivilegeType.READ_TEMPLATE.ordinal(); - case SHOW_PATH_SET_SCHEMA_TEMPLATE: - case SHOW_PATH_USING_SCHEMA_TEMPLATE: - return PrivilegeType.READ_TEMPLATE_APPLICATION.ordinal(); case SHOW_CONTINUOUS_QUERIES: - return PrivilegeType.SHOW_CONTINUOUS_QUERIES.ordinal(); + return PrivilegeType.CONTINUOUS_QUERY.ordinal(); case CREATE_PIPEPLUGIN: - return PrivilegeType.CREATE_PIPEPLUGIN.ordinal(); case DROP_PIPEPLUGIN: - return PrivilegeType.DROP_PIPEPLUGIN.ordinal(); case SHOW_PIPEPLUGINS: - return PrivilegeType.SHOW_PIPEPLUGINS.ordinal(); case CREATE_PIPE: - return PrivilegeType.CREATE_PIPE.ordinal(); case START_PIPE: - return PrivilegeType.START_PIPE.ordinal(); case STOP_PIPE: - return PrivilegeType.STOP_PIPE.ordinal(); case DROP_PIPE: - return PrivilegeType.DROP_PIPE.ordinal(); case SHOW_PIPES: - return PrivilegeType.SHOW_PIPES.ordinal(); - case CREATE_LOGICAL_VIEW: - return PrivilegeType.CREATE_VIEW.ordinal(); - case ALTER_LOGICAL_VIEW: - return PrivilegeType.ALTER_VIEW.ordinal(); - case RENAME_LOGICAL_VIEW: - return PrivilegeType.RENAME_VIEW.ordinal(); - case DELETE_LOGICAL_VIEW: - return PrivilegeType.DELETE_VIEW.ordinal(); + return PrivilegeType.PIPE.ordinal(); default: logger.error("Unrecognizable operator type ({}) for AuthorityChecker.", type); return -1; diff --git a/server/src/main/java/org/apache/iotdb/db/mpp/plan/parser/ASTVisitor.java b/server/src/main/java/org/apache/iotdb/db/mpp/plan/parser/ASTVisitor.java index cff2606bac5..7e6aad4ab35 100644 --- a/server/src/main/java/org/apache/iotdb/db/mpp/plan/parser/ASTVisitor.java +++ b/server/src/main/java/org/apache/iotdb/db/mpp/plan/parser/ASTVisitor.java 
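Review bot: `CREATE_FUNCTION` and `DROP_FUNCTION` are kept under `READ_DATA` (the removed lines show the same mapping, so this is carried over rather than introduced), which puts registering or removing a UDF — loading code into the server — on the same footing as running a SELECT; since this commit regroups every other statement by its effect, it is the right moment to move these two to `WRITE_SCHEMA` or a dedicated privilege and leave `READ_DATA` for query statements only. The `default:` branch logging "Unrecognizable operator type" and returning -1 fails closed through the caller's `permission == -1` check, which is worth stating next to it: `// Unmapped statement types are denied by checkAuthorization via -1.` The enclosing switch and method begin before this hunk.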
@@ -2256,7 +2256,7 @@ public class ASTVisitor extends IoTDBSqlParserBaseVisitor<Statement> { for (String privilege : privileges) { if ("SET_STORAGE_GROUP".equalsIgnoreCase(privilege) || "DELETE_STORAGE_GROUP".equalsIgnoreCase(privilege)) { - privilege = PrivilegeType.CREATE_DATABASE.name(); + privilege = PrivilegeType.WRITE_SCHEMA.name(); } if (!PrivilegeType.valueOf(privilege.toUpperCase()).isPathRelevant()) { pathRelevant = false; diff --git a/server/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java b/server/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java index 2fac0adae4d..26c66b4bc6a 100644 --- a/server/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java +++ b/server/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java @@ -54,8 +54,8 @@ public class AuthorizerManagerTest { Set<Integer> privilegesIds = new HashSet<>(); PathPrivilege privilege = new PathPrivilege(); List<PathPrivilege> privilegeList = new ArrayList<>(); - privilegesIds.add(PrivilegeType.CREATE_ROLE.ordinal()); - privilegesIds.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); + privilegesIds.add(PrivilegeType.ROLE.ordinal()); + privilegesIds.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); privilege.setPath(new PartialPath("root.ln")); privilege.setPrivileges(privilegesIds); privilegeList.add(privilege); @@ -108,7 +108,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_ROLE.ordinal()) + PrivilegeType.ROLE.ordinal()) .getCode()); // User does not have permission Assert.assertEquals( @@ -117,7 +117,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_USER.ordinal()) + PrivilegeType.USER.ordinal()) .getCode()); // Authenticate users with roles 
@@ -153,7 +153,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_ROLE.ordinal()) + PrivilegeType.ROLE.ordinal()) .getCode()); // role does not have permission Assert.assertEquals( @@ -162,7 +162,7 @@ public class AuthorizerManagerTest { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_USER.ordinal()) + PrivilegeType.USER.ordinal()) .getCode()); authorityFetcher.getAuthorCache().invalidateCache(user.getName(), "");
